CyberSecurityBoard
Sponsor Register Login

Hackers Use .PIF Files and UAC Bypass to Drop Remcos Malware on Windows

This multi-stage attack represents a concerning evolution in malware distribution techniques, as threat actors increasingly exploit legitimate Windows functionalities and outdated file formats to evade modern security solutions. The attack chain employs DBatLoader as its primary delivery mechanism, utilizing a combination of User Account Control bypass methods, obfuscated scripts, and Living Off the Land Binaries abuse to establish persistent access to compromised systems. A sophisticated new phishing campaign has emerged, leveraging obsolete Windows file formats and advanced evasion techniques to distribute the notorious Remcos Remote Access Trojan. The campaign begins with carefully crafted phishing emails containing malicious archives that house an executable named “FAKTURA,” designed to deploy DBatLoader onto target systems. The researchers noted that the attack leverages Program Information Files (.pif), originally designed for configuring DOS-based programs in early Windows systems, as a disguise mechanism for malicious executables. The sophisticated combination of UAC bypass, process injection, and scheduled task abuse creates a robust infection framework that challenges traditional detection methodologies and requires advanced behavioral analysis for identification. The malicious alpha.pif file, functioning as a Portable Executable, circumvents User Account Control by creating deceptive directories such as “C:\Windows ” with trailing spaces. Cyber Security News is a Dedicated News Platform For Cyber News, Cyber Attack News, Hacking News & Vulnerability Analysis. Any.Run analysts identified this campaign through comprehensive sandbox analysis, revealing the intricate methods employed by the malware to maintain stealth and persistence. The attack employs sophisticated time-based evasion through PING.EXE abuse, executing the command to ping the local loopback address (127.0.0.1) ten times. While legitimate applications use this for network connectivity testing, DBatLoader repurposes this functionality to introduce artificial delays, helping evade time-sensitive detection systems. The campaign further employs BatCloak obfuscation for .cmd files and utilizes extrac32.exe to manipulate Windows Defender exclusion lists. With years of experience under his belt in Cyber Security, he is covering Cyber Security News, technology and other news. The core innovation of this campaign lies in its exploitation of .pif files and Windows folder name handling vulnerabilities.

This Cyber News was published on cybersecuritynews.com. Publication date: Mon, 30 Jun 2025 15:00:17 +0000


Cyber News related to Hackers Use .PIF Files and UAC Bypass to Drop Remcos Malware on Windows

The Persistent Danger of Remcos RAT - From initial infection to persistent control, the Remcos RAT campaign exemplifies the evolving nature of cyber threats and the need for proactive defense measures. This ecosystem is supported by a diverse array of servers that function as command and ...
2 years ago Cyberdefensemagazine.com
Hackers Use .PIF Files and UAC Bypass to Drop Remcos Malware on Windows - This multi-stage attack represents a concerning evolution in malware distribution techniques, as threat actors increasingly exploit legitimate Windows functionalities and outdated file formats to evade modern security solutions. The attack chain ...
8 months ago Cybersecuritynews.com Cloak
WinRAR Flaw: LONEPAGE Malware Strikes Ukrainian Firms - In the realm of cybersecurity, vigilance is paramount, and recent developments reveal a persistent threat facing Ukrainian entities. In this blog post, we'll look into the intricate details of the persistent cybersecurity threat posed by LONEPAGE ...
2 years ago Securityboulevard.com
UAC Bypass: 3 Methods Used Malware In Windows 11 in 2024 - User Account Control is one of the security measures introduced by Microsoft to prevent malicious software from executing without the user's knowledge. Modern malware has found effective ways to bypass this barrier and ensure silent deployment on the ...
1 year ago Cybersecuritynews.com
Ukraine Targeted by UAC-0050 Using Remcos RAT Pipe Method - Remcos RAT is a type of Remote Access Trojan used for unauthorized access and control of a computer system. It allows threat actors to perform various malicious activities like:-. Cybersecurity researchers at Uptycs recently discovered that the ...
2 years ago Gbhackers.com
February 2024's Most Wanted Malware: WordPress Websites Targeted by Fresh FakeUpdates Campaign - Our latest Global Threat Index for February 2024 saw researchers uncover a fresh FakeUpdates campaign compromising WordPress websites. These sites were infected using hacked wp-admin administrator accounts, with the malware adapting its tactics to ...
2 years ago Blog.checkpoint.com
New NightShadeC2 Botnet Uses UAC Prompt Bombing to Evade Detection - A new botnet named NightShadeC2 has been discovered employing a novel technique called UAC prompt bombing to bypass User Account Control (UAC) defenses on Windows systems. This innovative approach overwhelms the UAC prompts, effectively desensitizing ...
6 months ago Cybersecuritynews.com
Threat Actors Weaponize LNK Files With New REMCOS Variant That Bypasses AV Engines - Cybercriminals are increasingly leveraging malicious Windows Shortcut (LNK) files to deploy sophisticated backdoors, with a new campaign delivering an advanced REMCOS variant that successfully evades traditional antivirus detection mechanisms. This ...
7 months ago Cybersecuritynews.com
Types of Malware and How To Prevent Them - Malware is one of the biggest security threats to any type of technological device, and each type of malware uses unique tactics for successful invasions. Even if you've downloaded a VPN for internet browsing, our in-depth guide discusses the 14 ...
1 year ago Pandasecurity.com
Hackers abuse Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
2 years ago Bleepingcomputer.com CVE-2024-21412
Hackers exploit Windows SmartScreen flaw to drop DarkGate malware - A new wave of attacks by the DarkGate malware operation exploits a now-fixed Windows Defender SmartScreen vulnerability to bypass security checks and automatically install fake software installers. SmartScreen is a Windows security feature that ...
2 years ago Bleepingcomputer.com CVE-2024-21412
How to Remove Malware + Viruses - Malware removal can seem daunting after your device is infected with a virus, but with a careful and rapid response, removing a virus or malware program can be easier than you think. We created a guide that explains exactly how to rid your Mac or PC ...
1 year ago Pandasecurity.com
November 2023's Most Wanted Malware: New AsyncRAT Campaign Discovered while FakeUpdates Re-Entered the Top Ten after Brief Hiatus - Researchers reported on a new AsyncRAT campaign where malicious HTML files were being used to spread the stealthy malware. Our latest Global Threat Index for November 2023 saw researchers discover a AsyncRAT campaign where malicious HTML files were ...
2 years ago Blog.checkpoint.com
Top 10 Best Dynamic Malware Analysis Tools in 2025 - FireEye Malware AnalysisEnterprise-grade solution, zero-day detection, integration with threat intelligence, memory forensics.Enterprise-grade malware detection and forensicsPricing details not publicly available; contact for quote.Yes6. Detux ...
1 year ago Cybersecuritynews.com
PixPirate: The Brazilian financial malware you can't see, part one - The constantly mutating PixPirate malware has taken that strategy to a new extreme. PixPirate is a sophisticated financial remote access trojan malware that heavily utilizes anti-research techniques. Within IBM Trusteer, we saw several different ...
2 years ago Securityintelligence.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com
Stemming the Tide: Solving the Challenge of Password Reuse and Password-Stealing Malware - Password stealing malware is again rising with several attacks making the news cycle in recent months. A new password-stealing malware named Ov3r Stealer was discovered on Facebook Ads, spreading by way of fake job opportunities. Further analysis ...
1 year ago Cybersecurity-insiders.com

Latest Cyber News


    Cyber Trends (last 7 days)


    Trending Cyber News (last 7 days)