Cybercriminals are increasingly leveraging malicious Windows Shortcut (LNK) files to deploy sophisticated backdoors, with a new campaign delivering an advanced REMCOS variant that successfully evades traditional antivirus detection mechanisms. The campaign begins with social engineering tactics, distributing LNK files disguised as legitimate documents such as invoices or purchase orders. These files carry innocuous names like “ORDINE-DI-ACQUIST-7263535” and appear as standard documents to unsuspecting users. However, beneath this facade lies a complex infection chain that leverages PowerShell commands, Base64 encoding, and fileless execution techniques to deliver the REMCOS backdoor payload.

Point Wild analysts identified this particular variant through comprehensive behavioral analysis, revealing its ability to bypass multiple layers of security controls through sophisticated obfuscation techniques. The attack initiates when users double-click the seemingly harmless LNK file, which immediately triggers a hidden PowerShell execution. Rather than displaying the macro warnings typical of malicious Office documents, LNK files execute silently, making them particularly dangerous for end users. The initial LNK file contains an extensive PowerShell command that remains largely invisible to users due to Windows’ property display limitations. This embedded PowerShell command establishes the foundation for the entire infection chain through a carefully orchestrated sequence of file downloads and decoding operations. The second stage performs in-memory Base64 decoding, converting the text content into a binary executable named CHROME.PIF, a filename deliberately chosen to suggest legitimate Chrome browser functionality.

Upon execution, the malware establishes persistence through registry modifications under the key “8917161-B37E3P” and creates a comprehensive keylogging system using the SetWindowsHookExA API function. It maintains command and control communication with Romanian infrastructure at IP address 92.82.184.33, enabling remote access capabilities including file transfer, command execution, and surveillance functions. The malware’s stealth capabilities stem from its abuse of legitimate Windows processes and its strategic placement of malicious components within trusted system directories. This multi-stage attack demonstrates the evolving sophistication of threat actors who exploit legitimate Windows functionality to establish persistent footholds in targeted systems, and it exemplifies a threat landscape in which attackers combine social engineering with advanced technical evasion, making signature-based detection increasingly ineffective against modern malware variants.
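The article's core observation is that the LNK file hides an oversized PowerShell command line that the Properties dialog cannot fully display, and that the command carries a Base64-encoded stage. The following added example (written for this page; it is not code from the article, from Point Wild, or from the campaign) parses the Shell Link binary format far enough to recover a shortcut's path and argument strings and flags the indicators the article describes. The 260-character display threshold, the regular expressions and the two sample `.lnk` byte strings are this example's own assumptions; the samples are constructed in the code and the "payload" is a labelled dummy string.

```python
"""Static triage of a Windows Shortcut (.lnk) for an embedded PowerShell launcher.

Added example, not code from the article or from Point Wild. It parses the
Shell Link binary format (MS-SHLLINK) far enough to recover the StringData
fields (relative path, working directory, command-line arguments, icon) and
applies defender heuristics for the tradecraft the article describes: a
PowerShell target, a command line longer than the Properties dialog shows,
evasion switches, and a Base64 blob. The .lnk samples are constructed here.
"""
import base64
import re
import struct

# LinkFlags bits from the ShellLinkHeader (MS-SHLLINK section 2.1.1).
HAS_ID_LIST = 1 << 0
HAS_LINK_INFO = 1 << 1
HAS_NAME = 1 << 2
HAS_RELATIVE_PATH = 1 << 3
HAS_WORKING_DIR = 1 << 4
HAS_ARGUMENTS = 1 << 5
HAS_ICON_LOCATION = 1 << 6
IS_UNICODE = 1 << 7

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Heuristic threshold (assumption): the shortcut Properties dialog shows at most
# 260 characters of the Target field, so a longer command line is hidden from
# a user inspecting the file by hand.
DISPLAY_LIMIT = 260

# Order in which StringData fields appear after the optional structures.
STRING_FIELDS = (
    ("name", HAS_NAME),
    ("relative_path", HAS_RELATIVE_PATH),
    ("working_dir", HAS_WORKING_DIR),
    ("arguments", HAS_ARGUMENTS),
    ("icon_location", HAS_ICON_LOCATION),
)


def _read_string(buf, pos, unicode):
    """Read one StringData entry: a 16-bit character count followed by the text."""
    count = struct.unpack_from("<H", buf, pos)[0]
    pos += 2
    if unicode:
        return buf[pos:pos + 2 * count].decode("utf-16-le"), pos + 2 * count
    return buf[pos:pos + count].decode("latin-1"), pos + count


def parse_lnk(buf):
    """Return the StringData fields of a .lnk as a dict (None where the flag is unset)."""
    if struct.unpack_from("<I", buf, 0)[0] != LNK_HEADER_SIZE or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags = struct.unpack_from("<I", buf, 0x14)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:      # skip LinkTargetIDList: IDListSize + IDList
        pos += 2 + struct.unpack_from("<H", buf, pos)[0]
    if flags & HAS_LINK_INFO:    # skip LinkInfo: its first DWORD is its total size
        pos += struct.unpack_from("<I", buf, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if flags & bit:
            fields[name], pos = _read_string(buf, pos, bool(flags & IS_UNICODE))
        else:
            fields[name] = None
    return fields


B64_BLOB = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")
EVASION = re.compile(r"-w(indowstyle)?\s+hidden|-nop\b|-e(nc|ncodedcommand)?\s|bypass", re.I)


def triage_lnk(buf):
    """Return the indicators tripped by a shortcut; an empty list means nothing flagged."""
    f = parse_lnk(buf)
    target = " ".join(x for x in (f["relative_path"], f["arguments"]) if x)
    hits = []
    if re.search(r"powershell(\.exe)?|pwsh", target, re.I):
        hits.append("powershell-target")
    if EVASION.search(target):
        hits.append("evasion-switches")
    if len(target) > DISPLAY_LIMIT:
        hits.append("command-exceeds-display-limit")
    if "FromBase64String" in target or B64_BLOB.search(target):
        hits.append("base64-payload")
    return hits


def build_lnk(relative_path, arguments):
    """Construct a minimal Unicode .lnk carrying only RELATIVE_PATH and arguments (demo only)."""
    header = bytearray(LNK_HEADER_SIZE)
    struct.pack_into("<I", header, 0, LNK_HEADER_SIZE)
    header[4:20] = LNK_CLSID
    struct.pack_into("<I", header, 0x14, HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le")
                    for s in (relative_path, arguments))
    return bytes(header) + body


# Constructed samples: the "payload" is a harmless labelled string, not the campaign's.
_BLOB = base64.b64encode(b"CONSTRUCTED SAMPLE, NOT A REAL PAYLOAD " * 8).decode()
SUSPICIOUS_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    f"-w hidden -nop -c \"$p=[Convert]::FromBase64String('{_BLOB}')\"",
)
BENIGN_LNK = build_lnk(
    r"..\..\Program Files\Google\Chrome\Application\chrome.exe",
    "--profile-directory=Default",
)

if __name__ == "__main__":
    for label, sample in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        print(label, triage_lnk(sample) or "clean")
```

To run it against a real file from a mail gateway quarantine, pass `open(path, "rb").read()` to `triage_lnk`. The parser only reads the StringData block; a shortcut whose target is expressed solely through the LinkTargetIDList would need that structure decoded as well, so treat an empty result as "nothing in the string fields" rather than "clean".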
This Cyber News was published on cybersecuritynews.com. Publication date: Wed, 30 Jul 2025 14:50:56 +0000