From Inbox to Intrusion: Multi-Stage Remcos RAT and C2-Delivered Payloads in the Network

April 1, 2026, 3:26 p.m.

Description

This multi-stage fileless Remcos RAT attack uses a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain applies obfuscation techniques such as rotational XOR and Base64 encoding to reconstruct .NET payloads, significantly reducing the disk-based detection footprint. Stealth is maintained by using aspnet_compiler.exe as a LOLBin to proxy malicious execution and by dynamically retrieving the final payload from a remote C2 server.

Date

  • Created: April 1, 2026, 1:16 p.m.
  • Published: April 1, 2026, 1:16 p.m.
  • Modified: April 1, 2026, 3:26 p.m.

Indicators

  • ee25bbfc7de3f5b04d555c0f754645286ccb27be8a1e618c9ef9d239d22b083e
  • http://192-3-27-141.host.colocrossing.com:8087

Attack Patterns

  • Remcos

Additional Information

  • 192-3-27-141.host.colocrossing.com
  • almacensantangel.com