LNK Trojan delivers REMCOS

July 30, 2025, 3:20 p.m.

Description

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chain involves file download, Base64 decoding, and execution of a malicious PIF file masquerading as a Chrome-related program. The LNK file contains a PowerShell command that downloads and executes a payload, which is then decoded and run as CHROME.PIF. This file is identified as the REMCOS backdoor, capable of various malicious activities including keylogging, screen capture, and remote access. The attack utilizes multiple stages to evade detection and establish persistence on the victim's system.

External References

https://www.pointwild.com/threat-intelligence/trojan-winlnk-powershell-runner
https://otx.alienvault.com/pulse/688a324d62b64db244b9463f
Tags
backdoor
powershell
remcos
keylogger
lnk file
c2 communication
pif file
multi-stage attack
base64 encoding
2025-07-30

Date

  • Created: July 30, 2025, 2:55 p.m.
  • Published: July 30, 2025, 2:55 p.m.
  • Modified: July 30, 2025, 3:20 p.m.

Indicators

  • 506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6
  • 5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2
  • 8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1
  • 92.82.184.33
  • 198.23.251.10
  • http://shipping-hr.ro/m/r/r.txt
  • shipping-hr.ro
  • mal289re1.es
Download all indicators here!

Attack Patterns

  • REMCOS

Additional Informations

  • Romania
  • United States of America