Multi-Stage Remcos RAT Delivery

BLUF

Threat actors are using sophisticated, multi-stage delivery mechanisms involving obfuscated PowerShell and a .NET Reactor Loader to deploy the Remcos Remote Access Trojan (RAT). The techniques leverage living-off-the-land binaries (LOLBins) to evade traditional antivirus and sandbox detections.


Executive Cost Summary

This cost analysis was developed by the CyberDax team using expert judgment and assisted analytical tools to support clarity and consistency.

For organizations affected by multi-stage Remcos RAT delivery via phishing and living-off-the-land techniques:

·       Low-end total cost: $500,000 – $900,000 (limited endpoint spread, no confirmed sensitive data exfiltration)

·       Typical expected range: $900,000 – $1.8M (moderate lateral visibility, credential exposure, standard regulatory review)

·       Upper-bound realistic scenarios: $1.8M – $3.5M (broader persistence, data exposure concerns, extended investigation and remediation)


Key Cost Drivers

·       Number of endpoints requiring reimaging and credential resets

·       Duration of attacker persistence before detection

·       Presence of regulated or sensitive data on infected systems

·       Geographic and sector-specific regulatory obligations

·       Effectiveness and scope of cyber insurance coverage


This cost profile reflects the operationally stealthy but financially cumulative nature of Remcos RAT activity, where impact is driven less by immediate disruption and more by investigation depth, containment breadth, and downstream assurance efforts.

Targeted Sectors

General users and organizations

Countries

Global

Date of First Reported Activity

·       January 13, 2026

Date of Last Reported Activity Update

·       January 13, 2026

APT Names

·       Not applicable at this time

Associated Criminal Organization Names

·       This malware is used by multiple financially motivated groups; it is not attributed to a single organization.

IOCs

·       Specific PowerShell scripts ("jdywa.ps1").

·       Use of MSBuild.exe for process injection.

·       Execution wrapper scripts for "win64.vbs".

·       VBS Launcher: wscript.exe invoking obfuscated scripts.

·       Registry Keys: HKCU\Software\Remcos

Tools Used in Campaign

·       PowerShell

·       wscript.exe

·       MSBuild.exe (LOLBins)

·       .NET Reactor Loader

TTPs

Initial Access & Persistence

·       T1195.002 Supply Chain Compromise

o   Compromise Software Dependencies: Attackers frequently compromise third-party scripts (e.g., analytics or chatbots) to inject skimmers into all sites using that service.

·       T1190 Exploit Public-Facing Application

o   Exploiting vulnerabilities in e-commerce platforms like Magento, WooCommerce, or Shopify to gain direct site access.

·       T1505.003 Server Software Component

o   Web Shell: Deploying web shells to maintain persistent access to a web server to reinstall skimmers if they are removed.

Execution & Defense Evasion

·       T1059.007 Command and Scripting Interpreter

o   JavaScript: The primary method for skimming is injecting malicious JavaScript into checkout pages.

·       T1027 Obfuscated Files or Information

o   Using Base64 encoding, string splitting, or XOR logic to hide malicious code within seemingly benign files.

·       T1564.004 Hide Artifacts: NTFS File Attributes / CSS

o   Recent 2025/2026 campaigns hide malicious code within CSS files or hijack 404 error pages to serve payloads stealthily.

·       T1036.007 Masquerading

o   Double Extension / Domain Mimicry: Hosting scripts on domains that mimic trusted services like google-analytics[.]com or googletagmanager-info[.]com.

Collection & Exfiltration

·       T1539 Steal Web Session Information

o   Capturing real-time keystrokes and form data (credit card numbers, CVVs, PII) directly from the browser.

·       T1071.001 Application Layer Protocol

o   Web Protocols: Exfiltrating stolen data via standard HTTP/S POST requests or WebSockets to attacker-controlled C2 servers to bypass firewalls.


Malware Names

·       Remcos RAT

·       .NET Reactor Loader

Malware Sample

As a reminder, hunt on the heuristic behavior of the malware. Hashes, domains, and similar indicators tend to be dynamic: they usually differ for each target and attack, and can differ even within the same attack.

Remcos RAT

sha256

654e9166acaee1646a53ce51154f81b1b8d4b3d25e07ea4046294f3a02240caa

URL link to sample

·       hxxps://www.virustotal.com/gui/file/654e9166acaee1646a53ce51154f81b1b8d4b3d25e07ea4046294f3a02240caa

.NET Reactor Loader

sha256

b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

URL link to sample

·       hxxps://www.virustotal.com/gui/file/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e

CVEs and CVSS Vectors

CVSS 3.1 Vector

·       No specific CVEs mentioned as it primarily uses living-off-the-land techniques and social engineering.

Nessus ID

·       Activity is not tied to a specific CVE

Suggested rules / potential hunts

As a reminder, these are indicator rules. They are likely to be noisy.

For best results consider creating a data model and reviewing the traffic as a report.

Suricata

Look for high-confidence Remcos botnet traffic alerts.

alert tcp $HOME_NET any -> $EXTERNAL_NET any (msg:"ET MALWARE Remcos RAT C2 Checkin"; flow:established,to_server; content:"|11 00 00 00|"; depth:4; reference:url,research.splunk.com/stories/remcos/; classtype:trojan-activity; sid:2026001; rev:1;)


Double Extensions

Alert on the download of files with deceptive extensions like .pdf.js or .xls.vbs from external sources.

SentinelOne

Initial Stage/Loader Activity

Search for suspicious processes launched from common initial access vectors.

Look for mshta.exe, powershell.exe, or cmd.exe being spawned from email clients, document applications (like EXCEL.EXE, ONENOTE.EXE), or archive utilities, especially if they make immediate network connections or write suspicious files.


Query

(InitiatingProcessName Contains "outlook.exe" OR InitiatingProcessName Contains "excel.exe") AND ProcessName Contains "powershell.exe"

Filter for unusual command lines or network activity.


Monitor for file writes in non-standard locations, particularly %Public% or paths with trailing spaces (e.g., C:\Windows \System32).

Query

EventType = "File Creation" AND FilePath Contains "\\AppData\\Local\\Temp\\" AND FileName EndsWith ".exe"

Filter for files with low reputation or unusual names/sizes.


Hunt for remote process injection events, especially involving common target processes like iexplore.exe, svchost.exe, or dllhost.exe.

Query

EventType = "Process Injection" AND TargetProcessName In ("iexplore.exe", "svchost.exe", "dllhost.exe")


Query

(ProcessName = "svchost.exe" OR ProcessName = "iexplore.exe") AND ProcessImagePath Not Contains "C:\Windows\System32"

To find instances of these binaries running outside standard system paths.


Look for modifications to Run keys or the creation of new keys in HKCU\Software with random or specific names like HKCU\Software\Remcos-CN7LIG.

Query

EventType = "Registry Modification" AND RegistryKey Contains "Run" AND RegistryValueName Contains "Remcos"

Network Artifacts/C2 Communication: Look for unusual outbound connections or C2 setup.


Monitor for processes like svchost.exe or iexplore.exe making outbound connections to dynamic DNS domains, public cloud infrastructure (Dropbox, OneDrive), or IP addresses that retrieve geolocation data (e.g., geoplugin.net).


Query

EventType = "Network Connection" AND (RemoteUrl Contains "geoplugin.net" OR RemoteUrl Contains "dropbox.com")


Query

(ProcessName = "svchost.exe" OR ProcessName = "iexplore.exe") AND NetworkDirection = "Outbound" AND TotalRequestCount > 100

Filter for suspicious volume/destination.

Splunk

Persistence & Keylogging: Detect file creation in the AppData\Roaming\remcos directory, specifically .dat files used for keylogs and clipboard data.

index=windows sourcetype="XmlWinEventLog:Microsoft-Windows-Sysmon/Operational" EventCode=11

| where match(file_path, "(?i)AppData\\\\Roaming\\\\remcos") AND match(file_name, "\\.dat$")

| stats count by host, file_path
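The SentinelOne and Splunk hunts above, expressed as plain Python over constructed Sysmon-style events. This is an added example, not the report's own code; the field names and the sample events are assumptions, and the rule thresholds mirror the queries above.

```python
import re

# Constructed Sysmon-style events (not real telemetry); field names are assumed.
EVENTS = [
    {"type": "process", "parent": "OUTLOOK.EXE", "image": "powershell.exe",
     "cmd": "powershell -nop -w hidden -e <base64 placeholder>"},
    {"type": "process", "parent": "explorer.exe", "image": "svchost.exe",
     "path": r"C:\Users\bob\AppData\Local\Temp\svchost.exe"},
    {"type": "process", "parent": "explorer.exe", "image": "svchost.exe",
     "path": r"C:\Windows\System32\svchost.exe"},
    {"type": "file", "path": r"C:\Users\bob\AppData\Roaming\remcos\logs.dat"},
    {"type": "file", "path": r"C:\Windows \System32\update.exe"},
    {"type": "file", "path": r"C:\Users\bob\Downloads\report.pdf.exe"},
    {"type": "registry", "key": r"HKCU\Software\Remcos-CN7LIG\exepath"},
]

OFFICE_PARENTS = {"outlook.exe", "excel.exe", "winword.exe", "onenote.exe"}
LOLBINS = {"powershell.exe", "mshta.exe", "cmd.exe", "wscript.exe", "msbuild.exe"}
MASQ_TARGETS = {"svchost.exe", "iexplore.exe", "dllhost.exe"}  # common injection targets
SYSTEM32 = "c:\\windows\\system32\\"
# Keylog/clipboard .dat files under AppData\Roaming\remcos (Splunk hunt above)
REMCOS_DAT = re.compile(r"AppData\\Roaming\\remcos\\.*\.dat$", re.I)
# A directory component ending in a space, e.g. "C:\Windows \System32"
TRAILING_SPACE_DIR = re.compile(r"\\[^\\]* \\")
# Deceptive double extensions such as report.pdf.exe or invoice.xls.vbs
DOUBLE_EXT = re.compile(r"\.(pdf|xls|xlsx|doc|docx|jpg)\.(exe|js|vbs|lnk)$", re.I)


def hunt(events):
    """Return (rule_name, event) pairs for every event that matches a hunt."""
    hits = []
    for ev in events:
        if ev["type"] == "process":
            parent, image = ev["parent"].lower(), ev["image"].lower()
            if parent in OFFICE_PARENTS and image in LOLBINS:
                hits.append(("office_spawns_lolbin", ev))
            path = ev.get("path", "").lower()
            if image in MASQ_TARGETS and path and not path.startswith(SYSTEM32):
                hits.append(("system_binary_outside_system32", ev))
        elif ev["type"] == "file":
            for name, pattern in (("remcos_keylog_dat", REMCOS_DAT),
                                  ("trailing_space_path", TRAILING_SPACE_DIR),
                                  ("double_extension", DOUBLE_EXT)):
                if pattern.search(ev["path"]):
                    hits.append((name, ev))
        elif ev["type"] == "registry" and "remcos" in ev["key"].lower():
            hits.append(("remcos_registry_key", ev))
    return hits
```

Running `hunt(EVENTS)` flags six of the seven constructed events; the legitimate svchost.exe under System32 produces no hit.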

Delivery Method

·       Multi-stage process likely initiated via phishing emails or drive-by downloads, leading to VBS script execution.

Email Samples

Internal HR/Performance Review Lure (late 2025 campaign)

Subject

Staff Performance Report for October 2025

Body

Dear [Employee Name],

Please find the attached document regarding the "Staff Performance Report for October 2025". The report outlines information about upcoming terminations based on recent performance reviews. Please review your status immediately.

Confidential Document Attached.

Regards,
Human Resources Department

Attachment

An archive file (e.g., performance_report.zip or report.ace) containing a disguised executable file (e.g., report.pdf.exe, relying on Windows to hide the .exe extension). When executed, this initiates the multi-stage infection chain.


Order/Logistics Lure (mid-2025 campaign)

Subject

RE: NEW ORDER 573923 or URGENT: SHIPMENT DOCUMENTS INV-PLIST01256

Body

Hello,

Please find the attached purchase order and shipment documents for the new order. We require your confirmation and prompt processing.

Thank you,
[Sender Name]
[Company Name]

Attachment

A compressed archive (ZIP or RAR). Inside the archive is a malicious LNK file, JavaScript (.js), or VBScript that downloads and executes subsequent payloads from a remote server. Some campaigns use password-protected ZIP files with the password provided in the email body to bypass email security scanners.

References

The Hacker News

·       hxxps://thehackernews.com/2026/01/new-malware-campaign-delivers-remcos.html

TrendMicro

·       hxxps://www.trendmicro.com/en_us/research/19/h/analysis-new-remcos-rat-arrives-via-phishing-email.html

VirusTotal

·       hxxps://www.virustotal.com/gui/file/654e9166acaee1646a53ce51154f81b1b8d4b3d25e07ea4046294f3a02240caa

·       hxxps://www.virustotal.com/gui/file/b28b0934f36d4af7c1882a2d9ab9214e65821b007b4b89bece7daf72ac3f024e
