May 16, 01:52 PM

Fileless Remcos RAT Delivered via Tax-Themed ZIPs Exploits PowerShell, Linked to Russian Cybercrime and SAP NetWeaver Attacks

A new cyberattack campaign has been identified that uses a fileless Remote Access Trojan (RAT) called Remcos, which operates entirely in memory to evade traditional security defenses. The malware is delivered through tax-themed ZIP files containing LNK shortcut files and leverages PowerShell and MSHTA to execute without writing files to disk. This technique allows attackers to gain full remote access to compromised systems. The campaign is linked to a known Russian cybercrime group and poses a threat to organizations in Western countries. Additionally, recent malicious activities include the use of .NET assemblies embedding bitmap resources to conceal RATs, as reported by cybersecurity researchers. Ransomware groups such as BianLian and RansomEXX, associated with Russian threat actors, have exploited vulnerabilities in SAP's NetWeaver software, with China-based groups also implicated in the attack chain. There is also a noted increase in ransomware gangs using Skitnet post-exploitation malware. Cybercriminals have further evolved tactics by embedding malware, spyware, and credential stealers directly into image files, complicating detection efforts.