Fileless Multi-Stage Remcos RAT: From Phishing to Memory-Resident Execution

    Date: 03/12/2026

    Severity: Medium

    Summary

    A recent campaign involving Remcos RAT demonstrates the shift toward fileless malware techniques, using phishing emails with procurement-themed lures to initiate infection. The attack chain delivers a JavaScript downloader that retrieves an AES-obfuscated PowerShell payload, which then loads a .NET injector to perform process hollowing on a legitimate Windows process. The final Remcos RAT payload executes entirely in memory without leaving files on disk, highlighting modern attacker tactics such as layered scripting, in-memory execution, and abuse of trusted system components to evade traditional detection.

    Indicators of Compromise (IOC) List

    URLs/Domains

    eaidali.ddns.net

    www.lmfire.net

    http://eaidali.ddns.net:2404/

    http://www.lmfire.net:2404/

    IP Address

    91.92.243.550

    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "http://www.lmfire.net:2404/" or siteurl like "http://www.lmfire.net:2404/" or url like "http://www.lmfire.net:2404/" or domainname like "http://eaidali.ddns.net:2404/" or siteurl like "http://eaidali.ddns.net:2404/" or url like "http://eaidali.ddns.net:2404/" or domainname like "eaidali.ddns.net" or siteurl like "eaidali.ddns.net" or url like "eaidali.ddns.net" or domainname like "www.lmfire.net" or siteurl like "www.lmfire.net" or url like "www.lmfire.net"

    Detection Query 2:

    dstipaddress IN ("91.92.243.550") or srcipaddress IN ("91.92.243.550")

    Detection Query 3:

    md5hash IN ("c2b601dc165fa0b4837019f1152d005a","47b1603f62306dfa34bd7d52b7159c7f","de59f9c1b237af2b27df59a6cec82fd2","df8a0d943f6df9394f0116521536a938","ffe4dc0ebc7b0b76d95dad2f383f6034","e7983c9dc42001baeafedebdaba8b310","6f61c2917c7dac70b4703700b3aafb33")
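    The three queries above, reduced to an offline matcher as an added example (not Gurucul's or Trellix's code): it parses the TDIR `field like "x"` / `field IN (...)` syntax, runs the clauses over constructed events, and checks that IP indicators actually parse, which the listed 91.92.243.550 does not (its last octet exceeds 255). Treating `like` as a substring match and shortening Queries 1 and 3 to two indicators each are assumptions made for the example.

```python
import re
from ipaddress import ip_address

# Queries in the advisory's TDIR syntax, `or`-joined clauses. Queries 1 and 3
# are shortened to two indicators each here; the full versions are on the page.
QUERIES = {
    "Query 1": 'domainname like "eaidali.ddns.net" or url like "http://www.lmfire.net:2404/"',
    "Query 2": 'dstipaddress IN ("91.92.243.550") or srcipaddress IN ("91.92.243.550")',
    "Query 3": 'md5hash IN ("c2b601dc165fa0b4837019f1152d005a","47b1603f62306dfa34bd7d52b7159c7f")',
}
CLAUSE = re.compile(r'(\w+)\s+(like|in)\s+(?:"([^"]*)"|\(([^)]*)\))', re.I)

def parse_query(text):
    """Split a query into (field, operator, [values]) clauses, lower-cased."""
    out = []
    for field, op, one, many in CLAUSE.findall(text):
        vals = [one] if op.lower() == "like" else re.findall(r'"([^"]*)"', many)
        out.append((field.lower(), op.lower(), [v.lower() for v in vals]))
    return out

def is_ip(value):
    try:
        ip_address(value)
        return True
    except ValueError:
        return False

def invalid_ip_indicators(clauses):
    """IP-clause values that do not parse as addresses: the advisory's
    91.92.243.550 has an octet above 255 and can never match real traffic."""
    return [v for f, _, vals in clauses if f.endswith("ipaddress")
            for v in vals if not is_ip(v)]

def clause_hits(event, field, op, vals):
    """`like` is treated as case-insensitive substring match (an assumption,
    since the queries carry no wildcards); `IN` is exact membership."""
    actual = str(event.get(field, "")).lower()
    return any(v in actual for v in vals) if op == "like" else actual in vals

def matching_queries(event):
    """Names of the queries whose `or`-joined clauses fire on one event."""
    return [name for name, text in QUERIES.items()
            if any(clause_hits(event, *c) for c in parse_query(text))]

# Constructed sample events (not real telemetry) using the queries' field names.
EVENTS = [
    {"url": "http://www.lmfire.net:2404/", "srcipaddress": "10.0.0.5"},
    {"md5hash": "47B1603F62306DFA34BD7D52B7159C7F"},
    {"url": "https://example.com/", "dstipaddress": "91.92.243.550"},
]
```

Running `invalid_ip_indicators(parse_query(QUERIES["Query 2"]))` before deploying the IP rule surfaces the malformed indicator instead of letting a rule that can never fire sit silently in the SIEM.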

    Reference:

    https://www.trellix.com/blogs/research/fileless-multi-stage-remcos-rat-phishing-to-memory/


    Tags: Malware, REMCOS RAT, Phishing, .NET Payloads
