New Remcos Campaign Distributed Through Fake Shipping Document

    Date: 01/16/2026

    Severity: High

    Summary

    Labs identified a new phishing campaign active in the wild. The attack delivers a new variant of Remcos, a lightweight commercial RAT with extensive capabilities, including system resource control, remote surveillance, network operations, and agent management. I performed an in-depth analysis of the campaign's full infection chain: the phishing email, the malicious Word and RTF files, the exploited vulnerability, and the embedded VBScript and PowerShell code. The report also examines fileless Remcos execution via process hollowing, along with its configuration, packet structure, and functional capabilities.

    Indicators of Compromise (IOC) List

    Domains\URLs:

    http://66.179.94.117/157/w/w.doc

    http://66.179.94.117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe

    https://idliya.com/assets/optimized_MSI.png

    https://idliya.com/arquivo_20251130221101.txt

    SHA-256 hashes:

    7798059D678BCA13EEEEBB44A8DB3588E4AA287701AEDE94B094B18F33B58F84

    A35DD25CD31E4A7CCA528DBFFF37B5CDBB4076AAC28B83FD4DA397027402BADD

    E915CE8F7271902FA7D270717A5C08E57014528F19C92266F7B192793D40972F

    94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://idliya.com/assets/optimized_MSI.png" or url like "https://idliya.com/assets/optimized_MSI.png" or siteurl like "https://idliya.com/assets/optimized_MSI.png" or domainname like "http://66.179.94.117/157/w/w.doc" or url like "http://66.179.94.117/157/w/w.doc" or siteurl like "http://66.179.94.117/157/w/w.doc" or domainname like "https://idliya.com/arquivo_20251130221101.txt" or url like "https://idliya.com/arquivo_20251130221101.txt" or siteurl like "https://idliya.com/arquivo_20251130221101.txt" or domainname like "http://66.179.94.117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe" or url like "http://66.179.94.117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe" or siteurl like "http://66.179.94.117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe"

    Detection Query 2:

    sha256hash IN ("94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA","7798059D678BCA13EEEEBB44A8DB3588E4AA287701AEDE94B094B18F33B58F84","a35dd25cd31e4a7cca528dbfff37b5cdbb4076aac28b83fd4da397027402badd","E915CE8F7271902FA7D270717A5C08E57014528F19C92266F7B192793D40972F")
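    The two queries above match the listed URLs and hashes as literal strings; note that one hash in Query 2 is lowercase while the others are uppercase, so whether it matches depends on the platform's case handling. The following Python example is added here and is not part of the advisory or of Gurucul's tooling: it applies the same indicators to constructed proxy- and EDR-style log lines, folding hash case and comparing URLs on host plus path, and additionally flags host-only matches as a lower-confidence signal.

```python
import re
from urllib.parse import urlparse
# IOCs exactly as listed in the advisory above (note the mixed-case hashes).
IOC_URLS = [
    "http://66.179.94.117/157/w/w.doc",
    "http://66.179.94.117/157/fsf090g90dfg090asdfxcv0sdf09sdf90200002f0sf0df09f0s9f0sdf0sf00ds.vbe",
    "https://idliya.com/assets/optimized_MSI.png",
    "https://idliya.com/arquivo_20251130221101.txt",
]
IOC_SHA256 = [
    "7798059D678BCA13EEEEBB44A8DB3588E4AA287701AEDE94B094B18F33B58F84",
    "a35dd25cd31e4a7cca528dbfff37b5cdbb4076aac28b83fd4da397027402badd",
    "E915CE8F7271902FA7D270717A5C08E57014528F19C92266F7B192793D40972F",
    "94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA",
]

def norm_url(u):
    """Compare URLs on lowercased host + path; scheme and host case vary in logs."""
    p = urlparse(u.strip())
    return (p.hostname or "") + p.path

# Fold hash case once: hex is case-insensitive, so an exact comparison against
# the mixed-case list would silently miss the lowercase entry.
HASHES = {h.lower() for h in IOC_SHA256}
URLS = {norm_url(u) for u in IOC_URLS}
HOSTS = {urlparse(u).hostname for u in IOC_URLS}  # host-only: weaker signal
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')  # key=value tokens, quoted or bare

def classify(line):
    """Return (indicator, confidence) pairs that one key=value log line matches."""
    ev = {k: v.strip('"') for k, v in KV.findall(line)}
    hits = []
    if ev.get("sha256", "").lower() in HASHES:
        hits.append(("sha256", "high"))
    url = ev.get("url")
    if url:
        if norm_url(url) in URLS:
            hits.append(("url", "high"))
        elif urlparse(url).hostname in HOSTS:
            hits.append(("host", "medium"))
    return hits

# Constructed sample telemetry (not from the advisory): proxy- and EDR-style lines.
SAMPLE_LOGS = [
    "ts=2026-01-16T10:02:11Z src=10.0.0.5 url=http://66.179.94.117/157/w/w.doc",
    "ts=2026-01-16T10:02:19Z src=10.0.0.5 url=HTTP://IDLIYA.COM/assets/optimized_MSI.png",
    "ts=2026-01-16T10:03:40Z src=10.0.0.5 url=https://idliya.com/",
    "ts=2026-01-16T10:04:02Z host=WS01 sha256=A35DD25CD31E4A7CCA528DBFFF37B5CDBB4076AAC28B83FD4DA397027402BADD",
    "ts=2026-01-16T10:05:00Z src=10.0.0.7 url=https://example.org/index.html",
]
```

Running `[(l, classify(l)) for l in SAMPLE_LOGS if classify(l)]` yields the three high-confidence hits and one host-only medium hit; the benign example.org line produces nothing.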

    Reference:

    https://www.fortinet.com/blog/threat-research/new-remcos-campaign-distributed-through-fake-shipping-document


    Tags

    Malware, REMCOS, RAT, Phishing, Exploit