
AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign

Severity: Medium
Published: 07/03/2026 (07/03/2026, 02:26:44 UTC)
Source: AlienVault OTX General

Description

A widespread phishing campaign is distributing AsyncRAT and Remcos remote access trojans (RATs) via malicious Excel spreadsheets. The emails impersonate legitimate business communications such as purchase orders and payment advice. Enabling macros triggers VBA code that downloads HTA payloads using URL shorteners and Cloudflare Workers. The infection chain is multi-stage and heavily obfuscated, employing Base64 encoding, steganography in PNG files, and character substitution. The campaign intensified in June 2026 and targets organizations globally across multiple industries.

AI-Powered Analysis

Machine-generated threat intelligence

Last updated: 07/03/2026, 07:21:19 UTC

Technical Analysis

This campaign uses phishing emails with malicious Excel attachments containing VBA macros. When macros are enabled, the VBA code retrieves HTA payloads through URL shorteners and Cloudflare Workers infrastructure. The multi-stage infection employs layered obfuscation, including Base64 encoding, steganography in PNG images, and character substitution, to evade detection. The final payloads are the AsyncRAT and Remcos RATs, which give the operators remote access to the compromised host. The campaign targets diverse industries worldwide and appears to use automation, and possibly large language models, to generate payload variants at scale. The HTA payloads follow a distinctive naming convention of concatenated positive-sounding English words (for example, the listed ibredgoodforbestthingscomingbackform.hta).

Potential Impact

Successful exploitation results in the installation of AsyncRAT or Remcos RATs, which enable attackers to gain remote access and control over infected systems. This can lead to data theft, espionage, lateral movement within networks, and potential disruption of business operations. The campaign's use of multi-stage infection and heavy obfuscation complicates detection and response efforts.

Mitigation Recommendations

No official patch or fix applies as this is a phishing and malware distribution campaign. Mitigation focuses on user awareness to avoid enabling macros in unsolicited or unexpected Excel attachments. Email filtering to block phishing emails and URL shorteners used in the attack chain can reduce exposure. Endpoint detection and response solutions should be tuned to detect obfuscated VBA macros, HTA payloads, and behaviors associated with AsyncRAT and Remcos. Organizations should follow best practices for macro security and restrict execution of HTA files where possible.


Technical Details

Author: AlienVault
TLP: white
References: https://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign
Adversary: none recorded
Pulse Id: 6a471de4dcdacfc396979ab8
Threat Score: none recorded

Indicators of Compromise

Url

http://ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns.org:14647
http://107.172.235.213/87/img_015059.png
http://107.172.135.60/96/ibredgoodforbestthingscomingbackform.hta
https://as.al/file/KBn1RC
http://198.12.83.75/98/img_194618.png
https://cuth.me/sse8kU
http://as.al/file/KBn1RC.

Domain

cuth.me
ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns.org

Hash (grouped by digest length: 32 hex characters = MD5, 40 = SHA-1, 64 = SHA-256)

MD5
5e16dd79001f2faba4569e2abd5b19c0
d924b7e4d3fc4bc02422057ebe87dcdd
026e6e27fe574cd05c83c82610046ba2
7efc7341472dc671779c0ca8d4e8ac5c

SHA-1
6c2f10ec18c34ea9ba423b19e6ccf228ecf47a31
d044d5b8ba9c7abc203a0ff5688702c7f45b54cd
4ca48fb14e6f26d617c77d219ae5529935bb4893
b36519598b8cd8ebcc959965db5dba1ace8d78a6

SHA-256
49c7b4eb6620917ee7ca796472b7af9f01ea6f7f80391ae7eb7bd8dabe0b7249
0542b57b67b021f877969c900214362d62eb2ba56d0645ab4e62838c8c79733a
bb551faff31c0a2c073b8a8cde34b41b6aed6e3aa7ca190e4764fdbc037be2c3
eb5ec9fca46e31da933f3a52aed3e483aec25e59c7540b89740fbe6dc19b0bc8

Threat ID: 6a475f7e27e9c7971933af65

Added to database: 07/03/2026, 07:06:38 UTC

Last enriched: 07/03/2026, 07:21:19 UTC

Last updated: 07/03/2026, 09:20:28 UTC

Views: 16
