AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign
A widespread phishing campaign is distributing AsyncRAT and Remcos remote access trojans (RATs) via malicious Excel spreadsheets. The emails impersonate legitimate business communications such as purchase orders and payment advice. Enabling macros triggers VBA code that downloads HTA payloads using URL shorteners and Cloudflare Workers. The infection chain is multi-stage and heavily obfuscated, employing Base64 encoding, steganography in PNG files, and character substitution. The campaign intensified in June 2026 and targets organizations globally across multiple industries.
AI Analysis
Technical Summary
This campaign uses phishing emails with malicious Excel attachments containing VBA macros. When macros are enabled, the VBA code retrieves HTA payloads through URL shorteners and Cloudflare Workers infrastructure. The multi-stage infection employs advanced obfuscation techniques including Base64 encoding, steganography in PNG images, and character substitution to evade detection. The payloads delivered are AsyncRAT and Remcos RATs, which provide remote access capabilities to attackers. The campaign targets diverse industries worldwide and uses automation and possibly large language models to generate payloads efficiently. The HTA payloads have distinctive naming conventions using concatenated positive English words.
Potential Impact
Successful exploitation results in the installation of AsyncRAT or Remcos RATs, which enable attackers to gain remote access and control over infected systems. This can lead to data theft, espionage, lateral movement within networks, and potential disruption of business operations. The campaign's use of multi-stage infection and heavy obfuscation complicates detection and response efforts.
Mitigation Recommendations
No official patch or fix applies as this is a phishing and malware distribution campaign. Mitigation focuses on user awareness to avoid enabling macros in unsolicited or unexpected Excel attachments. Email filtering to block phishing emails and URL shorteners used in the attack chain can reduce exposure. Endpoint detection and response solutions should be tuned to detect obfuscated VBA macros, HTA payloads, and behaviors associated with AsyncRAT and Remcos. Organizations should follow best practices for macro security and restrict execution of HTA files where possible.
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign
- Adversary: null
- Pulse Id: 6a471de4dcdacfc396979ab8
- Threat Score: null
Threat ID: 6a475f7e27e9c7971933af65
Added to database: 07/03/2026, 07:06:38 UTC
Last enriched: 07/03/2026, 07:21:19 UTC
Last updated: 07/03/2026, 09:20:28 UTC