A malicious ZIP archive (SHA256: a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094) contains a VHDX file that automatically mounts on modern Windows OSs, exposing a malicious JavaScript file. This JavaScript uses obfuscation and launches a PowerShell script through WMI to bypass endpoint detection and response (EDR) solutions. The PowerShell script reconstructs itself from obfuscated strings and downloads a second-stage payload from a remote server. This payload contains a PowerShell reflective .Net loader that loads shellcode, which downloads and injects the Remcos RAT into a legitimate Windows process (backgroundTaskHost.exe). The RAT communicates with a command-and-control server and achieves persistence via a registry Run key. The infection chain is complex, multi-staged, and designed to evade detection by common security controls.

The threat results in the installation of the Remcos remote access trojan (RAT) on affected Windows systems, enabling attackers to gain unauthorized remote control. The malware uses stealthy techniques to evade detection and establish persistence, potentially allowing attackers to perform reconnaissance, data exfiltration, or further compromise. The obfuscation and multi-stage delivery reduce the likelihood of early detection by antivirus and EDR solutions.

Patch status is not yet confirmed — check the vendor advisory for current remediation guidance. In the absence of an official fix, mitigation should focus on blocking the delivery vector (malicious ZIP files containing VHDX images) and monitoring for the described behaviors. Security teams should consider disabling automatic mounting of VHDX files if feasible, and enhance detection capabilities for WMI-based PowerShell execution and the specific obfuscation patterns described. Since the infection chain uses known techniques to evade detection, updating endpoint detection rules to identify WMI-launched PowerShell scripts and monitoring registry Run keys for suspicious entries is recommended.