This threat involves a modernized infection chain for Remcos RAT 7.2.1 Pro, initiated by a phishing email containing a batch file (Bestellung.CMD) that runs Base64-encoded commands. Unlike previous campaigns relying on PowerShell .NET loaders, this variant uses DonutLoader shellcode and AutoIt scripts for in-memory execution. The infection abuses legitimate Windows binaries such as cscript.exe and SyncAppvPublishingServer.vbs to execute obfuscated payloads. Additional components, including 7Zip tools and password-protected archives with obfuscated JScript, are downloaded from cloud storage. The final stage injects Remcos RAT into colorcpl.exe, facilitating remote access, credential harvesting, keystroke logging, and deployment of further malicious payloads.

Successful exploitation results in remote attacker control over the infected system via Remcos RAT, enabling credential theft, keystroke logging, and the ability to deploy additional malware. The use of in-memory execution and process injection techniques complicates detection and mitigation efforts.

No official patch or vendor advisory is available for this threat. Patch status is not yet confirmed — check vendor advisories for current remediation guidance. Mitigation should focus on user awareness to prevent phishing infections, restricting execution of unauthorized batch files, and monitoring for abuse of legitimate Windows utilities. Network controls to block access to known cloud storage locations used for payload delivery may also help reduce risk.