Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware. This sophisticated threat consistently adapts to bypass security measures and maintain a hidden presence on infected computers. This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.
According to reports, campaigns observed between 2024 and 2025 show that Remcos malware remains highly active, continually adapting to stay hidden, as researchers noted in a blog post shared with Hackread.com.[1]
The initial infection typically begins with a deceptive email originating from compromised accounts of small businesses or schools. These are legitimate accounts that have been hacked, making the emails appear trustworthy and less likely to be flagged as suspicious.
Malicious Email (Source: Forcepoint)
These emails carry malicious Windows shortcut (.LNK) files, disguised and hidden inside compressed archive attachments. Once a user falls for the trick and opens the malicious file, Remcos quietly installs itself, creating hidden folders on the victim’s computer.
What makes these folders particularly tricky is that they are "spoofed Windows directories" created "by exploiting path-parsing bypass techniques like prefixing paths with \\?\". The \\?\ prefix is a Win32 feature, not an NT Object Manager path: it tells the Windows API to hand the path to the NT layer verbatim, skipping the normalization that would otherwise strip trailing spaces and dots from names. That lets the malware create a directory such as C:\Windows \SysWOW64 (note the space after "Windows") that is visually indistinguishable from the real C:\Windows\SysWOW64 in a file listing, which makes it easy for security tools and analysts to overlook.
After initial installation, Remcos sets up persistence so that it survives reboots and stays resident for an extended period: it creates scheduled tasks and uses other stealthy methods to keep a backdoor open for the operators. It also tampers with a User Account Control (UAC) registry setting (PromptOnSecureDesktop) in an attempt to make the consent prompt easier to get past.
Remcos attack chain (Source: Forcepoint)
The malicious LNK files themselves contain hidden PowerShell code, which downloads a .dat file containing an executable in Base64 form, a text encoding of binary data that malware commonly uses to slip past simple content inspection.
The script decodes this file into an executable, typically disguised with a PDF icon but saved with a .pif extension (a legacy Program Information File type that Windows still treats as executable). This executable then creates copies of itself, a URL shortcut file, and four heavily obfuscated batch files padded with special symbols and meaningless foreign-language text, all designed to evade antivirus detection. Once fully operational, Remcos gives attackers complete control, enabling them to steal passwords, capture screenshots, copy files, and monitor user activity; it also checks the internet connection, system language, and country code to refine targeting.
Organizations and individuals are urged to be alert, looking out for unusual shortcuts, strange file paths, and changes in folder names, as these can be indicators of a Remcos infection.
Analysis - Blog Post:
Since last year and well into this year, Remcos malware campaigns have remained very active, continually evolving to stay hidden. Attackers typically send phishing emails containing malicious files, such as shortcuts, scripts, or documents.
When a victim opens the file, it quietly installs the Remcos program and hides it in new folders with names similar to those of legitimate Windows system folders on the PC. Once installed, Remcos allows attackers to control the PC, steal passwords, and record keystrokes. The malware maintains a backdoor by setting up scheduled tasks or employing other stealthy tactics. This way, they stay on the system for a long time without being detected.
In this recent campaign, a typical and effective Remcos attack uses hacked real email accounts, often belonging to small businesses or schools, so the messages are less likely to be flagged as suspicious. The emails distribute malicious Windows shortcut (LNK) files, typically concealed within compressed archive attachments. Later in the chain, the malware creates a spoofed Windows directory by leveraging a path-parsing bypass: prefixing the path with the Win32 verbatim-path prefix "\\?\".
Email Analysis
Targets receive emails sent from compromised accounts, carrying a .lnk shortcut embedded in a TAR archive.
LNK analysis:
The LNK file contains embedded PowerShell code and a long stream of random data, which inflates its file size. The PowerShell script downloads a .dat file containing an EXE in Base64 form, decodes it, and then drops the resulting EXE with a .pif extension into C:\ProgramData.
Fig. 3 - PowerShell code
EXE Analysis:
The EXE is built with the Borland Delphi compiler and has its resources packed. It uses a PDF icon to resemble a document, but it is saved with a .pif extension, a legacy Program Information File type that Windows still runs as an executable, so double-clicking the "document" launches the payload.
When the EXE runs, it makes a copy of itself, creates a URL shortcut file, and drops four .cmd batch files to carry out further activity and maintain persistence. These batch files are heavily obfuscated, using special symbols like %% and adding meaningless Arabic or Japanese text. This technique is designed to bypass standard antivirus detection methods.
When the batch files are deobfuscated, the underlying malicious commands become clear, as detailed in the table below.

Dropped .BAT file | De-obfuscated suspicious code | What it does
Bat1 (4-digit-random-number.cmd) | C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o | Uses the native Windows utility esentutl (its /y copy mode) to copy cmd.exe to an unusual location under a new name, C:\Users\Public\alpha.pif. That renamed cmd.exe then creates a directory designed to masquerade as C:\Windows\SysWOW64, with one subtle difference: an extra space after "Windows", giving the path C:\Windows \SysWOW64.
Bat2 (4-digit-random-number.cmd) | ping 127.0.0.1 -n 10 | Pings localhost ten times, a common batch idiom for pausing roughly ten seconds.
Bat3 (3-digit-random-number.cmd) | schtasks /create /sc minute /mo 10 /tn "Nsepijto" /tr "C:\ProgramData\Nsepijto.url" | Creates a scheduled task for persistence. Every 10 minutes the task runs a .URL shortcut that launches a copy of the original .pif file from a different location.
Neo.cmd | [InternetShortcut] |

Dropped .URL shortcut file: it is created to be executed by the scheduled task.
Nsepijto.url
[InternetShortcut]
It also tries to weaken Windows' User Account Control (UAC) by changing a registry setting. Normally UAC shows its consent prompt on the secure desktop, an isolated screen that other processes cannot draw over or click through. The malware edits the PromptOnSecureDesktop value under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System, which the report says it sets to 1. Note that 1 is the Windows default (prompt on the secure desktop) and 0 is the value that disables the secure desktop, so the exact value written should be confirmed from the sample; in either case the change affects only how the prompt is shown, it does not by itself grant elevation, and any modification of this value by a non-administrative tool is worth alerting on.
What is \\?\C:\Windows\SysWow64?
"\\?\" is the Win32 verbatim (extended-length) path prefix. A path that begins with it is passed to the NT layer without the normalization the Win32 API would otherwise apply: the MAX_PATH length limit is lifted, and, crucially here, trailing spaces and dots are not stripped from names. Malware uses it to create names that ordinary tooling cannot create and that many security tools, which compare standardized paths, do not expect.
SysWOW64 is a legitimate Windows system directory (it holds the 32-bit system binaries on 64-bit Windows). In this case Remcos creates a spoofed directory "C:\Windows \SysWOW64" (with an added space after "Windows") using the "\\?\" prefix. Without the prefix the API trims the trailing space, so a directory named "Windows " cannot come into existence at all; with it, the space survives and a separate directory tree appears that looks identical to the genuine one in Explorer and in the path columns of most tools. By copying itself into this look-alike path the malware masquerades as a trusted Windows component, which improves both its evasion and its persistence. A practical check: any directory or file name ending in a space or a period is abnormal on Windows and deserves a closer look.
Fig. 5 - Directory created masquerading as "C:\Windows \"
Observed Command:
cmd.exe /c mkdir "\\?\C:\Windows \SysWOW64"
Fig. 6 - File creation attempt log
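The batch commands above and the \\?\ directory trick lend themselves to straightforward detection logic. The Python below is an added example, not Forcepoint's code nor anything from the original write-up: it tokenizes process command lines, flags esentutl file copies, scheduled tasks whose action is a .url file, and verbatim-prefixed paths, and exposes a spoofed system directory by trimming trailing spaces and dots from every path component and comparing the result with a list of trusted directories. The trusted-directory list is an assumption for the example, and the sample command lines are constructed from the commands quoted on this page plus two benign lines for contrast.

```python
r"""Detection helpers for the Remcos tradecraft described on this page.

Added example, not Forcepoint's code.  SAMPLE_COMMAND_LINES is constructed
telemetry (not real logs): the batch commands quoted above, the observed
mkdir, and two benign lines, standing in for the CommandLine field of a
process-creation event such as Sysmon Event ID 1.
"""
import re

# Win32 "verbatim" prefix \\?\ : the path reaches the NT layer without the
# normalization that would otherwise strip trailing spaces and dots.
VERBATIM_PREFIX = "\\\\?\\"

# Trusted directories a dropped file might masquerade as (assumed list for
# the example; extend as needed).  Longest prefixes first.
SYSTEM_DIRS = (
    r"C:\Windows\System32",
    r"C:\Windows\SysWOW64",
    r"C:\Program Files",
    r"C:\Windows",
)

# Constructed sample telemetry, not real logs.
SAMPLE_COMMAND_LINES = [
    r"C:\Windows\System32\esentutl /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o",
    r"ping 127.0.0.1 -n 10",
    r'schtasks /create /sc minute /mo 10 /tn "Nsepijto" /tr "C:\ProgramData\Nsepijto.url"',
    r'cmd.exe /c mkdir "\\?\C:\Windows \SysWOW64"',
    r'schtasks /create /sc daily /tn Backup /tr "C:\Program Files\Backup\backup.exe"',
]

TOKEN_RE = re.compile(r'"([^"]*)"|(\S+)')


def tokenize(cmdline):
    """Split a Windows command line on whitespace, honouring double quotes."""
    return [quoted or bare for quoted, bare in TOKEN_RE.findall(cmdline)]


def strip_verbatim(path):
    """Drop a leading \\?\ so the rest of the path can be compared normally."""
    return path[len(VERBATIM_PREFIX):] if path.startswith(VERBATIM_PREFIX) else path


def spoof_target(path):
    r"""Return the trusted directory `path` masquerades as, or None.

    Explorer and normal Win32 callers never produce a name ending in a space
    or a period (the API trims them), so a component such as 'Windows ' only
    exists because something created it through a \\?\ path.  Trimming every
    component and comparing against the trusted list exposes
    "C:\Windows \SysWOW64" as a look-alike of C:\Windows\SysWOW64 while
    leaving the genuine directory alone.
    """
    raw = strip_verbatim(path).split("\\")
    trimmed = [component.rstrip(" .") for component in raw]
    if trimmed == raw:          # nothing was hiding in trailing characters
        return None
    canonical = "\\".join(trimmed).lower()
    for trusted in SYSTEM_DIRS:
        t = trusted.lower()
        if canonical == t or canonical.startswith(t + "\\"):
            return trusted
    return None


def arg_after(tokens, flag):
    """Value following a case-insensitive switch such as /d, or None."""
    lowered = [t.lower() for t in tokens]
    if flag in lowered and lowered.index(flag) + 1 < len(tokens):
        return tokens[lowered.index(flag) + 1]
    return None


def classify(cmdline):
    """Return a list of findings (strings) for one process command line."""
    tokens = tokenize(cmdline)
    if not tokens:
        return []
    exe = tokens[0].rsplit("\\", 1)[-1].lower()
    if exe.endswith(".exe"):
        exe = exe[:-4]
    lowered = [t.lower() for t in tokens]
    findings = []

    # esentutl /y <src> /d <dst> copies arbitrary files (a LOLBin); here it
    # clones cmd.exe into a user-writable folder under a .pif name.
    if exe == "esentutl":
        src, dst = arg_after(tokens, "/y"), arg_after(tokens, "/d")
        if src and dst:
            findings.append(f"esentutl used to copy {src} -> {dst}")

    # A scheduled task whose action is a .url file is how persistence is
    # kept in this campaign; legitimate tasks point at executables/scripts.
    if exe == "schtasks" and "/create" in lowered:
        action = arg_after(tokens, "/tr")
        if action and action.lower().endswith(".url"):
            findings.append(f"scheduled task runs a .url file: {action}")

    # Verbatim paths are rare on command lines; a spoofed trusted directory
    # is worse.  Every token is checked so mkdir/copy/ren targets are covered.
    for tok in tokens:
        if tok.startswith(VERBATIM_PREFIX):
            findings.append(f"verbatim \\\\?\\ path on command line: {tok}")
        target = spoof_target(tok)
        if target:
            findings.append(f"{tok!r} masquerades as trusted directory {target}")
    return findings


def scan(cmdlines):
    """Map each command line that produced findings to its findings."""
    return {line: found for line in cmdlines if (found := classify(line))}


if __name__ == "__main__":
    for line, found in scan(SAMPLE_COMMAND_LINES).items():
        print(line)
        for item in found:
            print("   ", item)
```

Run against the constructed sample, the two benign lines (the ping delay and the task pointing at a real executable) produce nothing, while the esentutl copy, the .url task and the verbatim mkdir are each reported; the mkdir line yields two findings, the \\?\ prefix itself and the identification of "C:\Windows \SysWOW64" as a look-alike of C:\Windows\SysWOW64. The trimming check deliberately covers every path component rather than only the last; for detection that is the right bias, since a trailing space or period anywhere in a Windows path is abnormal.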
The main executable (the .pif file) later injects into SndVol.exe, the legitimate Windows volume mixer, so that its network activity appears to come from a trusted system process.
From there it connects to a C2 domain hosted on OVHcloud, 5y9pfu[.]missileries-fenagle[.]yelocom[.]com, over the non-standard port 32583.
Fig. 7 - C2 connection via legitimate process
Once running inside the injected process, the implant profiles the host before the operators act on it:
- it checks whether the infected computer has an active internet connection;
- it reads the system language to infer the victim's country or region;
- it reads the country code stored in the Windows registry to help target specific areas.
Once fully operational, Remcos gives attackers complete control of the PC, letting them steal passwords, take screenshots, copy sensitive files, and more.
Conclusion:
This Remcos campaign demonstrates how malware conceals itself by masquerading as a trusted part of the operating system. It uses shortcut files, .pif executables dressed up as documents, and path tricks such as the "\\?\" prefix to create fake yet convincing Windows folders; a single added space and a verbatim path are enough to make a dropped file look like it lives under a legitimate system directory. Once inside, it runs quietly, making it harder for defenders to spot. The campaign shows how adept attackers have become at blending in with everyday files and processes. To stay safe, watch for unusual shortcuts, unusual paths (especially names ending in a space or period), scheduled tasks that launch .url files, and subtle changes in folder names. Being alert and looking closer remains the best defence.
Protection statement:
Forcepoint customers are protected against this threat at the following stages of attack:
Lure - Malicious attachments associated with these attacks are identified and blocked by email security analytics.
Dropper File - The dropper files are added to the Forcepoint malicious database and are blocked.
Call Home - C2 domains are categorized under the security category and blocked.
IOCs:
URLs:
siraco[.]net/acheck3.dat
C2:
5y9pfu[.]missileries-fenagle[.]yelocom[.]com
Hashes (SHA-1):
25591e9139b1c93e10ee2f22b86abb6da98785db - TAR
d14ffa3b95ae110794c1932581a0c3a0030521d4 - LNK
647fa7a36ec8d553c7b431acfb74cb55b475fa0e - EXE
bc7172dec0b12b05f2247bd5e17751eb33474d4e - BAT
61fdc4135afdc99e106912aeafeac9c8a967becc - BAT
6235b00643e324ac5fea07f9adae9f2a0db56b99 - BAT
This article is shared with permission at no charge for educational and informational purposes only.
Red Sky Alliance is a Cyber Threat Analysis and Intelligence Service organization. We provide indicators of compromise information via a notification service (RedXray) or an analysis service (CTAC). For questions, comments, or assistance, please get in touch with the office directly at 1-844-492-7225 or feedback@redskyalliance.com
- Reporting: https://www.redskyalliance.org/
- Website: https://www.redskyalliance.com/
- LinkedIn: https://www.linkedin.com/company/64265941
Weekly Cyber Intelligence Briefings:
REDSHORTS - Weekly Cyber Intelligence Briefings
https://register.gotowebinar.com/register/5207428251321676122
[1] https://hackread.com/remcos-malware-campaigns-hit-businesses-and-schools/