Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
ID: 8acc1ed9-c2b7-52d6-bd41-fb25860c5b27
STIX ID: report--8acc1ed9-c2b7-52d6-bd41-fb25860c5b27
Feed Name: Qualys Blog
Qualys Threat Research Unit describes a PowerShell-based fileless shellcode loader used to deliver and execute a Remcos RAT variant via weaponized LNK files and mshta.exe; the analysis details deobfuscation, in-memory PE loading, API resolution, persistence (registry run keys, mutex, process hollowing), UAC bypass attempts, C2 communications (domain/IPs, TLS port 2025), extensive espionage capabilities (keylogging, credential theft, screenshots, webcam/microphone capture), MITRE technique mappings, IOCs (hashes, domain, IPs, mutex), and recommended EDR/PowerShell/AMSI defensive controls.
