The Stealthy Stalker: Remcos RAT
ID: de7d46a6-5cce-5b2f-b09b-747caa11e9c6
STIX ID: report--de7d46a6-5cce-5b2f-b09b-747caa11e9c6
Feed Name: McAfee Labs Blog
McAfee Labs technical analysis describes a rise in Remcos RAT activity and examines two variants. The first is delivered by an obfuscated VBS/PowerShell loader that fetches DLLs from FTP and PasteCode and injects the Remcos payload into RegAsm.exe. The second arrives as a malicious DOCX that exploits CVE-2017-11882 to drop an RTF, which ultimately loads Remcos in memory through a dnlib-based assembly. The report includes detailed infection chains, persistence and injection techniques, memory artifacts, mutexes, numerous IOCs (hashes and URLs), and recommended mitigations.
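The mutexes, hashes and URLs the report lists are not reproduced in this summary, but both delivery chains it describes leave a process-lineage signature that can be hunted without them: an Office application spawning the Equation Editor (EQNEDT32.EXE, the component affected by CVE-2017-11882), and a script host or PowerShell spawning RegAsm.exe, which is an injection target rather than something a loader legitimately runs. The Python below is an added example, not code from the McAfee Labs analysis. The event records, field names and host names are constructed for the example and assume a Sysmon Event ID 1 (process creation) shape; real telemetry would need to be mapped onto those fields, and the rule names and the no-assembly-argument heuristic are this example's own, not the report's.

```python
"""Process-lineage hunt for the two Remcos delivery chains described above.

Added example, not code from the McAfee Labs report. Input records follow a
Sysmon Event ID 1 (process creation) shape; the five SAMPLE_EVENTS are
constructed for this example and are not telemetry or IOCs from the report.
"""
import ntpath
import re
from dataclasses import dataclass

# Office hosts a weaponised DOCX would be opened in.
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
# Interpreters a VBS/PowerShell loader runs under; RegAsm.exe has no
# legitimate reason to be a child of any of them.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe",
                "mshta.exe", "cmd.exe"}

SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {"ts": "2024-05-01T10:00:01", "host": "WS01",
     "parent": r"C:\Windows\System32\wscript.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -enc SQBFAFgA"},
    {"ts": "2024-05-01T10:00:04", "host": "WS01",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe"},
    {"ts": "2024-05-01T11:30:00", "host": "WS02",
     "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "cmdline": r'"C:\Program Files (x86)\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE" -Embedding'},
    {"ts": "2024-05-01T12:00:00", "host": "WS03",
     "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n'},
    {"ts": "2024-05-01T12:05:00", "host": "WS04",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Community\Common7\IDE\devenv.exe",
     "image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\RegAsm.exe",
     "cmdline": r"RegAsm.exe /codebase C:\build\MyComponent.dll"},
]


@dataclass(frozen=True)
class Finding:
    host: str
    ts: str
    rule: str
    detail: str


def _basename(path: str) -> str:
    # ntpath handles Windows separators regardless of the analyst's own OS.
    return ntpath.basename(path).lower()


def _has_assembly_argument(cmdline: str) -> bool:
    # A legitimate RegAsm run names an assembly to register. A bare image
    # path, which is what a loader that creates the process only to inject
    # into it typically supplies, does not. The first token (quoted or not)
    # is the image; anything after it counts as an argument.
    m = re.match(r'\s*(?:"[^"]*"|\S+)\s*(.*)', cmdline, re.S)
    return bool(m and m.group(1).strip())


def classify(event: dict) -> list[Finding]:
    parent = _basename(event["parent"])
    image = _basename(event["image"])
    findings: list[Finding] = []
    if parent in OFFICE_APPS and image == "eqnedt32.exe":
        findings.append(Finding(
            event["host"], event["ts"], "office_spawns_equation_editor",
            f"{parent} -> {image}: Equation Editor started by an Office "
            "application, the execution path a CVE-2017-11882 document takes"))
    if image == "regasm.exe":
        if parent in SCRIPT_HOSTS:
            findings.append(Finding(
                event["host"], event["ts"], "script_host_spawns_regasm",
                f"{parent} -> {image}: RegAsm.exe is an injection target, "
                "not a normal child of a script interpreter"))
        if not _has_assembly_argument(event["cmdline"]):
            findings.append(Finding(
                event["host"], event["ts"], "regasm_without_assembly",
                "RegAsm.exe launched with no assembly to register; consistent "
                "with a process created only to receive injected code"))
    return findings


def hunt(events: list[dict]) -> list[Finding]:
    return [f for e in events for f in classify(e)]


if __name__ == "__main__":
    for f in hunt(SAMPLE_EVENTS):
        print(f"{f.ts} {f.host} [{f.rule}] {f.detail}")
```

On the constructed events this flags WS01 twice (PowerShell parent, and RegAsm started with no assembly) and WS02 once (WINWORD.EXE starting EQNEDT32.EXE), while the developer's RegAsm run on WS04 and the ordinary Word launch on WS03 pass. The lineage rules are cheap and survive repacking of the loader; the no-argument heuristic is weaker on its own and is best treated as corroboration rather than a standalone alert.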
