Stealthy New Remcos RAT Variant Evades Detection Using Innovative Staging Layers
ID: 05a7ba72-8c62-5a96-b6e4-c34f62b8d722
STIX ID: report--05a7ba72-8c62-5a96-b6e4-c34f62b8d722
Feed Name: securityonline.info
Security researchers disclosed a sophisticated phishing campaign delivering a Remcos RAT variant that hides malicious activity by abusing legitimate Windows administration components (e.g., SyncAppvPublishingServer.vbs) and a batch attachment (Bestellung.CMD); the attack stages payloads from cloud storage, drops helper tools and obfuscated configs, and ultimately executes an in-memory DonutLoader shellcode to evade traditional detection. The report highlights indicators and TTPs and recommends blocking unapproved scripts, monitoring native binary arguments, and restricting outbound connections to untrusted cloud storage.
