Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs
ID: 1cd0d38e-619c-5b0c-9825-1284145262f4
STIX ID: report--1cd0d38e-619c-5b0c-9825-1284145262f4
Feed Name: LevelBlue SpiderLabs Blog
Cybereason GSOC observed a rise in REMCOS RAT infections delivered via trojanized Shotcut portable ZIPs that replace legitimate DLLs to load multi-stage loaders. The attackers use MSHTA/PowerShell staging, DLL sideloading, callback-style shellcode injection, and in-memory loading to deploy a full-featured RAT capable of keylogging, credential theft, surveillance, privilege escalation, and persistent C2 communications; the report includes identified IOCs and containment recommendations.
