AsyncRAT and Remcos Delivered in Multi-Stage Phishing Campaign
An active multi-stage phishing campaign distributes AsyncRAT and Remcos RATs through weaponized Excel attachments targeting sales, procurement, and vendor management staff globally. The infection chain uses VBA macros to retrieve HTA payloads via URL shorteners and Cloudflare Workers, with final payloads hidden via PNG steganography and loaded filelessly into memory via .NET assembly loading. The campaign demonstrates high-volume, automated payload generation with consistent obfuscation patterns including Base64 encoding, character substitution, and string reversal.
- domaindawn-bush-ddd1[.]yasminanthonyy[.]workers[.]devCloudflare Worker hostname used for hosting campaign payloads
- domainffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg[.]duckdns[.]orgRemcos C2 domain on port 14647 with botnet ID MILLIONS and mutex MILLIONS
- domainicy-lab-0431[.]guilherme-telecomunicacoes2024[.]workers[.]devCloudflare Worker hostname accounting for approximately 90% of payload staging variations in the campaign
- domainsmall-morning-8be0[.]fsocietyandtools[.]workers[.]devCloudflare Worker hostname used for hosting campaign payloads
- ip107[.]172[.]135[.]60Server hosting Remcos HTA file at path /96/ibredgoodforbestthingscomingbackform.hta
- ip107[.]172[.]235[.]213Server hosting PNG-named Remcos stager at path /87/img_015059.png
- ip173[.]231[.]188[.]244Remcos C2 server communicating on port 14641 with botnet ID RemoteHost and mutex Rmc-J1B78C
- ip192[.]227[.]219[.]79Remcos C2 server communicating on ports 4550/4551/4553 with botnet ID alocrypt and mutex Rmc-B4NCF7
- ip198[.]12[.]83[.]75Server hosting AsyncRAT PNG payload and HTA files at paths /98/img_194618.png and /98/recreatingmylifewithbestnetworkingskills.hta
- mutexRmc-J1B78CMutex used by Remcos for instance tracking, associated with C2 173.231.188.244
- sha25649c7b4eb6620917ee7ca796472b7af9f01ea6f7f80391ae7eb7bd8dabe0b7249Analyzed malicious Excel attachment that delivers AsyncRAT through the multi-stage chain
- sha256bb551faff31c0a2c073b8a8cde34b41b6aed6e3aa7ca190e4764fdbc037be2c3Hash associated with HTA files givenmebreakwithbestthingsgood.hta and sleestak_payload_1.hta delivering Remcos
- sha256eb5ec9fca46e31da933f3a52aed3e483aec25e59c7540b89740fbe6dc19b0bc8Hash associated with HTA file goodthingsformebetterforme.hta delivering Remcos
- urlhxxp://107[.]172[.]135[.]60/96/ibredgoodforbestthingscomingbackform[.]htaDirect URL hosting Remcos HTA file with motivational word-salad naming convention
- urlhxxp://107[.]172[.]235[.]213/87/img_015059[.]pngPNG-named file hosting embedded Remcos stager payload
- urlhxxp://198[.]12[.]83[.]75/98/img_194618[.]pngPNG-named file hosting embedded AsyncRAT payload
- urlhxxp://198[.]12[.]83[.]75/98/recreatingmylifewithbestnetworkingskills[.]htaHTA file with decoy URL parameter appended for detection evasion
- urlhxxps://as[.]al/file/KBn1RCPaste service URL used to retrieve obfuscated next-stage payload from PowerShell
- urlhxxps://cuth[.]me/sse8kUURL shortener link redirecting to HTA payload in the first stage of the infection chain
- urlhxxps://masuk[.]to/FdpxBGURL shortener link redirecting to HTA payload
Detection / Hunteropenrouter
What Happened
Cybercriminals are sending fake business emails with malicious Excel files attached, targeting employees who handle purchasing and vendor relationships at companies around the world. When someone opens the spreadsheet and enables macros, it triggers a chain of hidden downloads that eventually installs remote access trojans (programs that let attackers control the computer remotely and steal data). The attackers disguise their malicious downloads using shortened web links, fake image files, and cloud computing services to avoid detection by security software. Organizations should train employees to be suspicious of unexpected attachments, ensure macro security settings are enforced, and check their systems for the specific indicators listed in this report.
Key Takeaways
- Multi-stage phishing campaign delivering Remcos and AsyncRAT via weaponized Excel attachments with VBA macros
- Attack chain uses URL shorteners, Cloudflare Workers, and PNG steganography to evade detection at each stage
- HTA files use a distinctive naming convention of concatenated positive/aspirational English words, serving as a high-fidelity hunting indicator
- Payloads are loaded filelessly via AppDomain.CurrentDomain.Load() invoking Fiber.Program.Main namespace
- Campaign shows signs of LLM-assisted automation given the high volume of payload variations and low-complexity obfuscation
Affected Systems
- Microsoft Windows endpoints with Microsoft Excel
- Organizations in manufacturing, media, professional services, agriculture, and chemicals sectors globally
Vulnerabilities (CVEs)
None identified.
Attack Chain
- Initial Access: Phishing emails with business-themed lures (purchase orders, shipping docs, supplier registration) deliver malicious Excel attachments to sales, procurement, and vendor management staff
- Execution: Victim opens Excel and enables macros; embedded VBA retrieves HTA payload via URL shorteners (cuth.me, masuk.to) or direct URLs with decoy parameters
- Defense Evasion: HTA file contains Base64-encoded PowerShell hidden between padding and 'disor' delimiter strings; PowerShell decodes payload using character substitution, reversal, and Base64 decoding
- Staging: PowerShell retrieves PNG file from attacker infrastructure or Cloudflare Workers containing an embedded DLL between 'IN-'/'-in1' or 'INICIO'/'FIM' markers
- Execution: DLL loaded filelessly via AppDomain.CurrentDomain.Load() invoking Fiber.Program.Main with hardcoded config including drop path, scheduled task name, and next-stage URL
- Persistence & C2: Final payload (AsyncRAT or Remcos) dropped to C:\Users\Public\Downloads, persistence via scheduled task and HKCU/HKLM Run keys; C2 over RC4-encrypted TLS channels
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: OTX Pulse
No detection rules are provided in the article. An OTX Pulse is referenced containing additional IOCs but no YARA, Sigma, Snort, or Suricata rules are included.
Detection Engineering Assessment
| Dimension | Rating | Rationale |
|---|---|---|
| EDR Visibility | Medium | The campaign relies heavily on fileless execution via PowerShell and .NET assembly loading, which may be visible through PowerShell script block logging and .NET assembly load events. However, the use of mshta.exe as a proxy execution tool and in-memory loading via AppDomain.CurrentDomain.Load() can bypass some EDR sensors that focus on file-based detections. |
| Network Visibility | Medium | HTTP/HTTPS traffic to URL shorteners, Cloudflare Workers, and direct IP-hosted PNG files is observable. However, Cloudflare Workers traffic blends with legitimate CDN traffic and the use of URL shorteners with decoy parameters may not trigger network signatures without specific URL path monitoring. |
| Detection Difficulty | Moderate | The campaign uses consistent patterns (HTA naming convention, Fiber.Program namespace, PNG steganography markers, Cloudflare Workers) that enable detection once identified. However, the high volume of payload variations and use of legitimate infrastructure (Cloudflare Workers, URL shorteners) requires behavioral detection rather than simple hash-based blocking. |
Required Log Sources
- PowerShell Script Block Logging (Event ID 4104)
- Microsoft-Windows-WMI-Activity/Operational
- Sysmon Event ID 1 (Process Creation)
- Sysmon Event ID 7 (Image Loaded - for .NET assembly loads)
- Sysmon Event ID 11 (File Creation - for dropped payloads)
- Sysmon Event ID 12/13 (Registry modifications for Run keys)
- DNS resolution logs
- HTTP proxy logs with full URL paths
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for mshta.exe spawning PowerShell processes, which would indicate HTA-based execution of script payloads consistent with this campaign's T1218.005 technique | Sysmon Event ID 1 (Process Creation) with parent-child process relationships, EDR process telemetry | Execution | Low - mshta.exe spawning PowerShell is rare in normal enterprise environments |
| Consider hunting for .NET assemblies loaded via AppDomain.CurrentDomain.Load() in PowerShell context, which would indicate fileless DLL execution consistent with this campaign's payload delivery | PowerShell Script Block Logging (Event ID 4104), Sysmon Event ID 7 (Image Loaded), .NET ETW traces | Execution | Medium - legitimate administrative scripts may use .NET assembly loading, requiring additional context filtering |
| Consider hunting for HTA files with long concatenated lowercase English word filenames matching the motivational word-salad naming pattern described in the campaign | Sysmon Event ID 11 (File Creation), EDR file events, email gateway attachment logs | Initial Access | Low - this specific naming pattern is highly distinctive and unlikely to appear in legitimate software |
| Consider hunting for scheduled task creation with random-looking task names (e.g., CTCz2HtLqO) using Caspol as the executor, which would indicate persistence mechanism from this campaign | Sysmon Event ID 1 (Process Creation for schtasks.exe), Windows Task Scheduler logs, EDR process telemetry | Persistence | Low to Medium - Caspol as a scheduled task executor is unusual and warrants investigation |
| Consider hunting for network connections to *.workers.dev subdomains retrieving PNG files, which may indicate Cloudflare Workers being used for payload staging | DNS logs, HTTP proxy logs, firewall connection logs | Command and Control | Medium - Cloudflare Workers are used legitimately; focus on specific subdomain patterns and PNG retrieval context |
Control Gaps
- Fileless execution via AppDomain.CurrentDomain.Load() may bypass file-based AV and EDR detections that rely on on-disk scanning
- Cloudflare Workers domains blend with legitimate CDN traffic and may not be blocked by URL filtering or threat intelligence feeds
- URL shortener redirects can bypass simple domain-based allow/deny lists
- PNG steganography with embedded executables may not be detected by standard file type inspection
- Decoy URL parameters appended to legitimate-looking URLs may evade URL reputation checks
Key Behavioral Indicators
- mshta.exe as parent process of powershell.exe
- PowerShell executing [AppDomain]::CurrentDomain.Load() with byte array input
- HTA files with concatenated lowercase English motivational word filenames
- Scheduled tasks created with Caspol as executor and random task names
- WMI Win32_Process.Create with ShowWindow=0 for hidden process execution
- PNG files containing 'IN-'/'-in1' or 'INICIO'/'FIM' marker strings
- Network connections to *.workers.dev subdomains with auto-generated prefixes
- PowerShell scripts using .split('disor').join('') for string deobfuscation
- Files dropped to C:\Users\Public\Downloads\ with random alphanumeric names and .hta extension
False Positive Assessment
Low - The campaign uses distinctive indicators including the HTA motivational word-salad naming convention, Fiber.Program namespace, specific steganography markers, and Cloudflare Workers with auto-generated prefixes that are unlikely to appear in legitimate activity. However, blocking *.workers.dev domains broadly could generate false positives for legitimate Cloudflare Workers usage.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider blocking the identified C2 IPs (173.231.188.244, 192.227.219.79, 107.172.235.213, 107.172.135.60, 198.12.83.75) and domains (ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns.org, icy-lab-0431.guilherme-telecomunicacoes2024.workers.dev, dawn-bush-ddd1.yasminanthonyy.workers.dev, small-morning-8be0.fsocietyandtools.workers.dev) at your firewall and proxy if supported by your tooling
- Consider searching endpoint telemetry for the SHA256 hash 49c7b4eb6620917ee7ca796472b7af9f01ea6f7f80391ae7eb7bd8dabe0b7249 and the additional SHA256 hashes to identify potentially compromised hosts
- If your EDR supports it, consider hunting for mshta.exe spawning powershell.exe and for PowerShell processes invoking AppDomain.CurrentDomain.Load() to identify fileless execution chains
- Consider reviewing email gateway logs for attachments matching the identified URL shortener redirects (cuth.me, masuk.to) and quarantine any matching messages
Infrastructure Hardening
- Evaluate whether blocking URL shortener domains (cuth.me, masuk.to) at your web proxy is feasible given your organization's usage patterns
- Consider implementing network rules to flag or block *.workers.dev subdomains with auto-generated prefixes if your proxy supports pattern-based URL filtering
- If applicable, consider restricting outbound connections to direct IP-addressed web servers (non-FQDN HTTP/HTTPS) which is uncommon for legitimate enterprise traffic
- Evaluate whether your SIEM can alert on scheduled task creation using unusual executors like Caspol
User Protection
- Consider enforcing Microsoft Office macro security via Group Policy to disable macros from untrusted sources or require macro signing
- If supported by your EDR, consider enabling behavior-based detection for fileless .NET assembly loading from PowerShell
- Evaluate whether your endpoint protection can scan for steganographic markers in PNG files (IN-/-in1, INICIO/FIM, ##QqVT-in1)
- Consider deploying ASR (Attack Surface Reduction) rules if using Microsoft Defender, particularly those targeting Office macro abuse and mshta.exe execution
Security Awareness
- Consider incorporating this campaign's phishing themes (purchase orders, supplier registration, shipping documents, payment advice notes, supply contracts) into existing phishing simulation exercises
- Remind employees in sales, procurement, and vendor management roles to verify unexpected vendor-related attachments through out-of-band communication before opening
- Consider briefing staff on the multilingual nature of this campaign (English, Polish, Chinese, Thai) if your organization operates in affected regions
MITRE ATT&CK Mapping
Initial Access
Execution
Persistence
Command and Control
Additional IOCs
- Ips:
107[.]172[.]235[.]213- Server hosting PNG-named Remcos stager at path /87/img_015059.png107[.]172[.]135[.]60- Server hosting Remcos HTA file at path /96/ibredgoodforbestthingscomingbackform.hta198[.]12[.]83[.]75- Server hosting AsyncRAT PNG payload and HTA files at paths /98/img_194618.png and /98/recreatingmylifewithbestnetworkingskills.hta
- Domains:
dawn-bush-ddd1[.]yasminanthonyy[.]workers[.]dev- Cloudflare Worker hostname used for hosting campaign payloadssmall-morning-8be0[.]fsocietyandtools[.]workers[.]dev- Cloudflare Worker hostname used for hosting campaign payloads
- Urls:
hxxps://masuk[.]to/FdpxBG- URL shortener link redirecting to HTA payloadhxxp://107[.]172[.]135[.]60/96/ibredgoodforbestthingscomingbackform.hta- Direct URL hosting Remcos HTA file with motivational word-salad naming conventionhxxp://198[.]12[.]83[.]75/98/recreatingmylifewithbestnetworkingskills.hta- HTA file with decoy URL parameter appended for detection evasion
- File Hashes:
bb551faff31c0a2c073b8a8cde34b41b6aed6e3aa7ca190e4764fdbc037be2c3(SHA256) - Hash associated with HTA files givenmebreakwithbestthingsgood.hta and sleestak_payload_1.hta delivering Remcoseb5ec9fca46e31da933f3a52aed3e483aec25e59c7540b89740fbe6dc19b0bc8(SHA256) - Hash associated with HTA file goodthingsformebetterforme.hta delivering Remcos
- Registry Keys:
HKCU\Software\Microsoft\Windows\CurrentVersion\Run- Remcos persistence via Run key in HKCU as identified in configuration analysisHKLM\Software\Microsoft\Windows\CurrentVersion\Run- Remcos persistence via Run key in HKLM as identified in configuration analysis
- File Paths:
C:\Users\Public\Downloads\tANbAj85Pn.hta- Drop path and filename for next-stage HTA payload as configured in Fiber.Program.Main arguments
- Command Lines:
- Purpose: Decode Base64 payload from PNG file, reverse character array, perform character substitution, and load resulting .NET assembly into memory without writing to disk | Tools:
powershell.exe,mshta.exe| Stage: Execution |[AppDomain]::CurrentDomain.Load() - Purpose: Create scheduled task for persistence of dropped HTA payload using Caspol as executor | Tools:
schtasks.exe| Stage: Persistence |schtasks /create /tn <taskname> /tr - Purpose: Launch hidden process via WMI Win32_Process.Create with ShowWindow=0 for stealthy execution of decoded payload | Tools:
mshta.exe,powershell.exe| Stage: Execution |wmic process call create
- Purpose: Decode Base64 payload from PNG file, reverse character array, perform character substitution, and load resulting .NET assembly into memory without writing to disk | Tools:
- Other:
Rmc-B4NCF7- Mutex used by Remcos for instance tracking, associated with C2 192.227.219.79MILLIONS- Mutex and botnet ID used by Remcos, associated with C2 ffgfgjjddsgtrddhtjyfdsessxdssdfdfdfghfhg.duckdns.orgCTCz2HtLqO- Scheduled task name used for persistence of dropped HTA payload##QqVT-in1- String marker at end of PNG files indicating an embedded executable payload is presentFiber.Program- .NET namespace consistently used across campaign payloads as entry point for in-memory DLL execution