An active multi-stage phishing campaign distributes AsyncRAT and Remcos RATs through weaponized Excel attachments targeting sales, procurement, and vendor management staff globally. The infection chain uses VBA macros to retrieve HTA payloads via URL shorteners and Cloudflare Workers, with final payloads hidden via PNG steganography and loaded filelessly into memory via .NET assembly loading. The campaign demonstrates high-volume, automated payload generation with consistent obfuscation patterns including Base64 encoding, character substitution, and string reversal.