Fake Shipping Document Drives New Remcos Attack

Threat Overview

On 19 January 2026, AlienVault released a detailed threat report titled ‘New Remcos Campaign Distributed Through Fake Shipping Document’. The report describes a phishing operation that delivers a fileless variant of the Remcos RAT, a well‑known remote access trojan that has been active in the wild for several years. The attackers use a convincing front of a Vietnamese shipping company to lure victims into opening a malicious Microsoft Word document. The document, once opened, automatically retrieves a remote Rich Text Format (RTF) file, exploits a known vulnerability in the RTF parser, and then executes a combination of VBScript and PowerShell code. The code in turn loads a .NET module entirely into memory, acting as both a loader and a persistence mechanism for the Remcos payload.

Infection Chain

The infection chain can be broken down into the following stages:

  • Phishing email with a subject that mimics a shipping notice.
  • Embedded malicious Word document containing a macro that downloads a remote RTF file.
  • Exploitation of a CVE in the RTF engine to gain code execution.
  • Execution of VBScript and PowerShell scripts that load a .NET DLL into memory.
  • In-memory injection of Remcos version 7.0.4 Pro into a legitimate system process via process hollowing.
  • Establishment of persistence so that the backdoor is re‑established after a system reboot.

Remcos Capabilities

Remcos is a versatile RAT that offers a wide range of capabilities across six functional categories:

  • System management – file operations, process enumeration, and remote execution.
  • Surveillance – keylogging, screenshot capture, and webcam access.
  • Networking – port scanning, packet sniffing, and proxy configuration.
  • Communication – encrypted command and control channels.
  • Agent control – dynamic module loading and self‑update.
  • Persistence – registry modifications and scheduled task creation.

The version identified in this campaign (7.0.4 Pro) is specifically designed to remain in memory, making it harder to detect with traditional signature‑based scanners.

Detection and Indicators

Security analysts should look for the following indicators of compromise (IOCs):

  • Unusual outbound traffic to the IP addresses associated with the Remcos command‑and‑control servers.
  • Execution of PowerShell scripts that load .NET assemblies from memory.
  • Presence of a hidden process that carries the Remcos process name but runs under a legitimate system account.
  • Registry keys created under HKCU\Software\Microsoft\Windows\CurrentVersion\Run with values pointing to the Remcos DLL.
  • Unexpected fileless activity in the Windows Sysmon logs, particularly process creation events with the CommandLine field containing PowerShell or VBScript execution.
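The indicators above, together with the infection chain described earlier (Word spawning a script host, PowerShell loading a .NET assembly from memory, a Run key pointing at a DLL), can be turned into a simple triage pass over Sysmon process-creation (Event ID 1) and registry-set (Event ID 13) records. The script below is an added example written for this summary; it is not code from the AlienVault report or from ESSGroup. The event records it runs on are constructed for illustration, the paths, key names and command lines are invented, and none of the values are real IOCs from the campaign.

```python
"""
Added example (not from the AlienVault report or the ESSGroup post):
apply the Remcos indicators listed above to Sysmon-style event records.
Field names follow Sysmon Event ID 1 (process creation) and Event ID 13
(registry value set); the sample values are constructed, not real IOCs.
"""
import re
from dataclasses import dataclass

# Parent/child pairs the chain produces: an Office application launching a
# script host (VBScript, PowerShell) is the first visible step.
OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Sysmon records HKCU keys under HKU\<SID>\..., so match on the tail of the path.
RUN_KEY_MARKER = "\\software\\microsoft\\windows\\currentversion\\run\\"

# Command-line fragments that indicate a .NET assembly being loaded from
# memory rather than from a file on disk, plus common encoding switches.
INMEMORY_PATTERNS = [
    re.compile(r"reflection\.assembly\]?::load", re.I),
    re.compile(r"\[system\.reflection\.assembly\]", re.I),
    re.compile(r"-enc(odedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I),
    re.compile(r"frombase64string", re.I),
    re.compile(r"downloadstring|downloaddata|invoke-webrequest", re.I),
]


@dataclass
class Finding:
    event_id: int
    rule: str
    detail: str


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path (tolerates forward slashes)."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> list:
    """Apply the process-creation indicators to one Event ID 1 record."""
    findings = []
    image = _basename(ev.get("Image", ""))
    parent = _basename(ev.get("ParentImage", ""))
    cmdline = ev.get("CommandLine", "")
    if parent in OFFICE_PARENTS and image in SCRIPT_HOSTS:
        findings.append(Finding(1, "office_spawns_script_host", f"{parent} -> {image}"))
    if image in SCRIPT_HOSTS:
        for pat in INMEMORY_PATTERNS:
            if pat.search(cmdline):
                findings.append(Finding(1, "inmemory_assembly_load", pat.pattern))
                break
    return findings


def check_registry_event(ev: dict) -> list:
    """Apply the Run-key persistence indicator to one Event ID 13 record."""
    target = ev.get("TargetObject", "").lower()
    details = ev.get("Details", "").lower()
    image = _basename(ev.get("Image", ""))
    written_by_script = image in SCRIPT_HOSTS
    points_at_dll = ".dll" in details or "rundll32" in details or "regsvr32" in details
    if RUN_KEY_MARKER in target and (written_by_script or points_at_dll):
        return [Finding(13, "run_key_persistence", f"{ev.get('TargetObject', '')} = {ev.get('Details', '')}")]
    return []


def triage(events: list) -> list:
    """Route each record to the matching check and collect all findings."""
    out = []
    for ev in events:
        if ev.get("EventID") == 1:
            out.extend(check_process_event(ev))
        elif ev.get("EventID") == 13:
            out.extend(check_registry_event(ev))
    return out


# Constructed sample telemetry for the example; not captured from a real host.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"WINWORD.EXE" /n "C:\Users\user\Downloads\shipping_notice.doc"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'wscript.exe "C:\Users\user\AppData\Local\Temp\update.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell.exe -nop -w hidden -c "[System.Reflection.Assembly]::Load($data)"'},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-EXAMPLE\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"rundll32.exe C:\Users\user\AppData\Roaming\loader.dll,Start"},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "powershell.exe Get-ChildItem C:\\Logs"},  # benign admin use, should not fire
]

if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[EID {f.event_id}] {f.rule}: {f.detail}")
```

Run against the sample set, the three chain-related records fire one rule each (Office-to-script-host parentage, in-memory assembly load, Run-key persistence) while the benign PowerShell record does not. In production the same checks would read exported Sysmon JSON or a SIEM query result; the parent-child rule is the cheapest and most robust of the three, because it does not depend on the attacker's choice of command-line syntax.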

Mitigation Recommendations

To defend against this campaign, organizations should implement a layered approach that includes the following controls:

  1. Deploy an advanced email filtering solution that detects phishing signatures and blocks attachments from unknown or suspicious senders.
  2. Enforce a strict macro policy on Microsoft Office, disabling all macros by default and allowing only digitally signed macros from trusted sources.
  3. Apply the latest patches for Windows and Office, especially those that address the RTF vulnerability exploited by the attackers.
  4. Implement endpoint detection and response (EDR) tools that can detect fileless execution patterns, such as PowerShell scripts loading .NET assemblies into memory.
  5. Use application whitelisting to prevent unauthorized binaries from executing, even if they are injected into legitimate processes.
  6. Conduct regular security awareness training focused on phishing recognition, emphasizing that legitimate shipping notifications can be used as a lure.
  7. Monitor network traffic for anomalous connections to external IPs, particularly those using uncommon ports or encrypted protocols.
  8. Maintain up‑to‑date incident response playbooks that include steps for isolating compromised hosts, removing in‑memory payloads, and restoring systems from clean backups.

Conclusion

The new Remcos campaign demonstrates how threat actors continue to evolve their delivery mechanisms, moving from traditional file‑based malware to sophisticated fileless techniques that exploit legitimate software components. By understanding the infection chain, capabilities, and indicators of compromise, security analysts can better detect and respond to this threat. A proactive, multi‑layered defense strategy that combines email filtering, patch management, endpoint detection, and user education is essential to mitigate the risk posed by this campaign.


Copyright © 2025 ESSGroup
