Remcos

Adversaries may buy, steal, or download malware that can be used during targeting. Malicious software can include payloads, droppers, post-compromise tools, backdoors, packers, and C2 protocols. Adversaries may acquire malware to support their operations, obtaining a means for maintaining control of remote machines, evading defenses, and executing post-compromise behaviors.

A newly discovered supply chain attack has put thousands of e-commerce websites at risk after a popular third-party reviews widget was quietly turned into a malware delivery tool.

The campaigns in Italian analyzed by the TG Soft C.R.A.M. were grouped according to macro categories, obtained from the subject of the email message used for malware distribution (malspam).

15/06/2026 AgentTesla - spread through five campaigns themed around: ‘Documents’, ‘Invoices’, 'Orders' (two) and ‘Requests’. ... FormBook - spread through two campaigns themed around ‘Payments’ and ‘Requests’.

the JavaScript... will launch a PowerShell script through WMI: WbemScripting.SWbemLocator → ConnectServer() → Win32_Process.Create()

That command then pulled down a PowerShell script or HTML Application file, which installed a remote access tool or information stealer on the victim’s machine.

Compressed MS Excel documents containing macros which, if enabled, download malware

In this incident, the SmartApeSG injected JavaScript behaved as a staged loader, and did not attempt to execute every action immediately.

Victims who passed these filters were shown a fake CAPTCHA or verification screen, a technique known as ClickFix. These prompts instructed users to open the Windows Run menu and paste a command that was already copied silently to their clipboard.

The top-ranking samples this week are Script files accounting for 65,22%. MSIL files follow in second place with 20,65%. As for third place, we find Office documents (Word, Excel, PowerPoint) with 14,13%.

It creates a hidden copy of itself inside the AppData Roaming folder under a randomized name and sets a Run registry key so it launches automatically every time the victim logs into the system.

The malware will be injected in a process "backgroundTaskHost.exe"

Remcos then uses process hollowing to run under the victim’s default browser process name, blending smoothly into normal system activity and evading detection.

It creates a hidden copy of itself inside the AppData Roaming folder under a randomized name and sets a Run registry key so it launches automatically every time the victim logs into the system.

and bypasses User Account Control using eventviewer.exe.

In the first stage, the JavaScript (obfuscated and hidden in many comments)... The string “bubble” pollutes the code and is removed during execution.

HeartCrypt was originally discovered through underground forums... it has been used to pack over 2,000 malicious payloads... The packed payload was consistently added as a resource to a legitimate binary... Each resource embedded in the binary contains PIC disguised as a bitmap (BMP) image file. This begins with a standard BMP header followed by a repeating hexadecimal pattern for padding.

The malware hides its next-stage components inside resource sections of the executable using a steganographic technique, where payload data is embedded within a serialized .NET Bitmap object.

The malware will be injected in a process "backgroundTaskHost.exe"

Remcos then uses process hollowing to run under the victim’s default browser process name, blending smoothly into normal system activity and evading detection.

That command then pulled down a PowerShell script or HTML Application file, which installed a remote access tool or information stealer on the victim’s machine.

The malware checks for sandbox and virtual machine environments before proceeding

it contains a VHDX file that discloses a malicious JavaScript after being mounted (which is automatic on modern Windows OSs)

The first extracted component is a DLL named Optimax.dll, which is loaded directly into memory without ever touching the disk.

It continuously monitors the active window, logs title changes, and tracks user idle time

Beyond that, it steals stored credentials and cookies from Chrome and Firefox

The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").

The malware checks for sandbox and virtual machine environments before proceeding

It continuously monitors the active window, logs title changes, and tracks user idle time

Agent Tesla can steal data from the victim’s clipboard. APT38 used a Trojan called KEYLIME to collect data from the clipboard. APT39 has used tools capable of stealing contents of the clipboard.

while also recording audio and webcam feeds.

while also recording audio and webcam feeds.

Beyond that, it steals stored credentials and cookies from Chrome and Firefox and saves all captured data into a file called logs.dat.

Yesterday, a reader reported to us a malicious ZIP archive... Once unzipped, it contains a VHDX file...

This information is then quietly exfiltrated to a remote command-and-control server at 62.102.148.212.

The script downloads the next stage from: hxxps://cembusconfort[.]ro/Exoticisms121.dsp and saves it to %APPDATA%\Endocoel.Pro... The shellcode will fetch the malware itself from: hxxps://cembusconfort[.]ro/YoHtJ27.bin

Deploy remote access tools or information stealers.