During routine telemetry monitoring, we identified a detection on a suspicious file named “GST Debit Note Apr_26.com”, which prompted us to investigate the sample further.

Our analysis revealed that the payload was a variant of the Remcos RAT malware family, distributed via a phishing campaign as an archive attachment. One notable characteristic of this infection chain was its reliance on in-memory (fileless) execution combined with steganography. By avoiding disk-based artifacts, the threat reduces forensic evidence and increases its ability to evade traditional security tools and signature-based detection methods.

Figure 1: Kill chain of Remcos RAT

Upon downloading and extracting the archive, it drops a file named “GST Debit Note Apr_26.com”. Initial triage revealed that the file is a 32-bit .NET executable. Further inspection using Detect It Easy indicated that the binary was packed. Additionally, the sample was found to be unsigned.

Figure 2: The executable attached to the phishing e-mail

Interestingly, the sample contains embedded Turkish-language artifacts, and the executable masquerades as a legitimate brick-building game. The decoy application is intended to run in the background after launch, likely to reduce user suspicion.

Figure 3: Viewing the executable in CFF Explorer

Upon reversing the binary, we observed that it leverages embedded resource content for payload delivery. The malware hides and retrieves its next-stage components from resource sections, effectively using a steganographic-style delivery technique to obscure malicious content and complicate static analysis. 

Upon extracting the embedded resource identified as SR1, we found that it contains a serialized .NET Bitmap object. The malware abuses this object as a container for hidden payload data, reinforcing the use of steganographic techniques for payload concealment and staged delivery.

Figure 4: Script used to extract the next-stage loader from the resources (steganography)

The above script extracts the next-stage loader, Optimax.dll, and loads it directly into memory during execution without writing it to disk.

Figure 5: The first extracted loader

The extracted next-stage loader, Optimax.dll, is a 32-bit .NET DLL. Reversing it in dnSpy shows that it dynamically loads a .NET assembly directly from an in-memory byte array using reflection and late binding. Instead of loading a DLL from disk, the payload is reconstructed in memory (this.pf.ToArray<byte>()) and executed through AppDomain.Load, a technique commonly seen in packers, loaders, and fileless malware.

Figure 6: Loaded modules at runtime

This DLL in turn loads another DLL in memory, “System Optimizer Ultimate.dll”, a second-stage loader that delivers the final payload, again entirely in memory. The final payload, Remcos, uses process hollowing to run under the process name of whichever browser the user has set as default.

Further behavioral analysis showed that, upon execution, the malware creates a copy of itself inside the AppData\Roaming directory under a randomized name, with the superhidden (hidden and system) attributes set. It also includes a complete cleanup routine to erase its footprints.

Figure 7: Self-copy with a hidden attribute

During execution, the malware drops an obfuscated PowerShell script (.ps1) along with an executable into the temporary directory.

Figure 8: Dropped obfuscated PowerShell script

The dropped executable is then configured for persistence through a Run registry key, ensuring that it is automatically launched whenever the victim logs into the system.

Figure 9: Created Run entry

Once persistence is established, the malware begins collecting victim data. It also creates a mutex named “Remcos_Mutex_Inj”, confirming that the payload is Remcos RAT.

It checks for sandbox and VM presence before proceeding: a sandbox is detected through the presence of “sbiedll.dll”, and a VM through the registry path “hardware/acpi/dsdt/vbox_”. It also bypasses UAC by abusing eventviewer.exe. For user activity monitoring, the code continuously:

  1. Monitors the active (foreground) window
  2. Detects window title changes
  3. Logs the new window title
  4. Tracks user idle time
  5. Reports when the user becomes active again

It also has the capability to record audio and webcam footage.

The final payload achieves persistence through the Run entry, winlogon.exe, and userinit. It also has browser credential theft, process hollowing, command execution, and self-management capabilities.

The sample contains dedicated functionality for handling browser artifacts, including Chrome stored logins, Chrome cookies, and Firefox stored credentials, indicating credential theft. It also has a full cleanup routine.

It stores the captured information in a file named logs.dat, which is subsequently exfiltrated to its command-and-control (C2) server at 62.102.148.212.
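As an added example (not code from the write-up or from K7), the behavioural indicators described above, from the superhidden self-copy and Run key through the mutex, logs.dat and the C2 addresses listed in the IOC table, turned into simple detection rules and run over constructed telemetry records; the event shape, field names and alert threshold are assumptions.

```python
# Added example (not the write-up's code): behavioural rules for the chain described
# above, run over constructed telemetry records shaped loosely like Sysmon fields.
from collections import Counter

REMCOS_MUTEX = "Remcos_Mutex_Inj"                      # mutex name from the write-up
REMCOS_C2 = {("62.102.148.212", 37393), ("217.138.252.123", 42830),
             ("146.70.244.90", 37393)}                 # C2 pairs from the IOC table
SUPERHIDDEN = {"HIDDEN", "SYSTEM"}                     # "superhidden" = both attributes set

SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\kzq7dwe\kzq7dwe.exe", "attrs": "HIDDEN|SYSTEM"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Local\Temp\a8f1.ps1", "attrs": ""},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\kzq7dwe",
     "data": r"C:\Users\u\AppData\Roaming\kzq7dwe\kzq7dwe.exe"},
    {"type": "mutex_create", "name": "Remcos_Mutex_Inj"},
    {"type": "file_create", "path": r"C:\Users\u\AppData\Roaming\kzq7dwe\logs.dat", "attrs": ""},
    {"type": "network_connect", "dst": "62.102.148.212", "port": 37393},
    {"type": "file_create", "path": r"C:\Program Files\BrickGame\tiles.png", "attrs": ""},  # benign
]

def indicators(ev):
    """Return the indicator names one event matches (empty for benign events)."""
    hits, t = [], ev["type"]
    if t == "file_create":
        p = ev["path"].lower()
        attrs = set(filter(None, ev.get("attrs", "").upper().split("|")))
        if "\\appdata\\roaming\\" in p and p.endswith((".exe", ".com")) and SUPERHIDDEN <= attrs:
            hits.append("superhidden_copy_in_roaming")  # randomised self-copy, hidden + system
        if "\\temp\\" in p and p.endswith(".ps1"):
            hits.append("ps1_dropped_in_temp")
        if p.endswith("\\logs.dat"):
            hits.append("logs_dat_keylog_file")
    elif t == "registry_set":
        if "\\currentversion\\run\\" in ev["key"].lower() and "\\appdata\\" in ev["data"].lower():
            hits.append("run_key_to_appdata")          # Run-key persistence pointing into AppData
    elif t == "mutex_create" and ev["name"] == REMCOS_MUTEX:
        hits.append("remcos_mutex")
    elif t == "network_connect" and (ev["dst"], ev["port"]) in REMCOS_C2:
        hits.append("known_remcos_c2")
    return hits

def triage(events):
    """Aggregate hits for one host. A mutex or C2 match is conclusive on its own;
    otherwise require three distinct weaker indicators (threshold is an assumption)."""
    counts = Counter(h for ev in events for h in indicators(ev))
    strong = {"remcos_mutex", "known_remcos_c2"} & set(counts)
    return ("remcos" if strong or len(counts) >= 3 else "no_alert"), dict(counts)
```

The weaker rules (a .ps1 in Temp, a Run key into AppData) fire on plenty of legitimate software, which is why they only alert in combination.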

Figure 10: Location where the log entries are stored

Figure 11: Detailed info on the C2 IP

Further pivoting through VirusTotal revealed that similar samples associated with this campaign also delivered other malware families, including Agent Tesla, commodity stealers, MassLogger variants, Phantom Stealer, Dark Cloud, RedLine Stealer, Snake Keylogger, Formbook, and XWorm. Since only the payload differs, this strongly suggests a loader-as-a-service model, with the infrastructure used as part of a broader malware distribution ecosystem rather than being exclusive to a single payload family.

Figure 12: VirusTotal info

Pivoting on the metadata string “TuglaInsaatci”, we found several samples that use MassLogger and Remcos as their final payloads.

Figure 13: Searching through the strings available in the metadata

Payload filenames containing “NEFT”, “RTGS”, “IMPS”, and “GST” tie this campaign to India, where the Remcos RAT was deployed as the final payload. 

Figure 14: Filenames used in the campaign based in India (1)

Figure 15: Filenames used in the campaign based in India (2)

Figure 16: Filenames used in the campaign based in India (3)

With the increasing risk of malware attacks, it’s important to take steps to protect your data. Using a reliable security product like K7 Total Security and keeping it updated is crucial to defending against these threats.

IOCs

Name                              Hash (MD5)
Archive file                      C2E25ABA8E2AD4CAFDD6C633B8CA0906
Gst debit bill Apr 2026.com       897ABF678EDAD72998554EC18675092F
Optimax.dll                       AFE085B7324D72673EEF749FF5F21A49
System Optimizer Ultimate.dll     F3626A38FCF488C9EED54BEB8C7C116F
Remcos payload                    4924369C0BDAF73B21EB992EB9DB4DEA

Remcos C2
62.102.148.212:37393
217.138.252.123:42830
146.70.244.90:37393


A Multi-Stage Steganographic Loader Campaign Deploying Diverse Payloads Globally