\nCybercriminals are progressively turning PowerShell to launch stealthy attacks that evade traditional antivirus and endpoint defenses. By running code directly in memory, these threats leave minimal evidence on disk, making them particularly challenging to detect.<\/p>\n
A recent example is Remcos RAT, a well-known remote access trojan recognized for its persistence and stealth. It provides attackers with full control over compromised systems, making it a preferred go-to tool for cyber espionage and data theft. In a recent campaign, threat actors delivered malicious LNK files embedded within ZIP archives, often disguised as Office documents. The attack chain leverages mshta.exe for proxy execution during the initial stage.<\/p>\n
Unconfirmed reports suggest this new sample is named “K-Loader,” although no conclusive findings have been made.****<\/p>\n
## **Execution Flow**<\/p>\n
Qualys Threat Research Unit (TRU) has discovered a new PowerShell-based shellcode loader, designed to load and execute a variant of Remcos RAT. In this blog, we will explore some of the most intriguing aspects of this stealthy malware sample.<\/p>\n
Figure 1: Attack Flow<\/p>\n
## Technical Analysis<\/p>\n
<\/p>\n
> > _SHA-256: 85dcc4bafccb5b9e255f75c2cd96fec1b4a5b30d09ae0d8eb571b312511d7df7_<\/p>\n
**Initial Execution via MSHTA**<\/p>\n
* MSHTA.exe executes obfuscated hta file.<\/p>\n
<\/p>\n
* The hta file contains obfuscated VBScript code. This script bypass Windows Defender and downloads PowerShell script into the \u201c _C:\/Users\/Public\/\u201d_ directory, which is added under exclusion folder using \u201cAdd-MpPreference -ExclusionPath\u201d.
* The script sets PowerShell execution policy to bypass, runs in hidden mode, and creates a registry entry to maintain persistence. The malware modifies the Windows Registry using the following command:<\/p>\n
<\/p>\n
* The hta downloads multiple payloads into \u201cC:\/Users\/Public\/\u201d directory:
* pp1.pdf (Decoy file)
* 311.hta
* 24.ps1<\/p>\n
The 311.hta file is executed on system startup. Its code is almost similar to xlab22.hta.<\/p>\n
Figure 2: De-obfuscated xlab22 and 311.hta<\/p>\n
## PowerShell Analysis<\/p>\n
The downloaded PowerShell payload 24.ps1 is heavily obfuscated and contains numerous functions and variables. It reconstructs two blobs of byte arrays from obfuscated base64 content using a custom string join\/replace de-obfuscation technique. The script then leverages Win32 APIs to allocate memory and execute binary code directly in memory.<\/p>\n
Figure 3: First Chunk of Base64 Data<\/p>\n
Figure 4: Second Chunk of Base64 Data<\/p>\n
The first chunk we obtained is a shellcode Loader of 104 KB, padded with numerous null bytes. The second chunk revealed a 484 KB PE file. The following APIs are involved in executing both payloads:<\/p>\n
Figure 5: Shellcode Copied for Execution by Marshal Copy Method<\/p>\n
First, it allocates memory using \u201cVirtuallAlloc()\u201d as per the size of shellcode. The Marshal.Copy() method is then used to copy the shellcode into allocated memory. Finally, the code is executed using the function \u201cCallWindowProcW()\u201d, which acts as a callback function.<\/p>\n
\u201cCallWindowProc (hPrevWndFunc, hWnd, iMsg, wParam, lParam)\u201d.<\/p>\n
1. **Loader Analysis:**<\/p>\n
After decrypting the first chunk, we obtain a shellcode loader with a total size of 104 KB, though the actual executable code is only about 4 KB \u2014 the rest is padded with null bytes.<\/p>\n
> _SHA256: ce5ee4a1991fa0a9030dc9e2e0601dc0f14c7961e6550921d8fd2cc4ec53a042_<\/p>\n
To execute a binary in memory, the loader walks the Process Environment Block (PEB) to dynamically resolve necessary API addresses. <\/p>\n
The process follows these key steps:<\/p>\n
* Locate the PEB structure.
* Access the PEB_LDR_DATA via PEB->Ldr.
* Traverse the module list to locate the ntdll.dll module.
* Retrieve the export table of the module.
* Parse the table to resolve the required function addresses.<\/p>\n
This method allows the shellcode to dynamically find and invoke system APIs without importing them statically, which helps it evade detection.<\/p>\n
Below we can see how it resolves the function addresses.<\/p>\n
Figure 6: Loader walks the PEB and resolves module names and function names on the stack.<\/p>\n
Next, it accesses and walks through the PEB (Process Environment Block) of ntdll.dll.<\/p>\n
The shellcode gets a handle to the in-memory PE using GetModuleHandle(). It then parses the PE headers, section headers, and applies relocations, making the PE ready for execution entirely in memory, helping it evade file-based detections.<\/p>\n
Figure 7: Stack String Formation for Module Names and API Names<\/p>\n
* **PE File Analysis: (Remcos RAT)**<\/p>\n
The analyzed PE file is a 32-bit Remcos RAT, compiled using Visual Studio C++ 8. It\u2019s designed for stealth and control, featuring:<\/p>\n
* Modular structure with multiple threads for execution and command handling.
* Overlay section: An 800-byte region filled with null bytes\u2014commonly used for obfuscation or extra data.
* Subsystem: GUI-based with Terminal Server Aware flag enabled, allowing interaction even in remote sessions.
* The resource section has encrypted data in \u201cRCData->setting\u201d section.<\/p>\n
> _SHA256: ab8caac901b477c08934ec63978400eb369efb655114805ccba28c48272e5dad_<\/p>\n
Figure 8: Loading Resource to Decrypt<\/p>\n
After loading resource data, it starts decrypting the resource with a custom function.<\/p>\n
Figure 9: Remcos Decrypted RCData contains config information<\/p>\n
The resource settings are decrypted as needed and contain details like the remote server, version info, and more. It connects to **_readysteaurants[.]com_** over TLS (port 2025, TLS flag set to 1).<\/p>\n
The config also holds the malware name \u201cRemcos\u201d and a mutex \u201c** _Rmc-7SY4AX_** \u201d.<\/p>\n
Additionally, config contains a keylogger log file named **_logs.dat_** , certificates, and command-and-control strings like Screenshot, Micrecord, etc., are also present in it. Remcos operates through multiple modules, each started via separate threads. Before execution, it checks for the mutex\u2014if found, it exits. If mutex is not present, it will create mutex \u201cRmc-7SY4AX\u201d in the registry.<\/p>\n
Figure 10: Check if it has already infected this machine<\/p>\n
To ensure persistence, the malware stores the executable path, license key, and timestamp in the registry Rmc-7SY4AX. Then it will start a thread where it will perform process injection of its own file into svchost.exe. While doing process injections, it uses the concept of **Process Hollowing** to achieve evasion.<\/p>\n
It gathers system details like OS version, files, and installed applications present on the machine. It attempts to bypass User Account Control (UAC) by leveraging \u201cICMLuaUtil Elevated\u201d and COM object techniques. And check if it has bypass UAC by calling ShellExec twice.<\/p>\n
Figure 11: UAC Bypass using ICMLuaUtil<\/p>\n
It verifies the UAC bypass by executing cmd.exe using CreateProcess both before and after the attempt. In the second thread, Remcos starts the “Watchdog Module” which ensures the malware stays active and restarts if needed. It also adds a “wd” entry in the same registry path used earlier to maintain persistence. After starting the “Watchdog Module”, Remcos sends a notification confirming successful initialization.<\/p>\n
Figure 12: Remcos Successfully Initialized<\/p>\n
It attempts to connect to \u201c _readystearants[.]com_ \u201d over TLS, if enabled.<\/p>\n
Figure 13: Establish a network connection with the server through TLS<\/p>\n
Once the connection is established over TLS, the Remcos server continues sending packets with a \u201cKeep-alive\u201d connection. The C2 packet command and data have the same format as we saw above after decryption of \u201cResource \u00e0Setting data\u201d, it also uses the same separator, i.e., \u201c7C1E1E7C\u201d, we can see below.<\/p>\n
Figure 14: Wireshark View of Command, Packets, and Data<\/p>\n
Where \u201c2404ff00\u201d is packet magic, 0xff is size 4C command number, and the remaining is Command data split by separator.<\/p>\n
The following are a few commands used by C&C:<\/p>\n
* 03h \u2192 Retrieve a list of all installed programs on the system
* 06h \u2192 Retrieve a list of all running processes
* 98h, 8Fh \u2192 Monitor files and perform various file operations
* 0Eh \u2192 Execute a specified command using cmd.exe
* 2Fh \u2192 Modify registry keys or values
* 13h \u2192 Start or stop keylogging functionality
* 28h \u2192 Access or copy clipboard data<\/p>\n
After initialization, Remcos starts the keylogger module in a new thread.<\/p>\n
It logs keystrokes (online and offline), captures clipboard data, screenshots, and both active and background window details. It has the access to record window text, can track user idle time, access the webcam to capture frames, and use the microphone to record audio.<\/p>\n
Figure 15: Access User Camera<\/p>\n
It logs keystrokes by setting a keyboard hook using _SetWindowsHookExA_. Logged data is saved in a file and sent to the C&C server.<\/p>\n
For anti-analysis, Remcos uses techniques like vectored exception handling, _GetProcessHeap_(), _GetTickCount_(), and _IsDebuggerPresent_() to detect debugging or analysis environments.<\/p>\n
Figure 16: Vectored Exception Handler for Anti-analysis<\/p>\n
Remcos scans browser directories using _FindFirstFile_() and _FindNextFile_(). It targets files like logins.json and key3.db to steal saved credentials and cookies from browsers such as Chrome, Firefox, and Internet Explorer.<\/p>\n
Figure 17: Remcos enumerates browser files for stealing credentials<\/p>\n
Remcos also includes a sound module that can trigger an alarm to alert or distract the user.<\/p>\n
**Operations and controls:**<\/p>\n
Fig-18. Operations and Controls<\/p>\n
The Final window visible looks like below which has Remcos version number V6.0.0 Pro.<\/p>\n
Figure 19: Final Window of Remcos<\/p>\n
**What\u2019s Newly Added in Remcos V6.0.0 PRO:**<\/p>\n
* Group View: Allows attackers to organize and manage victim machines in groups.
* Unique UID: Each instance has a UID for easier agent tracking via C&C server.
* Privilege Display: Shows whether the agent has admin or user rights.
* Public IP Access: Displays the victim’s public IP directly in the panel.
* Accurate Idle Time: Improved tracking of user inactivity.
* Bug Fixes: Enhanced geolocation accuracy and other minor fixes from earlier versions.<\/p>\n
We have referred to this site mentioned in the Remcos section above: https:\/\/breakingsecurity.net\/<\/p>\n
## **Qualys EDR Detections & Advanced Hunting**<\/p>\n
Qualys EDR and EPP solutions offer strong protection against advanced threats.<\/p>\n
The PowerShell-based Loader is instantly detected and quarantined\/deleted upon arrival on the victim\u2019s machine.<\/p>\n
Figure 20: The threat was detected and deleted by Qualys EPP<\/p>\n
Qualys EPP effectively detects and disinfects malicious LNK files, preventing their execution (Fig.24). To enhance protection, ensure PowerShell logging, AMSI monitoring, and a robust EDR solution are in place. Early detection remains critical in stopping threats like Remcos.<\/p>\n
Figure 21: Qualys EDR Process Tree<\/p>\n
## **Advanced Hunting Queries**<\/p>\n
Qualys EDR includes behavioral detections to identify threats like Loader and Remcos RAT. Customers can use the following Threat Hunting QQLs to search their environment for related TTPs.<\/p>\n
**Description******| **Query (QQL)******
—|—
Highly malicious File Detection.| platform:Windows and event.isdetectedbyepp:true and type:`FILE` and indicator.severityscore >=4
Registry Run Key Modification in the last 2 days.| type:registry and platform:’windows’ and action:’write’ and registry.key:”SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\run” and event.dateTime:[now-2d .. now-1s]
Network connections by PowerShell in the last 3 days on Non-standard ports 2025.| platform:’windows’ and type:`network` and action:`established` and parent.name:”Powershell.exe” and not (network.remote.address.port:443 or network.remote.address.port:80) and event.dateTime:[now-3d .. now-1s]
Highly suspicious HTML file detection in last 3 days.| platform:’windows’ and parent.name:”mshta.exe” and type:`file` and file.type:”html” and indicator.severityscore >=4 and event.dateTime:[now-3d .. now-1s] <\/p>\n
## **Conclusion**<\/p>\n
The emergence of this PowerShell-based shellcode loader underscores a broader trend: threat actors are increasingly relying on fileless techniques to bypass traditional detection mechanisms. By executing malicious code in memory and leveraging trusted system binaries like `mshta.exe`, adversaries minimize their on-disk footprint\u2014leaving little forensic residue to trace.<\/p>\n
Remcos RAT exemplifies this evolution. It\u2019s a stealthy, PowerShell-based malware that uses advanced evasion techniques to operate entirely in memory, avoiding most conventional security tools. Delivered via weaponized LNK files in ZIP archives and triggered using proxy execution, it exploits native system behavior for persistence and remote control.<\/p>\n
This reinforces the need to monitor key attack surfaces\u2014LNK file execution, MSHTA abuse, suspicious registry changes, and anomalous PowerShell activity. Foundational controls like PowerShell logging, AMSI monitoring, and robust EDR are essential to detect malicious behavior before it escalates. Early detection is critical to stopping threats like Remcos.<\/p>\n
### **MITRE TTPs:**<\/p>\n
**Technique**| **ID**
—|—
Registry Run Keys \/ Startup Folder| T1547.001
System Binary Proxy Execution: Mshta| T1218.005
Ingress Tool Transfer| T1105
Credentials from Password Stores: Credentials from Web Browsers| T1555.003
Screen Capture| T1513
Video Capture| T1512
Archive Collected Data| T1560
Command and Scripting Interpreter: PowerShell| T1059.001
Process Injection: Process Hollowing| T1055.012
Obfuscated Files or Information| T1027
Automated Exfiltration| T1020
Keylogging| T1417.001
Binary Padding| T1027.001
Abuse Elevation Control Mechanism: Bypass User Account Control| T1548.002
Obfuscated Files or Information: Dynamic API Resolution| T1027.007
Obfuscated Files or Information: Encrypted\/Encoded File| T1027.013 <\/p>\n
### **Indicators of Compromise:******<\/p>\n
**Name**| **Indicator**
—|—
Zip file| bf32ff64ac0cfee67f4b2df27733576a
Remcos (PE)| b63178f562b948b850f4676d4b8db1c0
24.ps1| dd7f049a4b573cc48e0412902a2c14b5
xlab22.hta| 1b26f7e369e39312e4fcbc993d483b17
Domain| readysteaurants[.]com
URL| https:\/\/mytaxclientcopy[.]com\/xlab22.hta
IP| 193(.)142(.)146(.)101, 162(.)254(.)39(.)129
Mutex| Rmc-7SY4AX <\/p>\n
For defenders, this emphasizes the urgency of shifting from static indicators and legacy detection approaches to more dynamic behavioral analytics. Monitoring for abnormal parent-child process relationships, PowerShell activity outside of administrative tasks, and signs of proxy execution is critical to detecting these stealthy intrusions early.<\/p>\n
Ultimately, the ability to detect and respond to fileless attacks isn\u2019t just about having the right tools. It\u2019s about understanding how attackers think, how they chain together seemingly benign components, and how they abuse trust to operate in plain sight. Staying ahead requires not just technology, but threat-informed vigilance and a proactive security mindset.<\/p>\n
### Contributors<\/p>\n
**Prashant Pawar, Lead, Threat Research Engineer, Qualys.**\n<\/p><\/div>\n
View Advisory Details<\/a><\/p>\n","protected":false},"excerpt":{"rendered":"Security Update News Update Information Title Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT Update ID QUALYSBLOG:0BEFC7116CE254963C97044701816D0C Type qualysblog Published 2025-05-15T16:22:39 Last Updated 2025-05-15T16:22:39…<\/p>\n","protected":false},"author":1,"featured_media":0,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[4],"tags":[6,8,34,12,13,33,120,7,11,5],"class_list":["post-4629","post","type-post","status-publish","format-standard","hentry","category-category_news","tag-cve","tag-cvss","tag-cvss-00","tag-exploit","tag-news","tag-none","tag-qualysblog","tag-security","tag-tapic","tag-vulnerability"],"yoast_head":"\n
Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - zero redgem<\/title>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/zero.redgem.net\/?p=4629\" \/>\n<meta property=\"og:locale\" content=\"en_US\" \/>\n<meta property=\"og:type\" content=\"article\" \/>\n<meta property=\"og:title\" content=\"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - zero redgem\" \/>\n<meta property=\"og:description\" content=\"Security Update News Update Information Title Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT Update ID QUALYSBLOG:0BEFC7116CE254963C97044701816D0C Type qualysblog Published 2025-05-15T16:22:39 Last Updated 2025-05-15T16:22:39...\" \/>\n<meta property=\"og:url\" content=\"https:\/\/zero.redgem.net\/?p=4629\" \/>\n<meta property=\"og:site_name\" content=\"zero redgem\" \/>\n<meta property=\"article:published_time\" content=\"2025-05-15T13:37:43+00:00\" \/>\n<meta name=\"author\" content=\"invoker\" \/>\n<meta name=\"twitter:card\" content=\"summary_large_image\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"invoker\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"12 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\\\/\\\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629#article\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629\"},\"author\":{\"name\":\"invoker\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\"},\"headline\":\"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT\",\"datePublished\":\"2025-05-15T13:37:43+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629\"},\"wordCount\":2475,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"keywords\":[\"CVE\",\"CVSS\",\"CVSS-0.0\",\"exploit\",\"news\",\"NONE\",\"qualysblog\",\"Security\",\"tapic\",\"Vulnerability\"],\"articleSection\":[\"category_news\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=4629#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629\",\"name\":\"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - zero redgem\",\"isPartOf\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\"},\"datePublished\":\"2025-05-15T13:37:43+00:00\",\"breadcrumb\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\\\/\\\/zero.redgem.net\\\/?p=4629\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/?p=4629#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\\\/\\\/zero.redgem.net\\\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#website\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"name\":\"zero redgem\",\"description\":\"\",\"publisher\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\\\/\\\/zero.redgem.net\\\/?s={search_term_string}\"},\"query-input\":{\"@type\":\"PropertyValueSpecification\",\"valueRequired\":true,\"valueName\":\"search_term_string\"}}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#organization\",\"name\":\"zero redgem\",\"url\":\"https:\\\/\\\/zero.redgem.net\\\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\",\"url\":\"\",\"contentUrl\":\"\",\"width\":191,\"height\":188,\"caption\":\"zero redgem\"},\"image\":{\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/logo\\\/image\\\/\"}},{\"@type\":\"Person\",\"@id\":\"https:\\\/\\\/zero.redgem.net\\\/#\\\/schema\\\/person\\\/fbfeae8dfad117ac08a7621bee1a1dca\",\"name\":\"invoker\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"url\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"contentUrl\":\"https:\\\/\\\/secure.gravatar.com\\\/avatar\\\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g\",\"caption\":\"invoker\"},\"sameAs\":[\"https:\\\/\\\/zero.redgem.net\"],\"url\":\"https:\\\/\\\/zero.redgem.net\\\/?author=1\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - zero redgem","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/zero.redgem.net\/?p=4629","og_locale":"en_US","og_type":"article","og_title":"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - zero redgem","og_description":"Security Update News Update Information Title Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT Update ID QUALYSBLOG:0BEFC7116CE254963C97044701816D0C Type qualysblog Published 2025-05-15T16:22:39 Last Updated 2025-05-15T16:22:39...","og_url":"https:\/\/zero.redgem.net\/?p=4629","og_site_name":"zero redgem","article_published_time":"2025-05-15T13:37:43+00:00","author":"invoker","twitter_card":"summary_large_image","twitter_misc":{"Written by":"invoker","Est. reading time":"12 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/zero.redgem.net\/?p=4629#article","isPartOf":{"@id":"https:\/\/zero.redgem.net\/?p=4629"},"author":{"name":"invoker","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca"},"headline":"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT","datePublished":"2025-05-15T13:37:43+00:00","mainEntityOfPage":{"@id":"https:\/\/zero.redgem.net\/?p=4629"},"wordCount":2475,"commentCount":0,"publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"keywords":["CVE","CVSS","CVSS-0.0","exploit","news","NONE","qualysblog","Security","tapic","Vulnerability"],"articleSection":["category_news"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/zero.redgem.net\/?p=4629#respond"]}]},{"@type":"WebPage","@id":"https:\/\/zero.redgem.net\/?p=4629","url":"https:\/\/zero.redgem.net\/?p=4629","name":"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT - zero redgem","isPartOf":{"@id":"https:\/\/zero.redgem.net\/#website"},"datePublished":"2025-05-15T13:37:43+00:00","breadcrumb":{"@id":"https:\/\/zero.redgem.net\/?p=4629#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/zero.redgem.net\/?p=4629"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/zero.redgem.net\/?p=4629#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/zero.redgem.net\/"},{"@type":"ListItem","position":2,"name":"Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT"}]},{"@type":"WebSite","@id":"https:\/\/zero.redgem.net\/#website","url":"https:\/\/zero.redgem.net\/","name":"zero redgem","description":"","publisher":{"@id":"https:\/\/zero.redgem.net\/#organization"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/zero.redgem.net\/?s={search_term_string}"},"query-input":{"@type":"PropertyValueSpecification","valueRequired":true,"valueName":"search_term_string"}}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/zero.redgem.net\/#organization","name":"zero redgem","url":"https:\/\/zero.redgem.net\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/","url":"","contentUrl":"","width":191,"height":188,"caption":"zero redgem"},"image":{"@id":"https:\/\/zero.redgem.net\/#\/schema\/logo\/image\/"}},{"@type":"Person","@id":"https:\/\/zero.redgem.net\/#\/schema\/person\/fbfeae8dfad117ac08a7621bee1a1dca","name":"invoker","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","url":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/f17c01d7338e6932bcde121cf83569393df3374625d25afd62677cfb528f2e3e?s=96&d=mm&r=g","caption":"invoker"},"sameAs":["https:\/\/zero.redgem.net"],"url":"https:\/\/zero.redgem.net\/?author=1"}]}},"_links":{"self":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/4629","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/users\/1"}],"replies":[{"embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=4629"}],"version-history":[{"count":0,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=\/wp\/v2\/posts\/4629\/revisions"}],"wp:attachment":[{"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=4629"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=4629"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/zero.redgem.net\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=4629"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}