Stealth RAT uses a PowerShell loader for fileless attacks

Published 2025-05-17 (2025-05-16 21:57 GMT). Source: https://cicserver.com/stealth-rat-uses-a-powershell-loader-for-fileless-attacks/

Running shellcode entirely in memory

Once the obfuscated PowerShell script is executed, it decodes and reassembles two chunks of base64-encoded data: one is a shellcode loader, the other a PE file (the Remcos RAT).

To run this entirely in memory, the script leans on unmanaged code reached through PowerShell's .NET interop: the Win32 functions VirtualAlloc and CallWindowProcW, plus the .NET method Marshal.Copy. VirtualAlloc reserves a block of executable memory, Marshal.Copy moves the decoded shellcode bytes from a managed array into that block, and CallWindowProcW, which takes a function pointer as its first argument, is used as a trampoline that transfers execution to the block in place of CreateThread or a direct call. Nothing is written to disk.

To stay under the radar, the loader takes a sneakier route: instead of importing the Windows APIs it plans to use by name, it hunts them down in memory on the fly. This trick, known as "walking the process environment block (PEB)", follows the PEB's loader data to the modules already mapped into the process and reads their export tables to find the function addresses, so a static scan for tell-tale strings such as DLL names or API names comes up empty. The technique is standard position-independent shellcode behaviour rather than anything new. The PowerShell stage itself is still exposed, though: AMSI and script block logging (PowerShell event ID 4104) see the deobfuscated script at execution time, and the memory region that holds the shellcode stays visible to a memory scan for as long as the session is alive.

"This loader re-frames Remcos as an ephemeral plug-in rather than a resident implant," Soroko added. "By shifting every stage of the tool-chain into transient memory and dissolving the loader itself once the session ends, the operators make forensic artifacts nearly as disposable as the lure ZIP."
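As an added example (not code from the report or from the loader it describes), the following Python script performs the first triage step a responder would take on such a loader: it rejoins base64 fragments that were split across string concatenations, decodes each blob, tells the PE payload from the raw shellcode by its MZ/PE headers, and lists which interop indicators the script names literally. The two PowerShell samples inside it are constructed stand-ins: NAIVE_LOADER names VirtualAlloc, Marshal.Copy and CallWindowProcW outright, while EVASIVE_LOADER assembles the names at run time, which stands in for the report's point that the real loader carries no literal API names. The embedded PE is a bare header skeleton and the shellcode blob is filler bytes; neither is executable.

```python
"""Triage helper for an obfuscated PowerShell shellcode loader.

Constructed example, not the loader from the report. Rejoins split base64
string literals, decodes every blob, classifies each as a PE image or raw
bytes (candidate shellcode) and reports which interop API names appear
literally in the script.
"""
import base64
import re
import struct

# Indicator name -> regex matching how it appears in PowerShell source.
INTEROP_INDICATORS = {
    "VirtualAlloc": r"VirtualAlloc",
    "Marshal.Copy": r"Marshal\]::Copy",   # [...InteropServices.Marshal]::Copy(
    "CallWindowProcW": r"CallWindowProcW",
    "Add-Type": r"Add-Type",
    "DllImport": r"DllImport",
}


def join_string_fragments(script: str) -> str:
    """Collapse 'abc' + 'def' so a base64 chunk split across literals is whole again."""
    return re.sub(r"'\s*\+\s*'", "", script)


def extract_base64_blobs(script: str, min_len: int = 64) -> list:
    """Decode every base64 run of at least min_len characters in the script."""
    blobs = []
    pattern = r"[A-Za-z0-9+/]{%d,}={0,2}" % min_len
    for match in re.finditer(pattern, join_string_fragments(script)):
        try:
            blobs.append(base64.b64decode(match.group(0), validate=True))
        except ValueError:  # binascii.Error: not valid base64 after all
            continue
    return blobs


def classify_blob(data: bytes) -> str:
    """'pe' if the blob has an MZ header pointing at a PE signature, else 'raw'."""
    if len(data) >= 0x40 and data[:2] == b"MZ":
        e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
        if data[e_lfanew:e_lfanew + 4] == b"PE\0\0":
            return "pe"
    return "raw"


def find_indicators(script: str) -> list:
    """Interop API names that appear literally in the script text."""
    return [name for name, rx in INTEROP_INDICATORS.items() if re.search(rx, script)]


def triage(script: str) -> dict:
    blobs = extract_base64_blobs(script)
    return {
        "indicators": find_indicators(script),
        "blobs": [(len(b), classify_blob(b)) for b in blobs],
    }


# ---- constructed samples (assumptions, not material from the report) ----

def _fake_pe(size: int = 512) -> bytes:
    """Minimal MZ/PE header skeleton; not a loadable executable."""
    buf = bytearray(size)
    buf[:2] = b"MZ"
    struct.pack_into("<I", buf, 0x3C, 0x80)  # e_lfanew: PE signature lives at 0x80
    buf[0x80:0x84] = b"PE\0\0"
    return bytes(buf)


FAKE_PE = _fake_pe()
FAKE_SHELLCODE = bytes((i * 37 + 11) & 0xFF for i in range(96))  # filler, not real shellcode


def _chunked_literal(data: bytes, width: int = 40) -> str:
    """Emit base64 as 'xxx' + 'yyy' fragments, the way the loader splits its chunks."""
    b64 = base64.b64encode(data).decode()
    return " + ".join(f"'{b64[i:i + width]}'" for i in range(0, len(b64), width))


NAIVE_LOADER = f"""
$sig = '[DllImport("kernel32.dll")] public static extern IntPtr VirtualAlloc(IntPtr a, uint l, uint t, uint p);'
Add-Type -MemberDefinition $sig -Name Win32 -Namespace W
$sc = [Convert]::FromBase64String({_chunked_literal(FAKE_SHELLCODE)})
$pe = [Convert]::FromBase64String({_chunked_literal(FAKE_PE)})
$mem = [W.Win32]::VirtualAlloc(0, $sc.Length, 0x3000, 0x40)
[System.Runtime.InteropServices.Marshal]::Copy($sc, 0, $mem, $sc.Length)
[W.Win32]::CallWindowProcW($mem, 0, 0, 0, 0)
"""

EVASIVE_LOADER = f"""
$a = ('Vir', 'tual', 'Al', 'loc') -join ''
$c = ('Call', 'Window', 'Proc', 'W') -join ''
$sc = [Convert]::FromBase64String({_chunked_literal(FAKE_SHELLCODE)})
$pe = [Convert]::FromBase64String({_chunked_literal(FAKE_PE)})
# $a and $c are resolved to addresses at run time instead of being imported by name
"""

if __name__ == "__main__":
    for label, script in (("naive", NAIVE_LOADER), ("evasive", EVASIVE_LOADER)):
        print(label, triage(script))
```

Run it directly to print both triage results. The point of the second sample is that the indicator list is empty while the decoded blobs still give the payload away (96 raw bytes and a 512-byte PE), which is why decoding and classifying the blobs, and checking what script block logging recorded, matters more than grepping the script for API names.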