Remcos Malware Returns with Path-Poisoning Trickery to Fool Windows and Users Alike
- Cyber Jill
- Jun 30
In the ever-evolving chess match between malware authors and defenders, the Remcos remote access trojan (RAT) is back on the board with a clever new opening move: abusing Windows path-parsing logic to hide in plain sight.
Remcos, a persistent RAT with a long track record of espionage, keylogging, and credential theft, has resurfaced in a stealthy campaign leveraging legitimate-looking shortcuts, spoofed directories, and novel uses of obscure Windows features like the “\\?\” extended-path prefix. The result? An effective toolkit for long-term compromise that evades both user suspicion and many conventional endpoint defenses.
A Familiar RAT in New Clothing
The latest wave of attacks begins with phishing emails sent from compromised accounts—typically belonging to schools or small businesses. These messages bypass basic email security by using real domains and familiar names. Attached is a compressed .tar archive containing a .lnk (Windows shortcut) file. On the surface, it looks harmless. Under the hood, it’s anything but.
“The Remcos RAT has always been about remote control and stealth,” said [Redacted Cyber Analyst], a threat researcher familiar with the campaign. “What makes this campaign particularly notable is the way it abuses native Windows behaviors to slip past defenses.”
Once the .lnk file is opened, a PowerShell command hidden within downloads a Base64-encoded executable disguised as a .dat file. This gets decoded and saved as a .pif file—a legacy format for executable shortcuts almost never used today—into the C:\ProgramData directory.
Masquerading as Windows Itself
That .pif file is where the real deception begins.
The malware runs and immediately replicates itself, creating a new set of directories that mimic Windows system folders. But here’s the catch: it uses the “\\?\” extended-path prefix (which hands the path to the NT Object Manager with minimal processing) to create a directory like C:\Windows \SysWOW64—notice the subtle space after “Windows.” Ordinary Win32 path handling silently strips trailing spaces from folder names, so a folder named “Windows ” cannot normally be created or addressed; the prefix bypasses that normalization. This one-character difference tricks users (and sometimes software) into seeing it as a legitimate Windows path, while bypassing standard system checks that only know the real C:\Windows.
This spoofed path is then populated with batch files, URL shortcuts, and a renamed cmd.exe, which is copied there using the obscure but powerful esentutl utility. Each step of the chain is cloaked in obfuscation—Arabic characters, nonsense symbols, and intentionally bloated files are used to trip up antivirus engines.
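The following is an added detection example, not code from the original article or from the campaign analysis it reports. It approximates the Win32 normalization the article relies on (trailing spaces and dots are stripped from each path component unless the \\?\ prefix is used) and flags any path whose raw components differ from their normalized form while the normalized path lands inside a protected system folder. The list of protected folders and all sample paths are constructed assumptions for illustration.

```python
"""Flag file-system paths that masquerade as Windows system folders by padding
a component with trailing whitespace or dots (e.g. 'C:\\Windows \\SysWOW64').

Added example for defenders; not code from the original article. The protected
folder list and sample paths below are constructed for illustration.
"""
from typing import List, Optional

# Folders a lookalike would most plausibly mimic (assumption: tailor per host).
PROTECTED_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\windows\syswow64",
    r"c:\programdata",
}

# Literal \\?\ prefix: it tells Win32 to skip its usual path normalization.
EXTENDED_PREFIX = "\\\\?\\"


def strip_extended_prefix(path: str) -> str:
    """Drop a leading \\?\ so the rest can be compared with ordinary paths."""
    if path.startswith(EXTENDED_PREFIX):
        return path[len(EXTENDED_PREFIX):]
    return path


def win32_normalize(path: str) -> str:
    """Approximate Win32 handling of a non-prefixed path: trailing spaces and
    dots are removed from every component and the result is lower-cased
    because NTFS name comparison is case-insensitive."""
    components = strip_extended_prefix(path).split("\\")
    return "\\".join(c.rstrip(" .") for c in components).lower()


def find_spoofed_component(path: str) -> Optional[str]:
    """Return the first component whose raw form differs from its normalized
    form (e.g. 'Windows ' versus 'Windows'), or None if there is none."""
    for comp in strip_extended_prefix(path).split("\\"):
        if comp != comp.rstrip(" ."):
            return comp
    return None


def is_path_poisoned(path: str) -> bool:
    """True when the path contains a padded component AND, once normalized,
    sits inside a protected system folder: the combination the article
    describes. A padded component elsewhere is odd but not a system lookalike."""
    if find_spoofed_component(path) is None:
        return False
    norm = win32_normalize(path)
    return any(norm == d or norm.startswith(d + "\\") for d in PROTECTED_DIRS)


def suspicious_paths(paths: List[str]) -> List[str]:
    """Filter a list of observed paths (e.g. from process-creation telemetry)
    down to the ones that look like system-folder lookalikes."""
    return [p for p in paths if is_path_poisoned(p)]


if __name__ == "__main__":
    # Constructed sample of paths as they might appear in endpoint telemetry.
    observed = [
        r"C:\Windows\SysWOW64\cmd.exe",            # genuine
        r"\\?\C:\Windows \SysWOW64\cmd.exe",       # lookalike created via \\?\
        r"C:\Users\bob\Documents \notes.txt",      # padded, but not a system dir
    ]
    for p in suspicious_paths(observed):
        print("lookalike system path:", p, "(component:", repr(find_spoofed_component(p)) + ")")
```

The check is deliberately two-part: a padded component alone generates noise from sloppy user folder names, whereas a padded component that normalizes onto C:\Windows is exactly the trick described above and is worth an alert on its own.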
“This isn’t just some copy-paste malware. The attackers went out of their way to use lesser-known features of Windows to make detection harder,” noted the analyst.
Staying Alive (and Quiet)
Persistence is maintained through scheduled tasks that run every 10 minutes, pointing to the malicious .url file. This file, when triggered, launches the .pif file again—reviving the infection even after reboot or removal attempts.
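The following is an added triage example, not code from the original article or from the campaign it describes. It parses Task Scheduler XML (the format produced by `schtasks /query /xml` or by exporting a task) and flags the persistence shape described above: a short repetition interval whose action launches a shortcut-type file such as a .url or .pif rather than a signed binary. The task names, file names, 15-minute threshold and sample XML are constructed assumptions, not indicators from the campaign.

```python
"""Triage exported Task Scheduler XML for short-interval tasks whose action
launches a shortcut-type file (.url / .lnk / .pif) or a padded lookalike path.

Added example for defenders; not code from the original article. Sample XML,
task names, file names and the interval threshold are constructed assumptions.
"""
import re
import xml.etree.ElementTree as ET
from dataclasses import dataclass, field
from typing import List, Optional

# Namespace used by Task Scheduler task definitions.
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}

# Extensions that should rarely be a scheduled task's direct command.
SHORTCUT_EXTS = (".url", ".lnk", ".pif")
# Repetition intervals at or below this are treated as aggressive (assumption).
AGGRESSIVE_INTERVAL_S = 15 * 60

# ISO-8601 duration as Task Scheduler writes it, e.g. PT10M or P1DT2H.
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def iso_duration_seconds(text: str) -> int:
    """Convert a Task Scheduler duration string to seconds."""
    m = _DURATION_RE.match(text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    parts = {k: int(v or 0) for k, v in m.groupdict().items()}
    return parts["d"] * 86400 + parts["h"] * 3600 + parts["m"] * 60 + parts["s"]


@dataclass
class TaskFinding:
    commands: List[str] = field(default_factory=list)
    min_interval_s: Optional[int] = None
    reasons: List[str] = field(default_factory=list)

    @property
    def suspicious(self) -> bool:
        return bool(self.reasons)


def triage_task_xml(xml_text: str) -> TaskFinding:
    """Inspect one task definition and collect reasons it looks like
    shortcut-driven persistence."""
    root = ET.fromstring(xml_text)
    finding = TaskFinding()

    intervals = [iso_duration_seconds(e.text)
                 for e in root.findall(".//t:Repetition/t:Interval", TASK_NS) if e.text]
    if intervals:
        finding.min_interval_s = min(intervals)
        if finding.min_interval_s <= AGGRESSIVE_INTERVAL_S:
            finding.reasons.append(f"repeats every {finding.min_interval_s // 60} min")

    for cmd in root.findall(".//t:Actions/t:Exec/t:Command", TASK_NS):
        command = (cmd.text or "").strip()
        finding.commands.append(command)
        if command.lower().endswith(SHORTCUT_EXTS):
            finding.reasons.append(f"command is a shortcut-type file: {command}")
        # A component that Win32 would normalize differently (trailing space/dot)
        # is the system-folder lookalike trick; a one-line check suffices here.
        if any(part != part.rstrip(" .") for part in command.split("\\")):
            finding.reasons.append(f"padded path component in command: {command}")
    return finding


# Constructed sample: what a shortcut-driven persistence task might export as.
SAMPLE_SUSPICIOUS_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2025-06-30T00:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows \SysWOW64\update.url</Command></Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary hourly maintenance task for comparison.
SAMPLE_BENIGN_TASK = r"""<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT1H</Interval></Repetition>
      <StartBoundary>2025-06-30T00:00:00</StartBoundary>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>C:\Windows\System32\cleanmgr.exe</Command><Arguments>/sagerun:1</Arguments></Exec>
  </Actions>
</Task>"""

if __name__ == "__main__":
    for label, xml_text in (("suspicious", SAMPLE_SUSPICIOUS_TASK), ("benign", SAMPLE_BENIGN_TASK)):
        f = triage_task_xml(xml_text)
        print(label, "->", "ALERT" if f.suspicious else "ok", f.reasons)
```

Run it against every task exported from a host (one XML document per task) and review anything that returns `suspicious`; a 10-minute repetition alone is common for legitimate agents, so the shortcut-extension and padded-path reasons are what separate this pattern from normal noise.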
To avoid detection and privilege prompts, the malware tampers with User Account Control (UAC) settings in the Windows Registry, weakening the system’s defenses against unauthorized actions.
Once settled, the RAT injects itself into SndVol.exe, a legitimate Windows audio control process, to initiate stealthy communication with its command-and-control (C2) infrastructure. In this campaign, that infrastructure includes domains hosted on OVHcloud using nonstandard ports like 32583—another trick to bypass network security filters.
It checks for internet connectivity, locale settings, and region codes to tailor its operations, indicating potential geo-targeting or filtering logic on the server side.
“Like Living in the Walls”
Once Remcos is fully operational, attackers gain full control over the target system—allowing them to steal credentials, exfiltrate documents, take screenshots, or even activate webcams. It’s as if someone moved into the walls of your house, quietly watching and manipulating your environment without you ever knowing.
This campaign demonstrates that attackers no longer need advanced zero-day exploits to succeed. Instead, they’re mastering the art of abusing what’s already there.
“These aren’t flaws in the code—they’re features used against us,” said [Redacted Cyber Analyst]. “It’s a reminder that the most dangerous malware today is the kind that doesn’t break in. It just walks through the front door, disguised as someone you trust.”
Staying Ahead of the Curve
For defenders, spotting a Remcos infection means looking for the subtle: scheduled tasks with odd names, paths with hidden spaces, or files ending in .pif. Endpoint detection and response (EDR) tools tuned for behavior-based analysis are more likely to catch it than traditional antivirus.
In a world where attackers are blending in with the OS itself, vigilance is no longer optional—it’s the baseline. Every shortcut, script, or system folder must now be viewed with a critical eye.
In the war for digital control, Remcos reminds us that stealth, not brute force, remains the weapon of choice.