Malicious GST Debit Note Attachment Deploys Remcos RAT Through Multi-Stage Loader

A sophisticated phishing campaign is actively targeting users in India by disguising malware as a routine GST debit note.

The attack delivers a powerful remote access tool called Remcos RAT through a cleverly constructed multi-stage loader, giving attackers deep and persistent control over infected systems.

What makes this threat especially alarming is how the entire infection chain moves through computer memory alone, leaving almost no trace behind for traditional security tools to detect or stop in time.

The infection begins when an unsuspecting victim receives a phishing email carrying a malicious archive attachment. Once extracted, the archive drops a file named “GST Debit Note Apr_26.com,” which turns out to be a 32-bit .NET executable.

The file is both packed and unsigned, and it contains embedded Turkish-language artifacts while disguising itself as a legitimate brick-building game to appear completely harmless.

The decoy application is designed to run silently in the background right after launch, reducing any chance the victim might become suspicious about what is happening.

Analysts at K7 Security Labs identified the campaign during routine telemetry monitoring, spotting an unusual detection tied to the suspicious file.

According to a report shared with Cyber Security News (CSN), K7 Security Labs noted that the payload is a variant of the Remcos RAT family, distributed through a phishing campaign as an archive attachment.

The researchers highlighted that this infection chain relies entirely on in-memory execution techniques, making it far harder to detect compared to traditional disk-based malware delivery methods.

Kill chain of Remcos RAT (Source – K7 Security Labs)

The campaign does not stop at Remcos. Further investigation revealed that similar samples linked to the same infrastructure were also delivering Agent Tesla, Phantom Stealer, DarkCloud, RedLine Stealer, MassLogger variants, Formbook, XWorm, and Snake Keylogger.

This strongly points to a loader-as-a-service model, where the delivery infrastructure stays consistent and only the final payload changes. The sheer breadth of this operation makes it a serious and ongoing threat to businesses and individuals across the region.

Malicious GST Debit Note Attachment Deploys Remcos RAT

The attack chain is carefully layered and designed specifically to defeat most conventional security tools.

The malware hides its next-stage components inside resource sections of the executable using a steganographic technique, where payload data is embedded within a serialized .NET Bitmap object.

This approach effectively obscures the malicious content and makes static analysis significantly more difficult for security researchers to perform accurately.

The first extracted component is a DLL named Optimax.dll, which is loaded directly into memory without ever touching the disk.

This DLL then invokes a second-stage loader called “System Optimizer Ultimate.dll,” which in turn drops the final Remcos RAT payload, also entirely in memory.

Remcos then uses process hollowing to run under the victim’s default browser process name, blending smoothly into normal system activity and evading detection.

Persistence, Credential Theft, and C2 Communication

Once Remcos is running, it quickly establishes a firm foothold on the infected machine.

It creates a hidden copy of itself inside the AppData Roaming folder under a randomized name and sets a Run registry key so it launches automatically every time the victim logs into the system.

A mutex named “Remcos_Mutex_Inj” is also created during execution, directly confirming the active presence of the RAT on the compromised device.

The malware checks for sandbox and virtual machine environments before proceeding and bypasses User Account Control using eventviewer.exe.
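The persistence and UAC-bypass behaviour described above leaves a footprint that endpoint telemetry can catch. The following is an added example (not from the K7 report): two simple rules run over constructed Sysmon-style events, flagging a Run value that points into AppData\Roaming and a child process spawned by Event Viewer (the binary is eventvwr.exe) other than mmc.exe. The event field names and the randomized folder name are assumptions.

```python
import re

# Constructed Sysmon-like events (not from the original report). Event IDs follow
# Sysmon (1 = process create, 11 = file create, 13 = registry value set); the
# field names and the random folder "qzk8d2" are assumptions for this example.
SAMPLE_EVENTS = [
    {"event_id": 11, "image": r"C:\Users\u\Downloads\GST Debit Note Apr_26.com",
     "target_filename": r"C:\Users\u\AppData\Roaming\qzk8d2\qzk8d2.exe"},
    {"event_id": 13, "image": r"C:\Users\u\AppData\Roaming\qzk8d2\qzk8d2.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\qzk8d2",
     "details": r"C:\Users\u\AppData\Roaming\qzk8d2\qzk8d2.exe"},
    {"event_id": 1, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\System32\eventvwr.exe"},
    # Benign control: a Run value whose target lives under AppData\Local, not Roaming.
    {"event_id": 13, "image": r"C:\Windows\explorer.exe",
     "target_object": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe /background"},
]

RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\", re.IGNORECASE)
ROAMING_RE = re.compile(r"\\AppData\\Roaming\\", re.IGNORECASE)


def suspicious_run_key(ev):
    """Registry value set under a Run key whose command launches a binary from AppData\\Roaming."""
    return (ev.get("event_id") == 13
            and RUN_KEY_RE.search(ev.get("target_object", "")) is not None
            and ROAMING_RE.search(ev.get("details", "")) is not None)


def eventvwr_child(ev):
    """eventvwr.exe normally only spawns mmc.exe; any other child matches the UAC-bypass pattern."""
    parent = ev.get("parent_image", "").lower()
    child = ev.get("image", "").lower()
    return (ev.get("event_id") == 1
            and parent.endswith("\\eventvwr.exe")
            and not child.endswith("\\mmc.exe"))


def triage(events):
    """Return (rule_name, evidence) pairs for every event that matches a rule."""
    findings = []
    for ev in events:
        if suspicious_run_key(ev):
            findings.append(("run_key_appdata_roaming", ev["details"]))
        if eventvwr_child(ev):
            findings.append(("eventvwr_uac_bypass", ev["image"]))
    return findings


if __name__ == "__main__":
    for rule, evidence in triage(SAMPLE_EVENTS):
        print(f"{rule}: {evidence}")
```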

It continuously monitors the active window, logs title changes, and tracks user idle time while also recording audio and webcam feeds. Beyond that, it steals stored credentials and cookies from Chrome and Firefox and saves all captured data into a file called logs.dat.

This information is then quietly exfiltrated to a remote command-and-control server at 62.102.148.212. Payload filenames referencing “NEFT,” “RTGS,” “IMPS,” and “GST” clearly tie this campaign to Indian targets.

Users are strongly advised to treat unexpected email attachments with caution, keep security software fully updated, and never open archive files received from unknown or unverified senders.

Indicators of Compromise (IoCs):

| Type | Indicator | Description |
| --- | --- | --- |
| MD5 Hash | C2E25ABA8E2AD4CAFDD6C633B8CA0906 | Archive file |
| MD5 Hash | 897ABF678EDAD72998554EC18675092F | GST Debit Note Apr_26.com (initial dropper) |
| MD5 Hash | AFE085B7324D72673EEF749FF5F21A49 | Optimax.dll (first-stage loader) |
| MD5 Hash | F3626A38FCF488C9EED54BEB8C7C116F | System Optimizer Ultimate.dll (second-stage loader) |
| MD5 Hash | 4924369C0BDAF73B21EB992EB9DB4DEA | Remcos RAT payload |
| IP Address | 62.102.148.212:37393 | Remcos C2 server |
| IP Address | 217.138.252.123:42830 | Associated C2 infrastructure |
| IP Address | 146.70.244.90:37393 | Associated C2 infrastructure |

Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.

Source: cybersecuritynews.com
