#shellcode

2025-05-15

Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT

A new PowerShell-based shellcode loader has been discovered, designed to execute a variant of Remcos RAT. The attack chain begins with malicious LNK files in ZIP archives, using mshta.exe for initial execution. The loader employs fileless techniques, executing code directly in memory to evade traditional defenses. It leverages Windows APIs to allocate memory and execute binary code. The Remcos RAT provides full system control, featuring keylogging, screen capture, and credential theft capabilities. It uses advanced evasion techniques like process hollowing and UAC bypass. The malware establishes persistence through registry modifications and connects to a command and control server over TLS. This sophisticated attack emphasizes the need for behavioral analytics and proactive security measures to detect and mitigate such stealthy threats.

Pulse ID: 68264a9c6f5993a7d13fcfbc
Pulse Link: otx.alienvault.com/pulse/68264
Pulse Author: AlienVault
Created: 2025-05-15 20:12:12

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #ICS #InfoSec #LNK #Malware #OTX #OpenThreatExchange #PowerShell #RAT #Remcos #RemcosRAT #ShellCode #TLS #Windows #ZIP #bot #AlienVault

h o ʍ l e t @thomlett@mamot.fr
2025-03-24

#Speedrunners are #vulnerability researchers, they just don't know it yet
zetier.com/speedrunners-are-vu

“Super Mario World runners will place items in extremely precise locations so that the X,Y coordinates form #shellcode they can jump to with a dangling reference. Legend of #Zelda: Ocarina of Time players will do heap grooming and write a #function pointer […] so the game “wrong warps” directly to the #end #credit sequence… with nothing more than a #game #controller and a steady #hand

#Mario

cryptax @cryptax
2025-02-28

Decai decompiling a malicious shellcode.
The instructions are not so readable if you're not used to int 0x80 syscalls. AI does it for you.

asciinema.org/a/4PY8wn2TPg2oBd

2025-02-17

What are people using as a syscall database?

#reverseengineering #assembly #asm #shellcode

Alexandre Borges @alexandreborges
2025-01-08

The ninth article (38 pages) of the Malware Analysis Series (MAS) is available on:

exploitreversing.com/2025/01/0

I would like to thank Ilfak Guilfanov @ilfak and @HexRaysSA (on X) for their constant and uninterrupted support, which has helped me write these articles.

Even though I haven't been on this subject for years, I promised I would write a series of ten articles, and the last one will be released next week (JAN/15).

Have a great day.

#windows #shellcode #malware #reverseengineering #reversing #idapro #malwareanalysis

2025-01-08

Is there an example of shellcode or other malware needing to use Floating Point assembly instructions?

#shellcode #asm #malware

st1nger 🏴‍☠️ @st1nger@infosec.exchange
2025-01-05
kriware @kriware@infosec.exchange
2025-01-02

Basics of Windows shellcode writing

Dive into crafting Windows shellcode, from assembly basics to execution techniques. Essential for exploit development and system understanding.

idafchev.github.io/exploit/201

#shellcode #windows

2024-12-21

[Translation] Creating a PowerShell Shellcode Downloader to Bypass Defender (Without Bypassing AMSI)

Today I will show how to modify a PowerShell shellcode runner so that it downloads and executes a payload while bypassing Windows Defender. I will use the shellcode runner I used earlier: github.com/dievus/PowerShellRu For the demonstration I use a Windows virtual machine with Defender temporarily disabled. I will copy the code and create a new file based on it using PowerShell ISE.

habr.com/ru/articles/868622/

#payload #shellcode #av #bypass #information_security #hacking

kriware @kriware@infosec.exchange
2024-11-23

From C to shellcode (simple way)

This post explains the journey of turning C code into shellcode, including techniques to create compact and executable shellcode suitable for exploitation.

print3m.github.io/blog/from-c-

#shellcode #c
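Both this post and the "Basics of Windows shellcode writing" post above end at the same place: you have a blob of bytes and need to know whether it runs. The following is an added example, not code from either linked article, of the small harness used at that step. It maps memory read-write, copies the bytes in, flips the mapping to read-execute (never writable and executable at once), calls it as a function and returns what it returned; it also counts 0x00 bytes, the first thing a string-copy delivery path would choke on. The two byte strings are constructed for this example and only return 42; one is the naive encoding, the other a null-free one.

```c
/* Added example: minimal shellcode test harness with a null-byte check.
 * The shellcode bytes below are constructed for this example and return 42. */
#define _DEFAULT_SOURCE
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>
#ifdef _WIN32
#include <windows.h>
#else
#include <sys/mman.h>
#include <unistd.h>
#endif

typedef long (*shellcode_fn)(void);

#if defined(__x86_64__) || defined(_M_X64)
/* mov eax, 42 ; ret -- the 32-bit immediate drags in three 0x00 bytes */
static const uint8_t SC_NAIVE[] = { 0xB8, 0x2A, 0x00, 0x00, 0x00, 0xC3 };
/* xor eax, eax ; mov al, 42 ; ret -- same result, no nulls, one byte shorter */
static const uint8_t SC_CLEAN[] = { 0x31, 0xC0, 0xB0, 0x2A, 0xC3 };
#elif defined(__aarch64__) || defined(_M_ARM64)
/* mov w0, #0 ; add w0, w0, #42 ; ret -- four 0x00 bytes */
static const uint8_t SC_NAIVE[] = { 0x00, 0x00, 0x80, 0x52, 0x00, 0xA8, 0x00, 0x11,
                                    0xC0, 0x03, 0x5F, 0xD6 };
/* mov w0, #42 ; ret -- null-free encoding of the same thing */
static const uint8_t SC_CLEAN[] = { 0x40, 0x05, 0x80, 0x52, 0xC0, 0x03, 0x5F, 0xD6 };
#else
#error "add shellcode bytes for this architecture"
#endif

/* A 0x00 byte terminates a C string: shellcode that reaches its target via
 * strcpy() or a similar sink is cut off at the first one. */
size_t count_null_bytes(const uint8_t *sc, size_t len) {
    size_t n = 0;
    for (size_t i = 0; i < len; i++)
        if (sc[i] == 0) n++;
    return n;
}

/* Copies len bytes into fresh memory, makes it executable (RW -> RX, never
 * RWX), runs it as a function returning long, and returns that value.
 * Returns -1 if memory could not be allocated or protected. */
long run_shellcode(const uint8_t *sc, size_t len) {
#ifdef _WIN32
    void *mem = VirtualAlloc(NULL, len, MEM_COMMIT | MEM_RESERVE, PAGE_READWRITE);
    if (mem == NULL) return -1;
    memcpy(mem, sc, len);
    DWORD old_protect;
    if (!VirtualProtect(mem, len, PAGE_EXECUTE_READ, &old_protect)) {
        VirtualFree(mem, 0, MEM_RELEASE);
        return -1;
    }
    FlushInstructionCache(GetCurrentProcess(), mem, len);
    long result = ((shellcode_fn)mem)();
    VirtualFree(mem, 0, MEM_RELEASE);
    return result;
#else
    size_t page = (size_t)sysconf(_SC_PAGESIZE);
    size_t size = (len + page - 1) / page * page;   /* mprotect() works on whole pages */
    void *mem = mmap(NULL, size, PROT_READ | PROT_WRITE,
                     MAP_PRIVATE | MAP_ANONYMOUS, -1, 0);
    if (mem == MAP_FAILED) return -1;
    memcpy(mem, sc, len);
    if (mprotect(mem, size, PROT_READ | PROT_EXEC) != 0) {
        munmap(mem, size);
        return -1;
    }
#if defined(__GNUC__)
    /* Required on arm64 after writing code; a no-op on x86. */
    __builtin___clear_cache((char *)mem, (char *)mem + size);
#endif
    long result = ((shellcode_fn)mem)();
    munmap(mem, size);
    return result;
#endif
}

int main(void) {
    printf("naive: returns %ld, %zu null byte(s) in %zu bytes\n",
           run_shellcode(SC_NAIVE, sizeof SC_NAIVE),
           count_null_bytes(SC_NAIVE, sizeof SC_NAIVE), sizeof SC_NAIVE);
    printf("clean: returns %ld, %zu null byte(s) in %zu bytes\n",
           run_shellcode(SC_CLEAN, sizeof SC_CLEAN),
           count_null_bytes(SC_CLEAN, sizeof SC_CLEAN), sizeof SC_CLEAN);
    return 0;
}
```

Replace the constructed arrays with the bytes extracted from your own object file and the harness tells you two things at once: whether the code runs to its `ret` in the current process, and whether it survives a path that stops at the first null. The RW-then-RX sequence matters because some EDR and hardening configurations flag or refuse a single RWX allocation.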

2024-11-02

Thread execution hijacking. Executing shellcode in a remote process

In this article we look at technique T1055.003. We will replace the thread context of a remote process and examine a way of delivering shellcode into that process by remote mapping. On Windows it is possible to obtain a thread's context and then control the register values. This makes it possible to redirect execution, for example by modifying the rip register. That is what we will use.

habr.com/ru/articles/855710/

#hijacking #shellcode #mapping #thread

Ricardo Alves @opqam
2024-10-20

Ready to navigate the treacherous waters of buffer overflows?

Check my latest blog post: "Wherein We Study A Buffer Overflow And Ready Our Aim: testing the waters"

We'll now be ready to actually exploit the return address and use it for our own means.

Consider this the first step before shellcoding galore.

🦶 Dip your toe here: dreaming-of-dragons.blogspot.c

Ricardo Alves @opqam
2024-10-17

Ready for the troubled waters of shellcode? I'm not. Not just yet, at least. But I'm by the shore and telling you about it in my latest blog post: "Wherein We Wade Through A Shellcode Shore: before the dive"

Spoiler alert: shellcode remains relevant (and fun).

👉 Check out: dreaming-of-dragons.blogspot.c

cryptax @cryptax
2024-10-08

See Sharem in action, emulating a Windows shellcode: youtube.com/watch?v=S1PI9O-q6eM

I don't think it supports Linux shellcodes, does it? Also, I wonder what disassembler it uses.

NB. AI for Sharem was presented @VirusBulletin

Revista Occam's Razor @RevistaOccamsRazor@masto.es
2024-08-07

In issue #ROOR07 we start a new section called #AprendeHacking ("learn hacking by writing your own tools"). In this first article we write a tool to dump shellcodes.

#Hacking #Shellcode #Capstone #disassembler #programming #C

ibolcode.net/roor/2024-08-volc
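The ROOR07 tool disassembles with Capstone; the other half of any such tool is turning the raw bytes into the text forms people actually paste around and back again. The following is an added example, not the magazine's code: it emits a byte buffer as a C string literal and as a NASM `db` line, and parses the C form back into bytes so a pasted blob can be re-checked before use. The sample bytes are constructed for this example (x86-64 `xor eax, eax; mov al, 42; ret`).

```c
/* Added example: the dump/format half of a shellcode dumping tool.
 * SAMPLE is constructed for this example (xor eax,eax ; mov al,42 ; ret). */
#include <ctype.h>
#include <stdint.h>
#include <stdio.h>
#include <stdlib.h>
#include <string.h>

static const uint8_t SAMPLE[] = { 0x31, 0xC0, 0xB0, 0x2A, 0xC3 };

/* Writes "\x31\xc0..." (quotes included) into out. Returns the length
 * written, 2 + 4 per byte, or 0 if out cannot hold it plus the NUL. */
size_t dump_c_literal(const uint8_t *sc, size_t len, char *out, size_t outsz) {
    size_t need = 2 + 4 * len;
    if (outsz < need + 1) { if (outsz) out[0] = '\0'; return 0; }
    char *p = out;
    *p++ = '"';
    for (size_t i = 0; i < len; i++)
        p += sprintf(p, "\\x%02x", sc[i]);
    *p++ = '"';
    *p = '\0';
    return need;
}

/* Writes "db 0x31,0xc0,..." into out. Returns the length written,
 * 2 + 5 per byte, or 0 if out is too small. */
size_t dump_nasm_db(const uint8_t *sc, size_t len, char *out, size_t outsz) {
    size_t need = 2 + 5 * len;
    if (outsz < need + 1) { if (outsz) out[0] = '\0'; return 0; }
    char *p = out;
    p += sprintf(p, "db");
    for (size_t i = 0; i < len; i++)
        p += sprintf(p, "%c0x%02x", i ? ',' : ' ', sc[i]);
    *p = '\0';
    return need;
}

/* Parses a C-style literal back into bytes. Quotes and whitespace are
 * skipped; anything other than a complete \xNN escape is rejected.
 * Returns the byte count, or 0 on malformed input or if out is too small. */
size_t parse_c_literal(const char *lit, uint8_t *out, size_t outsz) {
    size_t n = 0;
    for (const char *p = lit; *p != '\0'; ) {
        if (*p == '"' || isspace((unsigned char)*p)) { p++; continue; }
        if (p[0] != '\\' || p[1] != 'x' ||
            !isxdigit((unsigned char)p[2]) || !isxdigit((unsigned char)p[3]))
            return 0;                       /* truncated or non-\x escape */
        if (n >= outsz) return 0;           /* caller's buffer is full */
        char hex[3] = { p[2], p[3], '\0' };
        out[n++] = (uint8_t)strtoul(hex, NULL, 16);
        p += 4;
    }
    return n;
}

int main(void) {
    char text[128];
    uint8_t back[16];
    dump_nasm_db(SAMPLE, sizeof SAMPLE, text, sizeof text);
    printf("%s\n", text);
    dump_c_literal(SAMPLE, sizeof SAMPLE, text, sizeof text);
    printf("%s\n", text);
    size_t n = parse_c_literal(text, back, sizeof back);
    printf("round trip: %zu bytes, %s\n", n,
           (n == sizeof SAMPLE && memcmp(back, SAMPLE, n) == 0) ? "match" : "MISMATCH");
    return 0;
}
```

The parser is strict on purpose: a blob copied out of a blog post or a chat often loses a character, and a silently shortened shellcode is far harder to debug than a rejected one.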

Revista Occam's Razor @RevistaOccamsRazor@masto.es
2024-08-05

Some improvements to the output... This week we'll tell you all the details

#disassembler #shellcode #x86
#assembler #hacking #Assembler #reverse

Anonymous 🐈️🐾☕🍵🏴🇵🇸 @youranonriots@kolektiva.social
2024-07-29
