New Stealthy Remcos Malware Campaigns Target Businesses and Schools

Forcepoint’s X-Labs reveals Remcos malware being delivered through deceptive phishing emails sent from compromised accounts, and using evasion techniques such as path-parsing bypass to infiltrate systems, steal credentials, and maintain long-term control. Learn how to spot the signs.
Cybersecurity experts at Forcepoint’s X-Labs are warning about the continued activity of Remcos malware, a sophisticated threat that consistently adapts to bypass security measures and maintain a hidden presence on infected computers. This malware, often delivered through convincing phishing attacks, allows attackers to establish long-term access.
Campaigns observed between 2024 and 2025 show that Remcos remains highly active and keeps adapting to stay hidden, the researchers noted in a blog post shared with Hackread.com.
The initial infection typically begins with a deceptive email originating from compromised accounts of small businesses or schools. These are legitimate accounts that have been hacked, making the emails appear trustworthy and less likely to be flagged as suspicious.
These emails carry malicious Windows shortcut (.LNK) files, disguised and hidden inside compressed archive attachments. Once a user falls for the trick and opens the malicious file, Remcos quietly installs itself, creating hidden folders on the victim’s computer.
What makes these folders particularly tricky is that they are “spoofed Windows directories by exploiting path-parsing bypass techniques like prefixing paths with \\?\.” This technique, which uses a special NT Object Manager path prefix, allows the malware to mimic legitimate system directories such as C:\Windows\SysWOW64, making it very difficult for security tools to spot.
After initial installation, Remcos establishes persistence so it can remain on the system for a long time without being detected. It does this by creating scheduled tasks and other stealthy mechanisms that keep a backdoor open for the attackers. The malware also tries to weaken Windows’ User Account Control (UAC) by changing a registry setting, allowing it to run with higher privileges without the usual secure prompts.
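The three artefacts described above (spoofed system directories, persistence via scheduled tasks, and a weakened UAC policy) can be hunted for on a Windows host with the following PowerShell script, an added example that is not part of the Forcepoint report or this article. It assumes the spoofed folder names are non-normalised (ending in a space or dot, which is what the \\?\ prefix makes possible); the cmdlets and registry values used are standard Windows ones.

```powershell
# Added hunting script, not from the Forcepoint report: finds directories that
# impersonate Windows system folders, scheduled tasks launching unusual file
# types, and UAC policy values turned off. Assumption: a spoofed folder name ends
# in a space or dot that normal Win32 path handling strips, hence needs \\?\.

function Find-SpoofedSystemDirs {
    param([string]$Root = 'C:\')
    # Enumeration returns names exactly as stored on disk, so a trailing space
    # or dot is visible here even though opening the path normally strips it.
    Get-ChildItem -LiteralPath $Root -Directory -Force | ForEach-Object {
        $name    = $_.Name
        $trimmed = $name.TrimEnd(' ', '.')
        if ($name -ne $trimmed) {
            $reason = 'non-normalised directory name'
            if ($trimmed -in 'Windows', 'Program Files', 'Program Files (x86)', 'Users', 'ProgramData') {
                $reason = "non-normalised name impersonating '$trimmed'"
            }
            [pscustomobject]@{ Path = $_.FullName; Reason = $reason }
        }
    }
}

function Find-SuspiciousTasks {
    # Flag tasks whose action runs a .pif/.bat/.url, uses the \\?\ prefix, or
    # has a path component ending in a space (e.g. "C:\Windows \SysWOW64").
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
            if ($cmd -match '\.(pif|bat|url)\b' -or $cmd -match '\\\\\?\\' -or $cmd -match '\s\\') {
                [pscustomobject]@{ Task = "$($task.TaskPath)$($task.TaskName)"; Command = $cmd }
            }
        }
    }
}

function Get-UacPolicyState {
    # These values govern the UAC consent prompt; 0 in any of them weakens it.
    $p = Get-ItemProperty -Path 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System'
    [pscustomobject]@{
        EnableLUA                  = $p.EnableLUA
        ConsentPromptBehaviorAdmin = $p.ConsentPromptBehaviorAdmin
        PromptOnSecureDesktop      = $p.PromptOnSecureDesktop
        Weakened = ($p.EnableLUA -eq 0) -or ($p.ConsentPromptBehaviorAdmin -eq 0) -or ($p.PromptOnSecureDesktop -eq 0)
    }
}

Find-SpoofedSystemDirs | Format-Table -AutoSize
Find-SuspiciousTasks   | Format-Table -AutoSize
Get-UacPolicyState
```

Run it from an elevated prompt so that all scheduled tasks and the HKLM policy key are readable; a flagged directory must be opened with the \\?\ prefix (for example via cmd's `dir "\\?\C:\Windows \"`) to inspect its contents.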
The malicious LNK files themselves contain hidden PowerShell code, which downloads a .dat file containing an executable program in Base64 format – a method of encoding data to make it look like regular text, often used by malware to bypass detection.
This file then decodes into an executable program, typically disguised with a PDF icon but using a .pif extension, an unusual and rarely used shortcut file type. This executable then creates copies of itself, a .URL shortcut file, and four heavily obfuscated batch files padded with special symbols and meaningless foreign-language text, all designed to bypass antivirus detection.
Once fully operational, Remcos gives attackers complete control, enabling them to steal passwords, capture screenshots, copy files, and monitor user activity, including checking internet connection, system language, and country codes to refine their targeting.
Organizations and individuals are urged to be alert, looking out for unusual shortcuts, strange file paths, and changes in folder names, as these can be indicators of a Remcos infection.
HackRead