Remcos, a commercial remote access tool marketed as legitimate surveillance software, has become the leading infostealer in malware campaigns during the third quarter of 2025, accounting for approximately 11 percent of detected cases.

In a notable shift from traditional deployment methods, threat actors are now weaponizing this remote control and surveillance platform through sophisticated fileless attack chains that successfully evade endpoint detection and response systems.

The malware’s primary motivation centers on credential theft through opportunistic targeted attacks, with particular focus on the financial sector, though recent evidence suggests attackers have compromised legitimate websites to host additional malicious payloads supporting the broader operation.

The attack begins deceptively with users receiving emails containing seemingly innocent business attachments. A file named “EFEMMAK TURKEY INQUIRY ORDER NR 09162025.gz” initiates the infection chain.

Once extracted, this archive deploys a batch file into the Windows temporary directory, which subsequently executes a heavily obfuscated PowerShell script employing custom string de-obfuscation functions named “Lotusblo” and “Garrots.”

CyberProof analysts identified the PowerShell script initiating hidden processes while configuring web requests to use TLS 1.2 and custom User-Agent strings for legitimate-appearing network traffic.

The script constructs a target file path at C:\Users\\AppData\Roaming\Hereni.Gen and enters a continuous download loop, attempting to retrieve files from a malicious C2 domain every four seconds.

Upon successful download, the script Base64 decodes and GZip decompresses the retrieved payload before executing it through Invoke-Expression, enabling dynamic command execution while leaving no traces on disk.

Process Injection and Detection Evasion

The sophisticated technique deployed by attackers involves leveraging msiexec.exe, a legitimate Windows installer executable, to perform process injection into RmClient.exe, a Microsoft-distributed file.

This fileless approach proves effective against traditional EDR solutions because RmClient.exe carries legitimate digital signatures, causing many detection systems to overlook the injected Remcos payload.

Once injected, the malware immediately begins accessing browser credential stores, targeting key4.db, logins.json, and Login Data files containing saved passwords and sensitive authentication information.

Network communications from the compromised RmClient.exe process directed to command-and-control servers at ablelifepurelife.ydns.eu and icebergtbilisi.ge on non-standard ports like 57864 and 50807 reveal the attacker’s infrastructure.

The malware demonstrates persistence through multiple RmClient.exe instances spawning with random parameters stored in the temporary directory, multiplying detection complexity and enabling the threat actor to maintain long-term access for subsequent, more destructive operations.

Organizations must enhance detection capabilities to identify process injection patterns and monitor unusual credential access activities, particularly when involving legitimate system binaries.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post New Fileless Remcos Attacks Bypassing EDRs Malicious Code into RMClient appeared first on Cyber Security News.

Cybersecurity researchers have identified a sophisticated campaign where threat actors are leveraging compromised credentials to infiltrate Azure Blob Storage containers, targeting organizations’ critical code repositories and sensitive data.

This emerging threat exploits misconfigured storage access controls to establish persistence and exfiltrate valuable intellectual property.

The attack vector represents a significant shift in how threat actors are approaching cloud infrastructure, moving beyond traditional endpoint-focused attacks toward enterprise storage systems.

The campaign has been linked to multiple threat groups operating across different sectors, including finance, technology, and critical infrastructure.

Microsoft analysts noted that the attacks typically begin with credential harvesting through phishing campaigns and malware-based information stealers.

Once initial access is established, operators conduct reconnaissance to identify accessible Azure Blob Storage instances with weak or default access policies.

The threat actors then systematically enumerate containers to locate valuable repositories, configuration files, and backup data.

Microsoft researchers identified a critical component of this operation involving SharkStealer, a Golang-based infostealer that employs an advanced communication technique called EtherHiding to evade traditional detection mechanisms.

This malware family utilizes the BNB Smart Chain Testnet as a command-and-control dead-drop, retrieving encrypted command instructions through smart contract calls rather than direct domain-based communications.

Technical Analysis of EtherHiding Pattern in Azure Attacks

The sophistication of these operations lies in how threat actors combine traditional credential theft with blockchain-based obfuscation techniques. SharkStealer initiates contact with BNB Smart Chain nodes using Ethereum JSON-RPC calls targeting specific smart contracts.

The malware executes eth_call requests to predetermined contract addresses, receiving tuples containing an initialization vector and encrypted payload.

Using a hardcoded AES-CFB encryption key embedded within the binary, the malware decrypts the returned data to extract current C2 server coordinates.

This methodology creates significant detection challenges because network traffic analysis reveals only legitimate blockchain node communications, making it extremely difficult to distinguish malicious activity from benign cryptocurrency wallet interactions.

The use of public blockchain infrastructure as a dead-drop mechanism provides threat actors with remarkable resilience against traditional takedown operations and domain blocking strategies.

In observed campaigns, once SharkStealer compromises a system, it harvests Azure credentials stored in browser caches, configuration files, and credential managers.

These stolen credentials grant direct access to Azure Blob Storage containers without triggering standard access controls.

Threat actors then establish secondary connections to Azure Storage, downloading entire repositories containing source code, API keys, and sensitive configuration data.

The combination of EtherHiding-based command infrastructure with Azure Storage access creates a particularly dangerous threat profile that organizations must actively defend against through credential rotation, access reviews, and monitoring for anomalous blockchain-based communications originating from internal networks.

Organizations should implement strict Azure Storage authentication policies, enforce multi-factor authentication on administrative accounts, and deploy behavioral monitoring to detect unusual API access patterns.

Follow us on Google News, LinkedIn, and X to Get More Instant Updates, Set CSN as a Preferred Source in Google.

The post Threat Actors Attacking Azure Blob Storage to Compromise Organizational Repositories appeared first on Cyber Security News.