Qualys TRU Uncovers Fileless PowerShell Loader Delivering Remcos RAT


The Qualys Threat Research Unit (TRU) recently uncovered a sophisticated new malware campaign that exemplifies the growing threat of fileless attacks. The culprit is a novel PowerShell-based shellcode loader, informally known as “K-Loader,” that delivers the Remcos remote access trojan (RAT) without writing traditional executables to disk.

This stealthy approach leans on living-off-the-land techniques and native Windows tools to help threat actors evade detection. As fileless malware grows more advanced, traditional security defenses often struggle to keep pace, making proactive detection and real-time endpoint monitoring more critical than ever.

“PowerShell continues to play a role in these types of campaigns,” said Xiaopeng Zhang, IPS Analyst and Security Researcher with Fortinet’s FortiGuard Labs. “However, the latest variant adopts a fileless approach, using PowerShell to parse and execute Remcos directly in memory via the CallWindowProc() API. This marks a shift from previous methods, where Remcos was downloaded as a file before execution.”

Infection Chain Breakdown

The attack begins with the delivery of a malicious ZIP archive, which contains a shortcut (LNK) file disguised as a legitimate tax document. This social engineering tactic is designed to lure victims into executing the file, triggering the next phase of the attack. Once clicked, the LNK file uses mshta.exe – a legitimate Windows utility used to execute Microsoft HTML Application (HTA) files – to launch a heavily obfuscated VBScript. This script, in turn, calls PowerShell commands that initiate the shellcode loader.

The use of mshta.exe and native scripting languages allows the attackers to bypass many traditional antivirus solutions, which tend to rely on detecting known binaries or behaviors on disk. The shellcode is decoded and executed directly in memory, the telltale sign of fileless malware that leaves few forensic traces.

Once active, the loader deposits its payload into the publicly accessible directory C:\Users\Public\, using PowerShell execution-policy bypass techniques to run without restrictions. It also modifies the Windows Registry to establish persistence, ensuring that the malware reloads with each system reboot. This seamless and stealthy chain of execution reflects a growing preference among threat actors for evasive, in-memory attack techniques that are difficult to detect and analyze.
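The chain described above (LNK, then mshta.exe, then PowerShell with a policy bypass, a payload staged under C:\Users\Public, and a Run-key entry for persistence) leaves a recognisable trail in process, file and registry telemetry. The Python below is an added detection example written for this article; it is not Qualys's code and not one of its hunting queries. It assumes Sysmon-style event fields (EventID 1, 11 and 13 with Image, ParentImage, CommandLine, TargetFilename, TargetObject and Details); every event in the sample is constructed for the example, including the user SID and file names.

```python
import ntpath
import re
from collections import Counter
from dataclasses import dataclass

# Process images that mshta.exe has no routine reason to spawn in most environments.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "cmd.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
PUBLIC_DIR = "c:\\users\\public\\"
STAGED_EXT = {".ps1", ".vbs", ".hta", ".js", ".exe", ".dll"}
# -ExecutionPolicy Bypass (including the -ep / -ex... prefixes PowerShell accepts) or an -EncodedCommand blob.
POLICY_BYPASS = re.compile(r"-(?:ep|ex\w*)\s+bypass|-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.I)


@dataclass(frozen=True)
class Alert:
    event_index: int
    rule: str
    technique: str  # ATT&CK ID, following the mapping given in the write-up


def _name(path):
    """Lower-cased file name of a Windows path (handles None for missing fields)."""
    return ntpath.basename(path or "").lower()


def triage(events):
    """Run four behavioural rules over Sysmon-style events and return every hit."""
    alerts = []
    for i, ev in enumerate(events):
        eid, image, parent = ev.get("EventID"), _name(ev.get("Image")), _name(ev.get("ParentImage"))
        if eid == 1:  # process creation
            if parent == "mshta.exe" and image in SCRIPT_HOSTS:
                alerts.append(Alert(i, "mshta.exe spawned a script host", "T1059"))
            if image in POWERSHELL and POLICY_BYPASS.search(ev.get("CommandLine", "")):
                alerts.append(Alert(i, "PowerShell launched with execution-policy bypass or encoded command", "T1059.001"))
        elif eid == 11:  # file created
            target = ev.get("TargetFilename", "")
            if target.lower().startswith(PUBLIC_DIR) and ntpath.splitext(target)[1].lower() in STAGED_EXT:
                alerts.append(Alert(i, "script or binary staged under C:\\Users\\Public", "T1059"))
        elif eid == 13:  # registry value set
            details = ev.get("Details", "").lower()
            hosts_named = any(h[:-4] in details for h in SCRIPT_HOSTS)  # "powershell", "wscript", ...
            if RUN_KEY.search(ev.get("TargetObject", "")) and (PUBLIC_DIR in details or hosts_named):
                alerts.append(Alert(i, "Run-key persistence pointing at a script host or C:\\Users\\Public", "T1547.001"))
    return alerts


def summarize(alerts):
    """Count alerts per ATT&CK technique."""
    return dict(Counter(a.technique for a in alerts))


# Constructed sample telemetry (not events captured from the real campaign).
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\alice\Downloads\tax_form.hta'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -NoP -W Hidden -ExecutionPolicy Bypass -File C:\Users\Public\24.ps1"},
    {"EventID": 11, "Image": r"C:\Windows\System32\mshta.exe", "TargetFilename": r"C:\Users\Public\24.ps1"},
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "Details": r"powershell -ep bypass -File C:\Users\Public\24.ps1"},
    # Benign admin script: same interpreter, no bypass, no mshta parent, not under Public.
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]

if __name__ == "__main__":
    for a in triage(SAMPLE_EVENTS):
        print(f"event {a.event_index}: {a.technique} {a.rule}")
```

Each rule on its own is noisy in real estates (admins do run `-ExecutionPolicy Bypass`); the value is in the same host producing hits across the chain within a short window, which is why the sample keeps event indices so a correlation layer can group them.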

“One under-appreciated angle to this story is the compliance irony,” said Jason Soroko, Senior Fellow at Sectigo, a leading provider of comprehensive certificate lifecycle management (CLM). “Tax season forces enterprises to relax their tightest content-filtering rules so employees can exchange government templates, PDF forms, and yes, LNK shortcuts that many payroll systems still ship by default. The very policies intended to keep auditors happy can now become the opening gambit for a fileless breach.”

Inside the Loader: K-Loader’s Stealthy Architecture

At the core of the attack lies a PowerShell script named 24.ps1, which serves as the primary component of the shellcode loader. The script is heavily obfuscated using base64 encoding, making it difficult for traditional security tools to analyze. Once decoded, the script uses Windows-native functions and Win32 API calls to execute its payload covertly.

More specifically, K-Loader uses a combination of VirtualAlloc, Marshal.Copy, and CallWindowProcW to decrypt and execute the shellcode directly in memory. This approach avoids writing executable files to disk, helping reduce the chance of detection and enabling the malware to operate under the radar. The use of direct Win32 API calls also helps bypass behavior-based defenses that monitor standard PowerShell activity, making K-Loader an advanced and stealthy tool for delivering malware like Remcos RAT.

Remcos RAT v6.0.0 Pro: Capabilities and Threats

The final payload delivered by K-Loader is a professional-grade variant of Remcos RAT, identified as version 6.0.0 Pro. Compiled as a Visual Studio C++ binary with a GUI subsystem, the malware uses modular threads to manage its wide range of capabilities efficiently. It establishes secure communication with its command-and-control (C2) server using TLS encryption and registers a unique mutex (Rmc-7SY4AX) to avoid multiple instances running simultaneously.

Once active, Remcos grants attackers full control over the infected system. Its command set includes keylogging, clipboard monitoring, registry edits, and remote shell access. Surveillance features extend to webcam and microphone activation, idle tracking, and triggering sound-based alerts. It also incorporates anti-analysis techniques such as code obfuscation and sandbox evasion. Remcos can also harvest credentials from web browsers, giving threat actors access to sensitive accounts and systems.

This combination of stealth, persistence, and control makes it a formidable tool for cyber espionage and data theft.

Detection and Mitigation Strategies

Qualys Endpoint Detection and Response (EDR) and Endpoint Protection Platform (EPP) solutions are equipped to detect both K-Loader and the Remcos RAT through behavioral analysis and in-memory monitoring. These tools identify suspicious use of PowerShell, registry modifications, and process hollowing – all key indicators of this fileless attack. In particular, Qualys detects anomalies tied to mshta.exe invoking obfuscated scripts and unauthorized memory allocation patterns commonly associated with shellcode execution.

To support proactive defense, Qualys provides advanced hunting queries that help analysts surface related tactics, techniques, and procedures (TTPs) across enterprise environments. These queries can flag indicators such as abnormal script executions, base64-encoded commands, and unusual mutex creation.

The campaign maps to several MITRE ATT&CK techniques, including T1059 (Command and Scripting Interpreter), T1027 (Obfuscated Files or Information), T1055 (Process Injection), and T1547 (Boot or Logon Autostart Execution). Recognizing these patterns is critical for early detection, containment, and mitigation of similar threats in evolving threat landscapes.
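K-Loader's decode-then-execute sequence (a base64-obfuscated 24.ps1 that reaches VirtualAlloc, Marshal.Copy and CallWindowProcW) and the hunting indicators listed above (base64-encoded commands, the Rmc-7SY4AX mutex) can be checked directly against PowerShell script-block text such as Event ID 4104 logs. The Python below is an added example for this article, not Qualys's code and not the loader's: it unwraps nested base64 layers, applies the UTF-16LE decoding that -EncodedCommand payloads use, looks for the three API names, and tags findings with the ATT&CK IDs the write-up cites. The sample inputs are constructed and deliberately non-functional (the decoded text carries `<args>` placeholders), so they exercise the detector without being a working loader.

```python
import base64
import binascii
import re

# API calls the write-up ties to K-Loader's in-memory execution, as they appear in PowerShell source.
API_PATTERNS = {
    "VirtualAlloc": re.compile(r"\bVirtualAlloc\b"),
    "Marshal.Copy": re.compile(r"Marshal\]?(?:::|\.)Copy\b"),
    "CallWindowProcW": re.compile(r"\bCallWindowProc[AW]?\b"),
}
REMCOS_MUTEXES = {"Rmc-7SY4AX"}                       # mutex named in the write-up
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")    # only long base64-looking runs


def _decode_blob(blob):
    """Decode one base64 run; return text only if it decodes to printable script."""
    try:
        raw = base64.b64decode(blob, validate=True)
    except (binascii.Error, ValueError):
        return None
    # -EncodedCommand payloads are UTF-16LE: for ASCII text every odd byte is 0x00.
    utf16 = len(raw) % 2 == 0 and raw[1::2].count(0) > len(raw) // 4
    try:
        text = raw.decode("utf-16-le" if utf16 else "utf-8")
    except UnicodeDecodeError:
        return None
    return text if all(c.isprintable() or c in "\r\n\t" for c in text) else None


def unwrap_layers(script, max_depth=5):
    """Return [original, layer 1, layer 2, ...] until no base64 run decodes to text."""
    layers = [script]
    for _ in range(max_depth):
        decoded = [t for t in map(_decode_blob, B64_RUN.findall(layers[-1])) if t]
        if not decoded:
            break
        layers.append("\n".join(decoded))
    return layers


def analyze(text):
    """Score one script block (or any text, e.g. a strings dump) against the K-Loader indicators."""
    layers = unwrap_layers(text)
    joined = "\n".join(layers)
    apis = [name for name, pat in API_PATTERNS.items() if pat.search(joined)]
    techniques = []
    if len(layers) > 1:
        techniques.append("T1027")   # obfuscated files or information
    if len(apis) == len(API_PATTERNS):
        techniques.append("T1055")   # the write-up's mapping for the in-memory execution step
    return {"layers": len(layers), "apis": apis, "techniques": techniques,
            "remcos_mutex": sorted(m for m in REMCOS_MUTEXES if m in joined)}


# Constructed samples. INNER is a placeholder skeleton, not runnable code.
INNER = ("$p=[W]::VirtualAlloc(<args>);"
         "[Runtime.InteropServices.Marshal]::Copy(<args>);"
         "[W]::CallWindowProcW(<args>)")
ENCODED = base64.b64encode(INNER.encode("utf-16-le")).decode("ascii")
MIDDLE = f'iex ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String("{ENCODED}")))'
OUTER = base64.b64encode(MIDDLE.encode("utf-8")).decode("ascii")
SAMPLE_LOADER = f'$s=[Convert]::FromBase64String("{OUTER}");iex ([Text.Encoding]::UTF8.GetString($s))'
SAMPLE_BENIGN = "Get-Process | Sort-Object CPU -Descending | Select-Object -First 10"
SAMPLE_STRINGS = "Rmc-7SY4AX\nkernel32.dll\n"       # constructed strings dump from a memory scan

if __name__ == "__main__":
    for label, sample in (("loader", SAMPLE_LOADER), ("benign", SAMPLE_BENIGN), ("strings", SAMPLE_STRINGS)):
        print(label, analyze(sample))
```

The layer unwrapping is what makes the rule survive the obfuscation: a plain substring match for `CallWindowProcW` on the outer script block sees nothing, while the decoded layers expose all three API names together.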

Implications for Security Teams: Evolving Threats Require Evolving Defenses

The discovery of K-Loader and its use in delivering Remcos RAT highlights a growing shift in attacker strategies – away from traditional malware that writes to disk and toward highly evasive, fileless techniques. By abusing trusted Windows utilities like mshta.exe and embedding malicious code in PowerShell scripts, attackers can slip past many signature- and rule-based detection systems.

Security teams must focus on behavior-based detection, memory analysis, and proactive threat hunting. EDR tools that monitor process injection, script execution, and anomalous API calls can help surface these stealthy attacks. Additionally, restricting or monitoring the use of scripting engines and tools like mshta.exe within enterprise environments can reduce the attack surface.

As fileless malware continues to evolve, so must the defenses designed to stop it before damage is done. “The rise of PowerShell-based attacks like the new Remcos RAT variant demonstrates how threat actors are evolving to evade traditional security measures,” said J Stephen Kowski, Field CTO at SlashNext. “Organizations need multi-layered protection that combines email security, endpoint monitoring, and behavioral analysis to effectively combat these sophisticated memory-resident threats.”

Author
  • Contributing Writer
    Jason Rasmuson is a Massachusetts-based writer with more than 25 years of experience writing for the technology and cybersecurity industries. He is passionate about writing about the interaction between business…