Researchers find Remcos malware remains highly active into 2025 with attackers adapting their techniques to bypass protections.

Cybersecurity experts at Forcepoint’s X-Labs are raising alarms about the ongoing and evolving threat posed by Remcos malware. Their research highlights that Remcos remains highly active through 2024 and into 2025, with attackers continually adapting their techniques to bypass security measures and maintain a stealthy presence on infected computers.

Remcos is typically delivered via sophisticated phishing campaigns, where attackers use compromised email accounts from small businesses or schools to send out deceptive emails. These emails often contain malicious Windows shortcut (.LNK) files hidden inside compressed archive attachments, which makes them appear more legitimate and less likely to be flagged as suspicious. Once a user opens the malicious file, Remcos installs itself quietly, creating hidden folders on the victim’s computer.

A notable tactic used by Remcos is the use of path-parsing bypass techniques, such as prefixing paths with special NT Object Manager syntax (e.g., the \\?\ prefix), which allows the malware to mimic legitimate system directories and further evade detection. This advanced evasion helps the malware establish long-term access to systems, enabling attackers to steal credentials and maintain persistent control.
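The following is an added detection example, not code from the original report or from Forcepoint X-Labs. It rests on a documented Windows behaviour: a path beginning with the \\?\ prefix (or its NT namespace form \??\) is passed to the kernel without the usual Win32 normalization, so directory names that normal file APIs would reject or silently trim, such as names ending in a space or a dot, can be created and later look like a real system directory in listings and logs. The code strips the prefix, re-applies the normalization that was skipped, and flags paths whose components only survive because it was bypassed; the system-directory list, the log format and the sample events are constructed for the example.

```python
import re
from typing import List, Optional, Tuple

# Prefixes that make Windows skip Win32 path normalization.
# "\\?\" is the Win32 extended-length prefix; "\??\" is its NT object-namespace form.
BYPASS_PREFIXES = ("\\\\?\\", "\\??\\")

# Directories a lookalike path might imitate (assumed list for this example).
SYSTEM_DIRS = {
    r"c:\windows",
    r"c:\windows\system32",
    r"c:\program files",
}


def strip_bypass_prefix(path: str) -> Tuple[str, bool]:
    """Return the path without a bypass prefix and whether one was present."""
    for prefix in BYPASS_PREFIXES:
        if path.startswith(prefix):
            return path[len(prefix):], True
    return path, False


def suspicious_components(path: str) -> List[str]:
    """Path components that exist only because normalization was bypassed:
    names with trailing spaces or dots, which Win32 would otherwise strip."""
    return [
        c for c in path.split("\\")
        if c and c not in (".", "..") and c != c.rstrip(" .")
    ]


def assess_path(path: str) -> Optional[str]:
    """Return a reason string if the path looks like a spoofed system directory,
    otherwise None. A prefixed but otherwise clean path is treated as benign
    long-path usage, which legitimate software also relies on."""
    inner, had_prefix = strip_bypass_prefix(path)
    bad = suspicious_components(inner)
    if not bad:
        return None
    # Reconstruct what the path would be once the skipped normalization is applied.
    normalized = "\\".join(c.rstrip(" .") for c in inner.split("\\")).lower().rstrip("\\")
    mimics = any(normalized == d or normalized.startswith(d + "\\") for d in SYSTEM_DIRS)
    if had_prefix and mimics:
        return f"bypass prefix with non-normalized component(s) {bad!r} imitating a system directory"
    if mimics:
        return f"non-normalized component(s) {bad!r} imitating a system directory"
    return f"non-normalized component(s) {bad!r}"


# Constructed sample process-creation records, not real telemetry.
SAMPLE_EVENTS = [
    r"pid=4120 image=C:\Windows\System32\svchost.exe",
    r"pid=5588 image=\\?\C:\Windows \System32\update.exe",
    r"pid=6012 image=\\?\C:\Users\alice\very\long\project\path\tool.exe",
    r"pid=6100 image=C:\Users\alice\AppData\Roaming\cache.\run.exe",
]

IMAGE_RE = re.compile(r"image=(\S.*)$")


def scan_events(events: List[str]) -> List[Tuple[str, str]]:
    """Run assess_path over the image path of each event; return (event, reason) hits."""
    findings = []
    for line in events:
        m = IMAGE_RE.search(line)
        if not m:
            continue
        reason = assess_path(m.group(1))
        if reason:
            findings.append((line, reason))
    return findings


if __name__ == "__main__":
    for event, reason in scan_events(SAMPLE_EVENTS):
        print(f"{reason}: {event}")
```

Running the block flags the event whose image sits under "C:\Windows " (trailing space) behind the \\?\ prefix and the one with a trailing-dot directory, while the plain system path and the legitimate long-path use pass. The same check can be applied to file-creation or persistence-related paths from endpoint telemetry; the prefix alone is not a signal, but a prefix combined with a component that normal Win32 rules would not allow is worth an alert.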

Forcepoint’s X-Labs emphasizes the need for heightened vigilance and robust detection mechanisms to counter these increasingly sophisticated and stealthy attacks. Their warnings are part of a broader trend observed by multiple cybersecurity firms, as Remcos continues to be a top threat due to its adaptability, persistence, and ability to blend in with normal system activity.