
From a VHDX File to a Remcos RAT, (Tue, Jun 16th)

Jeff Davies, 16 Jun 2026

1. Executive summary

A multi-stage malware campaign delivers the Remcos remote access trojan (RAT) to Windows endpoints via a malicious ZIP archive containing a VHDX virtual hard disk image. The lure filename ("Partnerschaft_fur_neue_Angebotsanfrage.js" — "Partnership for new quotation request") and German-language theme indicate targeting of German-speaking business users, most likely as a business-email-compromise / quotation-fraud pretext. The chain uses WMI-launched PowerShell, a reflective .NET loader, and process injection into backgroundTaskHost.exe to evade EDR parent/child process telemetry. For EMEA financial services, the bottom-line risk is full endpoint compromise with persistent access: the loader establishes a Run-key foothold and the Remcos implant provides credential theft, keylogging, screen capture and remote command execution against any user that opens the attachment.

2. Regulatory framing

Article: DORA Art. 24 — digital operational resilience testing — general requirements
Trigger (fact in this item): The chain uses WMI-spawned PowerShell and reflective .NET loading, both of which evade conventional parent/child detection and require explicit testing of EDR coverage and behavioural analytics.
Practical impact: Validate that tabletop and technical resilience tests include VHDX-mounted-script execution, WMI-launched PowerShell, and reflective .NET assembly loading scenarios.

Article: DORA Art. 28 — ICT third-party risk — general principles
Trigger (fact in this item): Initial access is email-borne; email routing, sandboxing and attachment-handling are typically delivered by third-party providers.
Practical impact: Confirm contractual right-to-audit and incident-notification clauses with email security providers covering this delivery vector.

Article: NIS2 Art. 21(2)(d) — supply chain security measures
Trigger (fact in this item): The attack is delivered through the email supply chain (ZIP → VHDX → script) and uses a third-party hosting provider (cembusconfort[.]ro) for staging.
Practical impact: Ensure supply-chain risk assessments cover email-borne VHDX attachments and that staging infrastructure is monitored/blocked.

Article: UK NIS 2018 — OES/RDSP duties
Trigger (fact in this item): OES/RDSP endpoints receiving the same email-borne lure would be in scope of incident-handling duties.
Practical impact: Ensure OES/RDSP incident playbooks cover VHDX-mounted-script execution and the IOCs listed in §5.

No specific DORA/NIS2 article is directly engaged by an active incident in this item; the framing above is for preparedness and supply-chain assurance.

3. Technical analysis & attack chain

The full infection path observed by the reporter is:

Email → ZIP → VHDX → JavaScript → PowerShell Decoder → PowerShell (.NET Loader) → Shellcode (Downloader) → Remcos

  1. Initial access — email-borne ZIP with VHDX. A malicious ZIP archive (a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094) is delivered to the victim. On modern Windows, double-click mounting of a VHDX is automatic, exposing the embedded JavaScript without explicit user action beyond opening the archive.
  2. Stage 1 — JavaScript launcher. The script Partnerschaft_fur_neue_Angebotsanfrage.js (f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33) is heavily obfuscated and padded with comment noise. It launches PowerShell via WMI using the COM chain WbemScripting.SWbemLocator → ConnectServer() → Win32_Process.Create(). This breaks the direct wscript.exe → powershell.exe parent/child relationship that most EDR heuristics key on.
  3. Stage 2 — PowerShell decoder. The reconstructed PowerShell is written to %LOCALAPPDATA%\Tamale. It uses two obfuscation tricks: (a) the literal string bubble is interleaved into variable names and removed at runtime; (b) payloads are reconstructed by picking every 4th character from garbage strings. A function named otidiform decrypts Base64-encoded strings using the fixed XOR key Identificational (constant across all stages). Example decoded output: $global:unfishlike=[Activator]::CreateInstance($formene).
  4. Stage 3 downloader. The script fetches hxxps://cembusconfort[.]ro/Exoticisms121.dsp and saves it to %APPDATA%\Endocoel.Pro (SHA256 9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1).
  5. Stage 3 — reflective .NET loader. The downloaded file is a composite: the first 143,577 bytes are the payload, the next 20,305 bytes (carved with .substring(143578, 20305)) are the PowerShell reflective loader using System.Reflection.Assembly.Load(). The loader fetches shellcode from hxxps://cembusconfort[.]ro/YoHtJ27.bin.
  6. Process injection. The shellcode is injected into backgroundTaskHost.exe (a legitimate Windows process) and beacons to animal342[.]duckdns[.]org:53552. Sandbox traffic analysis identifies the implant as Remcos RAT.
  7. Persistence. A Run-key entry is created via cmd.exe:
       REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /f /v "Startup key" /t REG_EXPAND_SZ /d "%Statskirken% -windowstyle 2 $Lnforhandlinger=(.'gp' 'HKCU:\Software\Weaverbird\').'Pardonnerer';%Statskirken% ($Lnforhandlinger)"
     The loader is invoked via the environment variable %Statskirken% (a Danish/Norwegian word for "state church"), reading its command from HKCU:\Software\Weaverbird\ under the value name Pardonnerer.
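The two string-obfuscation tricks and the fixed-key decoder described in step 3 above, worked through in Python as an added example. This is not code from the diary or from this advisory: the helper names (strip_noise_token, pick_every_nth, decode_otidiform, recover_strings) are ours, the order of operations inside the decoder (Base64-decode first, then repeating-key XOR) and the stride start offset of 0 are assumptions, and the sample string is constructed from the decoded output quoted in step 3 so the block runs offline.

```python
import base64
import re

# Values quoted from the advisory (§3, stage 2): the XOR key the diary reports
# as constant across all stages, the noise token spliced into identifiers, and
# the character stride used to hide payloads in garbage strings.
XOR_KEY = b"Identificational"
NOISE_TOKEN = "bubble"
STRIDE = 4

# Decoded output quoted from the advisory; used below to build a constructed sample.
SAMPLE_DECODED = "$global:unfishlike=[Activator]::CreateInstance($formene)"

B64_TOKEN = re.compile(r"[A-Za-z0-9+/]{16,}={0,2}")


def strip_noise_token(text: str, token: str = NOISE_TOKEN) -> str:
    """Trick (a): drop the literal noise token spliced into variable names."""
    return text.replace(token, "")


def pick_every_nth(garbage: str, stride: int = STRIDE, offset: int = 0) -> str:
    """Trick (b): rebuild a payload by taking every `stride`-th character of a
    garbage string. The diary says 'every 4th character'; the start offset is
    an assumption, so it is left as a parameter."""
    return garbage[offset::stride]


def xor_with_key(data: bytes, key: bytes = XOR_KEY) -> bytes:
    """Repeating-key XOR; applying it twice restores the input."""
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def decode_otidiform(encoded: str, key: bytes = XOR_KEY) -> str:
    """Mirror of the behaviour described for `otidiform`: Base64-decode, then
    XOR with the fixed key. Base64 before XOR is an assumption."""
    return xor_with_key(base64.b64decode(encoded), key).decode("utf-8", errors="replace")


def encode_for_demo(plain: str, key: bytes = XOR_KEY) -> str:
    """Inverse of decode_otidiform, used only to build constructed samples."""
    return base64.b64encode(xor_with_key(plain.encode("utf-8"), key)).decode("ascii")


def hide_in_garbage(payload: str, stride: int = STRIDE, filler: str = "zq#") -> str:
    """Constructed helper: put each payload character at every stride-th
    position (offset 0) with filler characters in between."""
    pad = (filler * stride)[: stride - 1]
    return "".join(ch + pad for ch in payload)


def recover_strings(script_text: str, key: bytes = XOR_KEY) -> list:
    """Triage step for a de-obfuscated script: find Base64-looking tokens and
    keep those that XOR-decrypt to printable ASCII under the key."""
    found = []
    for match in B64_TOKEN.finditer(script_text):
        token = match.group(0)
        if len(token) % 4:
            continue
        try:
            plain = xor_with_key(base64.b64decode(token, validate=True), key)
        except ValueError:
            continue
        if plain and all(32 <= b < 127 for b in plain):
            found.append(plain.decode("ascii"))
    return found


def demo() -> dict:
    """Walk one constructed string through both tricks and the decoder."""
    encoded = encode_for_demo(SAMPLE_DECODED)
    garbage = hide_in_garbage(encoded)
    recovered = pick_every_nth(garbage)
    script = f"$bubbleglobal:bubblex = otidiform('{recovered}')"  # constructed line
    return {
        "garbage_len": len(garbage),
        "recovered_matches": recovered == encoded,
        "decoded": decode_otidiform(recovered),
        "cleaned_script_prefix": strip_noise_token(script).split(" ")[0],
        "triage": recover_strings(script),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

recover_strings is the part an analyst would actually reuse: once a sample has been de-noised, running it over the script text lists every Base64 blob that decrypts cleanly under the key, which is a quick way to confirm the key is still in use in a new sample before spending time on a full decode.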

Unconfirmed / single-sourced claims. The reporter identifies the final payload as Remcos based on sandbox traffic fingerprinting; this is a single-source behavioural identification and should be treated as high-confidence but not formally attributed. No threat-actor attribution is provided in the source material; any attribution to a named actor would be unconfirmed.

4. Mitigation & containment

P1 — within 24 hours

  • Block at the email gateway: ZIP archives containing .vhdx or .vhd attachments, and any attachment named Partnerschaft_fur_neue_Angebotsanfrage.js or matching the IOCs in §5.
  • Add the following to EDR/web proxy blocklists:
      • Domains: cembusconfort.ro, animal342.duckdns.org
      • URLs: /Exoticisms121.dsp, /YoHtJ27.bin
      • TCP/53552 outbound to animal342.duckdns.org
  • Hunt for and remove the persistence artefacts:
      • HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Startup key (value data contains %Statskirken% and Pardonnerer)
      • HKCU:\Software\Weaverbird\ (any subkey/value)
  • Search endpoints for files at %LOCALAPPDATA%\Tamale\* and %APPDATA%\Endocoel.Pro\* and quarantine.

P2 — within 72 hours

  • Force a password reset and MFA re-enrolment for any user that opened the lure; review mailbox forwarding rules and OAuth/granted consents for the affected account.
  • Review EDR telemetry for backgroundTaskHost.exe with anomalous child behaviour, network beacons to port 53552, or unsigned code injection.
  • Review outbound network logs for connections to cembusconfort.ro or animal342.duckdns.org over the last 30 days.

P3 — within 7 days

  • Disable auto-mount of VHD/VHDX on user endpoints via Group Policy / Intune where business process allows (this is the primary evasion technique).
  • Update EDR rules to alert on wscript.exe/cscript.exe → WMI (Win32_Process.Create) → PowerShell chains, and on PowerShell invoking System.Reflection.Assembly.Load from a non-engineering context.
  • Add a user-awareness bulletin covering the German-language "quotation request" lure theme and the risk of double-clicking ZIP contents that mount disk images.

5. Indicators of compromise

Type | Value | Confidence | Source
sha256 | a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094 (ZIP archive) | high | SANS ISC diary 33080
sha256 | f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33 (JavaScript) | high | SANS ISC diary 33080
sha256 | 9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1 (Stage 3 downloader) | high | SANS ISC diary 33080
url | hxxps://cembusconfort[.]ro/Exoticisms121.dsp | high | SANS ISC diary 33080
url | hxxps://cembusconfort[.]ro/YoHtJ27.bin | high | SANS ISC diary 33080
domain | cembusconfort.ro | high | SANS ISC diary 33080
domain | animal342.duckdns.org | high | SANS ISC diary 33080
ipv4-port | animal342.duckdns.org:53552 (TCP) | high | SANS ISC diary 33080
filename | Partnerschaft_fur_neue_Angebotsanfrage.js | high | SANS ISC diary 33080
filepath | %LOCALAPPDATA%\Tamale\ | high | SANS ISC diary 33080
filepath | %APPDATA%\Endocoel.Pro\ | high | SANS ISC diary 33080
registry | HKCU\Software\Microsoft\Windows\CurrentVersion\Run\Startup key | high | SANS ISC diary 33080
registry | HKCU\Software\Weaverbird (value Pardonnerer) | high | SANS ISC diary 33080
process | backgroundTaskHost.exe (injection target) | medium | SANS ISC diary 33080

6. Detection

YARA rule

rule AT_Remcos_VHDX_Chain_2026_06_16
{
    meta:
        author = "Adverse Trace"
        date = "2026-06-16"
        description = "Detects artefacts associated with the VHDX-delivered Remcos RAT chain (SANS ISC diary 33080)"
        reference = "https://isc.sans.edu/diary/rss/33080"

    strings:
        // Lure filename and stage-2 decoder identifiers
        $a1 = "Partnerschaft_fur_neue_Angebotsanfrage" ascii wide
        $a2 = "otidiform" ascii wide
        $a3 = "Identificational" ascii wide
        // Persistence artefacts: environment variable, registry key/value, loader variable
        $a4 = "Statskirken" ascii wide
        $a5 = "Weaverbird" ascii wide
        $a6 = "Pardonnerer" ascii wide
        $a7 = "Lnforhandlinger" ascii wide
        // Drop locations and staging/C2 infrastructure
        $a8 = "Endocoel.Pro" ascii wide
        $a9 = "Tamale" ascii wide
        $a10 = "cembusconfort" ascii wide
        $a11 = "animal342.duckdns.org" ascii wide
        // Weak on their own (a legitimate Windows binary name and the noise token);
        // they only count towards the threshold in the condition
        $a12 = "backgroundTaskHost.exe" ascii wide
        $a13 = "bubble" ascii wide

    condition:
        4 of ($a*)
}

Sigma rule

title: VHDX Chain Remcos Loader Persistence via Run Key
id: AT-2026-06-16-108
status: experimental
description: |
    Detects the persistence mechanism used by the VHDX-delivered Remcos RAT chain
    (SANS ISC diary 33080): a Run-key value named "Startup key" that invokes a
    PowerShell loader via the %Statskirken% environment variable, reading its
    command from HKCU\Software\Weaverbird\Pardonnerer.
author: Adverse Trace
date: 2026-06-16
references:
    - https://isc.sans.edu/diary/rss/33080
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    product: windows
    category: process_creation
detection:
    # REG ADD stores the value data unexpanded, so the literal variable name is present here.
    selection_cmd:
        Image|endswith: '\cmd.exe'
        CommandLine|contains|all:
            - 'REG ADD'
            - 'HKCU\Software\Microsoft\Windows\CurrentVersion\Run'
            - 'Startup key'
            - '%Statskirken%'
    # At logon the REG_EXPAND_SZ value is expanded before powershell.exe is created,
    # so %Statskirken% no longer appears in the command line; match on the registry
    # read instead.
    selection_powershell:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
        CommandLine|contains|all:
            - 'Pardonnerer'
            - 'HKCU:\Software\Weaverbird'
    condition: selection_cmd or selection_powershell
falsepositives:
    - Unknown
level: high
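The Sigma logic above, together with the WMI-launched PowerShell break from §3 step 2 and the P3 EDR rule in §4, expressed as plain Python rules run over constructed process-creation events. This is an added example, not the advisory's detection content or anything from the diary: the ProcessEvent shape, the rule names, the drive letter, the PowerShell path and the parent images are assumptions about what endpoint telemetry would show, and the "expanded" event models what the Run value looks like once Windows has substituted %Statskirken%. It shows why the loader launch cannot be matched on the literal variable name: the Run value is REG_EXPAND_SZ, so only the REG ADD that writes it still carries %Statskirken%.

```python
from dataclasses import dataclass

# Artefacts quoted from the advisory (§3 step 7, §6 Sigma rule). The sample
# events further down are constructed; drive letter, PowerShell path and parent
# images are assumptions about what the telemetry would show.
RUN_KEY = r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run"
RUN_VALUE_NAME = "Startup key"
ENV_VAR = "%Statskirken%"
LOADER_KEY = r"HKCU:\Software\Weaverbird"
LOADER_VALUE = "Pardonnerer"
POWERSHELL_IMAGES = (r"\powershell.exe", r"\pwsh.exe")


@dataclass
class ProcessEvent:
    """Minimal process-creation record (fields Sysmon EID 1 and Security 4688 share)."""
    image: str
    parent_image: str
    command_line: str


def _ends_with(path: str, *suffixes: str) -> bool:
    return path.lower().endswith(tuple(s.lower() for s in suffixes))


def _contains_all(text: str, *needles: str) -> bool:
    lowered = text.lower()
    return all(n.lower() in lowered for n in needles)


def is_wmi_spawned_powershell(ev: ProcessEvent) -> bool:
    """Stage 1: Win32_Process.Create() starts the child under the WMI provider
    host, so the wscript.exe -> powershell.exe edge never appears. Alert on
    PowerShell whose parent is WmiPrvSE.exe instead."""
    return _ends_with(ev.image, *POWERSHELL_IMAGES) and _ends_with(ev.parent_image, r"\WmiPrvSE.exe")


def is_run_key_install(ev: ProcessEvent) -> bool:
    """The REG ADD that writes the 'Startup key' Run value (selection_cmd).
    The literal %Statskirken% is present because REG ADD stores it unexpanded."""
    return _ends_with(ev.image, r"\cmd.exe") and _contains_all(
        ev.command_line, "REG ADD", RUN_KEY, RUN_VALUE_NAME, ENV_VAR)


def is_run_key_loader_launch(ev: ProcessEvent) -> bool:
    """The loader starting from the Run value at logon. The value is
    REG_EXPAND_SZ, so %Statskirken% has been replaced by the real path before
    powershell.exe exists; match on the registry read, not on the variable."""
    return _ends_with(ev.image, *POWERSHELL_IMAGES) and _contains_all(
        ev.command_line, LOADER_KEY, LOADER_VALUE)


def literal_env_var_present(ev: ProcessEvent) -> bool:
    """Helper for the caveat above: is the unexpanded variable name visible?"""
    return ENV_VAR.lower() in ev.command_line.lower()


RULES = (
    ("wmi_spawned_powershell", is_wmi_spawned_powershell),
    ("run_key_install", is_run_key_install),
    ("run_key_loader_launch", is_run_key_loader_launch),
)


def triage(events) -> list:
    """Return (event index, rule name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events) for name, rule in RULES if rule(ev)]


PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"  # assumed target of %Statskirken%
# Run value data as quoted in the advisory (stored unexpanded as REG_EXPAND_SZ).
RUN_VALUE_DATA = (r"%Statskirken% -windowstyle 2 $Lnforhandlinger=(.'gp' 'HKCU:\Software\Weaverbird\')"
                  r".'Pardonnerer';%Statskirken% ($Lnforhandlinger)")
REG_ADD_CMD = f'REG ADD "{RUN_KEY}" /f /v "{RUN_VALUE_NAME}" /t REG_EXPAND_SZ /d "{RUN_VALUE_DATA}"'
EXPANDED_LAUNCH = RUN_VALUE_DATA.replace(ENV_VAR, PS)  # what Explorer runs at logon

# Constructed sample telemetry: one benign PowerShell plus the chain's four steps.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\wscript.exe", r"C:\Windows\explorer.exe",
                 r'wscript.exe "E:\Partnerschaft_fur_neue_Angebotsanfrage.js"'),
    ProcessEvent(PS, r"C:\Windows\System32\wbem\WmiPrvSE.exe",
                 "powershell.exe <stage-2 decoder command line, not reproduced>"),
    ProcessEvent(r"C:\Windows\System32\cmd.exe", PS, "cmd.exe /c " + REG_ADD_CMD),
    ProcessEvent(PS, r"C:\Windows\explorer.exe", EXPANDED_LAUNCH),
    ProcessEvent(PS, r"C:\Windows\explorer.exe", r"powershell.exe -File C:\Scripts\nightly-backup.ps1"),
]

if __name__ == "__main__":
    for index, rule_name in triage(SAMPLE_EVENTS):
        print(f"event {index}: {rule_name} (literal %Statskirken% visible: "
              f"{literal_env_var_present(SAMPLE_EVENTS[index])})")
```

The same split applies to any Run-key persistence written as REG_EXPAND_SZ: the installing command carries the variable name, the resulting process carries the resolved path, so a rule that needs the variable name in the spawned process's command line will only ever see the installation, never the logon-time execution.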

7. Sources

  • SANS Internet Storm Center — From a VHDX File to a Remcos RAT (Xavier Mertens, 2026-06-16). https://isc.sans.edu/diary/rss/33080
  • VirusTotal file record — ZIP archive a0104921…. https://www.virustotal.com/gui/file/a0104921a2d37ab87482ac9a9f5c3713479c118846c3e999178e75b81620c094
  • VirusTotal file record — JavaScript f65b1271…. https://www.virustotal.com/gui/file/f65b1271deedcbcbcdd750047f8eb3a5548145546fc2b7847b263a5e52570b33
  • VirusTotal file record — Stage 3 downloader 9de90481…. https://www.virustotal.com/gui/file/9de90481e57ed0bc0f13bb24747e18cc133f497abe05cfac67517f98098048a1

8. Adverse Trace position

Severity: High. The chain delivers a fully-featured RAT (Remcos) with persistent Run-key foothold and process-injection-based evasion; any user that opens the lure is effectively compromised. The German-language "quotation request" pretext is consistent with business-email-compromise fraud patterns seen against EMEA financial services, and the use of WMI-spawned PowerShell plus reflective .NET loading means signature-only controls will miss it. Client impact: treat any confirmed execution as a major ICT-related incident under DORA Art. 18/19 classification criteria and trigger NIS2 Art. 23 reporting timers where in scope; force credential reset and review mailbox rules for affected users. Next steps: Adverse Trace will (1) monitor for re-use of the cembusconfort.ro and animal342.duckdns.org infrastructure across other campaigns, (2) track any actor reuse of the otidiform / Identificational XOR key as a clustering signal, and (3) update managed-detection content with the YARA and Sigma rules in §6. No threat-actor attribution is asserted in this advisory; the source material does not name an actor and no MITRE profile is associated with this item.



Published via PulseTrace — Adverse Trace threat intelligence.
