Security Arsenal has identified an active global phishing campaign targeting business functions, leveraging macro-enabled Microsoft Excel documents to deploy Remote Access Trojans (RATs)—specifically AsyncRAT and Remcos. The threat actors employ a sophisticated multi-stage infection chain characterized by heavy obfuscation and "living-off-the-land" binaries (LoLBins).
The attack sequence begins with a phishing email carrying a malicious Excel attachment. Once the victim enables macros, the document executes an HTA (HTML Application) script. This script invokes PowerShell to download and decode payloads. Notably, the campaign utilizes steganography, hiding malicious code within benign-looking PNG image files to evade network signature detection. The final payload delivers AsyncRAT or Remcos, establishing a C2 channel for remote control, data exfiltration, and lateral movement.
Threat Actor / Malware Profile
AsyncRAT
- Type: Open-Source Remote Access Trojan.
- Capabilities: Keylogging, screen capture, remote desktop control, file management, and downloading additional payloads.
- Communication: Typically uses raw TCP or HTTP/HTTPS to communicate with C2 servers.
Remcos
- Type: Commercial RAT (often abused maliciously).
- Capabilities: Webcam/microphone recording, password recovery, clipboard theft, and persistence mechanisms.
- Communication: Uses HTTP/HTTPS with specific headers to blend in with web traffic.
Distribution & Techniques
- Vector: Phishing emails with Excel attachments containing VBA macros.
- Evasion: Steganography (payloads hidden in PNG files), heavy string obfuscation, and fileless execution via PowerShell.
- Persistence: Likely achieved via Registry Run keys, Scheduled Tasks, or Service creation upon execution.
IOC Analysis
The provided OTX pulse reveals infrastructure primarily hosted in the US (ASN AS36352 Colocrossing).
- IPv4 / Network Indicators: The IP addresses (e.g.,
107.172.235.213,198.12.83.75,192.227.219.79) serve as Command and Control (C2) servers.- Action: Block these IPs at the perimeter firewall and proxy level. Monitor outbound connections to port
4550and non-standard HTTP ports associated with these IPs.
- Action: Block these IPs at the perimeter firewall and proxy level. Monitor outbound connections to port
- URLs:
http://192.227.219.79:4550is a confirmed C2 endpoint.- Action: Block this URL in secure web gateways.
- File Hashes (SHA256):
614115669d093c58539e8183617a62a59aefd1a9a1fddcc7a67508f2fb9e36ab0b47f8d79e37ebec7edd2333ab70caa1e3e710b310b8201c5447820886ce8d49248da1553ce35bb6c499a660fcd92bde6e3545b56b65b63308e7b7630f376bfc- Action: These hashes likely correspond to the initial Excel droppers, intermediate HTA/PowerShell scripts, or the DLL payloads. Utilize EDR solutions to hunt for these specific hashes on endpoints.
Detection Engineering
Sigma Rules
title: Excel Macro Spawning HTA or PowerShell - AsyncRAT/Remcos Campaign
id: 2026-07-05-asyncrat-excel-hta
status: experimental
description: Detects Excel processes spawning mshta.exe or powershell.exe, a common pattern in macro-based malware campaigns delivering RATs.
references:
- https://www.levelblue.com/blogs/spiderlabs-blog/asyncrat-and-remcos-delivered-in-multi-stage-phishing-campaign
author: Security Arsenal
date: 2026/07/05
tags:
- attack.initial_access
- attack.t1566.001
- attack.execution
- attack.t1059.001
logsource:
category: process_creation
product: windows
detection:
selection:
ParentImage|endswith: '\EXCEL.EXE'
NewImage|endswith:
- '\powershell.exe'
- '\mshta.exe'
condition: selection
falsepositives:
- Legitimate administrative scripts
level: high
---
title: PowerShell Steganography Pattern - Image Download
id: 2026-07-05-powershell-stego-image
description: Detects PowerShell scripts attempting to download image files (PNG/JPG) which may contain steganographic payloads used by AsyncRAT/Remcos campaigns.
references:
- Internal Research
author: Security Arsenal
date: 2026/07/05
tags:
- attack.defense_evasion
- attack.t1027
logsource:
category: process_creation
product: windows
detection:
selection_img:
Image|endswith: '\powershell.exe'
CommandLine|contains:
- '.png'
- '.jpg'
- 'Invoke-WebRequest'
- 'DownloadFile'
selection_obfu:
CommandLine|contains:
- 'FromBase64String'
- 'IEX'
condition: all of selection_*
falsepositives:
- Legitimate image manipulation scripts
level: medium
---
title: Suspicious Outbound Connection to AsyncRAT C2 Infrastructure
id: 2026-07-05-asyncrat-c2-connection
status: experimental
description: Detects outbound network connections to known AsyncRAT/Remcos C2 IP addresses associated with the Colocrossing ASN.
references:
- https://otx.alienvault.com/pulse/614115669d093c58539e8183617a62a59aefd1a9a1fddcc7a67508f2fb9e36ab
author: Security Arsenal
date: 2026/07/05
tags:
- attack.command_and_control
- attack.t1071.001
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationIp:
- '107.172.235.213'
- '198.12.83.75'
- '192.227.219.79'
- '173.231.188.244'
DestinationPort|endswith:
- '4550'
- '80'
- '443'
condition: selection
falsepositives:
- Unknown
level: critical
KQL (Microsoft Sentinel)
// Hunt for connections to known malicious IPs from the pulse
DeviceNetworkEvents
| where RemoteIP in ("107.172.235.213", "198.12.83.75", "192.227.219.79", "173.231.188.244")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteIP, RemotePort, InitiatingProcessFileName
// Hunt for process chain: Excel spawning PowerShell
DeviceProcessEvents
| where InitiatingProcessFileName =~ "excel.exe" and (FileName =~ "powershell.exe" or FileName =~ "mshta.exe")
| project Timestamp, DeviceName, AccountName, FileName, ProcessCommandLine, InitiatingProcessCommandLine
PowerShell Hunt Script
# IOC Hunt Script for AsyncRAT/Remcos Campaign
# Checks for specific file hashes and suspicious persistence mechanisms
$MaliciousHashes = @(
"614115669d093c58539e8183617a62a59aefd1a9a1fddcc7a67508f2fb9e36ab",
"0b47f8d79e37ebec7edd2333ab70caa1e3e710b310b8201c5447820886ce8d49",
"248da1553ce35bb6c499a660fcd92bde6e3545b56b65b63308e7b7630f376bfc"
)
Write-Host "[+] Scanning for malicious file hashes..." -ForegroundColor Cyan
# Scan C:\ Drive for specific hashes (Note: This can be resource intensive)
Get-ChildItem -Path C:\ -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
$hash = (Get-FileHash -Path $_.FullName -Algorithm SHA256 -ErrorAction SilentlyContinue).Hash
if ($hash -in $MaliciousHashes) {
Write-Host "[!] MALICIOUS FILE FOUND: $($_.FullName)" -ForegroundColor Red
}
}
# Check Registry for common RAT persistence paths
Write-Host "[+] Scanning Registry for persistence keys..." -ForegroundColor Cyan
$RunPaths = @(
"HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
"HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)
foreach ($path in $RunPaths) {
if (Test-Path $path) {
Get-Item -Path $path | Select-Object -ExpandProperty Property | ForEach-Object {
$value = (Get-ItemProperty -Path $path -ErrorAction SilentlyContinue).$_
if ($value -match "powershell" -or $value -match "mshta" -or $value -match ".exe") {
Write-Host "[+] Suspicious Value in $path : $_ = $value" -ForegroundColor Yellow
}
}
}
}
Write-Host "[+] Hunt complete." -ForegroundColor Green
# Response Priorities
1. **Immediate**:
* **Block IOCs**: Immediately block the listed IPv4 addresses and the URL at the network perimeter and proxy servers.
* **Quarantine**: Scan email gateways for Excel attachments matching the provided file hashes and quarantine them.
2. **24 Hours**:
* **Hunt Artifacts**: Execute the provided PowerShell script across the enterprise to identify any dropped files or persistence keys.
* **Network Forensics**: Review firewall/proxy logs for any successful connections to the C2 IPs to identify potentially compromised hosts.
3. **1 Week**:
* **Hardening**: Disable macros for users who do not have a specific business requirement. Implement Attack Surface Reduction (ASR) rules to block Office applications from creating child processes.
* **Training**: Conduct security awareness training focused on identifying phishing emails with unexpected attachments.
Related Resources
Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.