highPhishing

RemcosRAT Four-Stage JavaScript Dropper: Rotational XOR, Process Hollowing, and a Staging Server the Operator Forgot to Lock

PublishedMarch 12, 2026

Threat Actors:Attribution

phishingsocial-engineeringcredential-theftc2botnetexploitdgaaptspearphishing

TL;DR: A 3.2MB JavaScript file masquerading as a "Purchase Inquiry" email attachment kicks off a four-stage infection chain that ends with RemcosRAT hollowed into a legitimate Microsoft binary. The dropper decodes a Base64 blob into PowerShell, which applies a rotational XOR cipher with a 32-byte key and non-linear feedback loop to decrypt a .NET reflective loader (DEV.dll), which then process-hollows RemcosRAT into Aspnet_compiler.exe. The RAT -- compiled February 3, 2026 -- phones home to a dedicated C2 at 216.250.249.222 on ports 80 and 443 using Remcos proprietary protocol (not HTTP, not TLS -- raw TCP masquerading on web ports). A parallel HTA delivery variant stages payloads on a live XAMPP server at 96.44.159.218 with the default dashboard still exposed. Imphash pivoting across MalwareBazaar reveals 10 related RemcosRAT builds produced over a 3-week campaign window, with at least three delivery vectors (JS, HTA, XLS) and three distinct infrastructure IPs. The operator has the technical skill to build multi-layer encryption but left RDP open on the C2 and a default XAMPP install facing the internet.

A "Purchase Inquiry" That Costs More Than Expected

It arrived the way most of them do: a business-themed email with an attachment that no one asked for. The file was called Purchase Inquiry _.js -- note the trailing underscore, a formatting artifact that suggests automated generation rather than careful social engineering. At 3.2MB, it is comically large for a JavaScript file. A legitimate business document delivered as .js should raise every alarm in the building. But email gateways that filter by extension often miss JavaScript entirely, and users who have been trained to be suspicious of .exe files do not always extend that suspicion to script formats.

The sample appeared on MalwareBazaar on March 10, 2026, reported by lowmal3. Within hours of pulling the thread, the investigation expanded from a single dropper to an active multi-vector campaign with at least five related samples submitted on the same day by multiple researchers -- a signal that this operator is running at scale.

Attribute	Value
SHA-256	`9180484968eb47d73853596ec91f4e1d495c0dc7ed1800baa38ce88528b42b5d`
MD5	`3765da8b030dce60722ec60388440962`
SHA-1	`c0956b165ca794f4044aa0803152e9a2e9d3e2eb`
Size	3,246,779 bytes (3.2 MB)
Type	JavaScript (WSH)
First Seen	2026-03-10 10:04:16 UTC
Reporter	lowmal3 (MalwareBazaar)

The Four-Stage Kill Chain

Before diving into the technical details of each stage, here is the full infection chain. Every arrow represents a boundary that most endpoint detection tools have an opportunity to catch -- and most will miss at least one.

[Email Lure: "Purchase Inquiry _.js" (3.2MB)]
         |
         v
[Stage 0: Obfuscated JavaScript]
  - Array rotation obfuscation with proxy functions
  - WScript.Shell / ActiveXObject execution
  - Self-deletion after execution
  - 3.2MB Base64 blob embedded in string table
         |
         v
[Stage 1: PowerShell - Rotational XOR Decryption]
  - Base64 decodes to PowerShell script
  - $securecontainer: 1.79MB encrypted payload
  - 32-byte XOR key with rotational feedback
  - -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden
         |
         v
[Stage 2: .NET Assembly Loader + Process Hollowing]
  - Invoke-AssemblyExecution loads DEV.dll (47KB)
  - DEV.DOWN.SHOOT() method reflectively invoked
  - Target: Aspnet_compiler.exe (legitimate .NET binary)
  - Persistence: monitoring loop re-injects on termination
         |
         v
[Stage 3: RemcosRAT]
  - Process hollowed into Aspnet_compiler.exe
  - Full surveillance capabilities: keylogging, camera, audio, screenshots
  - C2: 216.250.249.222:80 and :443 (Remcos proprietary protocol)
  - RC4-encrypted configuration with 179-byte key

Four stages is not unusual for commodity RAT delivery -- the industry has settled on a rough consensus that three to five layers provides enough evasion to beat most automated analysis without making the chain so fragile that it breaks on non-standard system configurations. What makes this chain worth examining is the quality of each individual layer.

Stage 0: JavaScript Obfuscation -- Ugly but Effective

The JavaScript dropper uses a technique that has become standard in the commodity malware ecosystem: array rotation obfuscation. All meaningful strings -- function names, encoded payloads, method calls -- are stored in a lookup array, and every reference goes through a proxy function that computes the correct array index at runtime. Variable names are reduced to two-character random combinations (ZE, ZH, B0) that convey no semantic information.

The result is a single-line, 3.2MB file with no statement terminators -- a formatting choice that serves dual purpose as both obfuscation and anti-analysis. Most text editors will choke on a single line that long, and static analysis tools that parse JavaScript by splitting on semicolons or newlines will fail silently.

Execution begins through WScript.Shell via ActiveXObject -- the classic Windows Script Host pathway. The script extracts its 3.2MB Base64 payload from the string table, writes a PowerShell command, and then deletes itself from disk. That self-deletion is important: by the time an analyst might examine the file system, the original dropper is already gone. The only artifact that remains is the PowerShell process it spawned.

Stage 1: Rotational XOR -- The Same Cipher, Different Campaign

The Base64 blob decodes to a PowerShell script containing a variable named $securecontainer -- a 1.79MB encrypted payload -- and a 32-byte XOR key stored in $encryptionrotational:

XOR Key (hex): a2f5cdf81c0d88c7158a4e05f19bffc424359b3d6be7e3011caa41d55bb382fe

The decryption algorithm is where this dropper distinguishes itself from the single-byte XOR schemes that dominate commodity malware:

for each byte at position i:
    key_position = (i + rotation_tracker) % key_length
    plaintext[i]  = ciphertext[i] XOR key[key_position]
    rotation_tracker = (rotation_tracker + key[key_position]) % 7

The rotation_tracker creates a feedback loop: the key position at byte N depends on every key byte used before it, because the tracker accumulates and wraps modulo 7 after each step. This means two identical plaintext bytes at different offsets will encrypt to different ciphertext bytes, defeating frequency analysis. It is not cryptographically novel -- this is still XOR with extra steps -- but it is sufficient to evade automated decryption tools that assume static or linearly-advancing key schedules.

Readers of our earlier reporting may recognize this exact cipher. The SnakeKeylogger dual-vector campaign we published today uses the identical rotational XOR algorithm with the same DEV.dll loader architecture. Same encryption scheme, same loader namespace, different final payload. This is not coincidence -- it points to a shared dropper builder or toolkit being used across multiple malware families.

The PowerShell runs with the standard evasion flags: -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden. None of these are exotic, but together they ensure execution even on systems with restrictive PowerShell policies, while hiding the console window from the user.

Stage 2: DEV.dll -- A .NET Loader Built for Reuse

After decryption, Stage 1 yields another PowerShell script containing an Invoke-AssemblyExecution function, a 47KB .NET DLL (DEV.dll), and the final RemcosRAT payload as a raw byte array in $ExecutionPayload.

Attribute	Value
SHA-256	`64f72b92ba056fec73ba30912a0a92d03d223d8cce9de56149cbd10f80ed80e4`
MD5	`0156574aac3f1b138634f78fd2472cf6`
Size	47,104 bytes
Type	.NET DLL
Namespace	`DEV.DOWN`
Entry Method	`SHOOT(string frameworkPath, byte[] payload)`
Assembly GUID	`ab88dfb2-73aa-4da1-bf05-e72424ad8034`

The loader performs textbook process hollowing through the NT API:

Spawn suspended process: Creates C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe in a suspended state
Hollow the process: Calls NtUnmapViewOfSection to remove the legitimate code from memory
Map payload: Uses NtCreateSection + NtMapViewOfSection to inject the RemcosRAT binary into the hollowed process space
Resume execution: The process resumes, now executing RemcosRAT instead of the ASP.NET compiler

The choice of Aspnet_compiler.exe as the hollowing target is deliberate and effective. It is a legitimate Microsoft-signed binary that lives in the .NET Framework directory. SOC analysts triaging alerts will see a .NET process running from C:\Windows\Microsoft.NET\Framework\ and may dismiss it as benign -- especially if the organization runs any ASP.NET applications. This is social engineering targeting defenders, not end users.

The loader also includes a persistence monitoring loop: if the hollowed Aspnet_compiler.exe process is terminated (by a user, by an EDR, by a system update), the loader detects its absence and re-injects. This is not persistence in the traditional sense (no registry keys, no scheduled tasks for the loader itself), but it achieves the same effect as long as the parent PowerShell process remains alive.

The GUID ab88dfb2-73aa-4da1-bf05-e72424ad8034 is a high-fidelity pivot point. This identifier is compiled into the assembly metadata and does not change between deployments unless the operator rebuilds from source. Any future sample containing this GUID is almost certainly from the same toolkit.

Stage 3: RemcosRAT -- The Payload Behind the Curtain

RemcosRAT is a commercial remote administration tool sold by BreakingSecurity.net under the pretense of legitimate use. In practice, it is one of the most widely abused RATs in the cybercrime ecosystem, with a feature set that would make nation-state developers envious.

Attribute	Value
SHA-256	`80e2868c6cd6c3b7e0b4b5584cbcc180b7c7ab049d20b0ab508e2b8be14a8522`
MD5	`e9bae8dfee1150f29d83a401def30f05`
SHA-1	`1f26813afebe2bcd86dc1dca7aa0d46023e2e588`
Imphash	`737fc4be4f9f7d7c06c790667c9f7669`
Size	527,872 bytes (528 KB)
Compile Time	2026-02-03 17:38:41 UTC

Extracted Configuration

The RemcosRAT configuration is encrypted with RC4 using a 179-byte key stored in the PE SETTINGS resource. Field boundaries use a distinctive separator: |\x1e\x1e\x1f| (pipe, record separator, record separator, unit separator, pipe). After decryption:

C2 Addresses:
  216.250.249.222:80   (password: 0)
  216.250.249.222:443  (password: 0)

Botnet Name:     RemoteHost
Mutex:           Rmc-3UG3BG
Install Name:    remcos.exe
Keylog File:     logs.dat
Screenshot Dir:  Screenshots
Audio Dir:       MicRecords
License Hash:    72214B9FB81C38C5D9F33A771B74F635
Registry Path:   HKCU\Software\Remcos

The botnet name RemoteHost is the default value that ships with the RemcosRAT builder. An operator who has gone to the trouble of building a four-stage delivery chain with custom encryption but cannot be bothered to change the default botnet name is telling you something about their priorities: technical sophistication in the delivery layer, minimal effort in the post-exploitation configuration.

The license hash 72214B9FB81C38C5D9F33A771B74F635 is particularly interesting. Every RemcosRAT license generates a unique hash tied to the customer's account on BreakingSecurity.net. This hash is a direct link to a specific purchaser -- one of the few pieces of attribution evidence that could theoretically lead to an individual.

Capability Matrix

RemcosRAT's capabilities go well beyond simple remote access:

Capability	Evidence in Binary	Operational Impact
Keylogging	`Online/Offline Keylogger Started/Stopped`, logs.dat	Captures all keyboard input, online and offline
Camera Capture	`OpenCamera`, `CloseCamera` strings	Live video feed from compromised endpoints
Audio Recording	`play/pause/resume/stop/close audio`, MicRecords/	Ambient audio surveillance
Screen Capture	Screenshots directory configured	Periodic or on-demand desktop screenshots
File Management	Upload/Download, DeleteFile	Full file system access
Process Injection	NtUnmapViewOfSection, NtCreateSection	Can migrate to other processes
UAC Bypass	Registry: EnableLUA = 0	Silently elevate to admin without user prompt
Watchdog	`Watchdog module activated`	Auto-restarts if killed
Command Shell	cmd.exe, powershell.exe	Arbitrary command execution
TLS Communication	TLS context initialization	Encrypted C2 channel (optional)

This is not a keylogger. This is not an infostealer. This is a full surveillance platform. An operator with RemcosRAT on a target endpoint has the ability to watch through the camera, listen through the microphone, read every keystroke, browse every file, and execute arbitrary commands -- all while running inside a process that looks like a legitimate Microsoft tool.

Infrastructure Analysis: Three Servers, Three Roles

The campaign uses a clean separation of infrastructure responsibilities: one server for C2, one for staging, and one for an alternate delivery vector.

C2 Server: 216.250.249.222

Attribute	Value
IP	216.250.249.222
ASN	Majestic Hosting Solutions (SpinServers)
Location	Carrollton, TX, United States
Network Range	216.250.248.0/21 (MHSL-5-216-250-248-0-21)
Open Ports	80 (Remcos), 443 (Remcos), 3389 (RDP)
TLS Certificate	None
PTR Record	None
ThreatFox	First reported 2026-03-09 by dyingbreeds_

Ports 80 and 443 are not running HTTP or TLS. They are raw TCP listeners for the Remcos proprietary protocol. The operator chose these ports specifically because they are almost universally permitted through firewalls -- most organizations allow outbound traffic on 80 and 443 without deep packet inspection. A casual network monitor will see traffic to an IP on standard web ports and may not flag it.

The RDP port (3389) being open on the C2 server is an OPSEC failure. It tells us this is a Windows server, it provides an additional attack surface for takedown operations, and it suggests the operator manages this infrastructure via direct RDP rather than through a VPN or jump host.

The /21 network range is worth monitoring. Adjacent IPs in the same block show similar characteristics:

Adjacent IP	Indicators
216.250.249.225	`masimoduti[.]club` -- DGA-like domain, RDP open
216.250.249.230	`star-procedure[.]delaymaxi[.]com` -- suspicious domain, RDP open
216.250.249.217-219	Windows servers with RDP/SMB exposed

Whether these belong to the same operator or simply indicate that this hosting range is popular with threat actors is unclear. Either way, the neighborhood should be treated as hostile.

Staging Server: 96.44.159.218

Attribute	Value
IP	96.44.159.218
Hostname	96-44-159-218-host.colocrossing.com
ASN	HostPapa / ColoCrossing
Location	Buffalo, NY, United States
Software	Apache 2.4.58 (Win64) OpenSSL/3.1.3 PHP/8.1.25 (XAMPP)
Status	LIVE at time of investigation
CVE	CVE-2020-0792 (SMBGhost) reported by Shodan

This server is running a stock XAMPP installation on Windows with the default dashboard still accessible at /dashboard/. The operator did not even remove the default Apache landing page. Payloads are organized in numbered directories -- /215/, /220/, /221/ -- suggesting an organized campaign management system where each directory corresponds to a campaign iteration or target group.

The live payload URL:

hxxp://96[.]44[.]159[.]218/220/seethebesttimeforeverythingtolearn[.]js

That filename -- seethebesttimeforeverythingtolearn.js -- is conspicuously long and reads like a motivational poster rather than a technical artifact. It is likely auto-generated or chosen to look benign in URL logs.

The Shodan flag for CVE-2020-0792 (SMBGhost) is a footnote that says a lot: this staging server is an unpatched Windows box running a default XAMPP install with SMB exposed to the internet. The operator either does not know or does not care. In either case, it means this infrastructure is also vulnerable to compromise by other actors -- a common pattern where threat actor staging servers become targets themselves.

XLS Variant Staging: 185.29.10.121

Attribute	Value
IP	185.29.10.121
ASN	DataClub (RIXHOST)
Location	Sweden
Role	XLS macro document staging
Status	Unknown

This IP hosts the staging infrastructure for the XLS macro delivery variant. It was referenced in samples submitted by pr0xylife and encoded as hex 0xB91D0A79 in the macro code -- a common obfuscation technique for embedding IP addresses in Office documents.

What Was Found vs. What Was Known

Before this investigation, the RemcosRAT binary had been flagged on ThreatFox approximately 24 hours earlier (March 9) by researcher dyingbreeds_. The sandbox report (Triage analysis 260309-mee3jsdz4p) confirmed the RemcosRAT family identification. What the existing reporting did not cover:

Previously known:

The C2 IP and RemcosRAT family identification
Basic sandbox behavioral analysis

Newly established in this investigation:

The complete four-stage delivery chain deobfuscated end-to-end
The rotational XOR cipher algorithm fully documented (including the non-linear feedback mechanism)
The DEV.dll .NET loader identified by GUID, namespace, and entry point -- creating a high-fidelity detection pivot
The staging server at 96.44.159.218 mapped with its exposed XAMPP dashboard and numbered campaign directories
The HTA delivery variant linked through shared staging infrastructure
The XLS delivery variant linked through temporal correlation and reporter overlap
10 related RemcosRAT builds identified through imphash clustering, establishing a 3-week campaign timeline
The CopilotDrivers.js variant identified as a separate operator using the same builder (different C2, different botnet name)
The license hash linked to a specific BreakingSecurity.net customer account
The connection to the SnakeKeylogger campaign using the identical DEV.dll loader architecture

Campaign Scope: Three Vectors, One Day

Five related samples were submitted to MalwareBazaar on March 10, 2026 alone, using three distinct delivery mechanisms:

Variant	Filename	Vector	Staging	Reporter
JS Dropper	Purchase Inquiry _.js	Email attachment	Embedded (3.2MB inline)	lowmal3
HTA	goodwill.hta	Unknown	96.44.159.218/220/	pr0xylife
XLS	New Inquiry List.xla	Email attachment	185.29.10.121	pr0xylife
XLS	New Inquiry List2.xla	Email attachment	Unknown	pr0xylife
JS (separate op)	CopilotDrivers.js	Unknown	Embedded	abuse_ch

The volume and variety of delivery vectors on a single day points to automated campaign management. An operator manually crafting and sending five different dropper formats simultaneously is possible but inefficient -- it is far more likely that this is driven by a builder toolkit that outputs JS, HTA, and XLS formats from the same payload configuration.

The CopilotDrivers.js variant is the outlier. It uses a different C2 (systemcopilotdrivers[.]ydns[.]eu:3001 resolving to 181.206.158.190), a different botnet name (tar1), and a different port. This is almost certainly a separate operator who purchased the same RemcosRAT license or is using a cracked copy of the same builder. The shared imphash confirms the same build environment, but the operational infrastructure is entirely independent.

Imphash Clustering: A Three-Week Build Cadence

The imphash 737fc4be4f9f7d7c06c790667c9f7669 is the thread that unravels the full campaign scope. An imphash (import hash) is computed from the imported DLL functions in a PE binary. When two executables share an imphash, they were built with the same compiler, the same linker settings, and the same set of imported functions -- effectively, from the same build environment.

Searching MalwareBazaar for this imphash returns 10 samples spanning three weeks:

SHA-256 (truncated)	Filename	First Seen	Days Since Start
21c4eeb2...	til.exe	2026-02-16	0
84eaa8ef...	(hash-named)	2026-02-19	3
ce3d4a6a...	(hash-named)	2026-02-20	4
4f0c95a1...	a.exe	2026-02-26	10
497f6567...	2031aacee3...	2026-02-27	11
0f142584...	(hash-named)	2026-03-02	14
b6fda8d5...	(hash-named)	2026-03-03	15
7976b72d...	(hash-named)	2026-03-04	16
2c965934...	074455d0...	2026-03-09	21
80e2868c...	(our sample)	2026-03-09	21

The cadence is consistent: a new sample every 2-4 days, with the pace accelerating in March. The payload binary was compiled on February 3, 2026 -- two weeks before the first sample appeared in the wild -- suggesting a build-once, deploy-many model where the same compiled binary is wrapped in fresh dropper layers for each campaign wave.

This is an ongoing operation. The operator is actively producing new samples, and the next one is likely 2-4 days away.

Threat Actor Profile

Attribute	Assessment
Confidence	LOW-MEDIUM
Motivation	Financial (commodity RAT for credential theft / data exfiltration)
Sophistication	Medium -- custom encryption and multi-stage delivery, but default config values and exposed infrastructure
Attribution	Unknown individual or group operating as a RemcosRAT customer
Campaign Duration	At least 3 weeks (February 16 -- March 10, ongoing)

OPSEC Assessment

The operator sits in a common middle ground: technically capable enough to build a multi-layer delivery chain with custom encryption, but operationally careless in ways that will eventually get them caught.

Competent decisions:

Four-stage delivery chain with multiple encryption layers
Rotational XOR with non-linear key feedback (defeats basic frequency analysis)
Process hollowing into a legitimate .NET binary
Dual-port C2 configuration (80 and 443) for firewall evasion
Multiple delivery vectors for the same payload (JS, HTA, XLS)
Numbered staging directories for campaign organization

Damaging mistakes:

Default botnet name RemoteHost left unchanged
RDP (3389) exposed on the C2 server
XAMPP default dashboard accessible on the staging server
Staging server vulnerable to SMBGhost (CVE-2020-0792)
License hash 72214B9FB81C38C5D9F33A771B74F635 compiled into every payload, linking all activity to one BreakingSecurity.net account
DEV.dll GUID ab88dfb2-73aa-4da1-bf05-e72424ad8034 unchanged across campaigns, enabling trivial clustering
No PTR record or TLS certificate on C2 (bare IP stands out in network logs)

The license hash is the most consequential of these mistakes. It is baked into the Remcos binary by the builder and cannot be removed without reverse-engineering the license validation. Every sample this operator deploys carries the same digital fingerprint, and BreakingSecurity.net has that fingerprint mapped to a customer account. Whether law enforcement can or will compel that mapping is a separate question, but the technical linkage exists.

MITRE ATT&CK Mapping

Tactic	Technique	ID	Implementation
Initial Access	Spearphishing Attachment	T1566.001	"Purchase Inquiry" JS and "New Inquiry" XLS lures
Execution	JavaScript	T1059.007	WScript execution of obfuscated JS dropper
Execution	PowerShell	T1059.001	-ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden
Execution	Shared Modules	T1129	.NET Assembly.Load() for DEV.dll reflective loading
Defense Evasion	Obfuscated Files	T1027	Array rotation, Base64, Rotational XOR, RC4
Defense Evasion	Process Hollowing	T1055.012	Aspnet_compiler.exe hollowed via NT API
Defense Evasion	Masquerading	T1036	Executes as legitimate .NET Framework tool
Privilege Escalation	Bypass UAC	T1548.002	Registry EnableLUA = 0 modification
Persistence	Registry Run Keys	T1547.001	HKCU\Software\Remcos
Collection	Keylogging	T1056.001	Online/offline keylogger writing to logs.dat
Collection	Video Capture	T1125	Camera access via OpenCamera/CloseCamera
Collection	Audio Capture	T1123	Microphone recording to MicRecords/ directory
Collection	Screen Capture	T1113	Periodic screenshots to Screenshots/ directory
Command and Control	Non-Standard Port	T1571	Remcos protocol on ports 80/443 (not HTTP/TLS)
Command and Control	Encrypted Channel	T1573	Optional TLS mode available in configuration

Detection Guidance

YARA Signatures

The following behavioral and artifact-based indicators provide detection opportunities at each stage of the kill chain.

Stage 0 -- JavaScript dropper:

JavaScript files exceeding 1MB delivered via email
WScript.Shell invocation combined with ActiveXObject
Array rotation patterns with two-character variable names
Self-deletion behavior (fso.DeleteFile)

Stage 1 -- PowerShell:

PowerShell process spawned by wscript.exe with -WindowStyle Hidden
Variable names $securecontainer and $encryptionrotational in script block logs
Base64-encoded payloads exceeding 1MB in PowerShell command lines

Stage 2 -- .NET Loader:

Aspnet_compiler.exe launched as a child of PowerShell
.NET assembly with GUID ab88dfb2-73aa-4da1-bf05-e72424ad8034
DEV.DOWN.SHOOT method invocation in .NET ETW traces
NtUnmapViewOfSection followed by NtCreateSection and NtMapViewOfSection targeting a .NET Framework binary

Stage 3 -- RemcosRAT:

Mutex creation: Rmc-3UG3BG
Network connections to 216.250.249.222 on ports 80 or 443 that do not carry valid HTTP or TLS traffic
Registry key creation at HKCU\Software\Remcos
Files created in Screenshots\, MicRecords\, or logs.dat in user profile directories

Network Detection

# Snort/Suricata rule concept for C2 traffic on HTTP ports without HTTP protocol
alert tcp $HOME_NET any -> 216.250.249.222 [80,443] (msg:"BREAKGLASS RemcosRAT C2 Traffic to Known IP"; sid:2026031001; rev:1;)

# DNS/proxy block recommendations
216[.]250[.]249[.]222  # C2
96[.]44[.]159[.]218    # Staging
185[.]29[.]10[.]121    # XLS staging

Endpoint Detection

Search for the following process relationships, which should never occur in normal operations:

wscript.exe --> powershell.exe --> Aspnet_compiler.exe
mshta.exe   --> powershell.exe --> Aspnet_compiler.exe

Any instance of Aspnet_compiler.exe running with a parent process that is not msbuild.exe, devenv.exe, or the .NET SDK toolchain is suspicious and should be investigated immediately.

Indicators of Compromise

Network Indicators

# C2 Infrastructure (defanged)
216[.]250[.]249[.]222:80      # RemcosRAT C2 - Remcos protocol (Majestic Hosting / SpinServers, TX)
216[.]250[.]249[.]222:443     # RemcosRAT C2 - Remcos protocol (alternate port)
216[.]250[.]249[.]222:3389    # RDP - operator management access

# Staging Infrastructure (defanged)
96[.]44[.]159[.]218            # XAMPP staging server (HostPapa / ColoCrossing, NY)
185[.]29[.]10[.]121            # XLS variant staging (DataClub / RIXHOST, Sweden)

# Staging URLs (defanged)
hxxp://96[.]44[.]159[.]218/220/seethebesttimeforeverythingtolearn[.]js

# Adjacent suspicious infrastructure (same /21 range)
216[.]250[.]249[.]225          # masimoduti[.]club
216[.]250[.]249[.]230          # star-procedure[.]delaymaxi[.]com

File Indicators

# JS Dropper (Stage 0)
SHA256: 9180484968eb47d73853596ec91f4e1d495c0dc7ed1800baa38ce88528b42b5d
MD5:    3765da8b030dce60722ec60388440962
SHA1:   c0956b165ca794f4044aa0803152e9a2e9d3e2eb

# .NET Loader - DEV.dll (Stage 2)
SHA256: 64f72b92ba056fec73ba30912a0a92d03d223d8cce9de56149cbd10f80ed80e4
MD5:    0156574aac3f1b138634f78fd2472cf6

# RemcosRAT Payload (Stage 3)
SHA256: 80e2868c6cd6c3b7e0b4b5584cbcc180b7c7ab049d20b0ab508e2b8be14a8522
MD5:    e9bae8dfee1150f29d83a401def30f05
SHA1:   1f26813afebe2bcd86dc1dca7aa0d46023e2e588
Imphash: 737fc4be4f9f7d7c06c790667c9f7669

# HTA Variant Dropper
SHA256: ed925501e749cdc073143ed948ec8a93c6b6a4b76304d9c6a76c6faabc8d048e
MD5:    faeeeb063ff4d8bbfff9a1fae1b71ca8

# HTA Stage 2 JS
SHA256: 1b9791c5c75b7eb0c7510c42c6381f4fbfc40539c3afaab192d0ee65ab591d28

Behavioral Indicators

# RemcosRAT Configuration Artifacts
Mutex:              Rmc-3UG3BG
Install filename:   remcos.exe
Keylog file:        logs.dat
Screenshot dir:     Screenshots
Audio dir:          MicRecords
Registry key:       HKCU\Software\Remcos
Process target:     C:\Windows\Microsoft.NET\Framework\v4.0.30319\Aspnet_compiler.exe

# Encryption Keys
XOR Key (hex):      a2f5cdf81c0d88c7158a4e05f19bffc424359b3d6be7e3011caa41d55bb382fe
RC4 Key:            179 bytes from SETTINGS PE resource
License Hash:       72214B9FB81C38C5D9F33A771B74F635

# .NET Assembly Identifiers
DEV.dll GUID:       ab88dfb2-73aa-4da1-bf05-e72424ad8034
Namespace:          DEV.DOWN
Entry Point:        SHOOT(string, byte[])

Recommended Actions

Immediate (24-48 hours)

Block 216.250.249.222 on all firewalls (ports 80, 443, 3389)
Block 96.44.159.218 and 185.29.10.121 on web proxies and DNS sinkholes
Search endpoint telemetry for mutex Rmc-3UG3BG
Search for Aspnet_compiler.exe running with PowerShell or WScript as a parent process
Search email gateway logs for .js attachments exceeding 1MB

Short-term (1-2 weeks)

Hunt for imphash 737fc4be4f9f7d7c06c790667c9f7669 across all detection systems
Deploy detection for .NET assemblies containing GUID ab88dfb2-73aa-4da1-bf05-e72424ad8034
Report staging server 96.44.159.218 to HostPapa abuse (still serving live payloads)
Report C2 216.250.249.222 to SpinServers abuse (abuse@spinservers.com)
Enable PowerShell Script Block Logging if not already active

Medium-term (1-3 months)

Monitor 216.250.249.0/24 for new C2 deployment (adjacent IPs already suspicious)
Track imphash cluster for new builds (current cadence: every 2-4 days)
Evaluate detection coverage for rotational XOR decryption patterns in PowerShell
Implement ASR rules blocking WScript from spawning PowerShell
Monitor MalwareBazaar for new RemcosRAT samples tagged with the same reporter chain

References

ThreatFox IOC: https://threatfox.abuse.ch/ioc/1762208/
MalwareBazaar (JS dropper): https://bazaar.abuse.ch/sample/9180484968eb47d73853596ec91f4e1d495c0dc7ed1800baa38ce88528b42b5d/
MalwareBazaar (RemcosRAT payload): https://bazaar.abuse.ch/sample/80e2868c6cd6c3b7e0b4b5584cbcc180b7c7ab049d20b0ab508e2b8be14a8522/
CAPE Sandbox: https://www.capesandbox.com/analysis/56891/
Triage Sandbox (HTA variant): https://tria.ge/reports/260310-l5rnlafx8x/
CERT-PL MWDB: https://mwdb.cert.pl/sample/ed925501e749cdc073143ed948ec8a93c6b6a4b76304d9c6a76c6faabc8d048e/
Malpedia RemcosRAT: https://malpedia.caad.fkie.fraunhofer.de/details/win.remcos

Published by Breakglass Intelligence. Investigation conducted 2026-03-10. 4 stages deobfuscated. 10 related builds clustered. 3 infrastructure IPs mapped. 1 license hash that ties it all together. Classification: TLP:CLEAR