Full Report
Over the past two weeks, LevelBlue SpiderLabs has been tracking an active phishing campaign distributing malicious spreadsheet attachments. What initially appeared to be a limited phishing attempt quickly evolved into a widespread campaign impacting multiple organizations across various industries, including manufacturing, media, professional services, agriculture, and chemicals. The affected organizations are distributed globally, with firms identified across Europe, the Asia-Pacific region, and the Americas.
Analysis Summary
# Tool/Technique: AsyncRAT & Remcos Multi-Stage Phishing Campaign
## Overview
This is a widespread, global phishing campaign identified in June 2026 that targets various industries (manufacturing, media, chemicals, etc.) to deploy Remote Access Trojans (RATs). The attack utilizes a complex, multi-stage delivery chain involving macro-enabled Excel spreadsheets, obfuscated HTA scripts, and PowerShell one-liners to bypass traditional security perimeters.
## Technical Details
- **Type:** Malware Family (AsyncRAT, Remcos) / Multi-stage Delivery Technique
- **Platform:** Windows
- **Capabilities:** Remote Access, Keylogging, Information Stealing, Persistence, Stealth/Evasion.
- **First Seen:** Early activity in April; intensified wave June 10–23, 2026.
## MITRE ATT&CK Mapping
- **TA0001 - Initial Access**
- T1566.001 - Phishing: Spearphishing Attachment
- **TA0002 - Execution**
- T1204.002 - User Execution: Malicious File
- T1059.001 - Command and Scripting Interpreter: PowerShell
- T1059.005 - Command and Scripting Interpreter: Visual Basic
- T1218.005 - System Binary Proxy Execution: Mshta.exe
- **TA0003 - Persistence**
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- **TA0005 - Defense Evasion**
- T1027 - Obfuscated Files or Information
- T1140 - Deobfuscate/Decode Files or Information
- T1027.001 - Binary Padding
- **TA0009 - Collection**
- T1056.001 - Input Capture: Keylogging
- **TA0011 - Command and Control**
- T1573 - Encrypted Channel (RC4/TLS)
## Functionality
### Core Capabilities
- **Remote Access:** Full control over the infected host via Remcos or AsyncRAT.
- **Data Exfiltration:** Ability to steal sensitive business documents and credentials.
- **Surveillance:** Real-time keylogging to capture credentials and communications.
- **Hidden Execution:** Uses `Win32_Process.Create` with `ShowWindow = 0` to execute payloads without a visible window.
### Advanced Features
- **Sophisticated Evasion:** Employs multiple layers of obfuscation, including URL shorteners, randomized capitalization of file extensions, and "junk code" padding (e.g., repeating words like "disor" to hide Base64 strings).
- **Environment Checks:** The HTA staging phase performs system checks before deploying the final payload.
- **Multi-Stage Loading:** Uses a sequential chain (Excel -> VBA -> HTA -> PowerShell -> Paste Service -> Final Payload) to minimize the footprint of any single file.
## Indicators of Compromise
- **File Hashes (SHA256):**
- `49c7b4eb6620917ee7ca796472b7af9f01ea6f7f80391ae7eb7bd8dabe0b7249` (Excel Dropper)
- **File Names:** Commonly mimic business documents (e.g., Purchase Order, Payment Advice, Shipping Docs).
- **Network Indicators:**
- `cuth[.]me` (URL Shortener)
- `masuk[.]to` (URL Shortener)
- `as[.]al/file/KBn1RC` (Paste service used for staging)
- **Behavioral Indicators:**
- `Excel.exe` spawning `mshta.exe`.
- `mshta.exe` spawning `powershell.exe`.
- PowerShell interacting with `WMI` (`winmgmts:root\cimv2`) to create new processes.
## Associated Threat Actors
- Unknown (Campaign exhibits features common to financially motivated cybercrime groups and commodity malware distributors).
## Detection Methods
- **Signature-based:** Standard AV signatures for AsyncRAT and Remcos payloads.
- **Behavioral Detection:**
- Monitor for Office applications spawning scripting engines (`mshta.exe`, `powershell.exe`, `cscript.exe`).
- Alert on PowerShell commands containing `Base64` strings with significant junk character padding.
- Monitor WMI activity specifically originating from HTA files.
- **Network Defense:** Block or alert on traffic to known paste-sites or unauthorized URL shorteners in business environments.
## Mitigation Strategies
- **Email Security:** Implement strict filtering for macro-enabled attachments (.xlsm) and block suspicious URL shorteners.
- **Endpoint Hardening:**
- Disable Office Macros via Group Policy for all departments not requiring them.
- Apply Attack Surface Reduction (ASR) rules, specifically "Block all Office applications from creating child processes."
- **User Awareness:** Train staff (particularly in Finance, Procurement, and Sales) to verify sender identity before enabling content on unexpected business documents.
## Related Tools/Techniques
- **Lumma Stealer / FormBook:** Often delivered via similar phishing chains.
- **VBA Stomping:** Similar obfuscation techniques used in macro-enabled documents.
- **Living off the Land (LotL):** Heavy reliance on `mshta.exe` and `WMI`.