Following our recent advisory on WinRAR-related threats, Obrela has identified a significant escalation in phishing campaigns targeting Greek maritime organizations, leveraging compressed archives to deliver the Remcos Remote Access Trojan (RAT).
Threat Overview
Attackers are distributing spear-phishing emails masquerading as logistics, procurement, and operations correspondence, frequently sent to shared inboxes (e.g., info@, ops@). These emails typically carry malicious RAR or ZIP attachments. Inside, a JavaScript or VBS loader, often disguised with a double file extension (e.g., invoice.pdf.js), executes via Windows Script Host.
Once triggered, the loader retrieves the Remcos RAT payload from remote servers, granting attackers persistent remote control, keylogging, and credential theft capabilities. Some campaigns also utilize malicious LNK files that execute PowerShell commands to fetch the payload, increasing stealth.
Observed Tactics, Techniques & Procedures (TTPs)
- Initial Access: [T1566.001] Spearphishing Attachment
- Execution: [T1059.007] JavaScript; [T1059.001] PowerShell; [T1204] User Execution
- Persistence & C2: Remcos RAT
Technical Indicators (IOCs)
Domains / C2 Infrastructure
- geoplugin[.]net
- hftook7lmaroutsg1.duckdns[.]org
- 5y9pfu[.]missileries-fenagle[.]yelocom[.]com
Malicious Mail Sender
- sder@oldendarf[.]cam
File Hashes
- 1b0eb55bb50d0286b192accbe408826c4c2e6c59a78d52743ce4f84ac0b1d6d0
- FF026E3D87B29D7399E991F7AD20751008746C16
- 612341AF1BC3D94A0366EF541F3AE7BF8CB1C979
- 8DD719CDF5B8E522E6DCC1EB5FE182CD29D71AAF
File Artifacts
- RAR/ZIP archives containing:
  - .js loaders with double extensions (e.g., invoice.pdf.js, manifest.xls.js)
  - Malicious LNK shortcuts initiating PowerShell download chains
Recommendations
- Block Suspicious Archives: Quarantine RAR/ZIP attachments from unverified sources.
- Inspect File Extensions: Flag files with double extensions (*.pdf.js, *.xls.js).
- Update Decompression Tools: Keep WinRAR and similar utilities fully patched, given recent exploit activity.
- Harden Email Security: Apply advanced filtering for scripts and compressed archives.
- Security Awareness: Train frontline maritime personnel to identify phishing attempts and report anomalies promptly.
- IOC Integration: Deploy network and endpoint detection rules to identify traffic to the above domains and detect suspicious PowerShell execution.
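The following script is an added example (not Obrela's tooling) that turns the File Artifacts and IOC Integration points above into three triage checks: flagging double-extension and LNK members in an attachment's file listing, matching DNS queries against the listed C2 domains (including their subdomains), and checking a From header against the listed sender. The DNS log format and archive listing are constructed for illustration; the extension lists in the regex extend the advisory's pdf/xls and js examples to a few common variants and are an assumption.

```python
"""Triage helpers for the Remcos campaign indicators in this advisory.

Added example, not Obrela's own tooling. The log and listing formats are
constructed; adapt the parsers to the real DNS/proxy/mail log schema.
"""
import re
from typing import Iterable

# C2 / infrastructure domains from the advisory, refanged for matching.
# Note: geoplugin.net is a public geolocation service that Remcos queries
# for victim geolocation; on its own it is a low-confidence signal, so
# correlate it with the other indicators before acting.
C2_DOMAINS = frozenset({
    "geoplugin.net",
    "hftook7lmaroutsg1.duckdns.org",
    "5y9pfu.missileries-fenagle.yelocom.com",
})

# Malicious sender from the advisory, refanged.
MALICIOUS_SENDERS = frozenset({"sder@oldendarf.cam"})

# Loader naming pattern: a document-looking extension followed by a script
# extension. The extension lists are an assumption extending the advisory's
# invoice.pdf.js / manifest.xls.js examples (VBS loaders are also mentioned).
DOUBLE_EXT_RE = re.compile(r"\.(pdf|xls|xlsx|doc|docx)\.(js|vbs)$", re.IGNORECASE)
LNK_RE = re.compile(r"\.lnk$", re.IGNORECASE)

# Constructed sample: member names of a RAR/ZIP attachment.
SAMPLE_ARCHIVE_MEMBERS = [
    "invoice.pdf.js",
    "manifest.xls.js",
    "Bill_of_Lading.pdf",
    "port_schedule.lnk",
    "readme.txt",
]

# Constructed sample DNS log lines: "<timestamp> <client-ip> query=<fqdn>".
SAMPLE_DNS_LOG = """\
2024-01-01T08:00:01Z 10.0.5.21 query=hftook7lmaroutsg1.duckdns.org
2024-01-01T08:00:02Z 10.0.5.21 query=geoplugin.net
2024-01-01T08:00:03Z 10.0.5.30 query=www.example.org
2024-01-01T08:00:04Z 10.0.5.21 query=cdn.5y9pfu.missileries-fenagle.yelocom.com
""".splitlines()


def suspicious_archive_members(names: Iterable[str]) -> list[str]:
    """Return archive members matching the campaign's loader naming."""
    return [n for n in names if DOUBLE_EXT_RE.search(n) or LNK_RE.search(n)]


def _domain_matches(fqdn: str) -> bool:
    """True if fqdn is an IOC domain or a subdomain of one."""
    fqdn = fqdn.lower().rstrip(".")
    return any(fqdn == d or fqdn.endswith("." + d) for d in C2_DOMAINS)


def c2_lookups(log_lines: Iterable[str]) -> list[tuple[str, str]]:
    """Return (client, fqdn) pairs for DNS queries that hit IOC domains."""
    hits = []
    for line in log_lines:
        m = re.match(r"^\S+\s+(\S+)\s+query=(\S+)", line)
        if m and _domain_matches(m.group(2)):
            hits.append((m.group(1), m.group(2).lower()))
    return hits


def is_malicious_sender(from_header: str) -> bool:
    """Check a From header value (bare or 'Name <addr>') against the sender IOC."""
    m = re.search(r"<([^>]+)>", from_header)
    addr = (m.group(1) if m else from_header).strip().lower()
    return addr in MALICIOUS_SENDERS


if __name__ == "__main__":
    print("suspicious members:", suspicious_archive_members(SAMPLE_ARCHIVE_MEMBERS))
    print("C2 lookups:", c2_lookups(SAMPLE_DNS_LOG))
    print("sender flagged:", is_malicious_sender("Ops <sder@oldendarf.cam>"))
```

In practice the archive listing would come from the mail gateway's attachment inspection or from a sandbox report, and the DNS lines from the resolver or proxy logs; the subdomain match matters because dynamic-DNS and CDN-style hostnames under the listed domains would otherwise be missed by exact matching.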
References:
- https://www.obrela.com/advisory/winrar-0-day-remote-code-execution-rce-exploit-for-sale/
- https://www.forcepoint.com/blog/x-labs/remcos-malware-new-face
- https://bazaar.abuse.ch/browse/tag/hftook7lmaroutsg1-duckdns-org/
Obrela’s Threat Intelligence Team continues to monitor these developments and will issue further advisories as new indicators emerge.