Cagey Phishing Campaign Delivers Multiple RATs to Steal Windows Data

Published : 23/11/2024   Category : security




Various anti-detection features, including the use of the ScrubCrypt antivirus-evasion tool, fuel an attack that aims to take over Microsoft Windows machines.



A newly exposed corporate phishing campaign targeting Microsoft Windows users is delivering a flurry of remote access Trojans (RATs) and other malware under the cover of multiple detection-evasion techniques.
The attackers behind the campaign try to lure users into clicking on an attachment that ultimately employs the tool ScrubCrypt to deliver primarily VenomRAT version 6, although various other oft-used malware also are associated with the campaign, researchers from Fortinet's FortiGuard Labs Threat Research revealed in a blog post.
While the RAT maintains a connection with the attackers' command-and-control (C2) server, the attack drops plug-ins including Remcos RAT, XWorm, NanoCore RAT, and a stealer designed for specific crypto wallets, according to the researchers.
Ultimately the campaign is aimed at stealing critical data from targeted systems — ostensibly to be used in future attacks — as well as achieving persistence on a victim's network, according to the post.
"The attackers employ a variety of methods, including phishing emails with malicious attachments, obfuscated script files, and Guloader PowerShell, to infiltrate and compromise victim systems," wrote Cara Lin, senior antivirus analyst at Fortinet. "Furthermore, deploying plugins through different payloads highlights the versatility and adaptability of the attack campaign."
VenomRAT is a tool used previously by the 8220 Gang, a cybercriminal group that uses a powerful botnet as its weapon of choice. ScrubCrypt, meanwhile, "converts executables into undetectable batch files, providing several options to manipulate malware, making it more challenging for antivirus products to detect," Lin noted.
The campaign typically starts with a phishing email stating that a shipment has been delivered with an attached invoice that is actually an SVG file named INV0ICE_#TBSBVS0Y3BDSMMX.svg and contains embedded base64-encoded data.
If a targeted user opens the SVG file, the ECMAScript creates a new blob and utilizes window.URL.createObjectURL to drop the decoded data as a ZIP file named INV0ICE_#TBSBVS0Y3BDSMMX.zip. The decompressed file reveals an obfuscated batch file with an embedded payload that appears to be created by the BatCloak tool, "which distributes malware while effectively evading detection by antivirus programs," Lin explained.
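A defender-side triage check for the lure described above, added here as an example and not code from the Fortinet post: it parses an SVG, pulls out any script elements, looks for the Blob/createObjectURL chain, and decodes long base64 runs to see whether one carries a ZIP header. The sample SVG, its script and the payload bytes are constructed for the example (the "archive" is only a ZIP magic header plus padding).

```python
import base64
import re
import xml.etree.ElementTree as ET

# Constructed sample SVG modelled on the described lure: a <script> holding
# base64 data that is decoded into a Blob and passed to createObjectURL.
# The payload is just a ZIP magic header plus zero padding, not an archive.
SAMPLE_PAYLOAD = base64.b64encode(b"PK\x03\x04" + b"\x00" * 60).decode()
SAMPLE_SVG = f"""<svg xmlns="http://www.w3.org/2000/svg" width="10" height="10">
  <rect width="10" height="10"/>
  <script type="text/ecmascript"><![CDATA[
    var d = "{SAMPLE_PAYLOAD}";
    var b = new Blob([atob(d)]);
    var u = window.URL.createObjectURL(b);
  ]]></script>
</svg>"""

SVG_NS = "{http://www.w3.org/2000/svg}"
SMUGGLING_APIS = ("createObjectURL", "Blob", "atob", "download")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{40,}={0,2}")   # long base64-looking runs
ZIP_MAGIC = b"PK\x03\x04"


def scan_svg(svg_text):
    """Inspect one SVG document and return a findings dict."""
    root = ET.fromstring(svg_text)
    scripts = [el.text or "" for el in root.iter()
               if el.tag in (SVG_NS + "script", "script")]
    body = "\n".join(scripts)
    found = {
        "has_script": bool(scripts),
        "api_calls": [api for api in SMUGGLING_APIS if api in body],
        "zip_blob": False,
        "blob_len": 0,
    }
    # Decode every long base64 run and look for an embedded ZIP header.
    for run in B64_RUN.findall(body):
        try:
            raw = base64.b64decode(run, validate=True)
        except ValueError:
            continue
        if raw.startswith(ZIP_MAGIC):
            found["zip_blob"] = True
            found["blob_len"] = len(raw)
    return found


def is_suspicious(found):
    """Flag an SVG carrying script plus either the smuggling API chain
    or a base64 blob that decodes to a ZIP archive header."""
    return found["has_script"] and (
        found["zip_blob"] or "createObjectURL" in found["api_calls"])
```

Run it over attachments at the mail gateway or in a sandbox; an SVG invoice that carries script at all is unusual, and one that also decodes to a ZIP header is the pattern this campaign uses.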
The embedded script initially copies a PowerShell execution file to C:\Users\Public\xkn.exe and utilizes the copied file in later commands, using parameters that conceal its activity. It then decodes the malicious data and saves it as pointer.png, which is later executed as pointer.cmd and deletes all the previously executed files.
The pointer.cmd file serves as the ScrubCrypt batch file, and "it's deliberately cluttered with numerous junk strings to obscure readability," Lin wrote. The file incorporates two payloads, the first of which serves two primary purposes: establishing persistence and loading the targeted malware, VenomRAT. The second payload from the ScrubCrypt batch file is for AMSI bypass and ETW bypass, she noted.
VenomRAT was first identified in 2020 and uses a modified version of the well-known Quasar RAT. It allows attackers to gain unauthorized access and control over targeted systems. "As with other RATs, VenomRAT enables attackers to manipulate compromised devices remotely, allowing them to execute various malicious activities without the victim's knowledge or consent," Lin wrote.
Once deployed, VenomRAT initiates communication with its C2 server to send information about the victim, such as hardware specifications, username, operating system details, camera availability, execution path, foreground window name, and the name of the antivirus product installed. It then maintains communication channels with the C2 server to acquire the aforementioned additional plugins for related and other malicious activities as the attack continues from there, Lin wrote.
Notable among those plugins are three RATs often used for various nefarious purposes, including the Remcos RAT, which gives attackers complete system control to capture keystrokes, screenshots, credentials, and other sensitive information; NanoCore RAT, which can remotely access and control a victim's computer; and XWorm, which can load ransomware or act as a persistent backdoor.
Because this cyberattack campaign uses multiple layers of obfuscation and evasion techniques, it's important for enterprises to stay vigilant.
"The attackers' ability to persist in the system, evade detection, and execute malicious payloads underscores the importance of robust cybersecurity measures and vigilant monitoring to mitigate such threats effectively," Lin noted.
Organizations should educate users about the hallmark signs of phishing campaigns and encourage them to report suspicious activity to IT departments, as well as avoid downloading files or clicking on links from untrusted sources.
Despite its evasive tactics, a strong antivirus-detection system should pick up the malware entering a network, and one that includes a content disarm-and-reconstruction service "also is helpful to disable the malicious macros in the document before they can do any harm," Lin wrote.
FortiGuard included a list of indicators of compromise for the specific VenomRAT campaign in the post, including associated C2 domains, URLs associated with the attack, and files the attack distributes.
