New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know

ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.

What makes this campaign particularly dangerous is its use of built-in Windows tools and trusted system processes to blend in with normal activity, making it much harder to catch through signatures alone.

Let’s walk through the full infection chain and see how you can safely detect these techniques in seconds with the help of the right analysis solutions.

To understand how this phishing campaign works end-to-end, let’s take a look at how it unfolds inside ANY.RUN’s interactive sandbox, where every step is visual, traceable, and recorded in real time.

View the full analysis session

[Figure: Full attack chain of the new phishing danger inside ANY.RUN’s sandbox]

From initial delivery to post-exploitation behaviour, the sandbox reveals the full picture, giving SOC teams the visibility they need to respond faster and helping businesses reduce the risk of silent, long-term compromise.

Full attack chain of the latest phishing threat inside ANY.RUN’s sandbox:

Phishing Email → Malicious Archive → DBatLoader Execution → Obfuscated CMD Scripts → Remcos Injected into .exe

Inside the sandbox, you can visually trace each stage of the attack as it happens, such as:

Watch how the archive triggers DBatLoader, and how obfuscated .cmd scripts begin executing suspicious commands.

[Figure: ANY.RUN sandbox detected command execution by cmd.exe]

See exactly when and where Remcos is injected into legitimate system processes, with process trees and memory indicators updated in real time.

[Figure: Remcos RAT exposed inside the interactive sandbox]

Observe persistence techniques in action, such as the creation of scheduled tasks, registry changes, and the use of .url and .pif files, clearly highlighted in the system activity log.

To better understand the tactics behind this phishing attack, you can use the built-in MITRE ATT&CK mapping in ANY.RUN. Just click the “ATT&CK” button in the top-right corner of the sandbox interface.

This view instantly highlights the techniques used during the analysis, grouped by tactics like execution, persistence, privilege escalation, and more. It’s a fast, analyst-friendly way to connect behaviour to real-world threat intelligence; no manual mapping is needed.

[Figure: MITRE ATT&CK techniques and tactics used by the new phishing campaign]

Whether you’re performing triage or writing reports, this feature helps security teams act faster and gives managers clear evidence of how threats operate and where defences might be bypassed.

Here are some of the key tactics observed in the session and how you can spot them easily inside the sandbox:

  1. Faktura.exe: The Lure File

Victims receive a phishing email containing an archive with Faktura.exe, posing as a legitimate invoice. When opened, it kicks off the attack.

Most email security tools won’t flag this file if it’s not known or doesn’t match known IOCs. In ANY.RUN, you can immediately see Faktura.exe in the process tree and watch how it spawns malicious activity, giving analysts clarity from the very first click.

[Figure: FAKTURA.exe displayed inside ANY.RUN sandbox]

  2. DBatLoader: The Initial Loader

Once the victim opens the phishing archive, DBatLoader is executed. It’s responsible for starting the infection chain by launching obfuscated scripts.

In the Process tree, DBatLoader appears as a dropped .exe that immediately spawns cmd.exe. You can inspect the command lines and file system activity and see exactly how the script execution begins.

[Figure: YARA rule triggered by DBatLoader]

  3. Obfuscated Execution with BatCloak-Wrapped CMD Files

In this analysis session, .cmd scripts obfuscated with BatCloak are used to download and execute the malicious payload.

Obfuscation hides intent from static scanners. In sandboxes like ANY.RUN, you can open the command-line view and see every decoded instruction and suspicious pattern as it executes; no manual decoding is needed.

  4. LOLBAS Abuse with Esentutl.exe

The legitimate utility esentutl.exe is abused to copy cmd.exe into alpha.pif, a renamed dropper meant to look harmless.

File copy operations using esentutl.exe show up in the ANY.RUN Process tree and File system activity, including full paths and command context.

[Figure: LOLBAS abuse with Esentutl.exe detected inside ANY.RUN sandbox]

  5. Scheduled Tasks Trigger .url → .pif Execution

A scheduled task is created to run Cmwdnsyn.url, which launches the .pif file on boot or at regular intervals.

[Figure: Scheduled task technique in detail]

Scheduled tasks are a common persistence mechanism, but in complex environments, they often go unnoticed. With ANY.RUN, you can instantly see when and how the task is created, track its execution chain in the process tree, and inspect related file and registry changes.

This gives SOC teams a clear view of how the malware stays active over time, making it easier to build detection rules, document the persistence method, and ensure it’s fully removed.

  6. UAC Bypass with Fake “C:\Windows ” Directory

A mock directory (C:\Windows followed by a trailing space) is used to bypass UAC prompts by exploiting quirks in how Windows handles such paths.

[Figure: Bypass UAC with mock directories (note trailing space)]
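The esentutl copy, the scheduled task pointing at a .url/.pif, and the trailing-space "C:\Windows " directory described in sections 4 to 6 are all visible in process-creation telemetry. The following is an added detection example written for this article, not ANY.RUN’s own code: it runs a few simple rules over constructed log lines in an assumed "Key=Value|Key=Value" format (the file names alpha.pif and Cmwdnsyn.url come from the article; every path and the esentutl/schtasks argument layout are assumptions).

```python
import re

# Rules derived from the behaviours described in the article.
# esentutl used as a file copier (/y source /d destination) with a .pif target.
ESENTUTL_PIF = re.compile(r"esentutl(?:\.exe)?\s+/y\s+\S+\s+/d\s+\S+\.pif\b", re.I)
# A scheduled task whose action (/tr) is a .url or .pif file.
SCHTASKS_URL_PIF = re.compile(r"schtasks(?:\.exe)?\s+/create\b.*?/tr\s+\S+\.(?:url|pif)\b", re.I)
# A "mock trusted directory": drive:\Windows followed by a trailing space.
MOCK_WINDOWS_DIR = re.compile(r"[A-Z]:\\Windows \\", re.I)

# Constructed sample events (assumed format, not from the real session).
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\esentutl.exe|CommandLine=esentutl.exe /y C:\\Windows\\System32\\cmd.exe /d C:\\Users\\Public\\alpha.pif /o",
    "Image=C:\\Windows\\System32\\schtasks.exe|CommandLine=schtasks /create /sc minute /mo 5 /tn Sync /tr C:\\Users\\Public\\Cmwdnsyn.url",
    "Image=C:\\Windows \\System32\\example.exe|CommandLine=example.exe",
    "Image=C:\\Users\\Public\\alpha.pif|CommandLine=alpha.pif /c echo test",
    "Image=C:\\Windows\\System32\\notepad.exe|CommandLine=notepad.exe C:\\Users\\Public\\notes.txt",
    "Image=C:\\Windows\\System32\\esentutl.exe|CommandLine=esentutl.exe /p C:\\db\\mail.edb",
]


def parse_event(line):
    """Parse one 'Key=Value|Key=Value' line into a dict (simplified telemetry)."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def match_rules(event):
    """Return the names of all rules an event triggers (empty list if benign)."""
    hits = []
    image = event.get("Image", "")
    cmd = event.get("CommandLine", "")
    if ESENTUTL_PIF.search(cmd):
        hits.append("esentutl_copy_to_pif")
    if SCHTASKS_URL_PIF.search(cmd):
        hits.append("schtasks_runs_url_or_pif")
    if MOCK_WINDOWS_DIR.search(image) or MOCK_WINDOWS_DIR.search(cmd):
        hits.append("trailing_space_windows_dir")
    if image.lower().endswith(".pif"):  # renamed interpreter copy being executed
        hits.append("pif_image_executed")
    return hits


def scan(lines):
    """Map line index -> triggered rules for every line that fires at least one."""
    findings = {}
    for i, line in enumerate(lines):
        hits = match_rules(parse_event(line))
        if hits:
            findings[i] = hits
    return findings


if __name__ == "__main__":
    for idx, rules in scan(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The two benign lines (ordinary notepad use and a legitimate esentutl database repair) produce no hits, which is the point of keying on the argument pattern rather than on the binary name alone.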

This phishing campaign highlights just how far attackers go to stay hidden, using built-in Windows tools, crafted persistence, and subtle privilege escalation tricks that easily bypass traditional defences.

With sandbox analysis, especially in a sandbox like ANY.RUN, security teams gain the clarity and speed needed to stay ahead of these threats. You can observe every step of the infection, uncover techniques that static tools miss, and act with confidence.

  • Faster incident response thanks to real-time behavioural insight
  • Reduced dwell time by identifying threats before they spread
  • Better-informed security decisions through visibility into attacker tactics
  • Improved compliance and audit readiness with shareable, in-depth reports

To celebrate its 9th anniversary, ANY.RUN is offering a limited-time promotion:

Get bonus Interactive Sandbox licenses or double your TI Lookup quota, available only until May 31, 2025.

Don’t miss your chance to upgrade your threat detection and response workflow with solutions trusted by over 15,000 organizations worldwide.
