Malicious GST Debit Note Attachment Delivers Remcos RAT Through Multi-Stage Loader
A phishing campaign is targeting users in India with a fake GST debit note attachment that installs Remcos RAT, a remote access trojan used for surveillance, credential theft, and remote control.
The campaign was detailed by K7 Security Labs, which found a suspicious file named “GST Debit Note Apr_26.com” during telemetry monitoring. The file arrives through a phishing archive and opens a multi-stage infection chain.
The attack uses a 32-bit .NET executable, in-memory loading, steganographic payload storage, process hollowing, and registry persistence. The final payload gives attackers control of the infected Windows machine and can steal browser data from Chrome and Firefox.
Fake GST Attachment Starts the Infection
The lure fits a familiar business workflow in India. A GST debit note can look routine to employees who handle invoices, tax records, supplier payments, or accounting documents.
After extraction, the archive drops a file with a .com extension. K7 found that the file was packed, unsigned, and disguised as a legitimate brick-building game with Turkish-language artifacts embedded in the sample.
The decoy runs quietly in the background. That lowers the chance that the victim will notice anything unusual while the real malware chain begins.
| Attack stage | What happens | Risk |
|---|---|---|
| Phishing email | Victim receives an archive attachment using a GST debit note theme | Business users may treat it as a normal accounting file |
| Initial executable | The archive drops GST Debit Note Apr_26.com | The file is actually a packed 32-bit .NET executable |
| First loader | Optimax.dll loads directly into memory | Security tools may miss parts of the chain |
| Second loader | System Optimizer Ultimate.dll loads the final payload | The attack keeps sensitive stages away from normal disk scanning |
| Final payload | Remcos RAT runs on the system | Attackers gain remote control and data theft capability |
Payloads Hide Inside a Bitmap Resource
The malware hides its next-stage components inside resource sections of the executable. K7 said the embedded resource contains a serialized .NET Bitmap object that acts as a container for hidden payload data.
This design makes static analysis harder because the next stage does not appear as a normal standalone file. The loader reconstructs the payload in memory and runs it using .NET loading techniques.
The first in-memory component is Optimax.dll. It then calls a second-stage loader named System Optimizer Ultimate.dll, which launches Remcos as the final payload.
Remcos Uses Process Hollowing and Persistence
After the final stage runs, Remcos uses process hollowing to hide under the victim’s default browser process name. This helps the RAT blend into normal activity and makes process-based detection harder.
The malware also creates persistence through a Windows Run entry. MITRE ATT&CK describes Registry Run Keys as a common method attackers use to start programs automatically when a user logs in.
In this campaign, the malware creates a hidden copy of itself in the AppData Roaming folder under a random name. K7 also observed the mutex “Remcos_Mutex_Inj,” which confirmed the active Remcos RAT payload.
- Loads malicious DLLs directly in memory.
- Runs the final RAT under a browser process name.
- Creates a hidden copy in AppData Roaming.
- Uses a Run registry entry for startup persistence.
- Checks for sandbox and virtual machine environments.
- Attempts User Account Control bypass through eventviewer.exe.
Credential Theft and Surveillance Capabilities
Remcos can monitor the active window, log title changes, track user idle time, and report user activity. K7 also observed audio and webcam recording capabilities in the sample.
The RAT includes browser credential theft functions. It can collect Chrome stored logins, Chrome cookies, and Firefox stored credentials, which aligns with MITRE ATT&CK’s Credentials from Web Browsers technique.

For businesses, this creates a serious risk beyond one infected PC. Browser-stored passwords may provide access to email, banking portals, cloud dashboards, accounting systems, source code repositories, and internal tools.
| Capability | Potential impact |
|---|---|
| Browser credential theft | Steals saved passwords and cookies from Chrome and Firefox |
| Remote command execution | Lets attackers run commands on the compromised machine |
| Window monitoring | Tracks active applications and user behavior |
| Audio and webcam access | Enables surveillance of the infected user |
| C2 exfiltration | Sends captured data to attacker infrastructure |
Campaign Appears Broader Than One Payload
K7 said related samples tied to the same infrastructure also delivered Agent Tesla, Phantom Stealer, Dark Cloud, RedLine Stealer, MassLogger variants, Formbook, XWorm, and Snake keyloggers.
That points to a broader loader-style operation where the delivery chain stays similar but the final malware can change. In this case, Remcos was the final payload connected to India-themed filenames such as NEFT, RTGS, IMPS, and GST.
The Cyber Swachhta Kendra, operated under India’s CERT-In ecosystem, has also warned that Remcos has been used by threat actors for espionage, credential theft, and system takeover.
What Users and Security Teams Should Do
Users should avoid opening unexpected archive attachments, especially files that claim to be invoices, debit notes, payment records, GST documents, NEFT forms, RTGS forms, or IMPS notices.
Security teams should search endpoints for the listed hashes, suspicious AppData Roaming executables, Remcos-related mutex activity, Run key changes, and outbound traffic to the reported C2 infrastructure. They should also review detections for process hollowing and other injection behavior.
Enterprises should restrict script abuse, block executable files inside archives where possible, harden email filtering, and alert on suspicious persistence through Registry Run Keys. Machines that opened the attachment should be isolated and investigated before normal use continues.
- Do not open GST-themed archives from unknown senders.
- Block executable attachments inside compressed files.
- Audit Windows Run keys and startup locations.
- Search for Remcos mutex and related file hashes.
- Reset browser-stored credentials used on affected machines.
- Review network logs for traffic to reported C2 endpoints.
- Enable endpoint detection that can inspect memory-based execution.
Indicators of Compromise
The following indicators came from the malware analysis. Security teams should use them for threat hunting, but they should also check behavior because attackers can change infrastructure and filenames quickly.
| Type | Indicator | Description |
|---|---|---|
| MD5 hash | C2E25ABA8E2AD4CAFDD6C633B8CA0906 | Archive file |
| MD5 hash | 897ABF678EDAD72998554EC18675092F | GST debit note executable |
| MD5 hash | AFE085B7324D72673EEF749FF5F21A49 | Optimax.dll first-stage loader |
| MD5 hash | F3626A38FCF488C9EED54BEB8C7C116F | System Optimizer Ultimate.dll second-stage loader |
| MD5 hash | 4924369C0BDAF73B21EB992EB9DB4DEA | Remcos RAT payload |
| IP address | 62.102.148.212:37393 | Remcos C2 server |
| IP address | 217.138.252.123:42830 | Associated C2 infrastructure |
| IP address | 146.70.244.90:37393 | Associated C2 infrastructure |
| Mutex | Remcos_Mutex_Inj | Remcos RAT execution marker |
| File name | logs.dat | Captured data storage before exfiltration |
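The hunting steps listed above and the indicator table can be turned into a small triage pass over endpoint telemetry. The following is an added example, not code from K7 or the article: it runs four checks (Run key pointing into AppData Roaming, execution from AppData Roaming, a browser-named process spawned by a loader stage, the reported mutex and C2 endpoints) over constructed Sysmon-style events. The browser names and the parent-path heuristic for spotting a hollowed browser are assumptions of this example; the C2 endpoints and mutex are taken from the table.

```python
import re

# C2 endpoints and mutex come from the K7 indicator table on this page; the
# browser names and parent-path heuristic are this example's own assumptions.
C2_ENDPOINTS = {("62.102.148.212", 37393), ("217.138.252.123", 42830),
                ("146.70.244.90", 37393)}
REMCOS_MUTEX = "Remcos_Mutex_Inj"
BROWSERS = {"chrome.exe", "firefox.exe", "msedge.exe"}  # assumed default browsers

RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
ROAMING_EXE_RE = re.compile(r"\\AppData\\Roaming\\.+\.exe$", re.IGNORECASE)
# Loader parents: the .com dropper or the hidden copy under AppData\Roaming.
LOADER_PARENT_RE = re.compile(r"(\.com$|\\AppData\\Roaming\\)", re.IGNORECASE)


def hunt(events):
    """Return (rule, detail) hits for a list of Sysmon-like event dicts."""
    hits = []
    for ev in events:
        kind = ev["type"]
        if kind == "registry_set":
            if RUN_KEY_RE.search(ev["key"]) and ROAMING_EXE_RE.search(ev["data"]):
                hits.append(("run_key_points_to_roaming", ev["data"]))
        elif kind == "process_create":
            if ROAMING_EXE_RE.search(ev["image"]):
                hits.append(("exec_from_roaming", ev["image"]))
            # Hollowed browser: browser-named child spawned by a loader stage.
            child = ev["image"].rsplit("\\", 1)[-1].lower()
            if child in BROWSERS and LOADER_PARENT_RE.search(ev["parent"]):
                hits.append(("browser_spawned_by_loader", ev["parent"]))
        elif kind == "network_connect":
            if (ev["dst_ip"], ev["dst_port"]) in C2_ENDPOINTS:
                hits.append(("c2_connect", f"{ev['dst_ip']}:{ev['dst_port']}"))
        elif kind == "mutex_create" and ev["name"] == REMCOS_MUTEX:
            hits.append(("remcos_mutex", ev["name"]))
    return hits


# Constructed sample telemetry modelled on the chain described above.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Users\a\Downloads\GST Debit Note Apr_26.com",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "process_create", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "parent": r"C:\Users\a\Downloads\GST Debit Note Apr_26.com"},
    {"type": "registry_set", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "data": r"C:\Users\a\AppData\Roaming\qzxl\qzxl.exe"},
    {"type": "process_create", "image": r"C:\Users\a\AppData\Roaming\qzxl\qzxl.exe",
     "parent": r"C:\Windows\explorer.exe"},
    {"type": "mutex_create", "name": "Remcos_Mutex_Inj"},
    {"type": "network_connect", "dst_ip": "62.102.148.212", "dst_port": 37393},
    {"type": "network_connect", "dst_ip": "142.250.80.46", "dst_port": 443},  # benign
]
```

Any single hit is worth a closer look, but a Run key into AppData Roaming together with a browser-named child of the .com file is the combination that matches this chain.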
Why This Campaign Matters
This campaign shows how attackers can combine a local business lure with technical evasion. A GST debit note theme increases the chance of execution, while in-memory loading and process hiding reduce the chance of quick detection.
The broader Remcos threat remains relevant because attackers continue to use it in phishing campaigns. The Cyber Swachhta Kendra alert recommends caution with unsolicited attachments, stronger email controls, updated systems, and restrictions on risky script execution.
Security teams should treat any confirmed infection as a credential compromise event. Because the malware targets browser-stored data, response should include password resets, cookie/session invalidation, and review of accounts accessed from the infected machine. The browser theft behavior maps directly to Credentials from Web Browsers, which defenders should include in detection and response playbooks.
K7’s analysis makes clear that the campaign reaches beyond one attachment and one payload. Similar infrastructure has delivered several malware families, making this a wider malware delivery operation that Indian organizations should monitor closely.
FAQ
It is a phishing campaign that uses a fake GST debit note archive attachment to infect Windows systems. The attachment drops a disguised .NET executable that starts a multi-stage loader and eventually runs Remcos RAT.
Remcos RAT can give attackers remote control of the machine. In this campaign, researchers observed persistence, process hollowing, browser credential theft, user activity monitoring, audio and webcam recording capabilities, and data exfiltration to a C2 server.
The GST theme targets users in India by making the attachment look like a routine business or tax document. Employees who handle finance, invoices, supplier payments, or accounting records may be more likely to open it.
No. The campaign uses in-memory loading for important stages, but researchers also observed dropped files, a hidden AppData copy, registry persistence, and temporary artifacts. It is more accurate to describe it as a multi-stage loader with fileless-style execution techniques.
They should disconnect the device from the network, report the incident to IT or security teams, run a full endpoint investigation, remove the malware, rotate passwords and browser-stored credentials, and review accounts accessed from that machine.