02 Jun 2026 19:28 UTC

DonutLoader Reloaded in a Modern Remcos RAT Campaign

SOC Prime Team

Summary

G DATA has identified a fresh Remcos RAT campaign that begins with a malicious batch file and moves through several scripting layers, including PowerShell, VBScript, and AutoIt, to retrieve and launch a DonutLoader shellcode payload. The loader ultimately injects the final Remcos RAT into the legitimate Windows binary colorcpl.exe. Throughout the chain, the attackers rely on trusted tools such as 7-Zip, pCloud storage, and multiple LOLBins to make the activity appear routine. The use of Donut-generated shellcode for process injection marks a notable evolution in modern Remcos delivery.

Investigation

Researchers followed the full infection path from a phishing attachment named Bestellung.CMD, which launched cscript.exe to execute a VBScript proxy that decoded a Base64-encoded PowerShell command and handed it to a hidden PowerShell process through the SyncAppvPublishingServer.vbs script proxy. That PowerShell stage downloaded 7-Zip utilities and a password-protected archive from pCloud, then unpacked a JScript file that dropped an AutoIt interpreter and a fake PNG carrying additional payload content. The AutoIt component decrypted XOR-obfuscated data, rebuilt the DonutLoader shellcode, and injected it into colorcpl.exe, where Remcos RAT version 7.2.1 Pro was executed.

Mitigation

Defenders should watch for suspicious use of cscript.exe, SyncAppvPublishingServer.vbs, and PowerShell IEX commands containing Base64-encoded content, especially when those processes originate from batch files. Detection should also cover unexpected appearances of 7z.exe and 7z.dll in user directories, along with unauthorized AutoIt binaries. Behavior-based protections should be tuned to identify process injection into colorcpl.exe and activity consistent with Donut-generated shellcode. Because colorcpl.exe is a legitimate, signed Windows binary, the indicator is not the image itself but its context: a parent process running from a user-writable path, and memory-access or remote-thread events targeting it, rather than a process-creation event on its own.
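As an added example (not code from G DATA or SOC Prime), the hunting checklist above expressed as a PowerShell function over Sysmon Event ID 1 style process-creation records, with an optional ImageLoaded field (Event ID 7) for the 7z.dll case. The regular expressions and the "parent under C:\Users" heuristic for colorcpl.exe are assumptions made here; the sample records at the bottom are constructed, and every path or file name in them other than the ones the write-up cites (Bestellung.CMD, SyncAppvPublishingServer.vbs, iphdcrtj.js, 7z.exe, AutoIt3.exe, colorcpl.exe) is a placeholder.

```powershell
# Added hunting example, not code from the G DATA or SOC Prime write-up. Input objects mimic
# Sysmon Event ID 1 EventData fields (Image, CommandLine, ParentImage, ParentCommandLine) plus
# an optional ImageLoaded field (Event ID 7) for the 7z.dll check. -match is case-insensitive.
function Find-RemcosChainIndicators {
    param([Parameter(Mandatory)][object[]]$Events)

    foreach ($e in $Events) {
        $img    = [string]$e.Image
        $cmd    = [string]$e.CommandLine
        $parent = [string]$e.ParentImage
        $pcmd   = [string]$e.ParentCommandLine
        $loaded = [string]$e.ImageLoaded
        $hits   = [System.Collections.Generic.List[string]]::new()

        # 1. Script host whose parent command line names a batch file
        if ($img -match '\\[cw]script\.exe$' -and $pcmd -match '\.(cmd|bat)\b') {
            $hits.Add('script host launched from batch file')
        }
        # 2. SyncAppvPublishingServer.vbs as proxy: its argument smuggles a command after ";"
        if ($cmd -match 'SyncAppvPublishingServer\.vbs' -and $cmd -match ';') {
            $hits.Add('SyncAppvPublishingServer.vbs proxy execution')
        }
        # 3. PowerShell pairing IEX with the AppvClient import or with Base64 decoding
        if ($img -match '\\powershell\.exe$') {
            $iex = $cmd -match '\b(iex|invoke-expression)\b'
            if ($iex -and $cmd -match 'Import-Module AppvClient') { $hits.Add('PowerShell IEX with AppvClient') }
            if ($iex -and $cmd -match 'FromBase64String')        { $hits.Add('PowerShell IEX over Base64 payload') }
        }
        # 4. 7-Zip executable or DLL under a user profile
        if ($img -match '^C:\\Users\\.*\\7z\.exe$' -or $loaded -match '^C:\\Users\\.*\\7z\.dll$') {
            $hits.Add('7-Zip component in user directory')
        }
        # 5. AutoIt interpreter under a user profile (name-based heuristic; a renamed copy needs
        #    a hash or signer check instead)
        if ($img -match '^C:\\Users\\.*\\AutoIt3[^\\]*\.exe$') {
            $hits.Add('AutoIt interpreter in user directory')
        }
        # 6. colorcpl.exe started from a user-writable path: the signed binary is clean, so the
        #    parent is the indicator (heuristic chosen here, not taken from the report)
        if ($img -match '\\colorcpl\.exe$' -and $parent -match '^C:\\Users\\') {
            $hits.Add('colorcpl.exe spawned from user-writable path (injection host candidate)')
        }

        if ($hits.Count -gt 0) {
            [pscustomobject]@{ Image = $img; Indicators = $hits.ToArray() }
        }
    }
}

# Constructed sample records. Names other than those the write-up cites (Bestellung.CMD,
# SyncAppvPublishingServer.vbs, iphdcrtj.js, 7z.exe, AutoIt3.exe, colorcpl.exe) are
# placeholders; the Base64 blob decodes to the harmless "Write-Host 1".
$tmp      = 'C:\Users\alice\AppData\Local\Temp'
$ps       = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
$psArg    = "IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('VwByAGkAdABlAC0ASABvAHMAdAAgADEA')))"
$proxyCmd = "cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs `"n; $psArg`""
$sample = @(
    [pscustomobject]@{ Image = 'C:\Windows\System32\cscript.exe'; CommandLine = "cscript.exe //nologo $tmp\stage1.vbs"
                       ParentImage = 'C:\Windows\System32\cmd.exe'; ParentCommandLine = 'cmd.exe /c "C:\Users\alice\Downloads\Bestellung.CMD"' }
    [pscustomobject]@{ Image = 'C:\Windows\System32\cscript.exe'; CommandLine = $proxyCmd
                       ParentImage = 'C:\Windows\System32\cscript.exe'; ParentCommandLine = "cscript.exe //nologo $tmp\stage1.vbs" }
    [pscustomobject]@{ Image = $ps; CommandLine = "powershell.exe -ExecutionPolicy ByPass -NoProfile -WindowStyle Hidden -Command `"Import-Module AppvClient; Sync-AppvPublishingServer n; $psArg`""
                       ParentImage = 'C:\Windows\System32\cscript.exe'; ParentCommandLine = $proxyCmd }
    [pscustomobject]@{ Image = "$tmp\7z.exe"; CommandLine = "$tmp\7z.exe x -pSECRET $tmp\archive.zip"
                       ParentImage = $ps; ParentCommandLine = 'powershell.exe -WindowStyle Hidden'; ImageLoaded = "$tmp\7z.dll" }
    [pscustomobject]@{ Image = "$tmp\AutoIt3.exe"; CommandLine = "$tmp\AutoIt3.exe $tmp\picture.png"
                       ParentImage = 'C:\Windows\System32\wscript.exe'; ParentCommandLine = "wscript.exe $tmp\iphdcrtj.js" }
    [pscustomobject]@{ Image = 'C:\Windows\System32\colorcpl.exe'; CommandLine = 'colorcpl.exe'
                       ParentImage = "$tmp\AutoIt3.exe"; ParentCommandLine = "$tmp\AutoIt3.exe $tmp\picture.png" }
    [pscustomobject]@{ Image = 'C:\Program Files\Google\Chrome\Application\chrome.exe'; CommandLine = 'chrome.exe'
                       ParentImage = 'C:\Windows\explorer.exe'; ParentCommandLine = 'explorer.exe' }
)

Find-RemcosChainIndicators -Events $sample | Format-Table -AutoSize -Wrap
```

Run against the constructed records, the six malicious events each come back with at least one indicator and the chrome.exe launch comes back with none; to use it on live data, build the input objects from Get-WinEvent on the Sysmon operational log by mapping the EventData names listed in the comment.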

Response

If this activity is detected, isolate the affected system immediately, capture memory before terminating the suspicious processes, and only then stop them: the decoded DonutLoader shellcode and the unpacked Remcos payload live in the memory of the injected colorcpl.exe process, and on disk they exist only in XOR-obfuscated form, so killing the process first destroys the most useful evidence. Investigators should review dropped files and any deleted artifacts to reconstruct the full execution chain, while blocking communication with the identified command-and-control infrastructure. Remediation should include removal of the Remcos RAT and cleanup of any abused legitimate utilities involved in the attack.

Attack Flow

    graph TB
        %% Class definitions
        classDef technique fill:#99ccff
        classDef tool fill:#ffcc99
        classDef process fill:#ff9999
        classDef misc fill:#dddddd

        %% Node definitions
        phish_spear["<b>Action</b> – <b>T1566.001 Phishing: Spearphishing Attachment</b><br/><b>File</b>: Bestellung.CMD"]:::technique
        cmd_shell["<b>Technique</b> – <b>T1059.003 Command and Scripting Interpreter</b><br/>Windows Command Shell"]:::technique
        vbscript["<b>Technique</b> – <b>T1059.005 Command and Scripting Interpreter</b><br/>Visual Basic (cscript.exe + .vbs)"]:::technique
        syncappv_proxy["<b>Technique</b> – <b>T1216.002 System Script Proxy Execution</b><br/>SyncAppvPublishingServer"]:::technique
        powershell_hidden["<b>Technique</b> – <b>T1059.001 Command and Scripting Interpreter</b><br/>PowerShell (hidden, Base64 decode)<br/><b>Sub-techniques</b>: T1027.009 Embedded Payloads, T1564.003 Hidden Window"]:::technique
        ingress_transfer["<b>Technique</b> – <b>T1105 Ingress Tool Transfer</b><br/>Download 7z utilities and password-protected ZIP<br/><b>Sub-technique</b>: T1027.015 Compression"]:::technique
        javascript_masq["<b>Technique</b> – <b>T1059.007 Command and Scripting Interpreter</b><br/>JavaScript (iphdcrtj.js)<br/><b>Masquerading</b>: T1036.008 fake PNG containing AutoIt script"]:::technique
        process_injection["<b>Technique</b> – <b>T1055 Process Injection</b><br/>Injected into colorcpl.exe"]:::technique
        reflective_loader["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/>DonutLoader shellcode → Remote Access Software (Remcos RAT)"]:::technique
        c2_comm["<b>Technique</b> – <b>T1071 Application Layer Protocol</b><br/>C2 communication"]:::technique

        %% Connections showing attack flow
        phish_spear -->|leads_to| cmd_shell
        cmd_shell -->|leads_to| vbscript
        vbscript -->|leads_to| syncappv_proxy
        syncappv_proxy -->|leads_to| powershell_hidden
        powershell_hidden -->|leads_to| ingress_transfer
        ingress_transfer -->|leads_to| javascript_masq
        javascript_masq -->|leads_to| process_injection
        process_injection -->|leads_to| reflective_loader
        reflective_loader -->|leads_to| c2_comm

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The adversary has obtained a malicious PowerShell payload (e.g., a downloader) that has been Base64-encoded to evade static detection. To stay under the radar, the attacker relies on a signed, built-in module, AppvClient, which is commonly present on Windows systems: in the real chain, the SyncAppvPublishingServer.vbs script proxy launches a hidden powershell.exe whose command line begins with Import-Module AppvClient, and the attacker's argument is appended to it. The payload is decoded and executed with Invoke-Expression (IEX) entirely in memory, leaving no file artifacts of its own. The resulting command line (Import-Module AppvClient; IEX <decoded payload>) is what the Sigma rule's condition matches. Note that the regression script below runs these statements inside the current session, so the match surfaces in PowerShell script block logging (Event ID 4104, if enabled) rather than in a process-creation command line; a rule keyed on process-creation telemetry needs a child powershell.exe launched with that string in its -Command argument.

  • Regression Test Script:

    <#
    Simulation script for triggering the "PowerShell IEX with AppvClient" detection rule.
    Runs in the current session, so the trigger appears in script block logging (Event ID 4104)
    rather than as a new powershell.exe command line.
    #>

    # 1. Import the legitimate module (signed binary proxy execution); abort if AppvClient is absent
    Import-Module AppvClient -ErrorAction Stop

    # 2. Prepare a simple benign PowerShell payload and Base64-encode it (UTF-16LE, the encoding
    #    PowerShell's own -EncodedCommand expects)
    $payload = "Write-Host 'Compromise simulated – payload executed.'"
    $bytes   = [System.Text.Encoding]::Unicode.GetBytes($payload)
    $b64     = [System.Convert]::ToBase64String($bytes)

    # 3. Decode and execute the payload in memory using IEX (the detection trigger)
    IEX ([System.Text.Encoding]::Unicode.GetString([System.Convert]::FromBase64String($b64)))

    # 4. Optional: keep the session alive briefly so event log writes complete before cleanup
    Start-Sleep -Seconds 5

  • Cleanup Commands:

    # Remove the imported module to reduce footprint
    if (Get-Module -Name AppvClient) {
        Remove-Module -Name AppvClient -Force
    }

    # Clear the in-session PowerShell history (PSReadLine's on-disk history file, where present, is untouched)
    Clear-History
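An added variant of the simulation, not part of the original page: it runs the same benign payload through a child powershell.exe whose command line carries "Import-Module AppvClient; IEX ..." in the form the narrative describes, so that the string lands in process-creation telemetry, and then pulls back the Sysmon Event ID 1 record for that PID to confirm what the rule will see. It assumes Sysmon is installed with process-creation logging and that the session can read Microsoft-Windows-Sysmon/Operational (normally an elevated session); the function name and the three-second flush delay are choices made here. It reproduces only the Import-Module AppvClient; IEX portion, not the full Sync-AppvPublishingServer argument the real proxy script adds.

```powershell
# Added example, not code from the original simulation or from G DATA/SOC Prime.
# Spawns a child powershell.exe with the rule's trigger string in its -Command argument,
# then reads the Sysmon Event ID 1 record for that process from the operational log.
function Invoke-AppvClientIexSimulation {
    param(
        [string]$Payload = "Write-Host 'Compromise simulated - payload executed.'"
    )

    # UTF-16LE -> Base64, the same encoding the regression script uses
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($Payload))

    # Inner command uses single quotes only, so it can sit inside the child's double-quoted -Command
    $inner = "Import-Module AppvClient; IEX ([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String('$b64')))"

    $started = Get-Date
    $proc = Start-Process -FilePath 'powershell.exe' -PassThru -Wait -ArgumentList @(
        '-NoProfile', '-ExecutionPolicy', 'Bypass', '-WindowStyle', 'Hidden',
        '-Command', "`"$inner`""
    )

    # Let the log flush, then find the process-creation event whose ProcessId matches the child
    Start-Sleep -Seconds 3
    $events = Get-WinEvent -FilterHashtable @{
        LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1; StartTime = $started
    } -ErrorAction SilentlyContinue

    foreach ($ev in $events) {
        # Sysmon EventData is a list of <Data Name="..."> elements; flatten it into a hashtable
        $data = @{}
        foreach ($d in ([xml]$ev.ToXml()).Event.EventData.Data) { $data[$d.Name] = $d.'#text' }
        $procId = $data['ProcessId']
        if ($procId -and [int]$procId -eq $proc.Id) {
            return [pscustomobject]@{
                ProcessId   = $proc.Id
                ExitCode    = $proc.ExitCode
                CommandLine = $data['CommandLine']
                RuleMatch   = [bool]($data['CommandLine'] -match 'Import-Module AppvClient;.*\bIEX\b')
            }
        }
    }
    Write-Warning "No Sysmon Event ID 1 found for PID $($proc.Id); check that Sysmon is installed and the session can read its log."
}

Invoke-AppvClientIexSimulation | Format-List
```

RuleMatch is true when the recorded CommandLine contains the Import-Module AppvClient; ... IEX sequence the rule keys on; an ExitCode other than 0 usually means the AppvClient module is missing on the host, which the original script's -ErrorAction Stop would also have surfaced. For environments without Sysmon, the same check can be made against Security Event ID 4688 once command-line auditing is enabled, with NewProcessId (hexadecimal) in place of ProcessId.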