New Remcos RAT Campaign Exploits CVE-2017-11882 via Phishing
Severity: High (Score: 70.5)
Sources: www.fortinet.com, www.mcafee.com, Feeds.Feedburner
Keywords: remcos, campaign, infection, remote, full, windows, users
Summary
A new phishing campaign distributing a variant of the Remcos RAT has been identified, targeting Microsoft Windows users. The attack uses a fake shipping document to deliver a malicious Word file that exploits CVE-2017-11882, allowing full remote control of the victim's computer. The phishing email masquerades as a legitimate message from a shipping company in Vietnam, enticing users to open the attached document. The attack leverages a fileless execution method, employing PowerShell and VBScript to load the Remcos agent. This campaign is notable for its use of URL shortening and the remote template feature of Microsoft Word. FortiGuard Labs reported the campaign, highlighting its high severity and potential impact on users. Current defenses, including FortiMail, can block the phishing emails before delivery.

Key Points:
- The campaign exploits CVE-2017-11882, a known vulnerability in Microsoft Equation Editor.
- Phishing emails are disguised as shipping documents to lure victims into opening malicious attachments.
- The attack employs a fileless execution method using PowerShell and VBScript for stealth.
Detailed Analysis
**Impact**

Windows users globally are targeted by this campaign, with phishing emails impersonating shipping companies to lure victims into opening malicious attachments. Successful exploitation results in full remote control of compromised systems, enabling surveillance, resource management, and network manipulation. The campaign affects enterprise and individual users, potentially impacting logistics, manufacturing, and other sectors reliant on Windows environments. No specific numbers or geographic concentrations beyond the Vietnam-themed phishing lure were provided.

**Technical Details**

The attack initiates via phishing emails containing malicious Word documents or batch files. The Word document abuses CVE-2017-11882, a remote code execution vulnerability in Microsoft Equation Editor, to execute shellcode that downloads and runs a VBScript with embedded Base64-encoded PowerShell code. The batch file variant uses DonutLoader shellcode and AutoIt staging, leveraging Windows Script Host binaries (cscript.exe and SyncAppvPublishingServer.vbs) as living-off-the-land binaries (LOLBins) to execute encoded payloads. Infrastructure includes URL shorteners and cloud storage services (pCloud/filedn[.]com) hosting encrypted payloads. The final payload is a fileless Remcos RAT variant employing process hollowing and reflective loading techniques.

**Recommended Response**

Apply the Microsoft security updates that patch CVE-2017-11882 immediately to prevent exploitation via malicious Word documents. Deploy email filtering solutions capable of detecting and quarantining phishing emails with suspicious attachments, such as FortiMail. Monitor for execution of the LOLBins abused in this campaign (cscript.exe, SyncAppvPublishingServer.vbs) and for unusual PowerShell activity involving Base64 decoding and hidden execution. Block and monitor the identified URLs and IP addresses, including hxxps://go-shorty[.]killcod3[.]com, hxxps://tnvs[.]de, and 66[.]179[.]94[.]117, and restrict execution of unauthorized batch files and scripts.
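The monitoring guidance above (Equation Editor exploitation, the cscript.exe/SyncAppvPublishingServer.vbs LOLBin, hidden PowerShell with Base64-encoded commands) can be expressed as concrete process-creation rules. The following Python is an added example written for this page, not code from FortiGuard Labs, G Data or McAfee. It assumes Sysmon-style event fields (ParentImage, Image, CommandLine), uses EQNEDT32.EXE as the Equation Editor process name (not stated on the page), and runs over constructed sample events rather than logs captured from the campaign.

```python
"""Process-creation detection rules for the behaviours the advisory asks
defenders to monitor. Added example; the sample events below are constructed
(Sysmon-style dicts), not records from the Remcos campaign."""
import base64
import re
from typing import Dict, List

# Process names are compared as lower-cased basenames; regexes run on the command line.
EQUATION_EDITOR = "eqnedt32.exe"  # Equation Editor binary; assumed name, not on the page
OFFICE_APPS = {"winword.exe", "excel.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"cscript.exe", "wscript.exe"}
SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}

# PowerShell accepts any unambiguous prefix of -EncodedCommand; longest alternatives first.
RE_ENCODED = re.compile(r"(?i)(?:^|\s)-(?:encodedcommand|enc|en|e)\s+([A-Za-z0-9+/=]{16,})")
RE_HIDDEN = re.compile(r"(?i)-w(?:indowstyle)?\s+hidden")
RE_B64_DECODE = re.compile(r"(?i)frombase64string")
RE_SYNCAPPV = re.compile(r"(?i)syncappvpublishingserver\.vbs")


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def decode_encoded_command(cmdline: str) -> str:
    """Plaintext of a PowerShell -EncodedCommand argument (UTF-16LE Base64),
    or "" when the command line carries none or it does not decode cleanly."""
    m = RE_ENCODED.search(cmdline)
    if not m:
        return ""
    try:
        return base64.b64decode(m.group(1), validate=True).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return ""


def evaluate(event: Dict[str, str]) -> List[str]:
    """Names of the rules an event matches; an empty list means nothing fired."""
    parent = basename(event.get("ParentImage", ""))
    image = basename(event.get("Image", ""))
    cmd = event.get("CommandLine", "")
    hits: List[str] = []
    # Rule 1: Equation Editor has no business spawning children; a child means exploitation.
    if parent == EQUATION_EDITOR:
        hits.append("equation_editor_child_process")
    # Rule 2: an Office application launching a script host or shell.
    if parent in OFFICE_APPS and image in SCRIPT_HOSTS | SHELLS:
        hits.append("office_spawns_script_host")
    # Rule 3: Windows Script Host running the App-V publishing script as a proxy.
    if image in SCRIPT_HOSTS and RE_SYNCAPPV.search(cmd):
        hits.append("syncappv_lolbin")
    # Rule 4: PowerShell with an encoded command, inline Base64 decoding, or a hidden window.
    if image in {"powershell.exe", "pwsh.exe"}:
        if RE_ENCODED.search(cmd) or RE_B64_DECODE.search(cmd):
            hits.append("powershell_base64")
        if RE_HIDDEN.search(cmd):
            hits.append("powershell_hidden_window")
    return hits


# Constructed, benign payload for the PowerShell sample event.
_SAMPLE_PS = "Write-Host 'constructed sample'"
SAMPLE_ENCODED = base64.b64encode(_SAMPLE_PS.encode("utf-16-le")).decode("ascii")

SAMPLE_EVENTS = [
    # Word starting Equation Editor via COM is normal and must not fire.
    {"ParentImage": r"C:\Program Files\Microsoft Office\Office16\WINWORD.EXE",
     "Image": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "CommandLine": '"EQNEDT32.EXE" -Embedding'},
    # Equation Editor spawning cmd.exe: the CVE-2017-11882 exploitation signal.
    {"ParentImage": r"C:\Program Files\Common Files\Microsoft Shared\EQUATION\EQNEDT32.EXE",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": "cmd.exe /c start"},
    # cscript.exe proxying through the App-V publishing script.
    {"ParentImage": r"C:\Windows\System32\cmd.exe",
     "Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r'cscript.exe C:\Windows\System32\SyncAppvPublishingServer.vbs "n; Write-Host sample"'},
    # Hidden PowerShell with an encoded command.
    {"ParentImage": r"C:\Windows\System32\cscript.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": f"powershell.exe -NoProfile -w hidden -enc {SAMPLE_ENCODED}"},
    # Ordinary interactive PowerShell: no rule should fire.
    {"ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "powershell.exe -NoProfile -Command Get-Date"},
]

if __name__ == "__main__":
    for i, ev in enumerate(SAMPLE_EVENTS):
        print(i, evaluate(ev), decode_encoded_command(ev["CommandLine"]))
```

The first sample shows why the Equation Editor rule keys on its child processes rather than on its launch: Word legitimately starts EQNEDT32.EXE through COM with `-Embedding`, so only a child of that process is a reliable signal. Decoding the `-EncodedCommand` argument at alert time gives the analyst the plaintext immediately instead of a Base64 blob.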
Source articles (3)
- Deceptively Sweet: DonutLoader Reloaded in a modern Remcos RAT Infection — Feeds.Feedburner · 2026-05-29
  G Data Analysts discovered a new Remcos RAT infection chain which started with a seemingly harmless batch file that executes encoded commands. This batch file creates hidden directories and retrieves…
- New Remcos Campaign Distributed Through Fake Shipping Document — www.fortinet.com · 2026-05-29
  A fileless Remcos RAT campaign abuses remote Word templates and CVE-2017-11882 for full system compromise. Affected Platforms: Microsoft Windows. Impacted Users: Windows Users. Impact: Full remote contro…
- Peeling Back The Layers Of Remcosrat Malware — www.mcafee.com · 2026-05-29
Timeline
- 2021-11-03 — CVE-2017-11882 added to CISA KEV: CISA recognized CVE-2017-11882 for active exploitation, prompting heightened awareness among cybersecurity professionals.
- 2026-05-29 — New Remcos RAT campaign discovered: FortiGuard Labs identified a phishing campaign delivering Remcos RAT via a fake shipping document, impacting Windows users.
CVEs
- CVE-2017-11882
Related entities
- Malware (Attack Type)
- Phishing (Attack Type)
- Trojan (Attack Type)
- Vietnam (Country)
- filedn.com (Domain)
- go-shorty.killcod3.com (Domain)
- idliya.com (Domain)
- tnvs.de (Domain)
- 216.9.224.26 (IPv4)
- 66.179.94.117 (IPv4)
- Agent Tesla (Malware)
- Beagle Backdoor (Malware)
- DrakCloud (Malware)
- KissLoader (Malware)
- Remcos (Malware)
- Remcos RAT (Malware)
- DonutLoader (Tool)
- Microsoft Equation Editor (Tool)
- PCloud (Tool)
- AutoIt (Tool)
- PowerShell (Tool)
- VBScript (Tool)
- Windows Script Host (Tool)
- T1027 - Obfuscated Files Or Information (Mitre Attack)
- T1036 - Masquerading (Mitre Attack)
- T1047 - Windows Management Instrumentation (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1055.012 - Process Hollowing (Mitre Attack)
- T1055 - Process Injection (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.003 - Windows Command Shell (Mitre Attack)
- T1059.005 - Visual Basic (Mitre Attack)
- T1059.007 - JavaScript (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1105 - Ingress Tool Transfer (Mitre Attack)
- T1140 - Deobfuscate/Decode Files Or Information (Mitre Attack)
- T1218 - System Binary Proxy Execution (Mitre Attack)
- T1219 - Remote Access Tools (Mitre Attack)
- T1560.001 - Archive Via Utility (Mitre Attack)
- T1564.003 - Hidden Window (Mitre Attack)
- T1566.001 - Spearphishing Attachment (Mitre Attack)
- T1620 - Reflective Code Loading (Mitre Attack)
- App-V (Platform)
- Microsoft Word (Platform)
- Windows (Platform)
- Windows Task Scheduler (Platform)
- 94CA3BEEB0DFD3F02FE14DE2E6FB0D26E29BEB426AEE911422B08465AFBD2FAA (Sha256)
- E915CE8F7271902FA7D270717A5C08E57014528F19C92266F7B192793D40972F (Sha256)