{"id":13839,"date":"2025-05-22T12:44:42","date_gmt":"2025-05-22T12:44:42","guid":{"rendered":"\/cybersecurity-blog\/?p=13839"},"modified":"2025-05-22T12:48:49","modified_gmt":"2025-05-22T12:48:49","slug":"dbatloader-drops-remcos","status":"publish","type":"post","link":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/","title":{"rendered":"DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign\u00a0"},"content":{"rendered":"\n<p>A new phishing campaign is spreading the <a href=\"https:\/\/any.run\/malware-trends\/remcos\" target=\"_blank\" rel=\"noreferrer noopener\">Remcos<\/a> Remote Access Trojan (<a href=\"https:\/\/any.run\/malware-trends\/rat\" target=\"_blank\" rel=\"noreferrer noopener\">RAT<\/a>) through <a href=\"https:\/\/any.run\/malware-trends\/dbatloader\" target=\"_blank\" rel=\"noreferrer noopener\">DBatLoader<\/a>. It employs User Account Control (<a href=\"https:\/\/any.run\/cybersecurity-blog\/windows11-uac-bypass\/\" target=\"_blank\" rel=\"noreferrer noopener\">UAC<\/a>) bypass, obfuscated scripts, Living Off the Land Binaries (LOLBAS) abuse, and persistence mechanisms.<\/p>\n\n\n\n<p>Here\u2019s an analysis of the infection chain, key techniques, and detection tips.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">How the Attack Works&nbsp;&nbsp;<\/h2>\n\n\n\n<p>To see how the attack unfolds, we analyzed the sample inside <a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dbatloader_phish_campaign&amp;utm_term=220525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a>.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/app.any.run\/tasks\/c57ca499-51f5-4c50-a91f-70bc5a60b98d\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dbatloader_phish_campaign&amp;utm_term=220525&amp;utm_content=linktoservice\" target=\"_blank\" rel=\"noreferrer noopener\">View full execution and analysis<\/a>&nbsp;<\/p>\n\n\n\n<p>The attack likely starts with a <a href=\"https:\/\/any.run\/cybersecurity-blog\/investigating-phishing-threats\/\" target=\"_blank\" rel=\"noreferrer noopener\">phishing<\/a> email containing an archive.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large is-resized\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"582\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-1024x582.png\" alt=\"\" class=\"wp-image-13847\" style=\"width:650px;height:auto\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-1024x582.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-300x170.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-768x436.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-1536x873.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-370x210.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-270x153.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21-740x420.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image-21.png 1600w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Analysis of the malicious sample inside ANY.RUN\u2019s Interactive Sandbox<\/em><\/figcaption><\/figure><\/div>\n\n\n<p>Inside it, there is a malicious executable named \u201cFAKTURA\u201d, which deploys DBatLoader on the system.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Use of .pif Files for Disguise and UAC Bypass<\/strong>&nbsp;<\/h3>\n\n\n\n<p>DBatLoader uses .pif (Program Information File) files as a method of disguise and execution. &nbsp;<\/p>\n\n\n\n<p>Originally intended for configuring how DOS-based programs should run in early Windows systems, .pif files have become obsolete for legitimate use. However, they are still executable on modern Windows versions, making them useful for attackers.&nbsp;<\/p>\n\n\n\n<p>Windows treats .pif files similarly to .exe files. When executed, they can run without triggering warning dialogs, depending on system configuration. &nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-full\"><img loading=\"lazy\" decoding=\"async\" width=\"1023\" height=\"234\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1.png\" alt=\"\" class=\"wp-image-13850\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1.png 1023w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1-300x69.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1-768x176.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1-370x85.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1-270x62.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image5-1-740x169.png 740w\" sizes=\"(max-width: 1023px) 100vw, 1023px\" \/><figcaption class=\"wp-element-caption\"><em>Trailing spaces allow attackers to abuse Windows\u2019s folder name handling<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In the analysis, the malicious alpha.pif (a Portable Executable file) bypassed UAC by creating fake directories like \u201cC:\\Windows \u201c (note the empty space), exploiting Windows\u2019s folder name handling to gain elevated privileges.&nbsp;<\/p>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nGet extra sandbox licenses for your team as a gift<br>Take advantage of <span class=\"highlight\">ANY.RUN&#8217;s special offers<\/span> before May 31&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=dbatloader_phish_campaign&#038;utm_term=220525&#038;utm_content=linktoplans\" rel=\"noopener\" target=\"_blank\">\nSee all offers\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Evasion and Persistence: Ping Command and Scheduled Task<\/strong>&nbsp;<\/h3>\n\n\n\n<p>One observed command line uses PING.EXE to ping the local loopback address (127.0.0.1) ten times. While legitimate programs may use this to test network connectivity by sending ICMP echo requests, malware like DBatLoader uses it to introduce artificial delays for time-based evasion. <\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"557\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-1024x557.png\" alt=\"\" class=\"wp-image-13852\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-1024x557.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-300x163.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-768x418.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-1536x835.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-370x201.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-270x147.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1-740x402.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image6-1.png 1808w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>ANY.RUN flags PING.EXE activity and identifies it as a delay simulation<\/em>&nbsp;&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>In some cases, this technique can also be repurposed for remote system discovery.&nbsp;<\/p>\n\n\n\n<p>The malicious svchost.pif file launched NEO.cmd through CMD, which then executed extrac32.exe to add a specific path to Windows Defender&#8217;s exclusion list, allowing it to evade further detection.&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"604\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-1024x604.png\" alt=\"\" class=\"wp-image-13854\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-1024x604.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-300x177.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-768x453.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-1536x906.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-370x218.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1-740x436.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image7-1.png 1826w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The sandbox highlights evasion and persistence activities in the MITRE ATT&amp;CK Matrix<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>To maintain persistence and survive following reboots, DBatLoader abuses a scheduled task to trigger a Cmwdnsyn.url file, which launches a .pif dropper.&nbsp;&nbsp;<\/p>\n\n\n\n<h3 class=\"wp-block-heading\"><strong>Obfuscation and Remcos Deployment<\/strong>&nbsp;<\/h3>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"625\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-1024x625.png\" alt=\"\" class=\"wp-image-13856\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-1024x625.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-300x183.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-768x469.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-1536x937.png 1536w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-370x226.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-270x165.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1-740x452.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image8-1.png 1565w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>Obfuscation complicates the analysis for security professionals<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>The loader used .cmd files obfuscated with BatCloak to download and run Remcos.&nbsp;&nbsp;<\/p>\n\n\n<div class=\"wp-block-image\">\n<figure class=\"aligncenter size-large\"><img loading=\"lazy\" decoding=\"async\" width=\"1024\" height=\"601\" src=\"\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-1024x601.png\" alt=\"\" class=\"wp-image-13858\" srcset=\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-1024x601.png 1024w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-300x176.png 300w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-768x451.png 768w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-370x217.png 370w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-270x159.png 270w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1-740x435.png 740w, https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2025\/05\/image9-1.png 1485w\" sizes=\"(max-width: 1024px) 100vw, 1024px\" \/><figcaption class=\"wp-element-caption\"><em>The sandbox flags the injected process and detects Remcos<\/em>&nbsp;<\/figcaption><\/figure><\/div>\n\n\n<p>Remcos injects into trusted system processes SndVol.exe, colorcpl.exe or others, varying on each new instance, blending in with the rest of the processes.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">Spot Similar Attacks with Proactive Sandbox Analysis&nbsp;<\/h2>\n\n\n\n<p>Multi-stage attacks that utilize different means of staying hidden on the system are hard to identify with standard signature-based solutions. The most effective way to ensure detection is to proactively detonate the suspicious files inside the safe, <a href=\"https:\/\/any.run\/cybersecurity-blog\/interactive-malware-sandbox\/\" target=\"_blank\" rel=\"noreferrer noopener\">virtual environment of a malware sandbox<\/a>.&nbsp;<\/p>\n\n\n\n<p><a href=\"https:\/\/any.run\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dbatloader_phish_campaign&amp;utm_term=220525&amp;utm_content=linktolanding\" target=\"_blank\" rel=\"noreferrer noopener\">ANY.RUN\u2019s Interactive Sandbox<\/a> allows security teams to conduct fast and in-depth analysis of malware and phishing attacks to maximize the detection rate. The service offers fully interactive cloud-based VMs supporting Windows, <a href=\"https:\/\/any.run\/cybersecurity-blog\/android-malware-analysis\/\" target=\"_blank\" rel=\"noreferrer noopener\">Android<\/a>, and <a href=\"https:\/\/any.run\/cybersecurity-blog\/linux-malware-analysis-cases\/\" target=\"_blank\" rel=\"noreferrer noopener\">Linux<\/a> systems.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Accelerate Threat Analysis<\/strong>: The sandbox detects malware strains in under 40 seconds, reducing incident investigation time and boosting SOC productivity.&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Keep Your Infrastructure Safe<\/strong>: Analyze suspicious files and URLs in a cloud-based, isolated environment to eliminate the risk of compromising corporate infrastructure.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Boost Team Collaboration<\/strong>: Configure access levels, track productivity, and coordinate the team&#8217;s work on threat analysis.&nbsp;&nbsp;&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve Cost-Effectiveness<\/strong>:&nbsp;Minimize financial losses with faster threat analysis and detection that supercharges response and containment.&nbsp;<\/li>\n<\/ul>\n\n\n\n<!-- Regular Banner START -->\n<div class=\"regular-banner\">\n<!-- Text Content -->\n<p class=\"regular-banner__text\">\nSee all ANY.RUN&#8217;s 9th Birthday special offers <br>and <span class=\"highlight\">get yours before May 31<\/span>&nbsp;   \n<\/p>\n<!-- CTA Link -->\n<a class=\"regular-banner__link\" id=\"article-banner-regular\" href=\"https:\/\/app.any.run\/plans\/?utm_source=anyrunblog&#038;utm_medium=article&#038;utm_campaign=dbatloader_phish_campaign&#038;utm_term=220525&#038;utm_content=linktoplans\" rel=\"noopener\" target=\"_blank\">\nSee all offers\n<\/a>\n<\/div>\n<!-- Regular Banner END -->\n<!-- Regular Banner Styles START -->\n\n<style>\n.regular-banner {\ndisplay: flex;\ntext-align: center;\nflex-direction: column;\nalign-items: center;\ngap: 1.5rem;\nwidth: 100%;\npadding: 2rem;\nmargin: 1.5rem 0;\nborder-radius: 0.5rem;\nfont-family: 'Catamaran Bold';\nmargin-inline: auto;\nbackground: rgba(32, 168, 241, 0.1);\nborder: 1px solid rgba(75, 174, 227, 0.32);\n}\n\n.regular-banner__text {\nfont-size: 1.5rem;\nmargin: 0;\n}\n\n.highlight {\ncolor: #ea2526;\n}\n\n.regular-banner__link {\npadding: 0.5rem 1.5rem;\nfont-weight: 500;\ntext-decoration: none;\nborder-radius: 0.5rem;\ncolor: #FFFFFF;\nbackground-color: #1491D4;\ntext-align: center;\ntransition: all 0.2s ease-in;\n}\n\n.regular-banner__link:hover {\nbackground-color: #68CBFF;\ncolor: white;\n}\n<\/style>\n<!-- Regular Banner Styles END -->\n\n\n\n<p>Analysts can monitor unusual file paths, track processes for unexpected activity, analyze network connections, and, most importantly, manually engage with the system and threats.&nbsp;<\/p>\n\n\n\n<p>The sandbox flags all the malicious behaviors and generates a <a href=\"https:\/\/any.run\/cybersecurity-blog\/malware-analysis-report\/\" target=\"_blank\" rel=\"noreferrer noopener\">detailed report<\/a> with <a href=\"https:\/\/any.run\/cybersecurity-blog\/iocs-iobs-ioas-explained\/\" target=\"_blank\" rel=\"noreferrer noopener\">IOCs<\/a> that can be adapted for detection rules and endpoint security improvement.&nbsp;<\/p>\n\n\n\n<h2 class=\"wp-block-heading\">About ANY.RUN&nbsp;<\/h2>\n\n\n\n<p>Over 500,000 cybersecurity professionals and 15,000+ companies in finance, manufacturing, healthcare, and other sectors rely on ANY.RUN. Our services streamline malware and phishing investigations for organizations worldwide.&nbsp;<\/p>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Speed up triage and response: <\/strong>Detonate suspicious files using ANY.RUN\u2019s Interactive Sandbox to observe malicious behavior in real time and collect insights for faster and more confident security decisions.&nbsp;<\/li>\n<\/ul>\n\n\n\n<ul class=\"wp-block-list\">\n<li><strong>Improve threat detection:<\/strong> ANY.RUN\u2019s Threat Intelligence Lookup and TI Feeds provide actionable insights into cyber attacks, improving detection and deepening understanding of evolving threats.&nbsp;<\/li>\n<\/ul>\n\n\n\n<p><a href=\"https:\/\/any.run\/demo\/?utm_source=anyrunblog&amp;utm_medium=article&amp;utm_campaign=dbatloader_phish_campaign&amp;utm_term=220525&amp;utm_content=linktodemo\" target=\"_blank\" rel=\"noreferrer noopener\">Give ANY.RUN\u2019s services a try in your company with a 14-day trial \u2192<\/a>&nbsp;<\/p>\n","protected":false},"excerpt":{"rendered":"<p>A new phishing campaign is spreading the Remcos Remote Access Trojan (RAT) through DBatLoader. It employs User Account Control (UAC) bypass, obfuscated scripts, Living Off the Land Binaries (LOLBAS) abuse, and persistence mechanisms. Here\u2019s an analysis of the infection chain, key techniques, and detection tips.&nbsp; How the Attack Works&nbsp;&nbsp; To see how the attack unfolds, [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":13844,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[60],"tags":[57,10,15,34],"class_list":["post-13839","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-news","tag-anyrun","tag-cybersecurity","tag-malware","tag-malware-analysis"],"acf":[],"yoast_head":"<!-- This site is optimized with the Yoast SEO plugin v20.10 - https:\/\/yoast.com\/wordpress\/plugins\/seo\/ -->\n<title>Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass<\/title>\n<meta name=\"description\" content=\"Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.\" \/>\n<meta name=\"robots\" content=\"index, follow, max-snippet:-1, max-image-preview:large, max-video-preview:-1\" \/>\n<link rel=\"canonical\" href=\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/\" \/>\n<meta name=\"twitter:label1\" content=\"Written by\" \/>\n\t<meta name=\"twitter:data1\" content=\"ANY.RUN\" \/>\n\t<meta name=\"twitter:label2\" content=\"Est. reading time\" \/>\n\t<meta name=\"twitter:data2\" content=\"5 minutes\" \/>\n<script type=\"application\/ld+json\" class=\"yoast-schema-graph\">{\"@context\":\"https:\/\/schema.org\",\"@graph\":[{\"@type\":\"Article\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#article\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/\"},\"author\":{\"name\":\"ANY.RUN\",\"@id\":\"https:\/\/any.run\/\"},\"headline\":\"DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign\u00a0\",\"datePublished\":\"2025-05-22T12:44:42+00:00\",\"dateModified\":\"2025-05-22T12:48:49+00:00\",\"mainEntityOfPage\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/\"},\"wordCount\":847,\"commentCount\":0,\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"keywords\":[\"ANYRUN\",\"cybersecurity\",\"malware\",\"malware analysis\"],\"articleSection\":[\"News\"],\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"CommentAction\",\"name\":\"Comment\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#respond\"]}]},{\"@type\":\"WebPage\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/\",\"name\":\"Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass\",\"isPartOf\":{\"@id\":\"https:\/\/any.run\/\"},\"datePublished\":\"2025-05-22T12:44:42+00:00\",\"dateModified\":\"2025-05-22T12:48:49+00:00\",\"description\":\"Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.\",\"breadcrumb\":{\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#breadcrumb\"},\"inLanguage\":\"en-US\",\"potentialAction\":[{\"@type\":\"ReadAction\",\"target\":[\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/\"]}]},{\"@type\":\"BreadcrumbList\",\"@id\":\"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#breadcrumb\",\"itemListElement\":[{\"@type\":\"ListItem\",\"position\":1,\"name\":\"Home\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/\"},{\"@type\":\"ListItem\",\"position\":2,\"name\":\"News\",\"item\":\"https:\/\/any.run\/cybersecurity-blog\/category\/news\/\"},{\"@type\":\"ListItem\",\"position\":3,\"name\":\"DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign\u00a0\"}]},{\"@type\":\"WebSite\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN&#039;s Cybersecurity Blog\",\"description\":\"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.\",\"publisher\":{\"@id\":\"https:\/\/any.run\/\"},\"potentialAction\":[{\"@type\":\"SearchAction\",\"target\":{\"@type\":\"EntryPoint\",\"urlTemplate\":\"https:\/\/any.run\/?s={search_term_string}\"},\"query-input\":\"required name=search_term_string\"}],\"inLanguage\":\"en-US\"},{\"@type\":\"Organization\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"url\":\"https:\/\/any.run\/\",\"logo\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"contentUrl\":\"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg\",\"width\":1,\"height\":1,\"caption\":\"ANY.RUN\"},\"image\":{\"@id\":\"https:\/\/any.run\/\"},\"sameAs\":[\"https:\/\/www.facebook.com\/www.any.run\/\",\"https:\/\/twitter.com\/anyrun_app\",\"https:\/\/www.linkedin.com\/company\/30692044\",\"https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ\"]},{\"@type\":\"Person\",\"@id\":\"https:\/\/any.run\/\",\"name\":\"ANY.RUN\",\"image\":{\"@type\":\"ImageObject\",\"inLanguage\":\"en-US\",\"@id\":\"https:\/\/any.run\/\",\"url\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"contentUrl\":\"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g\",\"caption\":\"ANY.RUN\"},\"url\":\"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/\"}]}<\/script>\n<!-- \/ Yoast SEO plugin. -->","yoast_head_json":{"title":"Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass","description":"Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.","robots":{"index":"index","follow":"follow","max-snippet":"max-snippet:-1","max-image-preview":"max-image-preview:large","max-video-preview":"max-video-preview:-1"},"canonical":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/","twitter_misc":{"Written by":"ANY.RUN","Est. reading time":"5 minutes"},"schema":{"@context":"https:\/\/schema.org","@graph":[{"@type":"Article","@id":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#article","isPartOf":{"@id":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/"},"author":{"name":"ANY.RUN","@id":"https:\/\/any.run\/"},"headline":"DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign\u00a0","datePublished":"2025-05-22T12:44:42+00:00","dateModified":"2025-05-22T12:48:49+00:00","mainEntityOfPage":{"@id":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/"},"wordCount":847,"commentCount":0,"publisher":{"@id":"https:\/\/any.run\/"},"keywords":["ANYRUN","cybersecurity","malware","malware analysis"],"articleSection":["News"],"inLanguage":"en-US","potentialAction":[{"@type":"CommentAction","name":"Comment","target":["https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#respond"]}]},{"@type":"WebPage","@id":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/","url":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/","name":"Phishing Campaign: DBatLoader Delivers Remcos via UAC Bypass","isPartOf":{"@id":"https:\/\/any.run\/"},"datePublished":"2025-05-22T12:44:42+00:00","dateModified":"2025-05-22T12:48:49+00:00","description":"Learn about a new phishing campaign spreading Remcos through DBatLoader. It employs UAC bypass and obfuscated scripts to compromise systems.","breadcrumb":{"@id":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#breadcrumb"},"inLanguage":"en-US","potentialAction":[{"@type":"ReadAction","target":["https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/"]}]},{"@type":"BreadcrumbList","@id":"https:\/\/any.run\/cybersecurity-blog\/dbatloader-drops-remcos\/#breadcrumb","itemListElement":[{"@type":"ListItem","position":1,"name":"Home","item":"https:\/\/any.run\/cybersecurity-blog\/"},{"@type":"ListItem","position":2,"name":"News","item":"https:\/\/any.run\/cybersecurity-blog\/category\/news\/"},{"@type":"ListItem","position":3,"name":"DBatLoader Delivers Remcos via .pif Files and UAC Bypass in New Phishing Campaign\u00a0"}]},{"@type":"WebSite","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/","name":"ANY.RUN&#039;s Cybersecurity Blog","description":"Cybersecurity Blog covers topics for experienced professionals as well as for those new to it.","publisher":{"@id":"https:\/\/any.run\/"},"potentialAction":[{"@type":"SearchAction","target":{"@type":"EntryPoint","urlTemplate":"https:\/\/any.run\/?s={search_term_string}"},"query-input":"required name=search_term_string"}],"inLanguage":"en-US"},{"@type":"Organization","@id":"https:\/\/any.run\/","name":"ANY.RUN","url":"https:\/\/any.run\/","logo":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","contentUrl":"https:\/\/any.run\/cybersecurity-blog\/wp-content\/uploads\/2020\/08\/ANYRUN-Icon.svg","width":1,"height":1,"caption":"ANY.RUN"},"image":{"@id":"https:\/\/any.run\/"},"sameAs":["https:\/\/www.facebook.com\/www.any.run\/","https:\/\/twitter.com\/anyrun_app","https:\/\/www.linkedin.com\/company\/30692044","https:\/\/www.youtube.com\/channel\/UCOgCPho7lzmH7m6fPNlukrQ"]},{"@type":"Person","@id":"https:\/\/any.run\/","name":"ANY.RUN","image":{"@type":"ImageObject","inLanguage":"en-US","@id":"https:\/\/any.run\/","url":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","contentUrl":"https:\/\/secure.gravatar.com\/avatar\/c4ce3a6c672056b4a8cd6b0110782215?s=96&d=mm&r=g","caption":"ANY.RUN"},"url":"https:\/\/any.run\/cybersecurity-blog\/author\/a-bespalova\/"}]}},"_links":{"self":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13839"}],"collection":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/comments?post=13839"}],"version-history":[{"count":20,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13839\/revisions"}],"predecessor-version":[{"id":13867,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/posts\/13839\/revisions\/13867"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media\/13844"}],"wp:attachment":[{"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/media?parent=13839"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/categories?post=13839"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/any.run\/cybersecurity-blog\/wp-json\/wp\/v2\/tags?post=13839"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}