New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know

Disclosure: This article was provided by ANY.RUN. The information and analysis presented are based on their research and findings.

HackRead

ANY.RUN analysts recently uncovered a stealthy phishing campaign delivering the Remcos RAT (Remote Access Trojan) through a loader malware known as DBatLoader. This attack chain relies on a blend of obfuscated scripts, User Account Control (UAC) bypass, and LOLBAS (Living-Off-the-Land Binaries and Scripts) abuse to stay hidden from traditional detection methods.

What makes this campaign particularly dangerous is its use of built-in Windows tools and trusted system processes to blend in with normal activity, making it much harder to catch through signatures alone.

Let’s walk through the full infection chain and see how you can safely detect these techniques in seconds with the help of the right analysis solutions.

**See the Full Attack Chain Unfold in Real Time**

To understand how this phishing campaign works end-to-end, let’s take a look at how it unfolds inside ANY.RUN’s interactive sandbox, where every step is visual, traceable, and recorded in real time.

View the full analysis session

Full attack chain of the new phishing danger inside ANY.RUN’s sandbox

From initial delivery to post-exploitation behaviour, the sandbox reveals the full picture, giving SOC teams the visibility they need to respond faster and helping businesses reduce the risk of silent, long-term compromise.

Full attack chain of the latest phishing threat inside ANY.RUN’s sandbox:

Phishing Email → Malicious Archive → DBatLoader Execution → Obfuscated CMD Scripts → Remcos Injected into .exe

Inside the sandbox, you can visually trace each stage of the attack as it happens, such as:

Watch how the archive triggers DBatLoader, and how obfuscated .cmd scripts begin executing suspicious commands.

ANY.RUN sandbox detected the execution of commands by cmd.exe

See exactly when and where Remcos is injected into legitimate system processes, with process trees and memory indicators updated in real time.

Remcos RAT exposed inside the interactive sandbox

Observe persistence techniques in action, such as the creation of scheduled tasks, registry changes, and the use of .url and .pif files, clearly highlighted in the system activity log.

To better understand the tactics behind this phishing attack, you can use the built-in MITRE ATT&CK mapping in ANY.RUN. Just click the “ATT&CK” button in the top-right corner of the sandbox interface.

This view instantly highlights the techniques used during the analysis, grouped by tactics such as execution, persistence, and privilege escalation. It’s a fast, analyst-friendly way to connect observed behaviour to real-world threat intelligence; no manual mapping is needed.

MITRE ATT&CK techniques and tactics used by the new phishing campaign

Whether you’re performing triage or writing reports, this feature helps security teams act faster and gives managers clear evidence of how threats operate and where defences might be bypassed.

**Techniques Used in This Phishing Attack (Visible Inside Sandbox)**

Here are some of the key tactics observed in the session and how you can spot them easily inside the sandbox:

1. Faktura.exe: The Lure File

Victims receive a phishing email containing an archive with Faktura.exe, posing as a legitimate invoice. When opened, it kicks off the attack.

Most email security tools won’t flag this file if it’s not known or doesn’t match known IOCs. In ANY.RUN, you can immediately see Faktura.exe in the process tree and watch how it spawns malicious activity, giving analysts clarity from the very first click.

FAKTURA.exe displayed inside ANY.RUN sandbox

2. DBatLoader: The Initial Loader

Once the victim opens the phishing archive, DBatLoader is executed. It’s responsible for starting the infection chain by launching obfuscated scripts.

In the Process tree, DBatLoader appears as a dropped .exe that immediately spawns cmd.exe. You can inspect the command lines and file system activity and see exactly how the script execution begins.

YARA rule triggered by DBatLoader

3. Obfuscated Execution with BatCloak-Wrapped CMD Files

In this analysis session, .cmd scripts obfuscated with BatCloak are used to download and execute the malicious payload.

Obfuscation hides intent from static scanners. In sandboxes like ANY.RUN, you can open the command-line view and see every decoded instruction and suspicious pattern as it executes; no manual decoding is needed.

4. LOLBAS Abuse with Esentutl.exe

The legitimate utility esentutl.exe is abused to copy cmd.exe into alpha.pif, a renamed dropper meant to look harmless.

File copy operations using esentutl.exe show up in the ANY.RUN Process tree and File system activity, including full paths and command context.

LOLBAS Abuse with Esentutl.exe detected inside ANY.RUN sandbox

5. Scheduled Tasks Trigger .url → .pif Execution

A scheduled task is created to run Cmwdnsyn.url, which launches the .pif file on boot or at regular intervals.

Scheduled task technique in detail

Scheduled tasks are a common persistence mechanism, but in complex environments, they often go unnoticed. With ANY.RUN, you can instantly see when and how the task is created, track its execution chain in the process tree, and inspect related file and registry changes.

This gives SOC teams a clear view of how the malware stays active over time, making it easier to build detection rules, document the persistence method, and ensure it’s fully removed.

6. UAC Bypass with Fake “C:\Windows ” Directory

A mock directory (“C:\Windows ” with a trailing space) is used to bypass UAC prompts by exploiting quirks in how Windows handles such paths.

Bypass UAC with mock directories (note trailing space)
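Added example (not ANY.RUN’s code and not taken from the analysis session): a small Python hunting script that covers the three behaviours described in points 4 to 6 above, run over constructed process-creation records. The pipe-separated record format, the placeholder file name under the mock directory, and the benign control records are assumptions made for this example; the three rules flag esentutl.exe copying to an executable extension, a scheduled task whose action is a .url/.pif/.lnk file, and any image path with a trailing-space directory component.

```python
import re
from dataclasses import dataclass
from typing import List, Optional

# Constructed, simplified process-creation records in the form
# "Image|CommandLine|ParentImage". They are illustrative samples written
# for this example, not telemetry captured from the campaign.
SAMPLE_EVENTS = [
    # 1. esentutl.exe used to copy cmd.exe to alpha.pif (LOLBAS file copy)
    r"C:\Windows\System32\esentutl.exe|esentutl.exe /y C:\Windows\System32\cmd.exe /d C:\Users\Public\alpha.pif /o|C:\Windows\System32\cmd.exe",
    # 2. scheduled task whose action is a .url file in a user-writable path
    r"C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn Cmwdnsyn /tr C:\Users\Public\Cmwdnsyn.url /sc onlogon /f|C:\Windows\System32\cmd.exe",
    # 3. a binary launched from the mock "C:\Windows " directory (trailing space);
    #    the file name is a placeholder, not one from the campaign
    r"C:\Windows \System32\placeholder.exe|placeholder.exe|C:\Users\Public\alpha.pif",
    # 4. benign esentutl.exe integrity check of a database file
    r"C:\Windows\System32\esentutl.exe|esentutl.exe /g C:\Users\Public\app.edb|C:\Windows\explorer.exe",
    # 5. benign scheduled task pointing at a vendor updater
    r'C:\Windows\System32\schtasks.exe|schtasks.exe /create /tn VendorUpdate /tr "C:\Program Files\Vendor\updater.exe" /sc daily|C:\Program Files\Vendor\setup.exe',
    # 6. ordinary shell launch
    r"C:\Windows\System32\cmd.exe|cmd.exe /c dir|C:\Windows\explorer.exe",
]

EXECUTABLE_EXT = (".pif", ".exe", ".com", ".scr", ".bat", ".cmd")
SHORTCUT_EXT = (".url", ".pif", ".lnk")


@dataclass
class ProcEvent:
    image: str
    command_line: str
    parent_image: str


def parse_event(line: str) -> ProcEvent:
    """Split one 'Image|CommandLine|ParentImage' record into its fields."""
    image, command_line, parent_image = line.split("|", 2)
    return ProcEvent(image, command_line, parent_image)


def tokenize(command_line: str) -> List[str]:
    """Split a command line on whitespace while keeping quoted paths intact."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', command_line)]


def argument_after(tokens: List[str], flag: str) -> Optional[str]:
    """Return the value following a case-insensitive flag such as /d or /tr."""
    lowered = [t.lower() for t in tokens]
    if flag in lowered:
        i = lowered.index(flag)
        if i + 1 < len(tokens):
            return tokens[i + 1]
    return None


def esentutl_copy_to_executable(ev: ProcEvent) -> bool:
    """esentutl.exe used as a file copier whose /d destination is an executable."""
    if not ev.image.lower().endswith("\\esentutl.exe"):
        return False
    dest = argument_after(tokenize(ev.command_line), "/d")
    return dest is not None and dest.lower().endswith(EXECUTABLE_EXT)


def task_action_is_shortcut_or_pif(ev: ProcEvent) -> bool:
    """schtasks /create whose /tr action is a .url, .pif or .lnk file."""
    if not ev.image.lower().endswith("\\schtasks.exe"):
        return False
    tokens = tokenize(ev.command_line)
    if "/create" not in (t.lower() for t in tokens):
        return False
    action = argument_after(tokens, "/tr")
    return action is not None and action.lower().endswith(SHORTCUT_EXT)


def image_under_mock_directory(ev: ProcEvent) -> bool:
    """A directory component of the image path carries trailing whitespace,
    the tell-tale of a mock 'C:\\Windows ' folder used to fool UAC checks."""
    directories = ev.image.split("\\")[:-1]
    return any(d != d.rstrip() for d in directories)


RULES = {
    "esentutl copy to executable": esentutl_copy_to_executable,
    "scheduled task launching .url/.pif/.lnk": task_action_is_shortcut_or_pif,
    "image under mock trusted directory": image_under_mock_directory,
}


def scan(records) -> List[tuple]:
    """Return (rule_name, image) for every record that matches a rule."""
    hits = []
    for line in records:
        ev = parse_event(line)
        for name, rule in RULES.items():
            if rule(ev):
                hits.append((name, ev.image))
    return hits


if __name__ == "__main__":
    for name, image in scan(SAMPLE_EVENTS):
        print(f"[{name}] {image}")
```

Running the script prints one hit per malicious record and nothing for the three benign controls. The mock-directory rule is deliberately independent of the file name, because the trailing space in the directory component is what the technique relies on; in a real pipeline the same check belongs on every path field (image, parent image, and file-write targets), not only the process image.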

**Why Sandbox Analysis Is Critical Against Evasive Threats**

This phishing campaign highlights just how far attackers go to stay hidden, using built-in Windows tools, crafted persistence, and subtle privilege escalation tricks that easily bypass traditional defences.

With sandbox analysis, especially in an interactive sandbox like ANY.RUN, security teams gain the clarity and speed needed to stay ahead of these threats. You can observe every step of the infection, uncover techniques that static tools miss, and act with confidence.

  • Faster incident response thanks to real-time behavioural insight
  • Reduced dwell time by identifying threats before they spread
  • Better-informed security decisions through visibility into attacker tactics
  • Improved compliance and audit readiness with shareable, in-depth reports

**Take Advantage of ANY.RUN’s Birthday Offers**

To celebrate its 9th anniversary, ANY.RUN is offering a limited-time promotion:

Get bonus Interactive Sandbox licenses or double your TI Lookup quota, available only until May 31, 2025.

Don’t miss your chance to upgrade your threat detection and response workflow with solutions trusted by over 15,000 organizations worldwide.
