Security researchers have identified a concerning malware delivery method that exploits Windows' native virtual disk handling capabilities to distribute Remcos Remote Access Trojan (RAT). This attack vector demonstrates how threat actors continue to evolve their tactics by leveraging legitimate system features for malicious purposes, creating particular challenges for security teams relying on traditional detection mechanisms.
The attack begins with a malicious ZIP archive that, when extracted, reveals a VHDX (Virtual Hard Disk v2) file. What makes this technique particularly insidious is how modern Windows operating systems automatically mount VHDX files when accessed, without requiring additional user interaction or administrative privileges. Once mounted, the virtual disk exposes a malicious JavaScript file designed to execute and ultimately deliver the Remcos RAT payload. This approach cleverly bypasses many conventional security controls that might scan email
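Because the lure relies on a VHDX arriving inside a ZIP, one useful triage check is to inspect archive contents by file signature rather than by name. The following is an added example written for this article, not code from the researchers cited; it builds a constructed sample archive in memory and flags any entry that carries the VHDX (`vhdxfile`) or legacy VHD (`conectix`) magic, so a renamed image is still caught.

```python
import io
import zipfile
from typing import Optional

# File type identifiers from the Microsoft VHDX / VHD specifications.
VHDX_SIGNATURE = b"vhdxfile"  # first 8 bytes of every VHDX file
VHD_SIGNATURE = b"conectix"   # VHD v1 cookie (footer; also header for dynamic disks)


def classify_entry(data: bytes) -> Optional[str]:
    """Return 'vhdx' / 'vhd' when the bytes look like a mountable disk image, else None."""
    head = data[:512]
    tail = data[-512:] if len(data) >= 512 else data
    if head.startswith(VHDX_SIGNATURE):
        return "vhdx"
    if head.startswith(VHD_SIGNATURE) or tail.startswith(VHD_SIGNATURE):
        return "vhd"
    return None


def scan_zip(zip_bytes: bytes) -> list:
    """List every disk-image entry in a ZIP, noting whether its extension matches the magic."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            with zf.open(info) as fh:
                data = fh.read()
            kind = classify_entry(data)
            if kind is None:
                continue
            findings.append({
                "name": info.filename,
                "kind": kind,
                # A mismatch here means the extension lies about the content.
                "extension_matches": info.filename.lower().endswith("." + kind),
            })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a ZIP holding a minimal VHDX header block and a benign text file."""
    vhdx_stub = VHDX_SIGNATURE + b"\x00" * 504  # only the file type identifier block is needed here
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("Invoice_2024.vhdx", vhdx_stub)
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()


if __name__ == "__main__":
    for hit in scan_zip(build_sample_archive()):
        print(hit)
```

The sample name and contents are constructed for the demonstration; in practice the same scan can run on mail attachments before they reach a user.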