Phishing campaign poses as HR emails to spread Remcos malware
Farah Amod
December 31, 2026
Attackers are using layoff-themed emails to pressure employees into opening malicious attachments.
What happened
According to Cyber Press, researchers identified a phishing campaign that uses fake internal human resources emails to distribute the Remcos remote access trojan. The messages impersonate official workplace communications and reference a “Staff Performance Report for October 2025,” prompting recipients to open an attachment out of concern about potential job losses. The emails deliver a compressed archive containing a disguised executable that installs Remcos on Windows systems.
Going deeper
The emails are written in a formal internal tone and suggest that the attachment contains information about upcoming terminations. While the file appears to be a PDF, it is actually an executable hidden inside a compressed archive, a technique that relies on default Windows settings that conceal file extensions. Once opened, the malware installs itself in system directories and modifies registry settings to maintain persistence across reboots. Investigators observed that the campaign relies on social pressure rather than technical exploits, using fear and urgency to reduce scrutiny before execution.
What was said
Researchers said the Remcos payload is packaged using a legitimate Windows installer framework, which helps the malware blend in with normal software activity. After installation, Remcos establishes a connection to a remote command server and enables capabilities such as keystroke capture, screen monitoring, and clipboard access. Analysts warned that emails referencing layoffs or performance reviews are especially effective during periods of economic uncertainty and urged organizations to treat unsolicited internal notices with caution.
The big picture
According to GBHackers, the Remcos RAT campaign shows how attackers continue to pair malware delivery with real-world pressure points. The outlet warned that “technical defenses must be paired with user awareness,” noting that phishing lures tied to layoffs are particularly effective because they exploit fear and uncertainty.
“As layoffs continue to dominate the news cycle, employees are urged to exercise extreme caution with unsolicited HR communications,” GBHackers reported. Messages framed as internal documents or urgent notices are more likely to trigger fast, unverified clicks.
GBHackers advised that security teams should “reinforce email filtering rules to flag double-extension files and executable archives,” while organizations should remind staff to verify sensitive documents through “out-of-band communication channels before clicking.” The report stressed that without these checks, even well-defended environments remain vulnerable to socially engineered malware delivery.
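The filtering rule recommended above (flag double-extension files and executable archives) can be checked at the mail gateway before an attachment reaches a user. The following is an added example, not code from Paubox, GBHackers or the researchers; it inspects a constructed zip archive in memory and reports entries whose last extension is executable, with a second flag when a document extension precedes it, as in the lure filename this campaign uses. The extension lists are assumed and not exhaustive.

```python
import io
import zipfile
from pathlib import PurePosixPath

# Extensions that run directly on Windows (assumed, non-exhaustive list).
EXECUTABLE_EXTS = {".exe", ".scr", ".com", ".pif", ".bat", ".cmd",
                   ".js", ".vbs", ".msi", ".ps1"}
# Document extensions typically used as the decoy half of a double extension.
DOCUMENT_EXTS = {".pdf", ".doc", ".docx", ".xls", ".xlsx", ".txt"}


def check_filename(name):
    """Return the reasons a single attachment filename looks suspicious."""
    suffixes = [s.lower() for s in PurePosixPath(name).suffixes]
    reasons = []
    if suffixes and suffixes[-1] in EXECUTABLE_EXTS:
        reasons.append(f"executable type {suffixes[-1]}")
        # "report.pdf.exe": a document extension hiding in front of an executable one,
        # which Explorer shows as "report.pdf" when extensions are hidden.
        if len(suffixes) >= 2 and suffixes[-2] in DOCUMENT_EXTS:
            reasons.append(f"double extension {''.join(suffixes[-2:])}")
    return reasons


def scan_archive(data):
    """Inspect every file entry of a zip archive held in memory; returns {entry: reasons}."""
    findings = {}
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            reasons = check_filename(info.filename)
            if reasons:
                findings[info.filename] = reasons
    return findings


def build_sample_archive():
    """Constructed sample archive: a benign note plus a PDF-lookalike executable."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("README.txt", "Staff performance report (constructed sample)")
        zf.writestr("Staff_Performance_Report_October_2025.pdf.exe", b"MZ" + b"\x00" * 16)
    return buf.getvalue()


if __name__ == "__main__":
    for entry, reasons in scan_archive(build_sample_archive()).items():
        print(f"FLAG {entry}: {', '.join(reasons)}")
```

Filename checks only catch the disguise described here; a gateway should still pair them with content-type inspection of the archive entries themselves.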
FAQs
Why do attackers use layoff-themed emails?
Messages tied to job security create urgency and emotional pressure, which increases the chance that recipients open attachments without verification.
What is Remcos used for after installation?
Remcos allows attackers to monitor activity, capture credentials, and maintain long-term access to infected systems.
Why are double file extensions dangerous?
They disguise executable files as documents, especially when operating systems hide file extensions by default.
How can organizations reduce risk from these emails?
They can block executable attachments, flag compressed archives from internal lookalike senders, and require verification for sensitive HR communications.
What should employees do if they receive an unexpected HR notice?
They should avoid opening attachments and confirm the message through a known internal contact or official communication channel.