How to protect PowerShell from fileless attacks from the Remcos RAT malware

Windows users should be on high alert for the Remcos Remote Access Trojan (RAT). This malware deploys an extremely stealthy payload via phishing, without the need for a download. A single careless click on a malicious ZIP link gets the RAT up and running, executing HTML applications via PowerShell. From there, it can take screenshots, log keystrokes, and take complete control of your system.


Here's how to protect your PowerShell from the Remcos RAT and any other fileless attacks.

How the Remcos RAT Hijacks PowerShell to Take Over Your System

Security firm Qualys has revealed the simplicity of the Remcos RAT attack. Victims receive a ZIP file containing a fraudulent LNK file, a Windows shortcut disguised as a real document. As of May 2025, attackers are using tax-themed phishing emails, but future variants could use anything to trick you into clicking the link.

When you open the LNK file, it launches a Windows application called mshta.exe (Microsoft HTML Application Host). Next, a PowerShell script, such as '24.ps1', launches a shellcode loader that executes the Remcos RAT payload in real time. The attack does not store any files on disk and operates entirely in memory.


Additionally, Microsoft Defender antivirus cannot take action while the attacker holds a remote TLS connection. Currently, the malware connects to a command server at 'ReadyRestaurants DOT com', which Google Chrome has flagged as 'unsafe', but this may change in the future.


Important Note: Windows PowerShell has become a favorite tool for cybercriminals to carry out stealthy attacks without being detected. Just last month, we saw this with the Neptune RAT malware, which still required you to download a file first.

Prevent the Remcos RAT from executing in PowerShell

First, launch PowerShell with admin rights. Then, check whether the execution policy is unrestricted or restricted.

Get-ExecutionPolicy

If your device is set to Restricted (usually the default), skip to the next step. If not, first switch from Unrestricted back to Restricted. Type A (Yes to All) when asked to confirm the change.

Set-ExecutionPolicy Restricted



After implementing the above change, follow Qualys' recommendation and set PowerShell to Constrained Language Mode. This blocks access to sensitive .NET methods and COM objects that the Remcos RAT and similar malware often exploit.

$ExecutionContext.SessionState.LanguageMode = "ConstrainedLanguage"

For full protection, make sure the Restricted execution policy applies to all users, including non-administrator users, even if you're the only one using the PC.

Set-ExecutionPolicy -Scope LocalMachine -ExecutionPolicy Restricted -Force
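As an added example (not part of the original article), the script below reports the state of the three settings above and confirms that Constrained Language Mode is actually blocking COM and non-core .NET access. Keep in mind that assigning $ExecutionContext.SessionState.LanguageMode affects only the current session; a freshly started PowerShell comes back in FullLanguage unless an application control policy (AppLocker or WDAC) enforces the mode. The function names are my own.

```powershell
# Added example (not from the original article): report the hardening state
# described above and confirm Constrained Language Mode is enforced.
function Get-PowerShellHardeningState {
    $sblPath = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
    $sbl = Get-ItemProperty -Path $sblPath -Name EnableScriptBlockLogging -ErrorAction SilentlyContinue
    $sblOn = $false
    if ($sbl) { $sblOn = ($sbl.EnableScriptBlockLogging -eq 1) }

    # One execution policy per scope; LocalMachine is the one covering every user.
    $policies = Get-ExecutionPolicy -List |
        ForEach-Object { "$($_.Scope)=$($_.ExecutionPolicy)" }

    [pscustomobject]@{
        ExecutionPolicyByScope = $policies -join ', '
        # FullLanguage means nothing restricts .NET/COM access in this session.
        LanguageMode           = $ExecutionContext.SessionState.LanguageMode
        ScriptBlockLogging     = $sblOn
    }
}

# Confirms that Constrained Language Mode blocks the classes of operation the
# article mentions: arbitrary COM objects and methods on non-core .NET types.
function Test-ConstrainedLanguageEnforced {
    $comBlocked = $false
    $netBlocked = $false
    try { $null = New-Object -ComObject 'Scripting.FileSystemObject' -ErrorAction Stop }
    catch { $comBlocked = $true }
    try { $null = [System.Net.Dns]::GetHostName() }
    catch { $netBlocked = $true }
    [pscustomobject]@{
        LanguageMode         = $ExecutionContext.SessionState.LanguageMode
        ComObjectsBlocked    = $comBlocked
        DotNetMethodsBlocked = $netBlocked
        Enforced             = ($comBlocked -and $netBlocked)
    }
}

Get-PowerShellHardeningState
Test-ConstrainedLanguageEnforced
```

Run it once before and once after the `LanguageMode = "ConstrainedLanguage"` assignment in the same session: Enforced should flip from False to True, and a new window should show FullLanguage again unless a system-wide policy is in place.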


Qualys also recommends blocking suspicious PowerShell command line arguments. This prevents hidden precursor scripts, like the HTA file in Remcos RAT attacks, from executing in the user's PowerShell window.

Because the Remcos RAT runs its shellcode through PowerShell, script block logging offers a way to detect these commands. Unless they already exist on your PC, you may need to create the missing registry paths for "PowerShell" and "ScriptBlockLogging" manually.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Force
New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Force



Now enable script block logging by setting 'EnableScriptBlockLogging' to 1. This records the script blocks that the Remcos RAT and other malware use to run their shellcode loader in PowerShell, so the activity can be detected.

Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging" -Name "EnableScriptBlockLogging" -Value 1
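As an added example, not from the original article or from Qualys: once script block logging is on, event 4104 in the Microsoft-Windows-PowerShell/Operational log holds the text of every script block PowerShell compiles, so an in-memory loader like '24.ps1' still leaves a record. The function below scans recent 4104 events for a constructed list of indicators (the mshta launcher described in the article plus API names and download/decode patterns typical of shellcode loaders); the function name and pattern list are mine.

```powershell
# Added example (not from the original article): scan the script block log
# that the registry change above enables. Event 4104 carries the text of
# every compiled script block, so fileless loaders still leave a record.
function Get-SuspiciousScriptBlocks {
    param(
        [int]$Hours = 24,
        # Constructed indicator list: the mshta launcher from the article plus
        # API names and download/decode patterns typical of shellcode loaders.
        [string[]]$Patterns = @(
            'mshta', 'VirtualAlloc', 'Marshal\]::Copy', 'CreateThread',
            'FromBase64String', 'Invoke-Expression', '\bIEX\b', 'DownloadString'
        )
    )
    $filter = @{
        LogName   = 'Microsoft-Windows-PowerShell/Operational'
        Id        = 4104
        StartTime = (Get-Date).AddHours(-$Hours)
    }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue | ForEach-Object {
        # 4104 properties: [0] part number, [1] total parts,
        # [2] script block text, [3] script block id, [4] source path.
        $text = [string]$_.Properties[2].Value
        $path = [string]$_.Properties[4].Value
        if (-not $path) { $path = '<in-memory>' }
        $hits = @($Patterns | Where-Object { $text -match $_ })
        if ($hits.Count -gt 0) {
            [pscustomobject]@{
                Time    = $_.TimeCreated
                Path    = $path
                Matches = $hits -join ', '
                Preview = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
}

Get-SuspiciousScriptBlocks -Hours 24 | Format-Table -AutoSize -Wrap
```

The function's own text is logged as a script block too and matches its own patterns, so expect one self-hit per run and exclude it by Path when reviewing the results.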


A related command is meant to block suspicious command line arguments used by hidden scripts.

New-Item -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell" -Name "CommandLineFiltering" -Force
Set-ItemProperty -Path "HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\CommandLineFiltering" -Name "EnableCommandLineFiltering" -Value 1


Good to Know: The recent rise of AI-generated PowerShell scripts is a big factor in making it easier for malware authors to create new scripts that target systems.

Note: Some websites recommend disabling PowerShell for non-administrators. We won't go to that extreme, because using a non-administrator Windows account has several advantages. First, it protects you from credential-stealing threats, such as attacks on NT LAN Manager (NTLM) credentials.

Disable mshta.exe to prevent the Remcos RAT from executing

The Remcos RAT uses a common system application on Windows PCs called 'mshta.exe'. This application is located in 'C:\Windows\System32'.

Nowadays, it is perfectly fine to disable mshta.exe. It is rarely used, except in legacy applications like Internet Explorer or Office macros. It has been completely removed from Windows 11 24H2.



Since mshta.exe executes HTML application (HTA) files, it is used to run VBScript or JavaScript outside the browser with full system privileges.

In Windows 11 Pro, type gpedit.msc into the Run command to open the Local Group Policy Editor. Follow this path: Computer Configuration -> Windows Settings -> Security Settings -> Software Restriction Policies.


If no policy exists, right-click and select New Software Restriction Policies to create one. Once created, right-click under Additional Rules and select New Path Rule.


Set the path to C:\Windows\System32\mshta.exe, set the security level to Disallowed, and click Apply -> OK.

On Windows 11/10 Home devices without the Group Policy Editor, there is another way. Launch Windows Security and go to App & Browser Control -> Exploit Protection -> Exploit Protection Settings -> Program Settings. Here, click Add program to customize.


Add program to customize offers two options. Click Choose exact file path, which opens a File Explorer window. Navigate to mshta.exe and select it; its program settings open in another pop-up window.

Now go through the mitigation settings for mshta.exe: wherever a setting overrides the system defaults, turn it off. If they are already off, you don't need to do anything.


Other methods to prevent remote exploitation in PowerShell

Here are some other things you can do to prevent the Remcos RAT and other remote exploits from executing in PowerShell.

  1. Invest in Windows endpoint protection software such as Microsoft Defender, which is a separate product from the built-in Windows Security app.
  2. Update and patch your system regularly. Moving to version 24H2 of Windows 11 will provide timely patches for these latest threats.
  3. Deploy email filtering and anti-phishing protection for the webmail accounts used on Windows devices.