Malicious VHDX File Delivers Remcos RAT via Automated Windows Mount
A ZIP archive was identified containing a VHDX virtual disk file that mounts automatically on modern Windows systems and exposes malicious JavaScript code. That script delivers Remcos RAT (Remote Access Trojan), a commonly deployed remote access tool used in targeted attacks. The attack chain abuses Windows' automatic mounting behaviour to obscure malware delivery: the container, not the script, is what the user opens.
Why it matters in Western Canada: Organizations across Western Canada’s education, government, healthcare, and financial sectors regularly use Windows systems that may auto-mount such files, making staff and systems vulnerable to this delivery technique. Remcos RAT enables unauthorized system access and data exfiltration, creating significant risk to regulated organizations handling sensitive citizen data.
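Because the delivery relies on a mountable disk image inside an archive, one defensive check a mail gateway or triage script can apply is to look inside ZIP attachments for virtual disk images before a user can double-click them. The script below is an added example, not code from the ISC diary; it matches members both by extension and by the on-disk signatures from Microsoft's published formats (`vhdxfile` at offset 0 of a VHDX, `conectix` at the start of a dynamic VHD or in the 512-byte footer of a fixed VHD), so a disk image renamed to an innocuous extension is still caught. The sample archive is constructed in memory and contains only signature stubs, not a real disk.

```python
"""Flag ZIP attachments that carry mountable virtual disk images.

Added defensive example for triaging archives like the one in the advisory.
Signatures come from the VHDX/VHD format specs; the sample archive below is
constructed so the script runs offline.
"""
import io
import zipfile

VHDX_MAGIC = b"vhdxfile"  # VHDX file type identifier, first 8 bytes of the image
VHD_MAGIC = b"conectix"   # VHD footer cookie: offset 0 for dynamic disks, last 512 bytes for fixed
DISK_EXTENSIONS = (".vhdx", ".vhd", ".iso", ".img")


def find_disk_images(zip_bytes: bytes) -> list[dict]:
    """Return one finding per ZIP member that looks like a mountable disk image.

    A member is flagged if its extension is a known disk-image type OR its
    content carries a VHDX/VHD signature. A signature under a non-disk
    extension is the more suspicious case, since it suggests renaming.
    """
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            data = zf.read(info)  # fine for attachments; stream for very large members
            head = data[:8]
            # fixed VHDs keep the cookie at the start of the trailing 512-byte footer
            tail = data[-512:-504] if len(data) >= 512 else b""
            magic = None
            if head == VHDX_MAGIC:
                magic = "vhdx"
            elif head == VHD_MAGIC or tail == VHD_MAGIC:
                magic = "vhd"
            ext_hit = info.filename.lower().endswith(DISK_EXTENSIONS)
            if magic or ext_hit:
                findings.append({
                    "member": info.filename,
                    "size": info.file_size,
                    "magic": magic,
                    "extension_match": ext_hit,
                    "verdict": "disk-image" if magic else "suspicious-extension",
                })
    return findings


def build_sample_archive() -> bytes:
    """Constructed sample: a harmless text file, a VHDX stub, and a VHD stub hidden as .dat."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        zf.writestr("invoice.txt", "plain text, nothing to mount\n")
        zf.writestr("invoice.vhdx", VHDX_MAGIC + b"\x00" * 1024)
        zf.writestr("readme.dat", VHD_MAGIC + b"\x00" * 1024)  # disguised extension
    return buf.getvalue()


if __name__ == "__main__":
    for finding in find_disk_images(build_sample_archive()):
        print(finding)
```

The extension list is deliberately short; extend it to whatever your environment auto-mounts. Treating any hit as "quarantine and review" rather than "block" keeps the check usable for teams that legitimately exchange disk images.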
Summary generated from the original advisory. Read the full source: sans-isc
- Source: https://isc.sans.edu/diary/rss/33080
- CVEs: None listed
- Tags: remcos-rat, vhdx-malware, windows-exploitation, malware-delivery, phishing
- Provenance: mask2-ti-pipeline (AI-assisted, human-reviewable)