PULSE NAME: Fileless Execution: PowerShell Based Shellcode Loader Executes Remcos RAT
WHITE | AlienVault | 2025-05-15 | Modified: 2025-05-15
9 IOCs | LOW VOLUME
A new PowerShell-based shellcode loader has been discovered that executes a variant of Remcos RAT. The attack chain begins with malicious LNK files delivered inside ZIP archives, with mshta.exe used for initial execution. The loader is fileless: it runs its code directly in memory to evade traditional file-based defenses, calling Windows APIs to allocate memory and execute the binary payload. Remcos RAT gives the operator full control of the system, including keylogging, screen capture, and credential theft. It uses evasion techniques such as process hollowing and UAC bypass, establishes persistence through registry modifications, and connects to its command and control server over TLS. The stealth of this attack underscores the need for behavioral analytics and proactive security measures to detect and mitigate it.
Indicators of Compromise (3 of 9 total shown)

TYPE             INDICATOR                                                          DESCRIPTION  CREATED
FileHash-SHA256  85dcc4bafccb5b9e255f75c2cd96fec1b4a5b30d09ae0d8eb571b312511d7df7   -            2025-05-15
FileHash-SHA256  ab8caac901b477c08934ec63978400eb369efb655114805ccba28c48272e5dad   -            2025-05-15
FileHash-SHA256  ce5ee4a1991fa0a9030dc9e2e0601dc0f14c7961e6550921d8fd2cc4ec53a042   -            2025-05-15