Tag: remcos

37 Attack Reports | 0 Vulnerabilities

Attack reports

Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downlo…
remcos
openclaw
ghostloader
2026-05-05
deepseek-claw
Published: May 5, 2026
Downloadable IOCs: 4

From Inbox to Intrusion: Multi‑Stage Remcos RAT and C2‑Delivered Payloads in Network

This multi-stage fileless Remcos RAT attack leverages a phishing-delivered JavaScript dropper to trigger a reflective PowerShell loader that executes payloads entirely in memory. The infection chain utilizes obfuscation techniques like rotational XOR and Base64 encoding to reconstruct .NET payloads…
rat
phishing
remcos
remote access trojan
2026-04-01
js dropper
Published: April 1, 2026
Downloadable IOCs: 2

Mercenary Akula Hits Ukraine-Supporting Financial...

A European financial institution involved in regional development and reconstruction initiatives was targeted by a social engineering attack attributed to the Russia-aligned Mercenary Akula. The attack used a spoofed Ukrainian judicial domain to deliver an email containing a link to a remote access…
social engineering
spearphishing
remcos
cyber espionage
remote access
quasarrat
financial theft
2026-02-25
davinci group
fire cells group
remote manipulator system
uac-0050
Published: February 25, 2026
Downloadable IOCs: 10

Remcos Revisited: Inside the RAT's Evolving Command-and-Control Techniques

This analysis examines the evolution of Remcos, a Remote Access Trojan that has become a significant global threat. Originally a commercial tool, Remcos now provides attackers with capabilities such as credential theft, keylogging, screen capture, and webcam control. The latest variant exhibits rea…
rat
persistence
remcos
credential theft
keylogging
data exfiltration
evasion techniques
remote access trojan
command-and-control
2026-02-18
Published: February 18, 2026
Downloadable IOCs: 1

New Remcos Campaign Distributed Through Fake Shipping Document

A new phishing campaign has been discovered that delivers a fileless variant of the Remcos RAT. The attack begins with an email impersonating a Vietnamese shipping company, luring victims to open a malicious Word document. This document retrieves a remote RTF file, exploits a vulnerability, and exe…
phishing
remcos
CVE-2017-11882
process hollowing
remcos rat
remote access tool
fileless malware
2026-01-19
Published: January 19, 2026
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 13

Malware Campaign Leverages SVGs, Email Attachments, and CDNs to Drop XWorm and Remcos via BAT Scripts

A sophisticated malware campaign has been uncovered that utilizes various techniques to deliver Remote Access Trojans (RATs) such as XWorm and Remcos. The attack chain begins with a ZIP archive, often hosted on trusted platforms like ImgKit, containing obfuscated BAT scripts. These scripts execute …
obfuscation
xworm
rat
phishing
powershell
remcos
evasion techniques
bat scripts
svg
fileless execution
2025-09-11
Published: September 11, 2025
Downloadable IOCs: 2

Statistics Report on Malware Targeting Windows Database Servers in Q2 2025

The analysis team has categorized attacks on MS-SQL and MySQL servers installed on Windows systems during Q2 2025. While the number of targeted systems remains stable, attacks on MS-SQL servers have been decreasing. MySQL servers saw a significant spike in attacks in June 2025. The report provides …
windows
coinminer
anydesk
remcos
gh0strat
cobaltstrike
netcat
mysql
database
ms-sql
2025-08-08
juicypotato
hploader
shadowforce
server security
q2 2025
ahnlab smart defense
clrshell
mykings
attack statistics
loveminer
Published: August 8, 2025
Downloadable IOCs: 9

LNK Trojan delivers REMCOS

This report details a multi-stage malware campaign delivering the REMCOS backdoor via a malicious Windows LNK shortcut file. The attack begins with social engineering, leveraging PowerShell for initial execution and deploys a persistent backdoor capable of full system compromise. The infection chai…
backdoor
powershell
remcos
keylogger
lnk file
c2 communication
pif file
multi-stage attack
base64 encoding
2025-07-30
Published: July 30, 2025
Downloadable IOCs: 8

AsyncRAT Campaign Continues to Evade Endpoint Detection

A wide-ranging phishing campaign has been identified that enables threat actors to bypass traditional security controls and delay detection. The campaign, tracked since 2024, has facilitated remote surveillance, credential theft, lateral movement, data exfiltration, and ransomware across numerous o…
obfuscation
xworm
phishing
remcos
asyncrat
venomrat
purehvnc
cloud services
cybercriminal
trycloudflare
remote access trojan
2025-06-17
python scripts
endpoint evasion
Published: June 17, 2025
Downloadable IOCs: 0

Unmasking the Infrastructure of a Spear‑phishing Campaign

Censys researchers uncovered a spear‑phishing campaign where threat actors leveraged a cluster of 16 open directories hosting heavily obfuscated Visual Basic Script (VBS) files. The study analyzes how attackers set up these public-accessible directories to store malicious scripts, the obfuscation t…
spearphishing
remcos
asyncrat
dcrat
2025-06-11
limerat
opendir
Published: June 11, 2025
Downloadable IOCs: 54

The strange tale of ischhfd83: When cybercriminals eat their own

This investigation uncovered a large-scale campaign involving backdoored GitHub repositories targeting game cheaters and inexperienced cybercriminals. The threat actor, possibly linked to a Distribution-as-a-Service operation, uses multiple types of backdoors and a convoluted infection chain leadin…
backdoor
obfuscation
rat
infostealer
remcos
lumma stealer
asyncrat
github
telegram
2025-06-04
Published: June 4, 2025
Downloadable IOCs: 52

Part 2: Compromised WordPress Pages and Malware Campaigns

This analysis focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. The threat actors used redirector scripts to target users from various countries, mimicking the Google Play Store. Additionally, the XWorm campaign tar…
xworm
phishing
ransomware
android
remcos
wordpress
credential theft
strela stealer
proton66
weaxor
2025-05-16
Published: May 16, 2025
Downloadable IOCs: 45

Proton66: Compromised WordPress Pages and Malware Campaigns

This intelligence briefing focuses on malware campaigns linked to Proton66, particularly those targeting Android devices through compromised WordPress websites. It details how these sites were injected with malicious scripts to redirect Android users to fake Google Play Store pages. The report also…
xworm
phishing
ransomware
android
korea
remcos
wordpress
strela stealer
2025-04-18
germany
weaxor
Published: April 18, 2025
Downloadable IOCs: 48

Threat actors misuse Node.js to deliver malware and other malicious payloads

Since October 2024, threat actors have been leveraging Node.js to deliver malware and payloads for information theft and data exfiltration. A recent malvertising campaign uses cryptocurrency trading themes to lure users into downloading malicious installers. The attack chain includes initial access…
node.js
remcos
latrodectus
stilachirat
ahkbot
2025-04-15
raccoono365
Published: April 15, 2025
Downloadable IOCs: 0

Blind Eagle: ...And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle (APT-C-36) targeting Colombian institutions since November 2024. The group utilized malicious .url files, similar to CVE-2024-43451, to deliver HeartCrypt-packed malware and Remcos RAT. Campaigns infected over 1,600 victims in a single…
phishing
remcos
government
purecrypter
webdav
remcos rat
CVE-2024-43451
heartcrypt
2025-04-10
apt-c-36
colombia
Published: April 10, 2025
Downloadable IOCs: 0

Threat actors leverage tax season to deploy tax-themed phishing campaigns

Microsoft has observed several phishing campaigns using tax-related themes to steal credentials and deploy malware as Tax Day approaches in the United States. These campaigns use redirection methods like URL shorteners and QR codes in malicious attachments, and abuse legitimate services to avoid de…
malware
phishing
social engineering
remcos
credential theft
latrodectus
guloader
redirection
qr codes
remote access trojans
2025-04-03
tax season
ahkbot
bruteratel c4
Published: April 3, 2025
Downloadable IOCs: 0

Gamaredon campaign abuses LNK files to distribute Remcos backdoor

A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading t…
phishing
powershell
ukraine
remcos
dll sideloading
lnk files
2025-03-28
gthost
hyperhosting
Published: March 28, 2025
Downloadable IOCs: 0

New Steganographic Campaign Distributing Multiple Malware Variants

A sophisticated steganographic campaign has been observed distributing multiple stealer malware variants, including Remcos, DcRAT, AgentTesla, and VIPKeyLogger. The infection chain begins with a phishing email containing an Excel file that exploits CVE-2017-0199. This leads to the download of an HT…
obfuscation
phishing
remcos
steganography
asyncrat
dcrat
CVE-2017-0199
process hollowing
remote access trojan
agenttesla
vipkeylogger
2025-03-17
Published: March 17, 2025
Linked vulnerabilities : CVE-2017-0199
Downloadable IOCs: 13

Remote Monitoring and Management (RMM) Tooling Increasingly an Attacker's First Choice

Threat actors are increasingly using legitimate remote monitoring and management (RMM) tools as initial payloads in email campaigns. This trend aligns with a decrease in the use of traditional loaders and botnets by initial access brokers. RMMs can be exploited for data collection, financial theft,…
screenconnect
rmm
remcos
lumma stealer
asyncrat
remote access
cybercrime
grandoreiro
email campaigns
netsupport
astaroth
initial access
2025-03-12
guildma
atera
mispadu
bluetrait
fleetdeck
Published: March 12, 2025
Downloadable IOCs: 15

Blind Eagle: …And Justice for All

Check Point Research uncovered ongoing campaigns by Blind Eagle targeting Colombian institutions since November 2024. The group exploits a variant of CVE-2024-43451, using malicious .url files to deliver malware. Their attack chain includes HeartCrypt-packed executables, a .NET RAT, and Remcos RAT …
phishing
remcos
purecrypter
remcos rat
CVE-2024-43451
heartcrypt
2025-03-10
Published: March 10, 2025
Downloadable IOCs: 16

Remcos RAT Targets Europe: New AMSI and ETW Evasion Tactics Uncovered

This week, the SonicWall threat research team discovered a new update in the Remcos infection chain aimed at enhancing its stealth by patching AMSI scanning and ETW logging to evade detection. This loader was seen distributing Async RAT in the past but now it has extended its functionality to Remco…
rat
phishing
powershell
remcos
2025-03-05
zip
vb script
Published: March 5, 2025
Downloadable IOCs: 7

TAG-124’s Multi-Layered TDS Infrastructure and Extensive User Base

Insikt Group has identified a complex infrastructure linked to the traffic distribution system TAG-124, which overlaps with several threat activity clusters and includes compromised WordPress sites and various servers. Multiple threat actors, including operators of Rhysida and Interlock ransomware,…
remcos
cleanuploader
mintsloader
2025-01-31
tag-124
ta582
Published: January 31, 2025
Downloadable IOCs: 102

Crypted Hearts: Exposing the HeartCrypt Packer-as-a-Service Operation

This analysis examines HeartCrypt, a new packer-as-a-service (PaaS) used to protect malware. Developed since July 2023 and launched in February 2024, HeartCrypt charges $20 per file to pack Windows x86 and .NET payloads. It is primarily used by malware operators of families like LummaStealer, Remco…
xworm
rhadamanthys
remcos
quasar rat
vidar stealer
redline stealer
process hollowing
anti-sandbox
lummastealer
2024-12-14
heartcrypt
packer-as-a-service
Published: December 14, 2024
Downloadable IOCs: 0

How to Improve Cyber Threat Investigations with TI Lookup

This article discusses the use of Threat Intelligence (TI) Lookup, a centralized service for threat data exploration and analysis. It highlights key features such as fast search results, extensive search parameters, and access to a large database of malware and phishing samples. The article explain…
phishing
remcos
stealc
cybersecurity
lumma
malware analysis
threat intelligence
agenttesla
yara rules
2024-11-13
darkvision
sandbox
ioc
Published: November 13, 2024
Downloadable IOCs: 0

New Campaign Uses Remcos RAT to Exploit Victims

A phishing campaign utilizing Remcos RAT has been detected. The attack begins with an email containing a malicious Excel document that exploits CVE-2017-0199. When opened, it downloads and executes an HTA file, which in turn downloads and runs a malicious EXE. This EXE uses PowerShell to load and e…
rat
phishing
powershell
remcos
CVE-2017-0199
process hollowing
2024-11-08
Published: November 8, 2024
Downloadable IOCs: 2

Malicious CAPTCHA delivers Lumma and Amadey Trojans

An adware campaign targets online users by presenting them with fake CAPTCHA or update prompts, tricking them into running malicious PowerShell commands that deploy credential-stealing malware like Lumma and Amadey. The attackers leverage ad networks to redirect victims to compromised sites hosting…
malvertising
adware
remcos
amadey
infostealers
social-engineering
lumma
captcha
2024-10-29
Published: October 29, 2024
Downloadable IOCs: 1

The New Malware Distribution Service

This analysis uncovers a novel malware distribution mechanism utilizing VBE scripts stored in archive files to spread various malware families, including AgentTesla, Remcos, Snake, and NjRat. It details the infection chain, which involves downloading encoded files from a command-and-control server,…
malware
evasion
remcos
injection
njrat
bladabindi
njw0rm
lv
keylogger
2024-10-16
agenttesla
ekans
snakehose
distribution
Published: October 16, 2024
Downloadable IOCs: 7

Emansrepo Stealer: Multi-Vector Attack Chains

A Python infostealer named Emansrepo has been observed since November 2023, distributed via phishing emails containing fake purchase orders and invoices. The malware steals browser data, credit card information, and files, sending them to the attacker's email. The attack chain has evolved, becoming…
phishing
infostealer
remcos
2024-09-04
emansrepo
Published: September 4, 2024
Downloadable IOCs: 42

Threat Actor Abuses Cloudflare Tunnels to Deliver RATs

Proofpoint is tracking a cluster of cybercriminal threat activity leveraging Cloudflare Tunnels to deliver malware, particularly remote access trojans (RATs) like Xworm, AsyncRAT, VenomRAT, GuLoader, and Remcos. The campaigns employ various techniques, such as using URL files to establish connectio…
xworm
remcos
asyncrat
venomrat
guloader
rats
webdav
cloudflare
2024-08-01
Published: August 1, 2024
Downloadable IOCs: 13

Secret Message: Steganography Tricks of TA558 Group in Cyber Attacks on Enterprises in Russia and Belarus

F.A.C.C.T.'s Threat Intelligence analysts have investigated numerous cyberattacks by the TA558 group targeting enterprises, government institutions, and banks in Russia and Belarus. The attacks aimed to steal data and gain access to the organization's internal systems. TA558 used multi-stage phishi…
malware
phishing
social engineering
russia
belarus
remcos
steganography
CVE-2017-11882
agent tesla
2024-07-30
Published: July 30, 2024
Linked vulnerabilities : CVE-2017-11882
Downloadable IOCs: 74

Likely eCrime Actor Capitalizing on Falcon Sensor Issues

A cybercrime group has leveraged a content update issue with the CrowdStrike Falcon sensor to distribute malicious files targeting Latin American customers. The campaign involves a ZIP archive named 'crowdstrike-hotfix.zip' containing a HijackLoader payload that loads RemCos malware, using Spanish …
phishing
remcos
hijackloader
2024-07-29
falcon
latam
Published: July 29, 2024
Downloadable IOCs: 14

RAT Distributed as UUEncoding (UUE) File

This intelligence report describes a malicious operation where the Remcos Remote Access Trojan (RAT) is being disseminated through phishing emails containing an attachment exploiting the Unix-to-Unix Encoding (UUE) technique. The encoded file loads an obfuscated VBScript that fetches additional mal…
obfuscation
rat
phishing
persistence
remcos
remote access
2024-06-11
Published: June 11, 2024
Downloadable IOCs: 3

PDF “Flawed Design” Exploitation

Check Point Research identified an unusual pattern involving PDF exploitation, mainly targeting users of Foxit Reader. This exploit triggers security warnings that could deceive users into executing harmful commands. The exploitation occurs through a flawed design in Foxit Reader, showing 'OK' as t…
malware
xworm
campaigns
remcos
asyncrat
2024-05-09
2024-05-14
njrat
dcrat
pdf
venomrat
exploitation
nanocore rat
pony
bladabindi
foxit
agent-tesla
njw0rm
lv
2024-05-10
Published: May 14, 2024
Downloadable IOCs: 40

GoTo Meeting loads RAT via Shellcode Loader

A malicious campaign has been discovered that exploits the legitimate GoTo Meeting online conferencing software to deploy the Remcos remote access trojan (RAT). The attack chain involves utilizing lures like porn downloads, software setup files, and tax forms with Russian and English file names. It…
rat
remcos
2024-05-08
dll sideloading
shellcode
rust
2024-05-09
2024-05-10
2024-05-13
Published: May 13, 2024
Downloadable IOCs: 17

Dissecting REMCOS RAT: An in-depth analysis of a widespread 2024 malware, Part Four

This comprehensive analysis provides a thorough examination of the REMCOS Remote Access Trojan (RAT), a prominent malware threat that gained significant prevalence in 2024. The analysis delves into the malware's configuration structure, command and control capabilities, persistence mechanisms, and …
rat
evasion
persistence
remcos
2024-05-04
2024-05-05
2024-05-06
2024-05-07
2024-05-08
credential theft
remote access
2024-05-09
Published: May 9, 2024
Downloadable IOCs: 34

HijackLoader Updates

HijackLoader, also known as IDAT Loader, is a modular malware loader capable of executing multiple payloads. It utilizes a variety of modules for code injection, execution, and evasion techniques. This report analyzes the updated version of HijackLoader, which includes new modules for bypassing Win…
rat
evasion
rhadamanthys
stealer
remcos
2024-05-03
2024-05-04
2024-05-05
2024-05-06
2024-05-07
amadey
lumma stealer
injection
modular
racoon stealer v2
malware loader
meta stealer
Published: May 7, 2024
Downloadable IOCs: 11

Analysis of TargetCompany’s Attacks Against MS-SQL Servers (Mallox, BlueSky Ransomware)

The report analyzes recent attacks by the TargetCompany ransomware group targeting poorly managed MS-SQL servers. The group initially installs Remcos RAT and a remote screen control malware for reconnaissance and lateral movement. Subsequently, the Mallox ransomware is deployed to encrypt the infec…
ransomware
remcos
mallox
sql
tor2mine
bluesky
Published: May 2, 2024
Downloadable IOCs: 5
Click here to see more Attack Reports