{
  "family": "remcos",
  "sample_count": 198,
  "category": "rat",
  "description": "Remcos is a commercial remote access trojan sold openly as legitimate remote-administration software but widely abused in malicious campaigns since 2016. It provides keylogging, password recovery, webcam capture, audio recording, screen capture, and remote shell capabilities. Remcos is typically delivered through phishing emails with malicious Office documents or archives containing the payload.",
  "cta": "If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.",
  "aliases": [],
  "enrichment_level": "hand-curated",
  "faq": [
    {
      "@type": "Question",
      "name": "What is Remcos?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Remcos is a commercial remote access trojan sold openly as legitimate remote-administration software but widely abused in malicious campaigns since 2016. It provides keylogging, password recovery, webcam capture, audio recording, screen capture, and remote shell capabilities. Remcos is typically delivered through phishing emails with malicious Office documents or archives containing the payload."
      }
    },
    {
      "@type": "Question",
      "name": "How does Remcos spread?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Remcos is sold publicly as a commercial remote administration tool and is frequently repurposed for malicious use. It is typically delivered through phishing emails carrying weaponized documents or archive attachments."
      }
    },
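    {
      "@type": "Question",
      "name": "What are the signs of a Remcos infection?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "Signs that can point to a Remcos infection include persistent unsigned remcos.exe processes, scheduled tasks created for persistence, encrypted outbound traffic to an attacker-controlled command-and-control (C2) server, and antivirus detections that name Remcos. No single sign is conclusive on its own, and because the operator can change the executable's file name, the absence of a process called remcos.exe does not rule out an infection."
      }
    },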
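    {
      "@type": "Question",
      "name": "What should I do if I think I have Remcos on my system?",
      "acceptedAnswer": {
        "@type": "Answer",
        "text": "If you suspect this malware on your system, do not attempt manual removal. Disconnect the affected machine from the network, and because Remcos can log keystrokes and recover stored passwords, change the passwords used on that machine from a separate device you trust. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance."
      }
    }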
  ],
  "faq_count": 4,
  "mitre_attack": [
    "T1566.001",
    "T1059.001",
    "T1071.001"
  ],
  "cisa_advisory": null,
  "last_updated": "2026-05-27"
}