Remcos is a commercial remote access trojan sold openly as legitimate remote-administration software but widely abused in malicious campaigns since 2016. It provides keylogging, password recovery, webcam capture, audio recording, screen capture, and remote shell capabilities. Remcos is typically delivered through phishing emails with malicious Office documents or archives containing the payload.
This family has been observed using the following ATT&CK techniques: T1566.001 T1059.001 T1071.001
Remcos is a commercial remote access trojan sold openly as legitimate remote-administration software but widely abused in malicious campaigns since 2016. It provides keylogging, password recovery, webcam capture, audio recording, screen capture, and remote shell capabilities. Remcos is typically delivered through phishing emails with malicious Office documents or archives containing the payload.
Remcos is sold publicly as a commercial remote administration tool and is frequently repurposed maliciously, delivered through phishing emails with weaponized documents and archive attachments.
Persistent unsigned remcos.exe processes, scheduled tasks for persistence, encrypted outbound traffic to attacker C2, and AV detections for Remcos indicate the infection.
If you suspect this malware on your system, do not attempt manual removal. Contact SystemHelpdesk expert MSP support at 855-783-7555 for professional incident response guidance.
Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/remcos.json
This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families extracted from the EMBER 2018 benchmark. The catalog is also published on Hugging Face and Kaggle.