Remcos

Category: rat · Aliases: RAT.Remcos, Backdoor.Win32.Remcos, RemcosRAT · Sample count (EMBER 2018): 198 · Enrichment: curated_sourced · Updated: 2026-07-02T09:04:51Z

Overview

Executive Summary

Remcos (short for Remote Control and Surveillance) is a highly sophisticated, commercially available Remote Access Trojan (RAT). It is marketed ostensibly as a legitimate remote administration and penetration testing tool by a company called BreakingSecurity. However, due to its powerful surveillance capabilities, ability to bypass antivirus, and explicit marketing on dark web forums, it is overwhelmingly utilized by cybercriminals, APT groups, and script kiddies to establish total, stealthy control over victim machines.

Infection Vector and Technical Capabilities

Because Remcos is sold commercially, the infection vector depends entirely on the purchaser. However, it is most frequently distributed via highly targeted spear-phishing campaigns utilizing weaponized Microsoft Office documents (exploiting CVEs like CVE-2017-11882) or disguised as PDF invoices. Once executed, Remcos provides the attacker with an advanced espionage platform:

Threat Assessment

A Remcos detection is a critical "Code Red" incident indicating a total compromise of the affected endpoint. The attacker has interactive, human-driven access to the machine, is actively capturing credentials, and possesses the capability to move laterally to compromise the broader Active Directory domain or deploy ransomware.

Incident Response and Remediation

Known aliases

Threat reports may refer to this family under multiple names:

MITRE ATT&CK Techniques

This family has been observed using the following ATT&CK techniques: T1071.001 T1056.001 T1055

Generated Detections (Boilerplate)

These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.

YARA Rule

rule MALWARE_WIN_REMCOS {
    meta:
        description = "Detects Remcos (rat)"
        author = "SystemHelpdesk Boilerplate Generator"
        date = "2026-07-06"
    strings:
        $s1 = "remcos" ascii wide nocase
        $s2 = "rat.remcos" ascii wide nocase
        $s3 = "backdoor.win32.remcos" ascii wide nocase
        $s4 = "remcosrat" ascii wide nocase
    condition:
        uint16(0) == 0x5a4d and any of them
}

Sigma Rule

title: Suspicious Remcos Activity
id: cae8a30912dca6afdb1cf79734265504
status: experimental
description: Detects generic indicators of the remcos malware family.
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith:
            - '\cmd.exe'
            - '\powershell.exe'
        CommandLine|contains:
            - "*remcos*"
            - "*rat.remcos*"
            - "*backdoor.win32.remcos*"
            - "*remcosrat*"
    condition: selection
level: medium

References & External Analysis

Frequently Asked Questions

Is Remcos legitimate software?

It is sold as remote-control/surveillance software by Breaking Security, but MITRE notes it has been observed used in malware campaigns.

What does Remcos do once installed?

It allows remote control, keystroke logging, and exfiltration of data from the infected machine.

How is Remcos distributed?

Predominantly through phishing emails containing malicious documents or archives.

Why is Remcos hard to classify?

It is a dual-use tool: legitimately marketed remote-administration software that is commonly repurposed for malicious access.

How can I reduce the risk from Remcos?

Treat unexpected attachments with caution, keep endpoint protection current, and verify that any remote-access software on your machine was installed intentionally.

Where is the authoritative reference?

MITRE ATT&CK's Remcos entry (S0332), linked on this page.

Related Families (Category: rat)

Explore other malware families in the same category:

Need help with an active incident? Published by the SystemHelpdesk team.

Machine-readable

Get this profile as JSON: https://jordanricky1604-ship-it.github.io/malware-families-catalog/api/remcos.json

Ecosystem & Interactive Environments

This profile is part of the Malware Families Catalog, a public dataset of 2,899 malware families. The catalog is also published across our ecosystem: Hugging Face, Kaggle, Replit, StackBlitz, CodeSandbox, and CodePen.