Remcos (short for Remote Control and Surveillance) is a highly sophisticated, commercially available Remote Access Trojan (RAT). It is marketed ostensibly as a legitimate remote administration and penetration testing tool by a company called BreakingSecurity. However, due to its powerful surveillance capabilities, ability to bypass antivirus, and explicit marketing on dark web forums, it is overwhelmingly utilized by cybercriminals, APT groups, and script kiddies to establish total, stealthy control over victim machines.
Infection Vector and Technical Capabilities
Because Remcos is sold commercially, the infection vector depends entirely on the purchaser. However, it is most frequently distributed via highly targeted spear-phishing campaigns utilizing weaponized Microsoft Office documents (exploiting CVEs like CVE-2017-11882) or disguised as PDF invoices.
Once executed, Remcos provides the attacker with an advanced espionage platform:
Total Surveillance and Keylogging: Remcos features a highly effective, persistent keylogger. It also allows the attacker to secretly view the victim's screen in real-time, activate the webcam, record audio from the microphone, and steal saved passwords from web browsers and FTP clients.
Advanced Evasion (Process Injection): The builder allows attackers to easily pack the payload. Upon execution, Remcos utilizes process hollowing, decrypting its core payload directly into the memory of a legitimate Windows process (like `svchost.exe` or `explorer.exe`), completely evading file-based antivirus scanning.
System Administration and Lateral Movement: The attacker has full GUI-based control over the file system, registry, and running processes. Remcos provides a remote command shell, allowing attackers to utilize PowerShell to move laterally across the corporate network.
Threat Assessment
A Remcos detection is a critical "Code Red" incident indicating a total compromise of the affected endpoint. The attacker has interactive, human-driven access to the machine, is actively capturing credentials, and possesses the capability to move laterally to compromise the broader Active Directory domain or deploy ransomware.
Incident Response and Remediation
Immediate Network Severance: The endpoint must be physically disconnected from the network instantly to terminate the attacker's interactive session and halt any ongoing data exfiltration or lateral pivoting.
Hunt for Lateral Movement: Incident responders must assume the attacker has used Remcos to steal local credentials and move laterally. Scrutinize Active Directory authentication logs and internal network traffic for anomalous administrative activity originating from the compromised host.
Total Re-imaging and Credential Wipe: The machine cannot be trusted and must be wiped to bare metal. Every single credential (user, service accounts, domain admin) that was exposed to the compromised machine must be immediately reset globally.
Known aliases
Threat reports may refer to this family under multiple names:
This family has been observed using the following ATT&CK techniques: T1071.001T1056.001T1055
Generated Detections (Boilerplate)
These YARA and Sigma rules are auto-generated based on the family name and aliases. They must be heavily tuned before deployment in a production environment.
It is sold as remote-control/surveillance software by Breaking Security, but MITRE notes it has been observed used in malware campaigns.
What does Remcos do once installed?
It allows remote control, keystroke logging, and exfiltration of data from the infected machine.
How is Remcos distributed?
Predominantly through phishing emails containing malicious documents or archives.
Why is Remcos hard to classify?
It is a dual-use tool: legitimately marketed remote-administration software that is commonly repurposed for malicious access.
How can I reduce the risk from Remcos?
Treat unexpected attachments with caution, keep endpoint protection current, and verify that any remote-access software on your machine was installed intentionally.
Where is the authoritative reference?
MITRE ATT&CK's Remcos entry (S0332), linked on this page.
Related Families (Category: rat)
Explore other malware families in the same category: