Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

ID: S0332
Type: TOOL
Platforms: Windows
Version: 1.4
Created: 29 January 2019
Last Modified: 23 April 2026

Techniques Used

Domain ID Name Use
Enterprise T1548 .002 Abuse Elevation Control Mechanism: Bypass User Account Control

Remcos has a command for UAC bypassing.[3]

Enterprise T1010 Application Window Discovery

Remcos can list all windows on victim systems.[4]

Enterprise T1560 .001 Archive Collected Data: Archive via Utility

Remcos can zip files and folders for upload.[4]

Enterprise T1123 Audio Capture

Remcos can capture data from the system’s microphone.[3][4]

Enterprise T1547 .001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder

Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence.[3]

Enterprise T1115 Clipboard Data

Remcos steals and modifies data from the clipboard.[1][4]

Enterprise T1059 .003 Command and Scripting Interpreter: Windows Command Shell

Remcos can launch a remote command line to execute commands on the victim’s machine.[3][4]

Enterprise T1059 .005 Command and Scripting Interpreter: Visual Basic

Remcos can execute VBS remotely.[4]

Enterprise T1059 .006 Command and Scripting Interpreter: Python

Remcos uses Python scripts.[1]

Enterprise T1059 .007 Command and Scripting Interpreter: JavaScript

Remcos has the ability to execute JavaScript remotely.[4]

Enterprise T1543 .003 Create or Modify System Process: Windows Service

Remcos can terminate, suspend, and resume a process by PID.[4]

Enterprise T1132 .001 Data Encoding: Standard Encoding

Remcos can serialize collected data with Protobuf.[5]

Enterprise T1491 .001 Defacement: Internal Defacement

Remcos has the ability to modify the desktop wallpaper.[4]

Enterprise T1568 Dynamic Resolution

Remcos has used dynamic DNS domains in C2 communications.[5]

Enterprise T1573 .002 Encrypted Channel: Asymmetric Cryptography

Remcos can use TLS to encrypt C2 communication.[4]

Enterprise T1083 File and Directory Discovery

Remcos can search for files on the infected machine.[1][4]

Enterprise T1564 Hide Artifacts

Remcos can modify file attributes to hide the file.[4]

Enterprise T1564 .003 Hide Artifacts: Hidden Window

Remcos can set ProcessWindowStyle.Hidden to hide windows.[5]

Enterprise T1070 Indicator Removal

Remcos can clean saved cookies and logins from the web browser.[4]

Enterprise T1070 .004 Indicator Removal: File Deletion

Remcos can delete files and folders from victim machines.[4]

Enterprise T1105 Ingress Tool Transfer

Remcos can upload and download files to and from the victim’s machine.[1][4]

Enterprise T1056 .001 Input Capture: Keylogging

Remcos has a command for keylogging.[3][2]

Enterprise T1112 Modify Registry

Remcos has full control of the Registry, including the ability to modify it.[1][4]

Enterprise T1027 Obfuscated Files or Information

Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths.[2] Remcos can also employ control flow flattening to hinder analysis.[5]

Enterprise T1027 .013 Obfuscated Files or Information: Encrypted/Encoded File

Remcos can use string encryption to hinder analysis.[4]

Enterprise T1566 .001 Phishing: Spearphishing Attachment

Remcos has been spread through emails containing malicious documents.[4]

Enterprise T1057 Process Discovery

Remcos can discover running processes on compromised machines.[4]

Enterprise T1055 Process Injection

Remcos has a command to hide itself by injecting into another process.[3]

Enterprise T1090 Proxy

Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying.[1][4]

Enterprise T1012 Query Registry

Remcos can obtain Registry data from targeted systems.[4]

Enterprise T1113 Screen Capture

Remcos takes automated screenshots of the infected machine.[1][4]

Enterprise T1082 System Information Discovery

Remcos can collect the OS version and process architecture of compromised hosts.[4]

Enterprise T1614 System Location Discovery

Remcos can identify the location of targeted devices.[4]

Enterprise T1033 System Owner/User Discovery

Remcos can enumerate the username on targeted hosts.[4]

Enterprise T1529 System Shutdown/Reboot

Remcos can shut down and restart remote devices.[4]

Enterprise T1204 .002 User Execution: Malicious File

Remcos has been executed by luring victims into opening malicious email attachments including Excel files.[4]

Enterprise T1125 Video Capture

Remcos can access a system’s webcam and take pictures.[3]

Enterprise T1497 .001 Virtualization/Sandbox Evasion: System Checks

Remcos searches for Sandboxie and VMware on the system.[2]

Groups That Use This Software

ID Name References
G0140 LazyScripter

LazyScripter dropped Remcos during operations.[6]

G0047 Gamaredon Group

Gamaredon Group used Remcos during operations.[7]

G0099 APT-C-36

APT-C-36 used Remcos during operations.[5][8][9][10]

G0078 Gorgon Group

Gorgon Group has used Remcos as the final payload during operations.[11]

Campaigns

ID Name Description
C0005 Operation Spalax

During Operation Spalax, the threat actors obtained Remcos to use in operations.[12]

References