February 18, 2026

Remcos Revisited: Inside the RAT’s Evolving Command-and-Control Techniques

Amol Swami, Lat61 Threat Intelligence Team

Summary

Remcos RAT, originally a powerful surveillance and control tool, has become one of the most dangerous threats globally. Its ability to bypass defenses and steal credentials makes it a top priority for cybersecurity teams to detect and mitigate.

Remcos is a Remote Access Trojan (RAT), originally sold as a commercial remote management tool, that threat actors increasingly abuse to gain unauthorized remote control of Windows systems. It provides capabilities such as credential theft, keylogging, screen capture, webcam/microphone control, and persistent command-and-control (C2) access.

📥 Infection Vectors

  • Phishing Emails: Malicious attachments (often disguised as invoices, job offers, or government notices).
  • Compromised Websites: Hosting payloads that download and install Remcos.

⚙️ Key Features of Remcos RAT

  • Remote Control: Full access to the victim’s system, including files, processes, and registry.
  • Surveillance: Keylogging, screen capture, webcam/microphone recording.
  • Persistence: Uses registry modifications and startup tricks to remain active.
  • C2 Communication: Connects to attacker-controlled servers for instructions and data exfiltration.
  • Fileless Attacks: Recent campaigns inject malicious code directly into memory, bypassing Endpoint Detection & Response (EDR) tools.


Evolution of New Remcos Functionalities

The latest Remcos variant has been observed exhibiting a significant change in behaviour compared to previous versions. Instead of stealing and storing data locally on the infected system, this variant establishes direct online command-and-control (C2) communication, enabling real-time access and control. In particular, it leverages the webcam to capture live video streams, allowing attackers to monitor targets remotely. This shift from local data exfiltration to live, online surveillance represents an evolution in Remcos’ capabilities, increasing the risk of immediate espionage and persistent monitoring.

Our Lat61 Threat Intelligence research team has previously covered legacy Remcos variants and their associated behaviours.

Infection Workflow

Figure 1: Infection Workflow.

Technical Details

Malware often uses dynamic API resolution as a stealth and evasion technique. Instead of hardcoding the names of Windows API functions (like CreateFileA, LoadLibrary, etc.), it resolves them at runtime.

APIs are decrypted at runtime to evade static detection, hinder reverse engineering, and dynamically resolve malicious functionality during execution.

Figure 2: Before API decryption.

Figure 3: After API decryption.

The malware checks system access privileges to determine available capabilities, decide on privilege escalation, bypass security controls, and adapt its malicious behavior accordingly.

Certain actions (e.g., writing to protected directories, modifying registry keys, installing persistence mechanisms, or disabling security services) require elevated rights.

Figure 4: Access Privileges check.

Remcos RAT initializes by decrypting its configuration, setting persistence, and dynamically loading APIs to evade detection before establishing command-and-control (C2) communication. Its initialization sequence is designed to hide its true capabilities until runtime, making static analysis more difficult.

Remcos stores its configuration in encrypted or compressed form inside the binary.

Figure 5: Remcos Agent Console.

How Remcos Steals and Exfiltrates Sensitive Data

Remcos is designed to steal sensitive information and provide attackers with persistent remote access to compromised systems. Its stealing capabilities focus on credential harvesting, surveillance, and data exfiltration.

Figure 6: Remcos Identification.

Remcos Key Stealing Capabilities

Credential Theft:

Steals usernames and passwords from web browsers (Chrome, Firefox, Edge, Internet Explorer).

Captures authentication data stored in the Windows Credential Manager.

Keystroke Logging:

Implements keylogging to capture typed data such as passwords, chat messages, and search queries.

Logs keystrokes in real time and forwards them directly to the C2 server.

Screen & Webcam Capture:

Takes screenshots of the desktop at configurable intervals.

Activates the webcam to capture images or live video streams without user awareness.

Clipboard Monitoring:

Monitors clipboard contents to capture copied credentials, cryptocurrency wallet addresses, or sensitive content.

Real-Time Data Exfiltration:

In newer variants, stolen data is exfiltrated directly via online C2 communication, rather than being stored locally, reducing forensic artifacts.

Figure 7: Remcos characteristics.

Remcos includes a geolocation capability that retrieves the infected host’s IP address, which can be used to determine the victim’s approximate geographic region.

Figure 8: Tracing geolocation.

Remcos RAT maintains internal log data to record stolen information and operational activity. The way logs are handled depends on the variant, configuration, and attack strategy.

  1. Keystroke Logs
    • Records user keystrokes captured via its keylogging module.
    • Older variants may temporarily store keystrokes in local log files before exfiltration.
    • Newer variants often send keystrokes directly to the C2 server, minimizing local artifacts.
  2. Screen, Webcam, and Audio Logs
    • Screenshots, webcam captures, or audio recordings may be stored temporarily in hidden directories, or buffered in memory and exfiltrated immediately via C2.
    • File names are often randomized or encrypted.
  3. System Activity Logs
    • Logs system profiling data such as OS version and architecture, username, hostname, installed software, and running processes.
  4. Command Execution Logs
    • Tracks executed commands and task results received from the C2.

During analysis of the new Remcos variant, the malware was observed creating a log file at the following location:

"C:\ProgramData\colors\logs.dat"

Figure 9: Log file.

Why does Remcos encrypt its C2?

Remcos does not store its C2 in plaintext in order to evade static string extraction, signature-based antivirus detection, and easy IOC harvesting.

Instead, it embeds the C2 (IP address and port) in an encrypted byte array, decrypts it only in memory at runtime, and immediately uses it for network API calls.

The code shown implements a byte-wise XOR decryption loop that reconstructs an obfuscated C2 string (172.245.246.77:8080) at runtime. The malware dynamically loads WININET.dll to avoid static imports and uses the decrypted string as its network endpoint for command-and-control communication.

Figure 10: Dynamic C2 domain decryption.
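The analyst-side counterpart of the loop in Figure 10, added here as an example (not code from the Remcos sample or the original post): it brute-forces the single-byte XOR key and recovers the endpoint from a blob, using a ciphertext constructed for this example because the page gives the decrypted string but not the key or the encrypted bytes.

```python
"""Recover a single-byte-XOR-obfuscated C2 endpoint from a configuration blob.

Added example for this write-up, not code from the Remcos sample. The page
shows the decrypted string (172.245.246.77:8080) but not the key or the
encrypted bytes, so the blob below was CONSTRUCTED by XOR-ing that string
with a key picked for the example (0x5A) and padding it with junk bytes.
"""
import re

# Constructed ciphertext: two junk bytes, the XOR-ed endpoint, one junk byte.
ENCRYPTED_BLOB = bytes.fromhex("0000" "6b6d6874686e6f74686e6c746d6d60626a626a" "00")

# Shape a dotted-quad:port endpoint must have once correctly decoded.
ENDPOINT_RE = re.compile(rb"(\d{1,3}(?:\.\d{1,3}){3}):(\d{1,5})")


def xor_decode(data: bytes, key: int) -> bytes:
    """Byte-wise XOR with one key byte, the same loop shape as in Figure 10."""
    return bytes(b ^ key for b in data)


def is_valid_endpoint(ip: bytes, port: bytes) -> bool:
    """Drop regex hits whose octets or port are out of range."""
    octets = [int(o) for o in ip.split(b".")]
    return all(o <= 255 for o in octets) and 1 <= int(port) <= 65535


def find_xor_endpoints(blob: bytes) -> list:
    """Try all 256 single-byte keys and return (key, 'ip:port') for each plausible hit.

    The rigid dotted-quad structure means only the right key survives the regex
    plus range check, so no prior knowledge of the key is needed.
    """
    hits = []
    for key in range(256):
        decoded = xor_decode(blob, key)
        for m in ENDPOINT_RE.finditer(decoded):
            ip, port = m.group(1), m.group(2)
            if is_valid_endpoint(ip, port):
                hits.append((key, (ip + b":" + port).decode("ascii")))
    return hits


if __name__ == "__main__":
    for key, endpoint in find_xor_endpoints(ENCRYPTED_BLOB):
        print(f"key=0x{key:02x} endpoint={endpoint}")
```

On a real sample the blob would be the byte array carved from the binary or dumped from memory; the same search also works for other XOR-obfuscated strings if the regex is swapped for the expected shape.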

The online keylogger leverages the same structural design as its offline counterpart; however, rather than persisting captured keystrokes to disk, it transmits the data in real time to the command‑and‑control (C2) server, enabling immediate exfiltration and eliminating the need for local storage.

Each keystroke intercepted by the online keylogger is encapsulated into a structured, network‑ready payload and transmitted through the malware’s communication channel in real time, allowing the attacker to continuously monitor user activity while avoiding the creation of forensic artifacts on the victim’s filesystem.

Figure 11: Online keylogger initialized.

The malware hooks input events to capture user-entered data and streams the collected content directly to its C2 infrastructure for immediate exfiltration.

Figure 12: Captured browser input.

Remcos does not embed its webcam recording functionality in its main executable. Instead, it relies on an external module delivered as a Dynamic Link Library (DLL), which the malware retrieves from the command‑and‑control (C2) server when the attacker requests webcam access.

Figure 13: Webcam Capture Module Initialization.

Upon receiving a webcam-related command, Remcos performs the following steps internally:

The malware establishes a connection to the C2 server using its existing communication channel (typically over HTTP via WinINet). It then downloads the DLL payload into memory or saves it temporarily to disk, depending on the variant and configuration.

Instead of statically linking webcam functionality, Remcos loads the downloaded module at runtime using Windows API functions such as LoadLibrary.

After the DLL is loaded, Remcos resolves specific exported functions using GetProcAddress. These functions implement webcam-related operations such as:

  • Initializing the video capture device,
  • Capturing frames or video streams,
  • Encoding or compressing the captured data,
  • Returning the recorded output to the main Remcos process.

The main Remcos process invokes the exported webcam routine from the DLL. The module then interacts with Windows multimedia APIs to access the system’s camera device and collect video or image data.

The recorded webcam output is passed back to the core Remcos process or directly transmitted by the module itself to the C2 server. The data is typically sent in chunks over the existing encrypted or obfuscated C2 channel.

FoxMailRecovery is typically the name of an exported function inside a credential-recovery plugin DLL.

Figure 14: Loading additional DLL.

The following code snippet matches the way Remcos constructs and sends command messages to its C2 server, specifically using a text-based command format. In Remcos, commands and responses are often wrapped inside string tokens (for example: /text "…") before being transmitted.

When invoked with the /sext option, the malware writes execution results to a temporary file with a randomly generated name in its working directory. The stored data is subsequently retrieved and exfiltrated to the C2 server, after which the file is deleted to minimize on-disk traces.

Figure 15: Steal command.

How Remcos does Persistence

Remcos establishes persistence so that it is relaunched automatically after a system reboot or user logon. It supports several persistence mechanisms, chosen based on its configuration and privileges.

Remcos creates a named mutex (Rmc-GSEGIF) to:

  • Prevent multiple instances from running
  • Ensure only the persistent copy stays active

This supports persistence stability rather than startup persistence directly.

Figure 16: Remcos Persistence.

How Remcos Performs Cleanup

After exfiltrating sensitive information, Remcos performs a clean-up routine by deleting browser cookies and stored browsing data. This tactic removes traces of its activity, disrupts forensic analysis, and diminishes evidence of credential theft or session hijacking, ultimately making it more difficult for investigators or victims to determine what information was compromised.

Remcos deletes all the recording files (keylogging, screenshots, and audio recordings).

Figure 17: Clears cookies and browser data.

Figure 18: Deletes files and folders.

After completing its data theft and clean-up routines, Remcos removes the registry keys it previously created for persistence. By deleting these auto‑run entries, the malware attempts to erase evidence of how it maintained long‑term access, making forensic analysis and remediation more difficult.

Figure 19: Delete Persistence.

Finally, the malware removes its installation artifacts by generating and executing a temporary Visual Basic script update.vbs in the %TEMP% directory using a randomly generated filename. This script deletes the original files, after which the malware terminates its own process.

Figure 20: Update.vbs added in the temp folder.

Below is the generated script with comments.

The script creates a FileSystemObject and loops while the specified file still exists:

  •  Set fso = CreateObject("Scripting.FileSystemObject")

Figure 21: Creates FileSystemObject.

It then creates a WScript.Shell object to run a command through the command prompt, and finally creates a FileSystemObject to delete the script itself:

  •  CreateObject("WScript.Shell").Run "cmd /c \"\""
  •  CreateObject("Scripting.FileSystemObject").DeleteFile(Wscript.ScriptFullName)

Figure 22: FileSystemObject deletes the script itself.

Remcos Network Interaction with C2 Servers

Remcos initiates outbound connections to its command-and-control (C2) infrastructure (either hardcoded or decrypted at runtime) over HTTP or TCP. It regularly sends beacon signals to request instructions, processes remote commands, and exfiltrates stolen data such as keystrokes and credentials. The transfer occurs through a custom protocol that is encrypted or obfuscated, deliberately crafted to resemble normal web traffic and thereby evade detection.

Figure 23: Network Interaction with C2 Servers.

How Can Remcos RAT be Removed?

  1. Reboot into Safe Mode with Networking.
  2. Use UltraAV antivirus to delete the malicious files.

UltraAV detects this sample as Trojan.W32.111125.Remcos.YR.

Figure 24: Threat Detection Name.

MITRE ATT&CK

ID | Technique | Description
T1123 | Audio Capture | Captures data from the system’s microphone.
T1027 | Obfuscated Files or Information: Dynamic API Resolution | Resolves API functions at runtime instead of declaring them in the import table to hinder analysis and detection.
T1547.001 | Registry Run Keys | Remcos can add itself to the Registry Run key for persistence.
T1115 | Clipboard Data | Steals and copies data from the clipboard.
T1056.001 | Input Capture: Keylogging | Remcos has a command for keylogging.
T1113 | Screen Capture | Takes automated screenshots of the infected machine.
T1125 | Video Capture | Remcos can access a system’s webcam and take pictures.
T1055 | Process Injection | Remcos has a command to hide itself by injecting into another process.

Conclusion

The latest Remcos variants demonstrate a continued evolution in both stealth and functionality. These newer builds employ stronger obfuscation, runtime decryption of configuration data, and modular plugin-based capabilities to hinder static analysis and detection. Enhanced command-and-control mechanisms, dynamic DLL loading for extended features such as credential theft and webcam access, and improved cleanup routines further indicate an emphasis on evasion and operational flexibility. Overall, the persistence of Remcos and the steady refinement of its techniques highlight its ongoing effectiveness as a remote access trojan.

Indicators of compromise

MD5: c748c6a74389e4c48f9a34acba1ff093
Mutex: Rmc-GSEGIF
C2 endpoint (IP:port): 172.245.246.77:8080
File artifact: C:\ProgramData\colors\logs.dat
