Overview
Remcos (Remote Control and Surveillance) is a commercial remote administration tool developed and sold by the Germany-based company Breaking Security. Although marketed as a legitimate IT management solution, Remcos has been widely adopted by cybercriminals and advanced persistent threat (APT) groups since its emergence in mid-2016. Its low cost, frequent updates, and extensive feature set have made it one of the most prevalent RATs in the threat landscape. Remcos consistently ranks among the top malware families tracked by threat intelligence platforms, appearing in campaigns targeting organizations across finance, government, healthcare, and manufacturing sectors worldwide.
Capabilities
Remcos provides comprehensive remote control over infected systems. Key capabilities include real-time desktop surveillance and screen capture, keylogging with clipboard monitoring, webcam and microphone recording, file system browsing and exfiltration, registry manipulation and persistence establishment, credential harvesting from browsers and email clients, process and service management, and reverse proxy and SOCKS tunneling. The RAT communicates over encrypted TCP or TLS channels and supports dynamic DNS for command-and-control infrastructure. Its modular plugin architecture allows operators to extend functionality post-deployment.
Distribution Methods
Remcos is predominantly delivered through phishing emails carrying weaponized Office documents or compressed archive attachments. Common delivery chains include macro-enabled Excel and Word files, ISO/IMG disk images bypassing Mark-of-the-Web protections, and LNK shortcut files that invoke PowerShell downloaders. Threat actors frequently use commodity loaders such as GuLoader and DBatLoader to deploy Remcos in memory, evading disk-based detection. Business email compromise (BEC) lures mimicking invoices, shipping notifications, and purchase orders are the most common social engineering themes.
Notable Campaigns
Remcos has featured in campaigns attributed to multiple threat groups. UAC-0050 and other Ukrainian-conflict-related actors have used it extensively for espionage operations. In 2023-2024, large-scale phishing campaigns leveraged tax-themed lures to deliver Remcos across Europe and the Americas. The Gorgon Group (APT) has historically relied on Remcos for targeting government entities in South Asia. Throughout 2025, Remcos remained a fixture in crimeware-as-a-service ecosystems, with operators offering pre-configured builders on underground forums.
Detection & Mitigation
Detection strategies include monitoring for known Remcos mutex patterns (e.g., “Remcos_Mutex_Inj” or custom variants), identifying characteristic registry Run key persistence under HKCU, and flagging encrypted C2 traffic on non-standard ports. YARA rules targeting Remcos string artifacts and PE resource sections are widely available. Network-level indicators include distinctive TLS certificate patterns and DNS queries to dynamic DNS providers. Mitigation measures include disabling Office macros for untrusted documents, enforcing application whitelisting, deploying endpoint detection and response (EDR) solutions, and applying restrictive PowerShell execution policies.
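As an added example (not code from the source profile or from any vendor tooling), the following Python sketch applies the host and network indicators listed above to constructed, Sysmon-like records and ranks each host by how many distinct indicator classes it triggers, so a single non-standard port alone stays low-confidence. The record shape, the Run-key path forms, the dynamic DNS watchlist and the "standard port" baseline are assumptions made for illustration.

```python
"""Rank hosts by Remcos-style indicators from this profile: mutex name,
HKCU Run-key persistence, TCP to non-standard ports, dynamic DNS lookups.
Records are constructed, Sysmon-like dicts (assumed shape, not real telemetry)."""
import re
from collections import defaultdict

# Default mutex "Remcos_Mutex_Inj" plus operator-renamed variants keeping the prefix.
MUTEX_RE = re.compile(r"^remcos[_-]mutex", re.IGNORECASE)
# Sysmon (EID 13) writes HKCU as HKU\<SID>; accept either spelling (assumption).
RUN_KEY_RE = re.compile(
    r"^(HKCU|HKU\\S-1-5-21-[\d-]+)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?\\",
    re.IGNORECASE,
)
DDNS_SUFFIXES = tuple("." + d for d in ("duckdns.org", "no-ip.org", "ddns.net", "hopto.org"))  # assumed watchlist
STANDARD_PORTS = {80, 443, 53, 25, 465, 587, 993, 995}  # assumed outbound baseline


def classify(rec):
    """Return an indicator label for one record, or None when it looks benign."""
    kind, port = rec.get("type"), rec.get("dst_port")
    if kind == "mutex" and MUTEX_RE.search(rec.get("name", "")):
        return "remcos_mutex"
    if kind == "registry_set" and RUN_KEY_RE.match(rec.get("target", "")):
        return "hkcu_run_persistence"
    if kind == "network" and rec.get("proto") == "tcp" and port and port not in STANDARD_PORTS:
        return "tcp_nonstandard_port"
    if kind == "dns" and rec.get("query", "").lower().endswith(DDNS_SUFFIXES):
        return "dynamic_dns_query"
    return None


def score_hosts(records):
    """Group hits per host: 2+ distinct indicator classes -> 'high', one -> 'low'."""
    hits = defaultdict(set)
    for rec in records:
        label = classify(rec)
        if label:
            hits[rec["host"]].add(label)
    return {h: ("high" if len(s) >= 2 else "low") for h, s in hits.items()}


# Constructed sample telemetry (not real IoCs); ws03 is a benign HKLM control case.
SAMPLE = [
    {"host": "ws01", "type": "mutex", "name": "Remcos_Mutex_Inj"},
    {"host": "ws01", "type": "registry_set",
     "target": r"HKU\S-1-5-21-111-222-333-1001\Software\Microsoft\Windows\CurrentVersion\Run\Updater"},
    {"host": "ws01", "type": "network", "proto": "tcp", "dst_port": 2404},
    {"host": "ws02", "type": "network", "proto": "tcp", "dst_port": 443},
    {"host": "ws02", "type": "dns", "query": "cdn-assets.duckdns.org"},
    {"host": "ws03", "type": "registry_set",
     "target": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
]
```

Running `score_hosts(SAMPLE)` yields ws01 as "high" (three indicator classes), ws02 as "low" (dynamic DNS only) and no entry for ws03, whose HKLM Run key does not match the HKCU pattern the profile describes.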