#RemcosRat

2025-06-04

Remcos RAT Delivered via MSHTA and PowerShell in Fileless Malware Campaign

Hashes (SHA256) are commonly used to identify people who are at risk of falling into a relationship with a different party or organisation, and their potential impact on their respective social status is revealed.

Pulse ID: 6840214f09754e0950515733
Pulse Link: otx.alienvault.com/pulse/68402
Pulse Author: cryptocti
Created: 2025-06-04 10:34:55

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #InfoSec #Malware #OTX #OpenThreatExchange #PowerShell #RAT #Remcos #RemcosRAT #bot #cryptocti

2025-05-15

⚠️ Watch out for ZIP and shortcut files on #Windows as attackers are using fake PDF icons to trick users into installing #Remcos trojan and take over computers.

Read: hackread.com/fileless-remcos-r

#CyberSecurity #Windows #Malware #RemcosRAT

#MalspamMonday

Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.

Today, I found an example of #GuLoader for #Remcos #RAT

Details at github.com/malware-traffic/ind

#RemcosRAT #malspam

Screenshot of the email with the malicious attachment containing GuLoader for Remcos RAT.

Traffic from the infection by GuLoader for Remcos RAT filtered in Wireshark. The Remcos RAT C2 server for HTTPS traffic over TCP port 9090 uses a self-signed certificate.
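As an added detection example (my own code, not from the post above or from malware-traffic-analysis.net): the observation that the C2 session was HTTPS-style traffic on TCP 9090 presenting a self-signed certificate is the kind of pattern a rule over TLS connection logs can surface. The JSON-lines record shape below is a constructed one of my own, not a real sensor schema, and the sample lines are constructed to include one connection matching that observation, one harmless internal self-signed service, and two CA-signed sessions; TEST-NET addresses stand in for external hosts.

```python
import json
from ipaddress import ip_address, ip_network

# Constructed TLS-connection records (my own field names, not a Zeek/Suricata schema).
# Line 3 mimics the post's observation: a self-signed cert on TCP 9090 to an external host.
SAMPLE_TLS_LOG = """\
{"ts":"2025-03-10T14:02:11Z","src_ip":"10.0.0.12","dst_ip":"203.0.113.10","dst_port":443,"sni":"www.example.com","issuer":"CN=Example Root CA","subject":"CN=www.example.com"}
{"ts":"2025-03-10T14:02:19Z","src_ip":"10.0.0.12","dst_ip":"10.0.0.5","dst_port":8443,"sni":"","issuer":"CN=internal-mgmt","subject":"CN=internal-mgmt"}
{"ts":"2025-03-10T14:03:02Z","src_ip":"10.0.0.12","dst_ip":"198.51.100.23","dst_port":9090,"sni":"","issuer":"CN=localhost","subject":"CN=localhost"}
{"ts":"2025-03-10T14:03:40Z","src_ip":"10.0.0.12","dst_ip":"203.0.113.44","dst_port":9090,"sni":"api.example.net","issuer":"CN=Example Root CA","subject":"CN=api.example.net"}
"""

# Ports where a self-signed cert from an internal appliance is routine noise.
STANDARD_TLS_PORTS = {443, 8443}

# RFC 1918 ranges only; the ipaddress module's is_private also covers TEST-NET
# documentation ranges, which would wrongly classify our constructed external hosts.
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]


def is_internal(ip: str) -> bool:
    addr = ip_address(ip)
    return any(addr in net for net in INTERNAL_NETS)


def is_self_signed(rec: dict) -> bool:
    # A self-signed certificate presents the same distinguished name as issuer and subject.
    return rec["issuer"] == rec["subject"]


def flag_tls_record(rec: dict) -> list[str]:
    """Return the reasons a record deserves analyst attention (empty list if none)."""
    reasons = []
    self_signed = is_self_signed(rec)
    external = not is_internal(rec["dst_ip"])
    nonstandard_port = rec["dst_port"] not in STANDARD_TLS_PORTS
    if self_signed and external and nonstandard_port:
        reasons.append("self-signed cert to external host on non-standard TLS port")
    if self_signed and external and not rec["sni"]:
        reasons.append("self-signed cert to external host with no SNI")
    return reasons


def scan_tls_log(text: str) -> list[dict]:
    """Run the rule over every JSON line and collect the hits."""
    hits = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = flag_tls_record(rec)
        if reasons:
            hits.append({
                "ts": rec["ts"],
                "dst": f'{rec["dst_ip"]}:{rec["dst_port"]}',
                "reasons": reasons,
            })
    return hits


if __name__ == "__main__":
    for hit in scan_tls_log(SAMPLE_TLS_LOG):
        print(hit)
```

The rule deliberately needs both conditions (self-signed and external) before the port matters, so an internal management interface on 8443 with its own certificate is not flagged while the 9090 session to an outside host is, with the missing SNI recorded as a second, independent reason.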

Social media post I wrote about #RemcosRAT for my employer at linkedin.com/posts/unit42_remc and x.com/malware_traffic/status/1

2025-03-10 (Monday): #Remcos #RAT activity. Email distribution used a zip archive attachment with a .7z file extension. During a test infection, we saw indicators of a #Keylogger and a Hacking tool to view browser passwords.

More info at github.com/PaloAltoNetworks/Un

A #pcap of the infection traffic and the associated #malware files are available at malware-traffic-analysis.net/2

Screenshot of the email distributing Remcos RAT, focusing on the attached archive and its contents.

Traffic from the Remcos RAT infection filtered in Wireshark. It shows information about the infected Windows host, and it also shows a Windows EXE sent over the C2 traffic. The Windows EXE is a hacker tool to view browser passwords.

Location of a text file for an offline keylogger. The image shows the beginning of the contents of this keylogger data file.

This infection was persistent through copies of the initial malware saved to the AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup directory. This image also shows a Windows Registry update caused by the Remcos RAT infection.

D3Lab
2024-11-25

🚨 Warning: malware campaign in Italy 🚨
"Fattura Energia" ("Energy Invoice") lures distribute the RAT trojan 🐁

⚠️ IoC:
- MD5 66e9e95985918197cabcedecef2d981d
- C2: 5nd42h78s[.]duckdns[.]org

Anonymous 🐈️🐾☕🍵🏴🇵🇸 :af: youranonriots@kolektiva.social
2024-11-11

Cybersecurity researchers have discovered a new phishing campaign that spreads a new fileless variant of known commercial malware called #RemcosRAT. #malware #phishing #CyberSecurity thehackernews.com/2024/11/cybe

D3Lab
2024-08-23

Campaigns Week 34

🔥☠️💣👻
: Invoice
: Delivery
: Quote
: Bank
: Invoice
: Payment
: Bank
: Central Police Hearing
: Payment via PEC
: Telecom

D3Lab
2024-08-16

Campaigns Week 33

🔥☠️💣👻
: Payment Error
: Bank Form
: Government Revenue Invoice
: Purchase Order
: Contract Proposal
: Quote

D3Lab
2024-08-09

Campaigns Week 32
🔥☠️💣👻

: Summons
: Order
: Bank Form
: Document
: Prices
: Quote
: Payment
: Order
: Quotation
: Payment
: Document

D3Lab
2024-08-02

Campaigns Week 31

👻🔥💣☠️
: Quote
: Bank Payment
: Account Statement
: Order
: Invoice
: Delivery
- : Malware APK

2024-07-18

Found this user on the @internetarchive hosting images with embedded base64 encoded #malware between <<BASE64_START>> and <<BASE64_END>> flags. The malware is used to download an inject the next stage payload into another process. The campaign I observed involved #RemcosRAT

User page: archive.org/details/@nodetecto
Remcos: hxxps://petshopsirena[.]mk/a.txt
#c2 : 45.95.169[.]135:2404

I found samples dropping others such as #agenttesla and #formbook as well.

#infosec #threatintel
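An added triage example, not part of the post above: a helper that scans a file for the <<BASE64_START>> and <<BASE64_END>> markers the post describes, base64-decodes whatever sits between them, and reports the decoded size, its SHA256, and whether the bytes begin with the PE "MZ" magic, so an analyst can pull an embedded stage out of a suspicious image for offline analysis without running anything. Only the two marker strings come from the post; the carrier bytes, the fake payload and every function name are constructed for this example.

```python
import base64
import binascii
import hashlib
import re

# The two marker strings are the ones quoted in the post; everything else is constructed.
START_MARKER = b"<<BASE64_START>>"
END_MARKER = b"<<BASE64_END>>"
MARKER_RE = re.compile(re.escape(START_MARKER) + rb"(.*?)" + re.escape(END_MARKER), re.DOTALL)


def extract_embedded_payloads(blob: bytes) -> list[dict]:
    """Return triage metadata for every marker-delimited base64 span found in `blob`."""
    findings = []
    for match in MARKER_RE.finditer(blob):
        # Base64 stored in a file is often line-wrapped; strict decoding rejects
        # whitespace, so drop it before decoding.
        compact = re.sub(rb"\s+", b"", match.group(1))
        try:
            decoded = base64.b64decode(compact, validate=True)
        except (binascii.Error, ValueError):
            # Markers present but contents are not valid base64: still worth noting.
            findings.append({"offset": match.start(), "decoded": False, "size": 0})
            continue
        findings.append({
            "offset": match.start(),
            "decoded": True,
            "size": len(decoded),
            "sha256": hashlib.sha256(decoded).hexdigest(),
            # A DOS/PE executable starts with the two-byte magic "MZ".
            "is_pe": decoded.startswith(b"MZ"),
        })
    return findings


def build_sample_image() -> bytes:
    """Constructed stand-in for a carrier image: JPEG-like framing around one marked span."""
    # Constructed fake stage: a PE magic followed by filler, not a real binary.
    fake_stage = b"MZ\x90\x00" + b"CONSTRUCTED-SAMPLE-NOT-A-REAL-BINARY" * 4
    encoded = base64.b64encode(fake_stage)
    # Wrap at 64 columns to exercise the whitespace-stripping path.
    wrapped = b"\n".join(encoded[i:i + 64] for i in range(0, len(encoded), 64))
    return (b"\xff\xd8\xff\xe0" + b"constructed JFIF-ish filler " * 3
            + START_MARKER + b"\n" + wrapped + b"\n" + END_MARKER
            + b"\xff\xd9")


if __name__ == "__main__":
    for finding in extract_embedded_payloads(build_sample_image()):
        print(finding)
```

Because the regex is non-greedy and runs over raw bytes, a file carrying several marked spans yields one finding each, and a file with no markers yields an empty list; the hash of each decoded span is what you would then look up or submit to a sandbox.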

Germán Fernández :verified: 1ZRR4H@infosec.exchange
2024-06-06

🚩 Active #RemcosRAT campaign is distributed via GitHub through abuse of comments in legitimate repositories.

Some malicious links:
- https://github[.]com/ustaxes/UsTaxes/files/15421286/2022and2023TaxDocuments[.]zip
- https://github[.]com/ustaxes/UsTaxes/files/15419438/2023TaxDocuments[.]zip
- https://github[.]com/PolicyEngine/policyengine-us/files/15487603/2023.TAX.ORGANIZER.pdf[.]zip
- https://github[.]com/hmrc/claim-tax-refund/files/15487332/TaxrefundlistPDF[.]zip

They also got creative and registered the user "user-attachments" on GitHub 😄
- https://github[.]com/user-attachments/files/15592343/Rachel.Completed.Organizer.Season.TAX.2023[.]zip

Remcos C2 servers:
- pattreon.duckdns[.]org:7035
- deytrycooldown.duckdns[.]org:7070
- newlink.duckdns[.]org:5111
* Botnet: RemoteHost

REF: bleepingcomputer.com/news/secu

D3Lab
2024-05-31

Campaigns Week 22

☠️🔥👻💣

: Purchase Order
: Quote
: Payment
: APK Bank
: Contract
: Invoice

D3Lab
2024-05-24

Campaigns Week 21
☠️🔥👻💣
: Draft Contract
: Order
: Invoice
: Order
: Price List
: Contract
: Delivery
: Documentation
: Change of Course

D3Lab
2024-05-17

Campaigns Week 20

☠️🔥💣👻
: Draft Contract
: Order
: Payment
: Contract
: APK Bank
: Documents
: Invoice
: Delivery
: Order

D3Lab
2024-05-10

Campaigns Week 19

☠️🔥👻💣
: Documents
: Order
: Bank
: Quote
: Order

2024-04-17

The Computer Emergency Response Team of Ukraine (CERT-UA) reports that the threat actor group UAC-0184 is increasingly using popular messengers and social engineering in 2024 to target the Ukrainian military, and steal documents/messenger data (e.g. Signal). Malware delivered include IDAT, RemcosRAT, VIOTTOKEYLOGGER, XWorm, SIGTOP and TUSC. A lot of IOC provided, and images depict infection chains or lure messages. 🔗 (Ukrainian language) cert.gov.ua/article/6278521

#CERTUA #UAC0184 #Ukraine #cyberespionage #threatintel #IOC #RemcosRAT #IDAT #xworm

2024-04-08

Fortinet reports on a recent phishing campaign containing Scalable Vector Graphics (SVG) files. The malicious attachment downloads a ZIP file and begins the infection chain. ScrubCrypt, described as an "antivirus evasion tool", is used to load the final payload VenomRAT while maintaining a connection with the C2 server to install plugins like XWorm, NanoCore, RemcosRAT and a crypto wallet stealer. They provide detailed insights into how the threat actor distributes VenomRAT and other plugins. IOC listed. 🔗 fortinet.com/blog/threat-resea

#ScrubCrypt #VenomRAT #RemcosRAT #XWorm #NanoCore #threatintel #IOC

2024-03-20

ESET Research reports that AceCryptor use surged in the second half of 2023. This included Remcos RAT campaigns for the first time, using compromised accounts for credibility in phishing emails. AceCryptor + Remcos campaigns targeted Poland, Bulgaria, Spain, and Serbia. Campaigns were described, MITRE ATT&CK TTPs and IOC provided. 🔗 welivesecurity.com/en/eset-res

#AceCryptor #threatintel #IOC #Remcos #RemcosRAT #VidarStealer #Stopransomware #SmokeLoader
