{
	"id": "d9bee9a3-72f4-4aea-b9d3-332c19f21dcd",
	"created_at": "2026-04-06T00:07:58.156274Z",
	"updated_at": "2026-04-10T03:30:57.293213Z",
	"deleted_at": null,
	"sha1_hash": "388f8ac136cabd8b60e368cf95692d8d300a1a09",
	"title": "Remcos RAT Operations: How Attackers Gain and Maintain Control",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1712588,
	"plain_text": "Remcos RAT Operations: How Attackers Gain and Maintain Control\r\nPublished: 2026-03-05 · Archived: 2026-04-05 20:16:30 UTC\r\nMarch 5, 2026\r\n3:27 pm\r\nMalware Analysis\r\nRemcos in a nutshell\r\nRemcos is a Windows remote access trojan (RAT) that was originally sold as a legitimate tool for remote administration and management, but it has been widely abused by cybercriminals and threat groups in phishing and malware campaigns to infect systems across many sectors, including government, healthcare, financial services, banking, and other critical industries.\r\nRemcos gives attackers full remote control over an infected system, allowing them to execute commands, manage files, capture keystrokes and screenshots, record audio and video, and steal stored credentials. Because of these capabilities and its persistence, Remcos is often used not only for espionage or system takeover but also for financially driven objectives: attackers can covertly collect sensitive data such as login credentials, banking details, and other personal or business information and then use it to take over accounts, commit fraud, perform unauthorized transactions, steal money, or sell the stolen information for profit.\r\nhttps://www.egfincirt.org.eg/remcos-rat-operations-how-attackers-gain-and-maintain-control/\r\nPage 1 of 18\r\nInfection flow\r\nThe initial stage of the infection chain was first observed on 2025-12-16 (UTC) according to VirusTotal. The sample is a malicious JavaScript (JS) file with a size of 8.84 MB.\r\nSHA256: e0a69eff836709cbefee1079d647d50d55f558e5f8c7bf18a8056361cd5116f3\r\nDetection Ratio: 20/63 at the time of analysis\r\nFigure (1) - Sample on VirusTotal\r\nThe analyzed sample is heavily obfuscated JavaScript that drops and executes multi-stage payloads. 
Below, a diagram shows these stages.\r\nFigure (2) - Infection Flow\r\nStage 1 - Analysis of obfuscated JavaScript\r\nThe first stage of the infection chain is implemented in a large JavaScript file that is highly obfuscated and mainly contains junk, unused variables, and functions that do not affect execution.\r\nOne noticeable technique is the repeated concatenation of the same unclear string to a single variable many times, which intentionally increases the script size and hides the real payload inside a large amount of repetitive data.\r\nFigure (3) - Obfuscated JS\r\nIn addition, it hides meaningful strings inside large arrays and retrieves them dynamically at runtime using helper functions with calculated indexes, and it uses confusing execution structures, including unnecessary loops and arithmetic expressions. It also defines several functions that appear to move execution forward or backward, as well as unused prototypes that are never actually invoked.\r\nAfter deobfuscation, the script first checks whether a specific file with a random-looking name already exists under C:\\Users\\Public\\Libraries\\.\r\nIf the file does not exist, the malware copies itself into that directory and then, to maintain persistence, creates a scheduled task using the schtasks utility.\r\nThis causes the script to be executed every 10 minutes, guaranteeing re-execution even after a reboot. 
The task is created via cmd.exe and launched using WScript.Shell.Run, which is a common LOLBins-based persistence technique where attackers abuse legitimate Windows binaries or scripts (“Living off the Land Binaries”) to perform malicious actions without dropping new executables, helping them evade security detection.\r\nFigure (4) - Clean JS\r\nThe script then drops three files in the same directory: C:\\Users\\Public\\Libraries\\. Each file is reconstructed from obfuscated data: the strings are reversed, cleaned of special characters (~, !, #, $, %, ^, \u0026, *, \u003e), and written to disk using ADODB.Stream.\r\nThe decoding process can be reproduced in CyberChef using a recipe that reverses the string and removes the unwanted characters.\r\nThe dropped files are as follows:\r\nDropped file 1\r\nFilename: WTZTFTBNJIPTWLHJTGXIXAYZECKKCFKKMBWVLGGVHQGONDHQVYLZUJN\r\nHash: 6bed90bbdb00ffb3704410c6a7b16751cd8fdc100acf47130783477750c33c8b\r\nDescription: obfuscated Lua script; executed by the loader as a command-line argument\r\nDropped file 2\r\nFilename: WTZTFTBNJIPTWLHJTGXIXAYZECKKCFKKMBWVLGGVHQGONDHQVYLZUJN.exe\r\nHash: 5343326fb0b4f79c32276f08ffcc36bd88cde23aa19962bd1e8d8b80f5d33953\r\nDescription: LuaJIT-based loader; executed first and receives the Lua script as input\r\nDropped file 3\r\nFilename: lua51.dll\r\nDescription: LuaJIT runtime library used by the loader to execute the Lua script\r\nStage 2 - Lua\r\nThis stage is written in Lua, a lightweight, high-level scripting language designed for embedded use. 
Lua is famous for its simplicity, speed, and flexibility, and is commonly employed for scripting, automation, and integration into other applications thanks to its compact footprint and efficient performance.\r\nAnalysis of the script shows it is an obfuscated LuaJIT-based loader that leverages FFI (Foreign Function Interface), a built-in feature that allows pure Lua code to directly call native C functions and work with C data structures, without needing custom bindings or external DLL wrappers. In this case, FFI is abused to enable low-level process and memory manipulation from within Lua.\r\nFigure (5) - Clean lua\r\nThe malware targets colorcpl.exe, a legitimate Windows Control Panel applet, as its process injection victim. The loader spawns the trusted Windows process and injects a decoded payload: it opens the target process with full access, allocates executable memory, writes the decoded payload into it, and executes it via a remote thread.\r\nFigure (6) - Process Injection\r\nThe injected payload is stored inside a large embedded variable and protected by three layers of obfuscation. 
First, the payload string is reversed, then Base64 decoded, and finally transformed using a ROT14 applied to printable ASCII characters.\r\nThis script automates the deobfuscation and dumping of the shellcode for further analysis.\r\nimport re\r\nimport base64\r\n\r\ndef rot14(data):\r\n    # Shift every printable ASCII byte (33..126) within that range; other bytes are left untouched\r\n    return bytes(\r\n        33 + ((b + 14) % 94) if 33 \u003c= b \u003c= 126 else b\r\n        for b in data\r\n    )\r\n\r\nwith open(\"file.lua\", \"r\", errors=\"ignore\") as f:\r\n    lua = f.read()\r\n\r\n# Find the embedded payload: the reversed Base64 blob starts with its padding characters\r\npayload = re.search(r\"(==[A-Za-z0-9+/=]{100,})\", lua).group(1)\r\npayload = payload[::-1]\r\npayload = base64.b64decode(payload)\r\npayload = rot14(payload)\r\n\r\nwith open(\"dump.bin\", \"wb\") as f:\r\n    f.write(payload)\r\nprint(\"Payload decoded\")\r\nDonut loader - Shellcode\r\nThe extracted shellcode is packed using Donut, a popular shellcode generation tool that produces position-independent code designed for in-memory execution. Donut can convert a wide range of payload types, including native PE files (EXE/DLL) and .NET assemblies, into shellcode that can be injected and executed.\r\nDonut shellcode is composed of a native loader stub followed by a structured configuration and the embedded payload itself. The configuration, commonly referred to as the Donut instance, contains metadata such as architecture flags, encryption keys, payload type, and execution options.\r\nTo inspect this stage, the donut-decryptor tool was helpful to parse and decrypt the Donut instance, allowing the loader logic to be examined and the embedded payload to be dumped.\r\nThe dumped final stage was identified as Remcos RAT, delivered as a PE32 executable and written in C++. 
The Remcos payload is never written to disk during this stage and only exists in memory after successful decryption and execution by the Donut loader.\r\nFinal Payload - Remcos\r\nConfiguration\r\nThe sample stores its RC4-encrypted configuration inside a PE resource named “SETTINGS”. The configuration data is structured so that the first byte specifies the length of the RC4 key, followed by the key itself, and then the encrypted configuration blob.\r\nFigure (7) - Encrypted configuration\r\nHere is the Python script used to decrypt the embedded configuration:\r\nimport pefile\r\n\r\ndef rc4_decrypt(data, key):\r\n    if type(data) == str:\r\n        data = data.encode('utf-8')\r\n    if type(key) == str:\r\n        key = key.encode('utf-8')\r\n    # Key-scheduling algorithm (KSA)\r\n    x = 0\r\n    box = list(range(256))\r\n    for i in range(256):\r\n        x = (x + box[i] + key[i % len(key)]) % 256\r\n        box[i], box[x] = box[x], box[i]\r\n    # Pseudo-random generation algorithm (PRGA), keystream XORed with the data\r\n    x = 0\r\n    y = 0\r\n    out = []\r\n    for c in data:\r\n        x = (x + 1) % 256\r\n        y = (y + box[x]) % 256\r\n        box[x], box[y] = box[y], box[x]\r\n        out.append(c ^ box[(box[x] + box[y]) % 256])\r\n    return bytes(out)\r\n\r\ndef extract_remcos_config(pe):\r\n    # Walk the resource directory looking for the SETTINGS resource\r\n    for rsrc in pe.DIRECTORY_ENTRY_RESOURCE.entries:\r\n        for entry in rsrc.directory.entries:\r\n            if str(entry.name) == 'SETTINGS':\r\n                data_entry = entry.directory.entries[0].data\r\n                offset = data_entry.struct.OffsetToData\r\n                size = data_entry.struct.Size\r\n                return pe.get_memory_mapped_image()[offset:offset + size]\r\n    raise ValueError(\"SETTINGS resource not found\")\r\n\r\n# main\r\npe_file = pefile.PE(\"remcos.bin\")\r\nconfig_data = extract_remcos_config(pe_file)\r\nkey_len = config_data[0]                      # first byte: length of the RC4 key\r\nkey = config_data[1:key_len + 1]              # then the key itself\r\nencrypted_config = config_data[key_len + 1:]  # the rest is the encrypted configuration blob\r\nprint(rc4_decrypt(encrypted_config, key))\r\nSome decrypted 
values from the configuration are shown below:\r\nValue Description\r\nlaboratery.ydns.eu:63099:1 C2 server address, port, and TLS flag (1 = TLS enabled)\r\nlaboratery1.ydns.eu:63921:0 C2 server address, port, and TLS flag (0 = TLS disabled)\r\nRemoteHost Botnet name configured in the malware\r\nremcos.exe Name of the REMCOS executable once installed\r\nRmc-AFAZ9F Mutex name, also used as a registry key\r\nlogs.dat File used to store keylogging output\r\nRemcos Main installation directory\r\nremcos Directory used for keylogging data\r\nC16F3DF974E930853974A85A2987E8B7 Embedded REMCOS license value\r\nScreenshots Folder used to store captured screenshots\r\nMicRecords Folder used to store recorded audio\r\n\\x1e\\x1e\\x1f Delimiter between fields in C2 communication packets\r\nThe configuration also includes flags that enable or disable modules such as keylogging, screenshot capture, microphone/audio recording, and other capabilities.\r\nAdditionally, it contains certificate-related values used for TLS communication, including the raw TLS certificate and the C2 server’s public certificate, which enable encrypted communication when TLS is active.\r\nRemcos pre-execution phase\r\nPrivilege checks\r\nAt startup, Remcos performs a series of privilege checks to determine its current execution context and adapt its behavior accordingly. It first verifies whether the process is running with administrative privileges. If this check succeeds, the malware performs an additional validation by querying the process access token and comparing the user SID against the LOCAL SYSTEM account. 
This allows the malware to distinguish between standard user, administrator, and SYSTEM execution contexts.\r\nFigure (8) - Privilege check\r\nMutex\r\nRemcos uses a mutex name taken from its configuration to ensure that only one instance runs at a time.\r\nWhen executed with SYSTEM privileges, the malware appends the -sys suffix to the mutex name to indicate a high-privilege instance. If running without SYSTEM privileges, the mutex is created using the same name without the suffix.\r\nRegistry\r\nRemcos stores its configuration and operational state in the Windows registry under a registry key name derived from the malware’s mutex Rmc-AFAZ9Ft. This key resides under HKCU\\Software\\ for standard user-level infections, and under HKLM\\Software\\ when elevated/system privileges are available.\r\nFigure (9) - Registry configuration\r\nSome default Remcos registry values:\r\nValue Name Description\r\n(Default) Default key value (unset)\r\nexepath The Remcos executable path encrypted with the same key as the config\r\nlicence License string assigned to the Remcos build\r\ntime Timestamp stored as a DWORD (likely Unix epoch)\r\nUID Unique malware identifier or victim ID\r\nRemcos may create additional registry values depending on the features enabled in its configuration. For example:\r\nRegistry Value Purpose\r\nWD: Stores the PID of the main Remcos process. The malware writes this value before starting the watchdog process. The watchdog (often running inside a legitimate process like svchost.exe) monitors the main process and restarts it if it is killed.\r\nInj: Used to track or reset the state of process injection. It is related to Remcos injecting itself into another process.\r\nFR: First-run flag. 
It shows that one-time actions (such as browser data cleaning) have already been executed, so they will not run again.\r\nInstallation and Persistence\r\nREMCOS installs itself on the victim machine by copying its executable to the %ProgramData% folder with the filename remcos.exe under a directory named Remcos. Both the directory name and the filename are retrieved directly from its configuration. REMCOS also makes manual detection more difficult by applying read-only, hidden, and system attributes to the file and the directory.\r\nFor persistence, Remcos depends on the privilege level of the running process. When run under a standard user context, it only sets persistence within HKEY_USERS\\\\Software\\Microsoft\\Windows\\CurrentVersion\\Run, ensuring execution upon logon for that specific user.\r\nHowever, if the process is running with administrative privileges, REMCOS can write to system-wide autorun locations such as HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Run or HKEY_LOCAL_MACHINE\\Software\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run. These locations provide persistence across all user accounts and are generally more impactful.\r\nFeatures enabled in this sample\r\nKeylogger\r\nRemcos includes features for keylogging and clipboard monitoring, allowing it to collect every keystroke a user makes as well as any text data the user copies to the clipboard. This sample logs the captured input, both keystrokes and clipboard contents, into a file logs.dat within a Remcos folder under %AppData%.\r\nThe keylogging functionality is implemented by installing a Windows hook using SetWindowsHookExA, which allows the malware to intercept keyboard events at the system level without requiring kernel drivers. 
Once installed, this hook runs continuously in the background, capturing key presses as they occur.\r\nFigure (10) - keylogger initialization\r\nThe clipboard monitoring captures text data the user explicitly places on the clipboard, which might not be entered via the keyboard alone. It uses standard Windows clipboard APIs to grab the current text contents whenever a command is issued or at regular intervals and stores it in the same log file.\r\nFigure (11) - Getting clipboard data\r\nScreenshots\r\nRemcos includes a screen capture capability that enables attackers to monitor the victim’s desktop activity in real time. It creates an in-memory copy of the current display and extracts the image data to generate a screenshot. It also enumerates open windows and selectively captures specific applications based on their titles, allowing for more targeted surveillance.\r\nFigure (12) - Screenshot\r\nCaptured screenshots are stored locally in the Screenshots folder defined in the configuration. Each file uses a timestamp-based naming format: wnd_%04i%02i%02i_%02i%02i%02i, which corresponds to wnd_YYYYMMDD_HHMMSS, allowing the images to be organized chronologically.\r\nAudio recording [MicRecords]\r\nThe audio recording capability enables Remcos to capture live microphone input from an infected system in real time. Once activated, the malware interacts directly with the Windows multimedia (WaveIn) API to continuously record audio from the victim’s microphone using a buffered recording mechanism. 
As audio data is received, it is processed and saved locally in the folder MicRecords (as defined in the configuration) as standard .wav files, using a timestamp-based naming convention (YYYY-MM-DD HH.MM.wav), allowing recordings to be organized chronologically.\r\nFigure (13) - Audio recording\r\nRecording works in continuous parts. When one buffer becomes full and is saved to disk, the malware immediately starts recording the next part without stopping. This allows it to monitor surrounding sounds continuously without any interruption.\r\nAdditional Capabilities of Remcos\r\nRemcos is a fully featured Remote Access Trojan (RAT) that gives attackers extensive control over an infected system. Although some features are inactive, the sample includes several advanced capabilities:\r\nWatchdog: Launches a secondary process, injects itself into it, and monitors the main process. 
If either process is terminated, the other restarts it to ensure persistence.\r\nProcess Injection: REMCOS can inject itself into a specified or hardcoded Windows process to avoid detection.\r\nUAC Disabling: Modifies the EnableLUA registry value or uses a COM-based bypass to execute actions with elevated privileges silently.\r\nPEB Masquerading: Patches the Process Environment Block to appear as explorer.exe, helping the malware evade basic detection.\r\nRemote Wallpaper Change: Enables attackers to instantly change the victim’s desktop wallpaper for visual control or intimidation.\r\nDLL Loader: Remotely loads and executes supplied DLLs.\r\nLogins Cleaner: Deletes saved credentials, browser history, and cookies.\r\nExtended System Control: Provides remote control over the mouse, keyboard, monitor, CD drive, taskbar, and Start Button.\r\nC2 communication\r\nThe sample communicates with its C2 server using raw TCP sockets, with each C2 entry stored in the format domain:port:tls_flag. Upon execution, the malware iterates through this list and attempts to establish a direct socket connection to each C2 address until one successfully responds.\r\nDepending on the configuration, TLS can be enabled or disabled dynamically. When TLS is enabled, the malware handles certificate loading, key initialization, and peer verification before establishing the encrypted channel. If the TLS setup fails, the error is logged, and the malware may continue by falling back to non-encrypted communication.\r\nRemcos uses a fixed packet structure when sending information to its command-and-control (C2) server. 
Each packet begins with a specific header followed by command-related data.\r\npacket magic | packet size | command ID | command data\r\nMagic number: 3 bytes, 0xFF 0x04 0x24, marking the start of a packet.\r\nPacket size: Indicates the total size of the packet.\r\nCommand ID: Identifies the action being performed.\r\nCommand data: Contains the collected system information, separated by the delimiter \\x1E\\x1E\\x1F.\r\nInformation gathered\r\nField Description\r\nAgent Version: The Remcos version\r\nAgent Identifier: Unique identifier assigned to the malware instance\r\nComputer Name: Name of the infected system\r\nUsername: User account associated with the system\r\nGeographic Location: Approximate location of the host\r\nOperating System: OS name and architecture of the infected machine\r\nTotal Memory: Amount of installed system RAM\r\nProcessor Information: CPU model and hardware details\r\nRunning Process Path: Full path of the executing malware process\r\nActive Window Title: Title of the currently focused window\r\nAgent Type: Type of agent (EXE or DLL)\r\nRegistry Key / Mutex: Mutex or registry key used for persistence or identification\r\nInstallation Time: Timestamp when the malware was installed\r\nCommand and Control (C2) IP: Remote server used for communication\r\nSystem Uptime: Duration since the system was last started\r\nIdle Time: Time since the last user activity\r\nKeylogger File Path: Location where keystroke logs are stored\r\nFigure (14) - First packet sent\r\nC2 commands\r\nRemcos receives control commands from the C2 server to perform actions on the victim’s device. It has many C2 commands that let attackers monitor and control the infected system. 
These commands can be grouped into different categories.\r\nCategory Description\r\nFile Management: Browse drives, search files, upload/download files, zip/unzip files, rename or delete files, and modify file attributes to explore and manipulate data on the victim system\r\nProcess Management: List running processes and terminate, suspend, or resume processes to control applications and system operations\r\nService Management: Start, stop, or manage Windows services to control system functionality\r\nWindow Management: List, show/hide, maximize/minimize windows and modify window titles to control the user interface\r\nRegistry Management: Read, create, or delete registry keys and values for persistence and system configuration changes\r\nProgram Management: Enumerate installed applications and remotely uninstall software\r\nRemote Shell Access: Establish a remote shell and execute system commands on the infected machine\r\nScript Execution: Execute JavaScript, VBS, or batch scripts remotely for additional malicious operations\r\nPower Management: Log off, shutdown, restart, sleep, or hibernate the system remotely\r\nPassword Recovery: Extract stored passwords from the system or applications\r\nNetwork Monitoring: List processes using network connections to analyze network activity\r\nProxy Management: Start or stop a proxy server on the victim machine to route traffic through the compromised host\r\nFile Download \u0026 Execution: Download and execute files from the command-and-control server to deploy additional malware\r\nDNS Manipulation: Modify or retrieve the hosts file to redirect network traffic\r\nCommunication: Display messages or chat with the victim directly\r\nMultimedia Actions: Play sounds or alerts on the system for notification or intimidation\r\nCredential Cleaning: 
Remove stored browser logins and cookies to erase traces\r\nSystem Control Features: Disable input devices, hide taskbar, control monitor power, or manage hardware components\r\nMalware Self-Management: Rename, restart, update, elevate privileges, or terminate the Remcos malware to maintain persistence and control\r\nConclusion\r\nThe sample is a multi-stage infection chain that eventually installs Remcos RAT (v7.1.0 Pro), a commercial remote-access tool commonly abused in cyberattacks. The attack begins with a heavily obfuscated JavaScript file, which then drops LuaJIT loaders and shellcode payloads.\r\nThe JavaScript maintains persistence via scheduled tasks (schtasks) and hides meaningful payload data using junk code, large arrays, loops, and string obfuscation.\r\nThe LuaJIT loader injects the payload into colorcpl.exe, performing in-memory execution without writing the Remcos PE to disk. The shellcode is packed using Donut, with embedded configuration and payload metadata.\r\nThe decrypted Remcos configuration reveals: C2 server addresses and ports, TLS flags, botnet name, mutex, installation paths, module flags (keylogger, screenshots, audio), and embedded license key.\r\nRemcos collects extensive host information: system username, computer name, OS version, CPU/RAM details, running processes, active window titles, uptime, idle time, and registry keys.\r\nActive capabilities in this sample include keylogging, screenshot capture, microphone recording, and storage of captured data in configured folders with timestamped filenames.\r\nAdditional capabilities: watchdog process, process injection, UAC bypass, PEB masquerading, remote wallpaper change, DLL loader, credential cleaning, extended system control (mouse, keyboard, monitor, CD, taskbar).\r\nC2 communication is performed over raw TCP sockets with optional TLS, sending structured packets containing system info and receiving commands for full remote 
control.\r\nPersistence is achieved via registry autorun entries, with installation using hidden, system, and read-only attributes.\r\nSource: https://www.egfincirt.org.eg/remcos-rat-operations-how-attackers-gain-and-maintain-control/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.egfincirt.org.eg/remcos-rat-operations-how-attackers-gain-and-maintain-control/"
	],
	"report_names": [
		"remcos-rat-operations-how-attackers-gain-and-maintain-control"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434078,
	"ts_updated_at": 1775791857,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/388f8ac136cabd8b60e368cf95692d8d300a1a09.pdf",
		"text": "https://archive.orkl.eu/388f8ac136cabd8b60e368cf95692d8d300a1a09.txt",
		"img": "https://archive.orkl.eu/388f8ac136cabd8b60e368cf95692d8d300a1a09.jpg"
	}
}