{
	"id": "69b2b82d-e30d-45ba-ac77-0c6806089405",
	"created_at": "2026-04-06T00:17:35.414379Z",
	"updated_at": "2026-04-10T13:11:46.894252Z",
	"deleted_at": null,
	"sha1_hash": "5590b1765eb98ddb74ee9907f6e66c952a3ce9e9",
	"title": "The Latest Remcos RAT Driven By Phishing Campaign | FortiGuard Labs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 829009,
	"plain_text": "The Latest Remcos RAT Driven By Phishing Campaign |\r\nFortiGuard Labs\r\nBy Xiaopeng Zhang\r\nPublished: 2022-04-06 · Archived: 2026-04-05 17:11:47 UTC\r\nRemcos RAT (Remote Access Trojan) was originally designed as a professional tool to remotely control\r\ncomputers. Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly\r\ncontrol victims’ devices since its first version was published on July 21, 2016. Remcos RAT is commercial\r\nsoftware that is sold online.\r\nAffected platforms: Microsoft Windows\r\nImpacted parties: Microsoft Windows Users\r\nImpact: Controls victim’s device and collects sensitive information\r\nSeverity level: Critical\r\nFigure 1: Example of Remcos RAT being sold online\r\nOn this webpage, it provides two versions: professional edition (with all features included) and free edition (with\r\nrestricted features).\r\nhttps://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing\r\nPage 1 of 16\n\nThis analysis is based on Remcos RAT being used by hackers to control victims’ devices delivered by a phishing\r\ncampaign, which was caught by Fortinet’s FortiGuard Labs recently.\r\nIn this analysis, you will learn:\r\nHow the phishing campaign delivers Remcos RAT onto the victim’s device\r\nHow Remcos executes on the device\r\nWhat sensitive information it could steal from a victim\r\nHow Remcos connects to its C2 server\r\nWhat commands this Remcos provides to control the victim’s device\r\nThe Phishing Email\r\nFigure 2: Screenshot of the phishing email content\r\nAs you can see from the email content shown in Figure 2, the hacker disguised the phishing email as a payment\r\nnotification from a trusted bank and asked the recipient to open the attached Excel file that is protected by a\r\npassword.\r\nExcel File Leads to Download of Remcos via VBS and PowerShell\r\nOnce the attached Excel document is opened in the Excel program, it asks for a password to view the 
document,\r\nwhich has already been provided in the email. It then shows the document in the Excel program as in Figure 3.\r\nBecause the file contains macro code, Excel shows a yellow security warning bar to warn the victim of the danger.\r\nFigure 3: Screen shown when the Excel document is opened in the Excel program\r\nThe message in the file lures the victim into clicking the Enable Content button to bypass the warning and execute the\r\nmalicious macro code.\r\nThe macro has a function called “Wookbook_Active()” that is called automatically when the document opens. Its task is to\r\nextract VBS code from the cells into a file “%AppData%\\HobYQ.vbs” and then execute it.\r\nTo protect the Remcos payload file, it uses a multi-stage download chain that executes both\r\nVBS and PowerShell script code.\r\n“HobYQ.vbs” runs a segment of dynamically spliced PowerShell code to download another VBS file (“flip.vbs”)\r\nfrom the attacker’s server and run it. Next, “flip.vbs” downloads a file (called “mem.txt”) from the\r\nserver, which is a piece of encoded VBS code that is executed later by “flip.vbs” to download the final file\r\nfrom the same server, which is called “faze.jpg”. Figure 4 shows the captured traffic for the three\r\ndownloaded files, “flip.vbs,” “mem.txt,” and “faze.jpg.”\r\nFigure 4: “HobYQ.vbs” leads to downloading three files\r\nThe bottom of Figure 4 shows part of the response packet of “faze.jpg”. It is not an image file but an\r\nobfuscated PowerShell code file. There are three pieces of encoded data defined in three array variables, which\r\nhave been simplified in Figure 5 in three red boxes. 
The PowerShell code that is carried in “faze.jpg” is executed\r\nby “flip.vbs”.\r\nFigure 5: The simplified PowerShell code of “faze.jpg”\r\nLet me then explain how the PowerShell code works.\r\nThe values of the two variables, $MNB and $IRjR, are both encoded GZIP-compressed payloads (they start with\r\n“1F 8B…”). After decompression, $MNB is a .Net Framework Dll file and $IRjR is the Remcos payload file.\r\nThe binary value assigned to the variable “$qgRf” is a dynamic method called tMCfkSD() for decompression.\r\nIt calls tMCfkSD() to decompress the .Net Dll from $MNB into $byUsWxe. Finally, it loads the .Net Dll into the\r\ncurrent PowerShell execution environment by calling “Load”, and the function “Black()” from the class “toooyou” is\r\ncalled with “RegAsm.exe” and the compressed Remcos payload ($IRjR).\r\n.Net Framework Dll File Performs Process Hollowing\r\nFigure 6: Break on .Net Dll toooyou.Black()\r\nThe .Net Dll is named GC.dll, as you can see in Figure 6. The two passed parameters are shown in “Locals”. Its\r\ncode is obfuscated. According to my analysis, it first dynamically extracts another Dll, named lime.dll, from its resource section.\r\nNext, it decompresses the Remcos payload, which is passed to a function called\r\n\"k78er0sdfffff.o70sdaf45gfg(System.String, Byte[])\" from lime.dll when the function is called.\r\nThis Dll performs the process hollowing, injecting the Remcos payload into a newly created “RegAsm.exe” process. Once the function (k78er0sdfffff.o70sdaf45gfg()) is invoked, it looks for\r\n“RegAsm.exe” in the locations listed below on the victim’s device. 
If it fails to find the file, it exits from\r\nPowerShell without running Remcos.\r\nThe hardcoded location list:\r\narray[\u003cModule\u003e.C1790263187] = \"C:\\\\WINDOWS\\\\syswow64\\\\\";\r\narray[\u003cModule\u003e.C2710025604] = \"C:\\\\WINDOWS\\\\system32\\\\\";\r\narray[\u003cModule\u003e.C3326009313] = \"C:\\\\WINDOWS\\\\\";\r\narray[\u003cModule\u003e.C931285936] = \"C:\\\\WINDOWS\\\\syswow64\\\\WindowsPowerShell\\\\v1.0\\\\\";\r\narray[\u003cModule\u003e.const_4] = \"C:\\\\WINDOWS\\\\system32\\\\WindowsPowerShell\\\\v1.0\\\\\";\r\narray[\u003cModule\u003e.C3873335087] = \"C:\\\\Windows\\\\Microsoft.NET\\\\Framework\\\\v4.0.30319\\\\\";\r\nIn my testing environment, the file is at \"C:\\Windows\\Microsoft.NET\\Framework\\v4.0.30319\\RegAsm.exe\".\r\nAs you may know, it needs to call several APIs to finish the process hollowing: CreateProcess() with the\r\nCREATE_SUSPENDED flag, WriteProcessMemory(), GetThreadContext(), SetThreadContext() and so on. As\r\nshown in Figure 7, it is about to call CreateProcessA() to create a suspended RegAsm.exe process from\r\nLime.dll.\r\nFigure 7: Call CreateProcessA() with CREATE_SUSPENDED flag\r\nOnce the Remcos payload has been injected and deployed into RegAsm.exe, ResumeThread() is called so\r\nthat RegAsm.exe resumes and runs the Remcos RAT on the victim’s device.\r\nDive into Remcos Payload\r\nPer my analysis, Remcos was written in C++ with templates. What we captured is the latest\r\nversion, 3.4.0 Pro, which was published on February 10, 2022. In this\r\nsection I dissect the Remcos payload file to learn how it controls the victim’s device.\r\nFrom the analysis of its previous versions over the past years, Remcos used RC4 encryption to encrypt or decrypt\r\nboth the local data and the traffic data between Remcos and C2 servers. 
From version 3.0.0 Pro on, it has\r\nchanged the encryption algorithm to AES-128 bit for encrypting or decrypting the traffic data. Therefore, this variant\r\nuses both encryption algorithms: RC4 for local data and AES for traffic data.\r\nFigure 8: Remcos configuration block encrypted in “SETTINGS” resource\r\nEvery Remcos contains an RC4-encrypted configuration block in its PE resource section, named “SETTINGS” as\r\nshown in Figure 8, where the first byte “B1” is the size of the following RC4 key (in a red box) and the rest of the\r\ndata is the encrypted Remcos configuration block.\r\nThe first thing Remcos does is decrypt the configuration block, which is referred to throughout the Remcos\r\nlifetime. It contains, among other things, the C2 server information, the Remcos-assigned name for the attacker to\r\nrecognize the victim, the Remcos sub-key name in the registry, the name of the log file for recording the victim’s keylogger and\r\nclipboard data, many flags telling Remcos how to start its features on the victim’s device, as well as the\r\nauthentication data used to establish the connection to the C2 server.\r\nThe Remcos workflow is straightforward: it starts many threads to perform auto-start work according to the flags\r\ndefined in the configuration block. This includes:\r\nAdding Remcos to the auto-run group in the system registry\r\nStarting a watchdog program (Remcos’ daemon program)\r\nRecording the victim’s audio input from an input device (microphone)\r\nCapturing victim’s screenshots at startup\r\nDisabling UAC (User Account Control) on the victim’s device\r\nAnd so on\r\nRemcos is able to record the victim’s sensitive information in a log file (the file name comes from the configuration block)\r\nfrom time to time, such as keyboard inputs (keylogger), data on the system clipboard, and the title of the topmost\r\nprogram the victim is typing in. 
In order to do so, it needs to set a keyboard hook by calling the API\r\nSetWindowsHookExA() and start a thread that checks every 500 microseconds. Figure 9 shows the ASM code\r\nsnippet that sets such a hook.\r\nFigure 9: Set keyboard Windows Hook\r\nBelow is an example of “logs.dat” with what Remcos obtained from my test environment, such as the recording\r\ndate and time, topmost program titles, the victim’s idle time, and clipboard data.\r\nFigure 10: Example of information saved in “log.dat”\r\nThe next step in the Remcos workflow is to connect to its C2 server using the information from the configuration\r\nblock.\r\nCommunicating with the C2 Server\r\nRemcos uses the TLS v1.3 protocol to communicate with the C2 server; the TLS handshake and authentication are\r\nimplemented by Remcos itself (not using Windows APIs), as I mentioned before.\r\nRemcos then collects basic information from the victim’s system and submits it in the first packet to the C2\r\nserver. The packet number for the first packet is 4BH. The packet before it goes through AES encryption is shown below.\r\nFigure 11: 4BH packet plaintext content before AES encryption\r\nThe victim’s basic information is enclosed in this packet. Let’s take a look at the packet structure.\r\nThe first “24 04 FF 00” is the packet magic ID that comes from the decrypted configuration block, the subsequent\r\ndword “A1 02 00 00” (21AH) is the size of the following data, the next dword “4B 00 00 00” (4BH) is the packet\r\nnumber. 
The rest of the data is the collected basic information of the victim’s device, which includes but is not\r\nlimited to:\r\nRemcos-assigned name “Shiesty” (from the configuration block)\r\nVictim’s user name and computer name\r\nWindows edition information, total RAM (3757629400) in bytes\r\nRemcos version (3.4.0 Pro)\r\nThe full path of the current RegAsm.exe, the title of the currently active program (the one the victim is using)\r\nVictim’s idle time\r\nThe system’s uptime\r\nCPU information\r\nC2 server host\r\nRemcos payload type (EXE or DLL)\r\nAll the fields above are separated by “7C 1E 1E 1F 7C” (shown as “|…|” in the string).\r\nOnce the C2 server receives this 4BH packet, it shows the victim in the “Connection” subtab, as shown in\r\nFigure 12. From then on, the attacker can control the victim’s device simply by right-clicking the item (red box) and\r\nselecting the desired command.\r\nFigure 12: How the C2 server looks when receiving a 4BH packet\r\nMeanwhile, Remcos registers a callback function that parses the C2’s commands and enters an infinite loop to\r\nwait for control commands from the attacker’s C2 server.\r\nControl Commands\r\nFrom the registered callback function, we learned that this Remcos variant provides 87 control commands, which\r\nfall into the following groups:\r\nSystem: Screen Capture, File Manager, File Search, Process Manager, etc.\r\nSurveillance: Webcam, Microphone, Keylogger, Screenlogger, etc.\r\nNetwork: Proxy, Downloader, Open Webpage, etc.\r\nExtra: Dll Loader, Logins Cleaner, Audio Player, etc.\r\nRemcos: Reconnect, Restart, Show, Update, Close, Uninstall, etc.\r\nHeartbeat packet\r\nThe C2 server sends a heartbeat packet to Remcos every 40 seconds. 
Once Remcos has connected to the C2\r\nserver, the heartbeat confirms that this Remcos instance is alive. The C2’s command packets share the same format. I’ll take the\r\nheartbeat packet as an example, which looks like:\r\n24 04 FF 00 0C 00 00 00 01 00 00 00 30 7C 1E 1E 1F 7C 32 30\r\nAfter the packet magic ID (“24 04 FF 00”) and packet size (0x0C), “01 00 00 00” is the heartbeat command number\r\n(0x01), and the rest is command data separated by “7C 1E 1E 1F 7C”, namely 30 (ASCII “0”) and 32 30 (ASCII\r\n“20”). Remcos then obtains the title of the currently active window as well as a time value and sends them to the C2\r\nserver in packet number 4CH.\r\nThe following is the control command list:\r\nName C\u0026C Number Description\r\nHeartBeat 01H HeartBeat packet.\r\nScreen Capture 10H Control the victim’s device in a remote desktop.\r\nFile Manager 98H Manage the file system on the victim’s device.\r\nFile Search 8FH Search files on the victim’s device.\r\nProcess Manager 06H Manage running processes.\r\nService Manager 34H Manage the victim’s system services.\r\nRegistry Editor 2FH View and edit the victim’s system registry.\r\nInstalled Program 03H List all installed software.\r\nWindows Manager 08H Open a Task Manager-like interface.\r\nClipboard Manager 28H View, set, and empty the victim’s system clipboard.\r\nCommand Line 0EH Start a shell (cmd.exe) with a command.\r\nExecute Command 0DH Execute a command on the victim’s device, like Notepad.\r\nRemote Scripting 2EH Execute JS, VBS, and Batch on the victim’s device.\r\nSet Wallpaper 92H Set the victim’s desktop wallpaper with a picture.\r\nPower Manager 27H Log off, Sleep, Hibernate, Shut down, and Restart.\r\nWebcam 1BH Control the victim’s camera.\r\nMicrophone 1DH Turn on the victim’s audio input device, like a microphone.\r\nKeylogger 13H Start Keylogger.\r\nScreenlogger 10H Start Screenlogger.\r\nBrowser history 18H Clear browser’s history.\r\nProxy 
32H Set a proxy on the victim’s device.\r\nOpen Webpage 0FH Open a URL with the victim’s default browser.\r\nChat 30H Pop up a chat box to chat with the victim.\r\nMessageBox 26H Pop up a message to the victim.\r\nDownloader B2H Download and execute a file on the victim’s device.\r\nDll Loader 2CH Execute a Dll module on the victim’s device.\r\nAudio Player A3H Play an audio sound to the victim.\r\nLogins Cleaner 18H Clear browser’s logins and cookies.\r\nUpdate 24H Update Remcos.\r\nUninstall 22H Uninstall Remcos from the victim’s device.\r\nClose 21H Kill the currently running Remcos.\r\nRestart 23H Restart Remcos.\r\nElevate 27H Elevate Remcos’ privileges.\r\nBesides the listed control commands, Remcos also has many sub-commands to support some of the control\r\ncommands in sub-connections, like the Service Manager command 34H with sub-commands: 03H to stop a service,\r\n04H to pause a service, 01H to restart a service.\r\nConclusion\r\nIn this analysis blog, I explained how a phishing email delivers an Excel document with a malicious macro to the\r\nvictim’s device.\r\nNext, we went through how it executes multiple VBS and PowerShell scripts to download the Remcos payload as\r\nwell as how the Remcos payload is deployed by a .Net Dll into the “RegAsm.exe” process via process hollowing.\r\nThen, I dissected Remcos’s workflow according to its code and how the configuration block is decrypted from the\r\nPE resource section. 
I also explained how Remcos establishes a connection to its C2 server.\r\nFinally, through several examples, I elaborated on the structure of the command and control packets in plaintext as\r\nwell as the commands Remcos can use to control the victim’s device, with the full control command list.\r\nFortinet Protections\r\nFortinet customers are already protected from this malware by FortiGuard’s Web Filtering, Antivirus, FortiMail,\r\nFortiClient, FortiEDR services, IPS services, and CDR (Content Disarm and Reconstruction) services, as follows:\r\nAll relevant URLs have been rated as \"Malicious Websites\" by the FortiGuard Web Filtering service.\r\nThe captured Excel sample and the downloaded Remcos payload files are detected as \"VBA/Remcos.REM!tr\"\r\nand \"W32/Rescoms.M!tr\" and are blocked by the FortiGuard Antivirus service.\r\nFortiEDR detects both the Excel file and the Remcos payload file as malicious based on their behavior.\r\nFortinet also released the IPS signature “Remcos.Botnet” to detect and block Remcos’ C\u0026C traffic to protect our\r\ncustomers.\r\nFortiGuard Content Disarm and Reconstruction (CDR) can protect users from this attack by enabling the\r\nfollowing option:\r\nEnable/disable stripping of linked objects in Microsoft Office documents.\r\nIn addition to these protections, Fortinet has multiple solutions designed to help train users to understand and\r\ndetect phishing threats:\r\nThe FortiPhish Phishing Simulation Service uses real-world simulations to help organizations test user awareness\r\nand vigilance to phishing threats and to train and reinforce proper practices when users encounter targeted\r\nphishing attacks.\r\nIn addition to these protections, we suggest that organizations also have their end users go through our FREE NSE\r\ntraining: NSE 1 – Information Security Awareness. 
It includes a module on Internet threats that is designed to help\r\nend users learn how to identify and protect themselves from various types of phishing attacks.\r\nIOCs\r\nURLs:\r\nhxxp://209[.]127[.]19[.]101/flip.vbs\r\nhxxp://209[.]127[.]19[.]101/mem.txt\r\nhxxp://209[.]127[.]19[.]101/faze.jpg\r\nshiestynerd[.]dvrlists[.]com:10174\r\nmimi44[.]ddns[.]net:2405\r\nharveyautos110[.]ddns[.]net:2404\r\nharveyautos111[.]hopto[.]org:2404\r\nharveyautos112[.]ddns[.]net:2404\r\nharvey205[.]camdvr[.]org:2404\r\nharvey206[.]casacam[.]net:2404\r\nharvey207[.]accesscam[.]org:2404\r\n23[.]226[.]128[.]197:2404\r\nachimumuazi[.]hopto[.]org:2311\r\nxhangzhi[.]duckdns[.]org:2404\r\nSample SHA-256 Involved in the Campaign:\r\n[Excel Document]\r\nFBB0575DFD7C1CFE48FB3AA895FBE6C8A554F06899A7152D04CFC39D1D4744AD\r\n[Captured Remcos samples]\r\n8F6DD0DB9E799393A61D6C9CF6495C164E1B13CB8E6B153B32359D5F07E793D2\r\nDA609D3211D60D5B11FEAEAA717834CBE86E18103A1ED4FC09C2EE3E1CFF9442\r\n737E11913EFB64ACCF1B88532C7CE8606676684D8364DDD027926F9FFC6ECFFB\r\nB263876EBC01B310A8BFC58477523981184EB7E8F2DC955F0CF8E62124EB679A\r\n2C8B78FC6C4FE463DAC9D39FDE2871F1BB2605453BC0F2D57C7549CF5D07AA86\r\nA1A1395D0602A473FCC81BA7D1D90C3FB154321D1721E0069722B902B1057CB0\r\n6B816D84ACCC3E1EBCE3EF55B64B0C5E0485228790DF903E68466690E58B5009\r\nLearn more about Fortinet’s FortiGuard Labs threat research and intelligence organization and the FortiGuard\r\nSecurity Subscriptions and Services portfolio.\r\nSource: https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/latest-remcos-rat-phishing"
	],
	"report_names": [
		"latest-remcos-rat-phishing"
	],
	"threat_actors": [
		{
			"id": "f9806b99-e392-46f1-9c13-885e376b239f",
			"created_at": "2023-01-06T13:46:39.431871Z",
			"updated_at": "2026-04-10T02:00:03.325163Z",
			"deleted_at": null,
			"main_name": "Watchdog",
			"aliases": [
				"Thief Libra"
			],
			"source_name": "MISPGALAXY:Watchdog",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434655,
	"ts_updated_at": 1775826706,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/5590b1765eb98ddb74ee9907f6e66c952a3ce9e9.pdf",
		"text": "https://archive.orkl.eu/5590b1765eb98ddb74ee9907f6e66c952a3ce9e9.txt",
		"img": "https://archive.orkl.eu/5590b1765eb98ddb74ee9907f6e66c952a3ce9e9.jpg"
	}
}