{
	"id": "b9468785-e34b-4d80-ae76-55fbdd4ade48",
	"created_at": "2026-04-10T03:22:01.559328Z",
	"updated_at": "2026-04-10T03:22:19.559046Z",
	"deleted_at": null,
	"sha1_hash": "9a2a61c0f4ac3a7450fce2e98c78d41cda9500b6",
	"title": "Check Point’s Threat Emulation Stops Large-Scale Phishing Campaign in Germany",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 74504,
	"plain_text": "Check Point’s Threat Emulation Stops Large-Scale Phishing\r\nCampaign in Germany\r\nBy bferrite\r\nPublished: 2019-06-19 · Archived: 2026-04-10 02:46:20 UTC\r\nResearch by: Kobi Eisenkraft, Moshe Hayun, published June 19th 2019\r\nIntroduction\r\nDuring the first week of June 2019, Check Point researchers encountered a new, large-scale phishing campaign\r\ntargeting German companies across all industries. The hacker’s goal was to install Remcos – a remote control tool\r\n– on the victims’ computers.\r\nAttack Flow\r\nThe attackers initially sent fake emails that appeared to be from several legitimate companies across Germany.\r\nThese emails contained invoices or urgent order attachments which were actually Remcos archives attempting to\r\nconnect with the attacker’s command and control (C\u0026C) server.\r\nFigure 1: Example of a phishing email to the victims\r\nThe attachment is usually an archive containing an executable disguised as a PDF or other document file. The\r\ndisguise is a simple comma PDF extension and folder icon.\r\nFigure 2: An executable in disguise\r\nAfter the victim opens the file, Remcos executes silently and gives the attacker full control over the victim’s\r\nmachine.\r\nFigure 3: Attack flow chart\r\nCommunication with the C\u0026C\r\nThe attacker then covers his tracks by using DDNS (Dynamic DNS), a legitimate service for mapping Internet\r\ndomain names to dynamic IP addresses. 
Learn more about this well-known evasion technique at:\r\nhttps://attack.mitre.org/techniques/T1311/.\r\nBy using free DDNS accounts, the attacker has a large number of IP addresses at their disposal and can use them\r\nto control the victims’ machines.\r\nFor example, the attacker uses the https://www.noip.com/ service to create the domain ablegod.hopto[.]org.\r\nRemcos – a Swiss Army Knife RAT\r\nhttps://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/\r\nPage 1 of 3\n\nFigure 4: Picture from the official Remcos website\r\nDistributed and sold as a legitimate tool by a company called “Breaking Security” on a public website, Remcos is\r\nan abbreviation for Remote Control and Surveillance and is sold on a freemium model with a pro version priced\r\nfrom €58 – €389.\r\nBy using Remcos, the attacker can remotely gain full control of another machine; its functions include:\r\nAV bypass and privilege escalation:\r\nGain admin privileges\r\nDisable UAC (User Account Control)\r\nMaintain persistence on the targeted machine\r\nRun as a legitimate process (e.g. injection into a Windows process)\r\nRun in the background, invisible to the victim\r\nCapabilities:\r\nKeylogger and clipboard\r\nScreenLogger\r\nAudio capture\r\nExtract passwords\r\nFigure 5: Campaign targeting Germany and other countries. 
5/6 – 6/6\r\nCheck Point products successfully protect against this campaign.\r\nCheck Point Threat Emulation is a Zero-Day Protection solution that prevents infections from zero-day malware\r\nand targeted attacks using sandboxing capabilities.\r\nCheck Point SandBlast Agent provides purpose-built advanced Zero-Day Protection capabilities to protect web\r\nbrowsers and endpoints, leveraging Check Point’s industry leading network protections.\r\nProtections:\r\nCheck Point Threat Emulation:\r\nRAT.Win.Remcos.A\r\nRAT.Win.Remcos.C\r\nRAT.Win.Remcos.D\r\nCheck Point SandBlast Agent:\r\nRAT.Win.Remcos.B\r\nFigure 6: Threat emulation report blocking Remcos\r\nThe full Threat Emulation report can be found here –\r\nhttps://forensics.checkpoint.com/remcos_te/ThreatEmulationReport.html\r\nThe full SBA report can be found here –\r\nhttps://forensics.checkpoint.com/remcos/index.html\r\nA special thanks to our colleague Arie Olshtein for his contribution on this research!\r\nIndicators of 
Compromise:\r\nSource: https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.checkpoint.com/2019/06/19/sandblast-agent-phishing-germany-campaign-security-hack-ransomware/"
	],
	"report_names": [
		"sandblast-agent-phishing-germany-campaign-security-hack-ransomware"
	],
	"threat_actors": [],
	"ts_created_at": 1775791321,
	"ts_updated_at": 1775791339,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9a2a61c0f4ac3a7450fce2e98c78d41cda9500b6.pdf",
		"text": "https://archive.orkl.eu/9a2a61c0f4ac3a7450fce2e98c78d41cda9500b6.txt",
		"img": "https://archive.orkl.eu/9a2a61c0f4ac3a7450fce2e98c78d41cda9500b6.jpg"
	}
}