{
	"id": "43f73e5c-fc63-4b03-a5d9-1aa4df08b743",
	"created_at": "2026-04-06T00:10:09.965904Z",
	"updated_at": "2026-04-10T03:22:12.682268Z",
	"deleted_at": null,
	"sha1_hash": "fa602705efaf2805c29862c89ed2f0cc14c303a2",
	"title": "Remcos RAT Distributed via Webhards - ASEC",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 2713337,
	"plain_text": "Remcos RAT Distributed via Webhards - ASEC\r\nBy ATCP\r\nPublished: 2024-01-08 · Archived: 2026-04-05 20:17:52 UTC\r\nWhile monitoring the distribution sources of malware in South Korea, AhnLab SEcurity intelligence Center\r\n(ASEC) recently found that the Remcos RAT malware disguised as adult games is being distributed via webhards.\r\nWebhards and torrents are platforms commonly used for the distribution of malware in Korea.\r\nAttackers normally use easily obtainable malware such as njRAT and UDP RAT, and disguise them as legitimate\r\nprograms such as games or adult content for distribution. Similar cases were introduced in previous ASEC\r\nblogs multiple times:\r\nUDP RAT Malware Being Distributed via Webhards\r\nnjRAT Being Distributed through Webhards and Torrents\r\nnjRAT Malware Distributed via Major Korean Webhard\r\nhttps://asec.ahnlab.com/en/60270/\r\nPage 1 of 8\n\nAs shown in Figure 1, malware is being distributed via multiple games using the same method. The posts all\r\nhave a guide that tells users to run the Game.exe file.\r\nWhen the file is decompressed, the Game.exe file is present. Although it looks like a regular game launcher, the\r\nactual DLL used to run the game exists separately, and the malicious VBS scripts are executed along with the game file\r\nwhen Game.exe is run.\r\nAs shown in Figure 5, the malicious VBS scripts exist in the www\\js\\plugins folder. What is ultimately\r\nexecuted is the ffmpeg.exe malware. The infection flow of the malware when it is executed is shown below.\r\nWhen ffmpeg.exe is executed, the “sexyz” string is split to extract the encrypted binary and the key value from\r\ntest.jpg. They are then injected into explorer.exe.\r\nThe injected malware downloads Remcos RAT from the C\u0026C server shown in Figure 9 and attempts to\r\nperform additional behaviors by injecting it into ServiceModelReg.exe.\r\nAs shown in this example, users need to be cautious, as malware is being actively distributed via file-sharing\r\nwebsites such as Korean webhards. Caution is advised when running executables downloaded from a file-sharing website. It is recommended that users download programs from the official websites.\r\n[File Detection]\r\nTrojan/Win.Injector.R630725 (2024.01.08.02)\r\nTrojan/Win.Injector.R630726 (2024.01.08.02)\r\nTrojan/VBS.Runner.SC195782 (2024.01.08.02)\r\nTrojan/VBS.Runner.SC195783 (2024.01.08.02)\r\nTrojan/BAT.Agent.SC195781 (2024.01.08.02)\r\nTrojan/BAT.Agent.SC195785 (2024.01.08.02)\r\nTrojan/VBS.Runner.SC195786 (2024.01.08.02)\r\nTrojan/VBS.Runner.SC195787 (2024.01.08.02)\r\nTrojan/VBS.Runner.SC195784 (2024.01.08.02)\r\nMD5\r\n00bfd32843a34abf0b2fb26a395ed2a4\r\n2e6796377e20a6ef4b5e85a4ebbe614d\r\n2f6768c1e17e63f67e173838348dee58\r\n36aa180dc652faf6da2d68ec4dac8ddf\r\n4d04070dee9b27afc174016b3648b06c\r\nURL\r\nhttp[:]//kyochonchlcken[.]com/share/1[.]exe\r\nhttp[:]//kyochonchlcken[.]com/share/BankG[.]r6map\r\nhttp[:]//kyochonchlcken[.]com/share/Favela[.]r6map\r\nAdditional IOCs are available on AhnLab TIP.\r\nSource: https://asec.ahnlab.com/en/60270/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://asec.ahnlab.com/en/60270/"
	],
	"report_names": [
		"60270"
	],
	"threat_actors": [],
	"ts_created_at": 1775434209,
	"ts_updated_at": 1775791332,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fa602705efaf2805c29862c89ed2f0cc14c303a2.pdf",
		"text": "https://archive.orkl.eu/fa602705efaf2805c29862c89ed2f0cc14c303a2.txt",
		"img": "https://archive.orkl.eu/fa602705efaf2805c29862c89ed2f0cc14c303a2.jpg"
	}
}