#remcos — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #remcos, aggregated by home.social.
-
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.
Pulse ID: 69fa3aacdd4e111bac9bad11
Pulse Link: https://otx.alienvault.com/pulse/69fa3aacdd4e111bac9bad11
Pulse Author: AlienVault
Created: 2026-05-05 18:45:00
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault
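The pulse above says the sideloaded DLL "decrypts and executes Remcos RAT using TEA encryption". The following is an added example, not code from the pulse or from the OpenClaw/"DeepSeek-Claw" loader it describes: a reference TEA decrypt that a reverse engineer would use to carve such a payload once the key is known, plus a cheap "did that decrypt to a PE?" check so a wrong key or a non-PE stage is obvious. Everything parameter-like here is an assumption for illustration: classic TEA (32 rounds, delta 0x9E3779B9), 128-bit key and 64-bit blocks read little-endian, block-by-block (ECB) mode, and a constructed sample key and ciphertext built from a minimal fake MZ/PE skeleton. A real loader's key, endianness, round count and mode have to be recovered from the DLL, and XTEA/XXTEA variants need a different round function.

```python
# Added example, not code from the OTX pulse or from the OpenClaw/"DeepSeek-Claw"
# loader it describes: a reference TEA decrypt for carving a payload the way the
# pulse says the sideloaded DLL does ("decrypts and executes Remcos RAT using TEA").
# Assumptions for illustration: classic TEA (32 rounds, delta 0x9E3779B9), 128-bit
# key and 64-bit blocks read little-endian, ECB (block-by-block) mode, and a sample
# key/ciphertext constructed below. A real loader's key, endianness, round count and
# mode must be recovered from the DLL; XTEA/XXTEA variants need a different round function.
import struct

DELTA = 0x9E3779B9
MASK32 = 0xFFFFFFFF


def _tea_decrypt_block(v0, v1, k, rounds=32):
    """Undo `rounds` Feistel rounds of TEA on one 64-bit block (two u32 halves)."""
    k0, k1, k2, k3 = k
    s = (DELTA * rounds) & MASK32
    for _ in range(rounds):
        v1 = (v1 - (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
        v0 = (v0 - (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        s = (s - DELTA) & MASK32
    return v0, v1


def _tea_encrypt_block(v0, v1, k, rounds=32):
    """Forward TEA; only used here to build the constructed sample ciphertext."""
    k0, k1, k2, k3 = k
    s = 0
    for _ in range(rounds):
        s = (s + DELTA) & MASK32
        v0 = (v0 + (((v1 << 4) + k0) ^ (v1 + s) ^ ((v1 >> 5) + k1))) & MASK32
        v1 = (v1 + (((v0 << 4) + k2) ^ (v0 + s) ^ ((v0 >> 5) + k3))) & MASK32
    return v0, v1


def _key_words(key: bytes):
    if len(key) != 16:
        raise ValueError("TEA needs a 128-bit key")
    return struct.unpack("<4I", key)


def _ecb(data: bytes, key: bytes, block_fn) -> bytes:
    if len(data) % 8:
        raise ValueError("data must be a multiple of the 8-byte block size")
    k = _key_words(key)
    out = bytearray()
    for off in range(0, len(data), 8):
        v0, v1 = struct.unpack_from("<2I", data, off)
        out += struct.pack("<2I", *block_fn(v0, v1, k))
    return bytes(out)


def tea_decrypt(data: bytes, key: bytes) -> bytes:
    return _ecb(data, key, _tea_decrypt_block)


def tea_encrypt(data: bytes, key: bytes) -> bytes:
    return _ecb(data, key, _tea_encrypt_block)


def looks_like_pe(blob: bytes) -> bool:
    """Sanity check after decryption: DOS 'MZ' stub whose e_lfanew points at 'PE\\0\\0'."""
    if len(blob) < 0x40 or blob[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", blob, 0x3C)[0]
    return blob[e_lfanew:e_lfanew + 4] == b"PE\0\0"


def build_fake_pe() -> bytes:
    """Constructed stand-in for the decrypted payload: a minimal MZ/PE skeleton, not a real binary."""
    hdr = bytearray(b"MZ" + b"\0" * 0x3E)        # 0x40-byte DOS header
    struct.pack_into("<I", hdr, 0x3C, 0x40)      # e_lfanew -> NT headers at 0x40
    blob = bytes(hdr) + b"PE\0\0" + b"constructed sample, not a real Remcos payload"
    return blob + b"\0" * (-len(blob) % 8)       # zero-pad to the TEA block size


SAMPLE_KEY = bytes(range(16))                    # constructed key, not the campaign's
SAMPLE_CIPHERTEXT = tea_encrypt(build_fake_pe(), SAMPLE_KEY)


def carve_payload(ciphertext: bytes, key: bytes):
    """Decrypt and return (plaintext, is_pe) so a wrong key or a non-PE stage is obvious."""
    plain = tea_decrypt(ciphertext, key)
    return plain, looks_like_pe(plain)


if __name__ == "__main__":
    plain, is_pe = carve_payload(SAMPLE_CIPHERTEXT, SAMPLE_KEY)
    print("PE header recovered:", is_pe, "| first bytes:", plain[:2])
```

When pointing this at a real blob, the first thing to check is the key schedule and word order: a loader that reads the key as four big-endian words, or that uses XTEA's round function, will produce garbage that never passes `looks_like_pe`, which is exactly the signal you want before spending time on a "decrypted" buffer.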
-
When your #malspam threat actor forgets to properly configure their #remcos ....ya "Juniorer" indeed 🤣
https://app.any.run/tasks/1ff77354-94ca-4d30-b6f7-a86aff32e1af
-
March 2026 Phishing Email Trends Report
In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.
Pulse ID: 69e8738326fb86b891dd3c1f
Pulse Link: https://otx.alienvault.com/pulse/69e8738326fb86b891dd3c1f
Pulse Author: AlienVault
Created: 2026-04-22 07:06:43
Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault
-
#xworm dropping #originlogger , and reusing #remcos c2:
https://app.any.run/tasks/9e32da84-ba55-4ac9-96f2-b7ff02d15d6b
-
2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html
I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at https://www.malware-traffic-analysis.net/2026/index.html
Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.
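The post above describes the VIP Recovery and Xworm chains as using "steganography through base64 text embedded in an image". The following is an added example, not code from the malware-traffic-analysis.net write-ups: a small triage helper that carves such base64 text out of an image file. It prefers loader-specific start/end markers when you know them and otherwise falls back to scanning for any long base64-looking run that decodes cleanly, then roughly labels the decoded stage as a PE image, readable text (a script) or other binary. The marker strings, the fake PNG bytes and the embedded script are all constructed for this example; a real sample's markers (if it uses any) and the format of its decoded stage must be taken from that sample.

```python
# Added example, not code from the malware-traffic-analysis.net write-ups above: a
# triage helper that carves base64 text hidden in an image file, the "steganography
# through base64 text embedded in an image" step the VIP Recovery and Xworm chains
# are described as using. The marker strings, the fake PNG bytes and the embedded
# script are all constructed for this example; a real sample's markers (if any) and
# the decoded stage's format must be taken from that sample.
import base64
import binascii
import re

# A run of 64+ base64 alphabet characters with optional padding. Short runs are
# skipped because ordinary image metadata easily produces a few dozen such chars.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def _decode_lenient(run: bytes):
    """Decode a base64 run, tolerating stripped or wrong padding; None if not base64."""
    core = run.rstrip(b"=")
    if len(core) % 4 == 1:          # no valid base64 string has this length; drop a stray char
        core = core[:-1]
    padded = core + b"=" * (-len(core) % 4)
    try:
        return base64.b64decode(padded, validate=True)
    except (binascii.Error, ValueError):
        return None


def extract_between_markers(data: bytes, start: bytes, end: bytes):
    """Return (offset, decoded) for every blob enclosed by loader-specific markers."""
    found, pos = [], 0
    while True:
        i = data.find(start, pos)
        if i < 0:
            return found
        j = data.find(end, i + len(start))
        if j < 0:
            return found
        blob = _decode_lenient(data[i + len(start):j].strip())
        if blob is not None:
            found.append((i + len(start), blob))
        pos = j + len(end)


def extract_base64_runs(data: bytes):
    """Marker-less fallback: every long base64-looking run in the file that decodes cleanly."""
    found = []
    for m in B64_RUN.finditer(data):
        blob = _decode_lenient(m.group(0))
        if blob is not None:
            found.append((m.start(), blob))
    return found


def find_payloads(data: bytes, markers=None):
    """Prefer explicit markers when known; otherwise scan the whole file."""
    if markers:
        hits = extract_between_markers(data, *markers)
        if hits:
            return hits
    return extract_base64_runs(data)


def classify(blob: bytes) -> str:
    """Rough label for the decoded stage: PE image, readable text (script), or other binary."""
    if blob[:2] == b"MZ":
        return "pe"
    try:
        text = blob.decode("utf-8")
    except UnicodeDecodeError:
        return "binary"
    return "text" if all(c.isprintable() or c in "\r\n\t" for c in text) else "binary"


# Constructed sample: a PNG signature, fake pixel data, an IEND chunk, then the
# base64-wrapped next stage appended after the end of the image.
SAMPLE_MARKERS = (b"<<BASE64_START>>", b"<<BASE64_END>>")
SAMPLE_SCRIPT = b"# constructed stand-in for the next-stage script, not the real one\nWrite-Host 'stage two'\n"
SAMPLE_IMAGE = (
    b"\x89PNG\r\n\x1a\n" + b"\x00\xff" * 40 + b"IEND\xaeB`\x82"
    + SAMPLE_MARKERS[0] + base64.b64encode(SAMPLE_SCRIPT) + SAMPLE_MARKERS[1]
)


if __name__ == "__main__":
    for offset, blob in find_payloads(SAMPLE_IMAGE, SAMPLE_MARKERS):
        print(f"offset {offset}: {classify(blob)} ({len(blob)} bytes)")
```

The image itself still renders, which is the point of the technique: the appended text lives after the IEND chunk (or inside a metadata chunk) and viewers ignore it. Running the marker-less scan over a whole download directory is a quick way to find other images from the same chain that carry a stage you have not seen yet.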
-
2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.
The #Remcos #RAT C2 server is at 192.144.56[.]80.
A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html
-
The russia-backed #Gamaredon group targets Ukraine once again in the ongoing campaign that employs DLL sideloading and exploits LNK files to spread #Remcos backdoor. Detect related #APT attacks with #Sigma rules from SOC Prime Platform.
https://socprime.com/blog/gamaredon-campaign-detection/?utm_source=x&utm_medium=social&utm_campaign=latest-threats&utm_content=blog-post
-
Gamaredon Campaign Detection: russia-backed APT Group Targets Ukraine Using LNK Files to Spread Remcos Backdoor – Source: socprime.com https://ciso2ciso.com/gamaredon-campaign-detection-russia-backed-apt-group-targets-ukraine-using-lnk-files-to-spread-remcos-backdoor-source-socprime-com/ #rssfeedpostgeneratorecho #CyberSecurityNews #Latestthreats #socprimecom #Gamaredon #Phishing #socprime #Remcos #Blog #APT
-
Gamaredon campaign abuses LNK files to distribute Remcos backdoor
#Gamaredon #Remcos
https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/
-
Crypters And Tools. One tool for thousands of malicious files
Hi Habr! This is the Positive Technologies threat intelligence team again. In November we wrote about the PhaseShifters hacker group that attacked Russian companies and government bodies, and promised to keep actively studying the attackers' infrastructure and the services they use. And, as luck would have it, some time after starting the search we managed to find an open directory with a copy of a subscription-based crypter, Crypters And Tools. Careful study allowed us to expand the cluster of activity linked to this CaaS, find new infrastructure nodes and understand how the crypter works. Expanding the cluster showed that the tool is in demand with several other groups, including our old acquaintances PhaseShifters, as well as TA558 and Blind Eagle. In this article we describe the crypter's internals and its infrastructure.
https://habr.com/ru/companies/pt/articles/892896/
#crypter #hacker_toolkit #malware #cyberattacks #latin_america #crypter_and_tools #caas #remcos #darkweb #vbs
-
Social media post I wrote about #RemcosRAT for my employer at https://www.linkedin.com/posts/unit42_remcos-rat-keylogger-activity-7304958245322768385-tu-a/ and https://x.com/malware_traffic/status/1899207006939947440
2025-03-10 (Monday): #Remcos #RAT activity. Email distribution used a zip archive attachment with a .7z file extension. During a test infection, we saw indicators of a #Keylogger and a Hacking tool to view browser passwords.
More info at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt
A #pcap of the infection traffic and the associated #malware files are available at https://malware-traffic-analysis.net/2025/03/10/index.html
-
Happy Friday everyone!
I don't know how I missed the beginning of this series by Elastic and their security researchers, but I did: I jumped straight into part three without realizing it. So I had to stop and backpedal. If you are like me, here is the first installment of their series on the #REMCOS #RAT. They take you through the process of analyzing it and provide #TTPs and behaviors. One that really sticks out is the #UACBypass and the COM objects that are involved.
To leave you empty-handed would be an insult to the researchers' work and to you as a threat hunter! So take this with you in the face of danger! It is a Cyborg Security Community Edition (free for you) Hunt Package designed to identify when COM objects that have a higher integrity level are abused and called for malicious purposes, in this case to bypass the user account control mechanism in Windows! Enjoy and Happy Hunting!
UAC Bypass Attempt via Elevated COM Abuse
https://hunter.cyborgsecurity.io/research/hunt-package/03036b01-dc04-4cd1-9388-bd62e1b0ff2d
Article Source:
https://www.elastic.co/security-labs/dissecting-remcos-rat-part-one
#CyberSecurity #ITSecurity #InfoSec #BlueTeam #ThreatIntel #ThreatHunting #ThreatDetection #HappyHunting #readoftheday #huntoftheday #getHunting
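The post above points at a hunt for "COM objects that have a higher integrity level" being abused to bypass UAC. The following is an added example, not the Cyborg Security hunt package or Elastic's own detection logic: a small detector in the spirit of that hunt, run over constructed Sysmon-style process-creation events. A UAC bypass through an auto-elevating COM object shows up in process telemetry as a high-integrity dllhost.exe COM surrogate (launched by the DcomLaunch svchost with `/Processid:{CLSID}`) that then spawns a new process on behalf of a medium-integrity caller. The CLSID list is an assumption: a starting set of two well-known auto-elevating objects (CMSTPLUA's ICMLuaUtil and the elevated IFileOperation), since neither post names which object Remcos uses. Event field names follow Sysmon Event ID 1; the paths, PIDs and the CLSID of the benign surrogate are invented for the example.

```python
# Added example, not the Cyborg Security hunt package or Elastic's own detection
# logic: a small detector in the spirit of the "UAC Bypass Attempt via Elevated COM
# Abuse" hunt, run over constructed Sysmon-style process-creation events. A UAC
# bypass through an auto-elevating COM object shows up as a high-integrity
# dllhost.exe COM surrogate (launched by the DcomLaunch svchost with
# /Processid:{CLSID}) that then spawns a new process on behalf of a medium-integrity
# caller. The CLSID list is a starting set of well-known auto-elevating objects
# (CMSTPLUA and the elevated IFileOperation); the page does not name which one
# Remcos uses, so treat the list as an assumption to extend from your own telemetry.
import re

ELEVATED_COM_CLSIDS = {
    "3E5FC7F9-9A51-4367-9063-A120244FBEC7": "CMSTPLUA (ICMLuaUtil::ShellExec)",
    "3AD05575-8857-4850-9277-11B85BDB8E09": "IFileOperation (elevated file copy/move)",
}
PROCESSID_RE = re.compile(r"/Processid:\{([0-9A-Fa-f-]{36})\}", re.IGNORECASE)


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def surrogate_clsid(image: str, cmdline: str):
    """CLSID hosted by a dllhost.exe surrogate if it is one we care about, else None."""
    if _basename(image) != "dllhost.exe":
        return None
    m = PROCESSID_RE.search(cmdline or "")
    if not m:
        return None
    clsid = m.group(1).upper()
    return clsid if clsid in ELEVATED_COM_CLSIDS else None


def detect_elevated_com_abuse(events):
    """
    Two tiers, both keyed on a surrogate hosting an auto-elevating CLSID:
      - 'surrogate_started': the surrogate itself appears at High integrity (context; noisy alone)
      - 'elevated_child':    the surrogate spawns a non-dllhost child at High integrity (the bypass firing)
    """
    alerts = []
    for ev in events:
        clsid = surrogate_clsid(ev["Image"], ev.get("CommandLine", ""))
        if clsid and ev.get("IntegrityLevel") == "High":
            alerts.append({"tier": "surrogate_started", "clsid": clsid,
                           "object": ELEVATED_COM_CLSIDS[clsid], "pid": ev["ProcessId"]})
        parent_clsid = surrogate_clsid(ev.get("ParentImage", ""), ev.get("ParentCommandLine", ""))
        if (parent_clsid and ev.get("IntegrityLevel") == "High"
                and _basename(ev["Image"]) != "dllhost.exe"):
            alerts.append({"tier": "elevated_child", "clsid": parent_clsid,
                           "object": ELEVATED_COM_CLSIDS[parent_clsid],
                           "child": ev["Image"], "child_cmdline": ev.get("CommandLine", ""),
                           "pid": ev["ProcessId"], "surrogate_pid": ev["ParentProcessId"]})
    return alerts


# Constructed events (Sysmon Event ID 1 field names). Paths, PIDs and the CLSID of
# the benign surrogate are invented for the example.
SAMPLE_EVENTS = [
    {"ProcessId": 4120, "ParentProcessId": 3008, "IntegrityLevel": "Medium",
     "Image": r"C:\Users\alice\AppData\Roaming\Stage\remcos.exe",
     "CommandLine": r'"C:\Users\alice\AppData\Roaming\Stage\remcos.exe"',
     "ParentImage": r"C:\Windows\explorer.exe", "ParentCommandLine": r"C:\Windows\Explorer.EXE"},
    {"ProcessId": 5212, "ParentProcessId": 904, "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
    {"ProcessId": 5300, "ParentProcessId": 5212, "IntegrityLevel": "High",
     "Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\alice\AppData\Roaming\Stage\remcos.exe"',
     "ParentImage": r"C:\Windows\System32\dllhost.exe",
     "ParentCommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{3E5FC7F9-9A51-4367-9063-A120244FBEC7}"},
    {"ProcessId": 5400, "ParentProcessId": 904, "IntegrityLevel": "Medium",
     "Image": r"C:\Windows\System32\dllhost.exe",
     "CommandLine": r"C:\Windows\system32\DllHost.exe /Processid:{11111111-2222-3333-4444-555555555555}",
     "ParentImage": r"C:\Windows\System32\svchost.exe",
     "ParentCommandLine": r"C:\Windows\system32\svchost.exe -k DcomLaunch -p"},
]


if __name__ == "__main__":
    for a in detect_elevated_com_abuse(SAMPLE_EVENTS):
        print(a)
```

The first tier fires on its own whenever Explorer legitimately uses the elevated IFileOperation object, so it is context rather than an alert; the second tier (a high-integrity child of the surrogate that is not itself dllhost.exe) is the part worth paging on, tuned by excluding the few children your environment expects. Correlating the caller is the natural next step: the medium-integrity process that requested the elevation moniker does not appear as the surrogate's parent, so pair this with the process that started shortly before the surrogate on the same desktop session.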
-
CW: Paywall. What cost of living crisis? Boardroom pay soars despite flatlining economy.
What cost of living crisis? Boardroom pay soars despite flatlining economy | The Independent
https://www.independent.co.uk/independentpremium/business/ceo-pay-cipd-high-pay-centre-investors-unions-non-executive-directors-remuneration-committees-b2397364.html#CostOfLivingCrisis
#CEOs
#BroadroomPay
#RemCos
#HighPayCentre
#ASHE
#TUC
#NEDs