home.social

#remcos — Public Fediverse posts

Live and recent posts from across the Fediverse tagged #remcos, aggregated by home.social.

  1. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    Pulse ID: 69fc18195fe7d237ecac39b2
    Pulse Link: otx.alienvault.com/pulse/69fc1
    Pulse Author: Tr1sa111
    Created: 2026-05-07 04:42:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111

  2. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    Pulse ID: 69fc18195fe7d237ecac39b2
    Pulse Link: otx.alienvault.com/pulse/69fc1
    Pulse Author: Tr1sa111
    Created: 2026-05-07 04:42:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111

  3. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    Pulse ID: 69fc18195fe7d237ecac39b2
    Pulse Link: otx.alienvault.com/pulse/69fc1
    Pulse Author: Tr1sa111
    Created: 2026-05-07 04:42:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111

  4. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    Pulse ID: 69fc18195fe7d237ecac39b2
    Pulse Link: otx.alienvault.com/pulse/69fc1
    Pulse Author: Tr1sa111
    Created: 2026-05-07 04:42:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111

  5. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    Pulse ID: 69fc18195fe7d237ecac39b2
    Pulse Link: otx.alienvault.com/pulse/69fc1
    Pulse Author: Tr1sa111
    Created: 2026-05-07 04:42:01

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111

  6. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

    Pulse ID: 69fa3aacdd4e111bac9bad11
    Pulse Link: otx.alienvault.com/pulse/69fa3
    Pulse Author: AlienVault
    Created: 2026-05-05 18:45:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

  7. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

    Pulse ID: 69fa3aacdd4e111bac9bad11
    Pulse Link: otx.alienvault.com/pulse/69fa3
    Pulse Author: AlienVault
    Created: 2026-05-05 18:45:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

  8. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

    Pulse ID: 69fa3aacdd4e111bac9bad11
    Pulse Link: otx.alienvault.com/pulse/69fa3
    Pulse Author: AlienVault
    Created: 2026-05-05 18:45:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

  9. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

    Pulse ID: 69fa3aacdd4e111bac9bad11
    Pulse Link: otx.alienvault.com/pulse/69fa3
    Pulse Author: AlienVault
    Created: 2026-05-05 18:45:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

  10. Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader

    In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.

    Pulse ID: 69fa3aacdd4e111bac9bad11
    Pulse Link: otx.alienvault.com/pulse/69fa3
    Pulse Author: AlienVault
    Created: 2026-05-05 18:45:00

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault

  11. #reverseloader payloads at:

    http://66.179.248\.120/img/

    #remcos c2: 23.95.62\.25:7070

  12. March 2026 Phishing Email Trends Report

    In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

    Pulse ID: 69e8738326fb86b891dd3c1f
    Pulse Link: otx.alienvault.com/pulse/69e87
    Pulse Author: AlienVault
    Created: 2026-04-22 07:06:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault

  13. March 2026 Phishing Email Trends Report

    In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

    Pulse ID: 69e8738326fb86b891dd3c1f
    Pulse Link: otx.alienvault.com/pulse/69e87
    Pulse Author: AlienVault
    Created: 2026-04-22 07:06:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault

  14. March 2026 Phishing Email Trends Report

    In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

    Pulse ID: 69e8738326fb86b891dd3c1f
    Pulse Link: otx.alienvault.com/pulse/69e87
    Pulse Author: AlienVault
    Created: 2026-04-22 07:06:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault

  15. March 2026 Phishing Email Trends Report

    In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

    Pulse ID: 69e8738326fb86b891dd3c1f
    Pulse Link: otx.alienvault.com/pulse/69e87
    Pulse Author: AlienVault
    Created: 2026-04-22 07:06:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault

  16. March 2026 Phishing Email Trends Report

    In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.

    Pulse ID: 69e8738326fb86b891dd3c1f
    Pulse Link: otx.alienvault.com/pulse/69e87
    Pulse Author: AlienVault
    Created: 2026-04-22 07:06:43

    Be advised, this data is unverified and should be considered preliminary. Always do further verification.

    #Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault

  17. A hilariously broken #remcos #rat at:

    https://refaccionesalma\.com\.mx/cor/ENCRYPTED.ps1

    app.any.run/tasks/3ab78a39-ee4

    dumps aspnet_compiler.exe as remcos.exe 😅 Actual exe is fe2dcfff84a13a6ef8835a51a70d8d7b77e98635fbb2524f4fc03b5cb5f9a62a, c2 mrekuro.hopto\.org:5675

  18. 2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

    I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

    Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

  19. 2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

    I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

    Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

  20. 2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

    I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

    Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

  21. 2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

    I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

    Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

  22. 2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at malware-traffic-analysis.net/2

    I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at malware-traffic-analysis.net/2

    Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.

  23. 2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.

    The #Remcos #RAT C2 server is at 192.144.56[.]80.

    A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at malware-traffic-analysis.net/2

  24. 2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.

    The #Remcos #RAT C2 server is at 192.144.56[.]80.

    A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at malware-traffic-analysis.net/2

  25. 2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.

    The #Remcos #RAT C2 server is at 192.144.56[.]80.

    A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at malware-traffic-analysis.net/2

  26. 2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.

    The #Remcos #RAT C2 server is at 192.144.56[.]80.

    A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at malware-traffic-analysis.net/2

  27. 2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.

    The #Remcos #RAT C2 server is at 192.144.56[.]80.

    A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at malware-traffic-analysis.net/2

  28. Some #remcos in here, c2 179.43.176.6 5eaafdddb567070ed2cca9349b837063d6720e2ddb74f0c8609809059d91d005