#remcos-rat — Public Fediverse posts
Live and recent posts from across the Fediverse tagged #remcos-rat, aggregated by home.social.
-
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
Pulse ID: 69fc18195fe7d237ecac39b2
Pulse Link: https://otx.alienvault.com/pulse/69fc18195fe7d237ecac39b2
Pulse Author: Tr1sa111
Created: 2026-05-07 04:42:01Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#CyberSecurity #InfoSec #OTX #OpenThreatExchange #RAT #Remcos #RemcosRAT #bot #Tr1sa111
-
Malicious OpenClaw Skill Distributes Remcos RAT and GhostLoader
In March 2026, threat actors weaponized the OpenClaw AI agent framework by publishing a deceptive "DeepSeek-Claw" skill. This skill embedded malicious installation instructions designed to trick AI agents and developers into executing hidden payloads. On Windows systems, a PowerShell command downloads an MSI package containing a legitimate signed GoToMeeting executable that sideloads a malicious DLL. This loader patches ETW and AMSI for evasion, then decrypts and executes Remcos RAT using TEA encryption, enabling remote access and data theft including keylogging and cookie stealing. An alternate execution path for macOS and Linux delivers GhostLoader through obfuscated Node.js scripts, harvesting credentials via fake sudo prompts and exfiltrating SSH keys, cryptocurrency wallets, and cloud API tokens. This campaign represents an emerging threat vector exploiting autonomous AI workflows and developer trust in open-source frameworks.
Pulse ID: 69fa3aacdd4e111bac9bad11
Pulse Link: https://otx.alienvault.com/pulse/69fa3aacdd4e111bac9bad11
Pulse Author: AlienVault
Created: 2026-05-05 18:45:00Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Cloud #CyberSecurity #DataTheft #Encryption #InfoSec #Linux #Mac #MacOS #Nodejs #OTX #OpenThreatExchange #PowerShell #RAT #RCE #Remcos #RemcosRAT #Rust #SSH #Windows #bot #cryptocurrency #developers #AlienVault
-
March 2026 Phishing Email Trends Report
In March 2026, trojans represented 21% of attachment-based threats, while phishing attacks using fake pages dropped from 42% to 15% month-over-month. Script-based malware increased significantly, with HTML at 14% and JavaScript at 11%. Compressed files including ZIP (14%), RAR (8%), and 7Z (5%) were common distribution methods. Document-based threats utilized PDF (13%), XLS (5%), and DOCX (2%) files. Attackers impersonated courier services like FedEx and DHL, as well as financial institutions including Hana Bank and Woori Bank. Distribution methods included HTML scripts and PDF hyperlinks leading to credential-stealing pages. Notable malware families included RemcosRAT and AgentTesla, with command-and-control infrastructure utilizing Telegram API tokens and external mail servers for data exfiltration.
Pulse ID: 69e8738326fb86b891dd3c1f
Pulse Link: https://otx.alienvault.com/pulse/69e8738326fb86b891dd3c1f
Pulse Author: AlienVault
Created: 2026-04-22 07:06:43Be advised, this data is unverified and should be considered preliminary. Always do further verification.
#Bank #CyberSecurity #Email #HTML #InfoSec #Java #JavaScript #Malware #OTX #OpenThreatExchange #PDF #Phishing #RAT #Remcos #RemcosRAT #Telegram #Tesla #Trojan #ZIP #bot #AlienVault
-
SmartApeSG campaign pushes Remcos RAT, NetSupport RAT, StealC, and Sectop RAT (ArechClient2)
#SmartApeSG #RemcosRAT #Stealc #SecTopRAT
https://isc.sans.edu/diary/32826 -
New XWorm 7.1 and Remcos RAT campaigns are abusing trusted #Windows utilities and memory-based execution to evade detection, giving attackers remote access to infected systems. The campaign also exploits a #WinRAR vulnerability to gain initial access.
Read: https://hackread.com/xworm-7-1-remcos-rat-windows-tools-evade-detection/
-
SmartApeSG campaign uses ClickFix page to push Remcos RAT
#SmartApeSG #RemcosRAT
https://isc.sans.edu/diary/32796 -
2026-01-22 (Thursday): #RemcosRAT infection persistent on an infected Windows host. This was caused by #ClickFix instructions from #SmartApeSG through a fake CAPTCHA page. Details of this #Remcos #RAT infection are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html
I've also added three other blog entries from infections I generated in my lab on Tuesday, 2026-01-20. Those can be found at https://www.malware-traffic-analysis.net/2026/index.html
Those three other entries cover #LummaStealer, #VIPRecovery, and #Xworm. The VIP Recovery and Xworm infections followed the same chain of events, which includes #steganography through base64 text embedded in an image.
-
SHADOW#REACTOR – Text-Only Staging, .NET Reactor, and In-Memory Remcos RAT Deployment
#RemcosRAT
https://www.securonix.com/blog/shadowreactor-text-only-staging-net-reactor-and-in-memory-remcos-rat-deployment/ -
Watch out as a new email attack uses fake employee reports to deliver Guloader and Remcos RAT malware, tricking users into running dangerous files disguised as performance reviews.
Read: https://hackread.com/fake-employee-reports-guloader-remcos-rat-malware/
-
2026-01-06 (Tuesday): #SmartApeSG CAPTCHA page uses #ClickFix technique to push #RemcosRAT.
The #Remcos #RAT C2 server is at 192.144.56[.]80.
A #pcap of the traffic, the Remcos RAT #malware, and a list of indicators are available at https://www.malware-traffic-analysis.net/2026/01/06/index.html
-
New malware campaign uses #Windows shortcut files to deliver the #REMCOS backdoor, giving attackers full control over victims' systems.
🔗 https://hackread.com/attack-windows-shortcut-files-install-remcos-backdoor/
-
New Phishing Campaign Uses DBatLoader to Drop Remcos RAT: What Analysts Need to Know – Source:hackread.com https://ciso2ciso.com/new-phishing-campaign-uses-dbatloader-to-drop-remcos-rat-what-analysts-need-to-know-sourcehackread-com/ #1CyberSecurityNewsPost #CyberSecurityNews #cybersecurity #CyberAttack #0CISO2CISO #DBatLoader #RemcosRAT #Hackread #Phishing #security #malware #RAT
-
Fileless Remcos RAT Attack Evades Antivirus Using PowerShell Scripts https://hackread.com/fileless-remcos-rat-attack-antivirus-powershell-scripts/ #Cybersecurity #CyberAttack #PowerShell #RemcosRAT #Security #Malware #TROJAN
-
⚠️ Watch out for ZIP and shortcut files on #Windows as attackers are using fake PDF icons to trick users into installing #Remcos trojan and take over computers.
Read: https://hackread.com/fileless-remcos-rat-attack-antivirus-powershell-scripts/
-
Russia-linked Gamaredon targets Ukraine with Remcos RAT – Source: securityaffairs.com https://ciso2ciso.com/russia-linked-gamaredon-targets-ukraine-with-remcos-rat-source-securityaffairs-com/ #rssfeedpostgeneratorecho #informationsecuritynews #ITInformationSecurity #SecurityAffairscom #CyberSecurityNews #PierluigiPaganini #SecurityAffairs #SecurityAffairs #BreakingNews #Cyberwarfare #SecurityNews #hackingnews #Cybercrime #Gamaredon #RemcosRAT #hacking #Malware #ukraine #Russia
-
Malspam Monday is when I check the inboxes of my honey pot accounts for anything interesting distributed through email.
Today, I found an example of #GuLoader for #Remcos #RAT
Details at https://github.com/malware-traffic/indicators/blob/main/2025-03-24-GuLoader-for-Remcos-RAT.txt
-
Social media post I wrote about #RemcosRAT for my employer at https://www.linkedin.com/posts/unit42_remcos-rat-keylogger-activity-7304958245322768385-tu-a/ and https://x.com/malware_traffic/status/1899207006939947440
2025-03-10 (Monday): #Remcos #RAT activity. Email distribution used a zip archive attachment with a .7z file extension. During a test infection, we saw indicators of a #Keylogger and a Hacking tool to view browser passwords.
More info at https://github.com/PaloAltoNetworks/Unit42-timely-threat-intel/blob/main/2025-03-10-IOCs-for-Remcos-RAT-activity.txt
A #pcap of the infection traffic and the associated #malware files are available at https://malware-traffic-analysis.net/2025/03/10/index.html
-
Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT https://cybersecuritynews.com/beware-weaponized-excel-fileless-remcos-rat/ #CybersecurityThreats #FilelessMalware #CyberSecurity #Vulnerability #RemcosRAT #Malware
-
Beware Of Weaponized Excel Document That Delivers Fileless Remcos RAT https://gbhackers.com/weaponized-excel-fileless-remcos-rat/ #CVE/vulnerability #CyberSecurityNews #PhishingAttack #CVE20170199 #RemcosRAT #Phishing
-
South Korean Researchers Observe Remcos RAT Distributed Through Fake Shipping Lures https://thecyberexpress.com/remcos-rat-malicious-uuencoding-uue-shipping/ #TheCyberExpressNews #CybersecurityNews #RemcosRATmalware #TheCyberExpress #FirewallDaily #cybersecurity #Cyberattack #UUEncoding #RemcosRAT #malware #AhnLab #UUE
-
Remcos RAT Distributed As UUEncoding (UUE) File To Steal Logins https://gbhackers.com/remcos-rat-uuencoding-theft/ #CyberSecurityNews #PhishingAttack #EmailSecurity #cybersecurity #RemcosRAT #Phishing #Malware
-
🚩 Active #RemcosRAT campaign is distributed via GitHub through abuse of comments in legitimate repositories.
Some malicious links:
- https://github[.]com/ustaxes/UsTaxes/files/15421286/2022and2023TaxDocuments[.]zip
- https://github[.]com/ustaxes/UsTaxes/files/15419438/2023TaxDocuments[.]zip
- https://github[.]com/PolicyEngine/policyengine-us/files/15487603/2023.TAX.ORGANIZER.pdf[.]zip
- https://github[.]com/hmrc/claim-tax-refund/files/15487332/TaxrefundlistPDF[.]zipThey also got creative and registered the user "user-attachments" on GitHub 😄
- https://github[.]com/user-attachments/files/15592343/Rachel.Completed.Organizer.Season.TAX.2023[.]zipRemcos C2 servers:
- pattreon.duckdns[.]org:7035
- deytrycooldown.duckdns[.]org:7070
- newlink.duckdns[.]org:5111
* Botnet: RemoteHost -
The Computer Emergency Response Team of Ukraine (CERT-UA) reports that the threat actor group UAC-0184 is increasingly using popular messengers and social engineering in 2024 to target the Ukrainian military, and steal documents/messenger data (e.g. Signal). Malware delivered include IDAT, RemcosRAT, VIOTTOKEYLOGGER, XWorm, SIGTOP and TUSC. A lot of IOC provided, and images depict infection chains or lure messages. 🔗 (Ukrainian language) https://cert.gov.ua/article/6278521
#CERTUA #UAC0184 #Ukraine #cyberespionage #threatintel #IOC #RemcosRAT #IDAT #xworm
-
Fortinet reports on a recent phishing campaign containing Scalable Vector Graphics (SVG) files. The malicious attachment downloads a ZIP file and begins the infection chain. ScrubCrypt, described as an "antivirus evasion tool", is used to load the final payload VenomRAT while maintaining a connection with the C2 server to install plugins like XWorm, NanoCore, RemcosRAT and a crypto wallet stealer. They provides detailed insights into how the threat actor distributes VenomRAT and other plugins. IOC listed. 🔗 https://www.fortinet.com/blog/threat-research/scrubcrypt-deploys-venomrat-with-arsenal-of-plugins
#ScrubCrypt #VenomRAT #RemcosRAT #XWorm #NanoCore #threatintel #IOC
-
ESET Research reports that AceCryptor use surged in the second half of 2023. This included Remcos RAT campaigns for the first time, using compromised accounts for credibility in phishing emails. AceCryptor + Remcos campaigns targeted Poland, Bulgaria, Spain, and Serbia. Campaigns were described, MITRE ATT&CK TTPs and IOC provided. 🔗 https://www.welivesecurity.com/en/eset-research/rescoms-rides-waves-acecryptor-spam/
#AceCryptor #threatintel #IOC #Remcos #RemcosRAT #VidarStealer #Stopransomware #SmokeLoader
-
The attackers’ goal was to covertly install Remcos RAT malware on organizations’ employees’ computers with the ability to further compromise and obtain valuable data.