
Remcos

Also known as: RemcosRAT, Remvio, Socmer

Remcos (Remote Control & Surveillance) is a commercial RAT sold by Breaking Security, a company run by Italian developer Francesco Viotto. It's been marketed as "legitimate" remote administration software since 2016, priced from EUR 58 to EUR 389 per license. Breaking Security also sells a cryptor, keylogger, and mass mailer -- effectively a botnet-in-a-box toolkit. No law enforcement action has been taken against the company, and Remcos remains commercially available.

The RAT has roughly 87 C2 commands covering remote shell, screen and webcam capture, microphone recording, keylogging, credential harvesting from browsers and Windows Credential Manager, file management, SOCKS proxy, and DLL loading. The C2 protocol uses a custom binary format with magic bytes 0xFF 0x04 0x24, RC4-encrypted configuration stored in a PE resource named SETTINGS, and optional TLS v1.3 wrapping. Wire traffic uses AES-128 from version 3.0.0 onward. The default C2 port is 2404/TCP, and operators rarely change it.
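Config extraction from the SETTINGS resource, as an added example (not code from this page or from any of the vendor write-ups it lists): it assumes the resource layout described in public analyses (one key-length byte, the RC4 key, then the RC4-encrypted configuration) and a field delimiter of `|\x1e\x1e\x1f|`, and runs on a blob constructed inline. Function names such as `decrypt_settings` and `c2_hosts` are the example's own.

```python
# Added example, not code from the page or its sources. ASSUMED layout (from
# public write-ups; verify on a real sample): byte 0 = RC4 key length, then the
# key, then the RC4-encrypted config; fields are split on FIELD_DELIM.
FIELD_DELIM = b"|\x1e\x1e\x1f|"

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). Symmetric: the same call encrypts and decrypts."""
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def decrypt_settings(blob: bytes) -> bytes:
    """Split a SETTINGS blob into key and ciphertext; return the plaintext config."""
    if not blob:
        raise ValueError("empty SETTINGS resource")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("key length byte does not fit the resource")
    return rc4(blob[1:1 + key_len], blob[1 + key_len:])

def parse_config(plaintext: bytes) -> list:
    """Split the decrypted config into fields; odd bytes are escaped, not dropped."""
    return [f.decode("utf-8", "backslashreplace") for f in plaintext.split(FIELD_DELIM)]

def c2_hosts(blob: bytes) -> list:
    """Return the host:port entries from the first field (';'-separated here)."""
    first = parse_config(decrypt_settings(blob))[0]
    return [entry for entry in first.split(";") if entry]

# Constructed sample blob (not from a real sample): two DuckDNS-style C2 entries
# on the default 2404/TCP port, followed by three filler fields.
SAMPLE_KEY = b"example-rc4-key"
SAMPLE_PLAINTEXT = FIELD_DELIM.join(
    [b"c2-example.duckdns.org:2404;c2-example2.duckdns.org:2404", b"Host", b"1", b"x"])
SAMPLE_BLOB = bytes([len(SAMPLE_KEY)]) + SAMPLE_KEY + rc4(SAMPLE_KEY, SAMPLE_PLAINTEXT)

if __name__ == "__main__":
    print(c2_hosts(SAMPLE_BLOB))
```

To run it against a real binary, read the SETTINGS resource bytes out of the PE (for example with pefile) and pass them to `decrypt_settings`; the delimiter and key layout should be confirmed against the sample first.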

Operators commonly use free dynamic DNS services like DuckDNS and ddns.net, often registering numbered fallback domains under the same subdomain pattern. C2 infrastructure tends to sit on low-cost VPS providers rather than mainstream cloud platforms.

Delivery typically starts with phishing emails carrying Office exploits (CVE-2017-0199, CVE-2017-11882 -- both still actively exploited), VHD files, or LNK files in archives. Loaders like DonutLoader, GuLoader, and HijackLoader are common intermediate stages. Recent campaigns use fileless PowerShell shellcode loaders and MSBuild.exe as a living-off-the-land binary.

Remcos is used by commodity operators and tracked threat actors alike, including UAC-0050 (targeting Ukrainian government, assessed as initial access broker for Russian APTs), Gamaredon (FSB-affiliated, Ukraine targeting since late 2024), Blind Eagle/APT-C-36 (Latin American espionage), and Gorgon Group (Pakistan-linked).

Linked Threat Actors

UAC-0050
Gamaredon
Blind Eagle
Gorgon Group
APT33

C2 Infrastructure

Hosting/VPS: 91%
ISP/Residential: 6%
Unknown: 3%
Education: 1%

Last 7 days

Apr 14, 2026
C2 Hosts: 44
Apr 13, 2026
C2 Hosts: 42
Apr 12, 2026
C2 Hosts: 14
Apr 11, 2026
C2 Hosts: 29
Apr 10, 2026
C2 Hosts: 29
Apr 9, 2026
C2 Hosts: 57
Apr 8, 2026
C2 Hosts: 35

Further Reading

Dissecting Remcos RAT (Part 1 of 4)

Elastic's four-part deep dive covering all 87 C2 commands, config extraction, protocol internals, recording capabilities, and detection. The single best Remcos resource.

elastic.co

Picking Apart Remcos Botnet-In-A-Box

Cisco Talos exposes the developer (Viotto), the full Breaking Security product ecosystem, and HackForums origins. Includes a C2 decoder script.

blog.talosintelligence.com

New Campaign Uses Remcos RAT to Exploit Victims

FortiGuard's analysis of Remcos v7.0.4 Pro (January 2026). Full chain from RTF exploit through process hollowing, plus anti-analysis techniques.

fortinet.com

Remcos RAT: Network Artifacts, C2 Command Analysis

Best resource for C2 protocol internals. Documents packet magic bytes, command ID structure, TLS handshake, geoplugin beacon, and registration flow.

aryaka.com

Fileless Execution: PowerShell Shellcode Loader Executes Remcos RAT

Documents the "K-Loader" fileless technique. Covers AMSI/ETW bypass mechanics, PEB walking for API resolution, and in-memory execution via VirtualAlloc.

blog.qualys.com

Gamaredon Campaign Abuses LNK Files to Distribute Remcos

Talos documents Gamaredon's shift from custom tooling to Remcos for Ukraine targeting. Covers geo-fenced C2, LNK metadata attribution, and DLL sideloading.

blog.talosintelligence.com

SHADOW#REACTOR: Text-Only Staging and In-Memory Remcos Deployment

January 2026 campaign using text-only staging (base64 fragments in .txt files), .NET Reactor protection, and MSBuild.exe as a living-off-the-land binary.

securonix.com

Cascading Shadows: An Attack Chain Approach to Avoid Detection

Unit 42's analysis of multi-stage delivery: JSE to PowerShell to AutoIt executables to process hollowing into RegAsm.exe.

unit42.paloaltonetworks.com

The Latest Remcos RAT Driven by Phishing Campaign

Detailed CVE-2017-0199 exploitation chain: Excel OLE to HTA to PowerShell to fileless Remcos. Good for understanding the multi-stage loader architecture.

fortinet.com

MITRE ATT&CK: Remcos S0332

Canonical technique-to-procedure mapping with references to source reports.

attack.mitre.org