
Remcos Banking Fraud via Three AutoIt Persistence Chains

Kirk
Tags: malware, remcos, autoit, incident-response, purehvnc, banking-fraud

Three parallel persistence chains survived every cleanup attempt. Each one impersonates a legitimate business application, installs itself in %LocalAppData% under a professional-sounding directory name, and registers a scheduled task that respawns the payload every few minutes. Two of them deliver Remcos v7.0.1 Pro configured to screenshot Canadian banking portals every five seconds. The third delivers PureHVNC.

This is the fourth post in the SERPENTINE#CLOUD breach analysis series, following PureLogs, PureCrypter, and Violet RAT. Where those posts covered the Python-based loader chain and its payloads, this one covers the AutoIt-based persistence layer that kept everything alive.

Tria.ge and VT refresh (2026-02-26)

We submitted the full Remcos and UrbanEco payload set to Tria.ge on 2026-02-26 and refreshed VirusTotal detections.


Three chains, three payloads

Chain        Directory                                 Scheduled task          .a3x script  Decoder function  Payload
EcoOptimize  %LocalAppData%\EcoOptimize Solutions\     Cancellation, Involved  r.a3x        MYERSCOMPLAINTS   Remcos x64 PE
WealthWise   %LocalAppData%\WealthWise Analytics Inc\  QuantifyPro             X.a3x        MOMSMEN           Remcos x64 PE
UrbanEco     %LocalAppData%\UrbanEco Innovations\      EcoMap                  Q.a3x        TUBECAREFUL       PureHVNC (.NET)

All three chains use the same interpreter binary: Singer.pif, a renamed copy of AutoIt3.exe.


The persistence mechanism: AutoIt BYOI

The technique is Bring Your Own Interpreter. Singer.pif is a legitimate, Authenticode-signed copy of AutoIt3.exe (3/76 on VirusTotal at refresh time). Because the interpreter itself is clean, antivirus has to detect the compiled script -- a .a3x file containing obfuscated control flow and encoded payloads.

Script obfuscation

Each .a3x script uses the same pattern: a decoder function with a unique name, control flow flattening through nested loops, and dash-separated decimal encoding for string constants. The decoder function name varies per chain -- MYERSCOMPLAINTS, MOMSMEN, TUBECAREFUL -- but the algorithm is identical. Each dash-separated token is converted to a character code and reassembled into a string.

Payload extraction pipeline

Singer.pif (AutoIt3.exe)
  → .a3x compiled script
    → Decoder function extracts hex string from $VARIABLE
      → RC4 decrypt (unique key per chain)
        → LZNT1 decompress
          → PE payload
            → Process hollowing into child process

The Remcos chains (EcoOptimize, WealthWise) hollow into TapiUnattend.exe -- a legitimate Windows binary in System32. The PureHVNC chain (UrbanEco) hollows into RegAsm.exe, a .NET Framework binary, because PureHVNC requires the CLR.
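As an added example (not code from the original post), here is a pure-Python re-implementation of the three decoding stages just described, covering both the dash-decimal string decoder and the hex -> RC4 -> LZNT1 -> PE pipeline, so an analyst can reproduce the extraction offline without AutoIt or ntdll. The RC4 key and the compressed blob are constructed placeholders; the real per-chain keys are not reproduced here.

```python
def decode_dash_string(s: str) -> str:
    # Stage 1: the .a3x decoder turns "77-90"-style tokens back into characters
    return "".join(chr(int(t)) for t in s.split("-") if t)

def rc4(key: bytes, data: bytes) -> bytes:
    # Stage 2: plain RC4; symmetric, so the same routine encrypts and decrypts
    s, j = list(range(256)), 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out, i, j = bytearray(), 0, 0
    for b in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(b ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)

def _lznt1_chunk(chunk: bytes) -> bytes:
    # One compressed chunk: a flag byte, then up to 8 literal-or-pointer tokens
    out, i = bytearray(), 0
    while i < len(chunk):
        flags, i = chunk[i], i + 1
        for bit in range(8):
            if i >= len(chunk):
                break
            if not (flags >> bit) & 1:        # literal byte
                out.append(chunk[i])
                i += 1
                continue
            token, i = int.from_bytes(chunk[i:i + 2], "little"), i + 2
            pos, len_mask, off_shift = len(out) - 1, 0xFFF, 12
            while pos >= 0x10:                # offset bits grow as output grows
                pos, len_mask, off_shift = pos >> 1, len_mask >> 1, off_shift - 1
            length, offset = (token & len_mask) + 3, (token >> off_shift) + 1
            for _ in range(length):           # byte-wise copy so overlap works
                out.append(out[-offset])
    return bytes(out)

def lznt1_decompress(data: bytes) -> bytes:
    # Stage 3: RtlDecompressBuffer(LZNT1) semantics in pure Python, no ntdll needed
    out, i = bytearray(), 0
    while i + 2 <= len(data):
        header = int.from_bytes(data[i:i + 2], "little")
        if header == 0:                       # end-of-stream marker
            break
        size, i = (header & 0xFFF) + 1, i + 2
        chunk = data[i:i + size]
        out += _lznt1_chunk(chunk) if header & 0x8000 else chunk
        i += size
    return bytes(out)

def extract_payload(hex_blob: str, rc4_key: bytes) -> bytes:
    # hex -> RC4 -> LZNT1; refuse anything that is not a PE so a wrong key is obvious
    pe = lznt1_decompress(rc4(rc4_key, bytes.fromhex(hex_blob)))
    if pe[:2] != b"MZ":
        raise ValueError("no MZ header after decryption: wrong key or not this pipeline")
    return pe

# Constructed sample, not taken from the real scripts: one LZNT1 chunk (header 0xB008)
# holding literals "MZ\x90\x00", a back-reference (offset 2, length 6) and literals "PE".
SAMPLE_COMPRESSED = b"\x08\xb0\x10MZ\x90\x00\x03\x10PE"
SAMPLE_KEY = b"placeholder-chain-key"         # the real per-chain keys are not reproduced
SAMPLE_HEX = rc4(SAMPLE_KEY, SAMPLE_COMPRESSED).hex()
```

On a real sample, pass extract_payload() the hex string recovered from the decoded $VARIABLE together with that chain's RC4 key; the MZ check turns a wrong key into an immediate error instead of a silently corrupt file.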

Scheduled task persistence

Each chain registers Windows scheduled tasks with benign-sounding names. EcoOptimize uses two tasks (Cancellation and Involved), both launching the chain through wscript.exe every 5 minutes. WealthWise uses QuantifyPro. Each task's action points back to the persistence directory where Singer.pif and the .a3x script sit, so the chain is restarted whenever it dies.

On one compromised machine, Defender detected QuantifyPro.bat (the WealthWise chain) 3,560 times across two days. Every ~69 seconds the scheduled task respawned the process, Defender killed it, and the task spawned it again. Defender couldn't remove the scheduled task itself.
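An added detection example, not from the original post: parse an exported Task Scheduler XML definition and flag the traits these three chains share (a script host as the action, a command line under %LocalAppData%, a .pif or .a3x artifact, a repetition interval of minutes). The sample task XML is constructed, since the post does not publish the tasks' exact command lines.

```python
import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "cmd.exe")
USER_ROOTS = ("%localappdata%", "\\appdata\\local\\", "%appdata%", "\\appdata\\roaming\\")

def interval_seconds(iso: str) -> int:
    # Task XML repetition intervals are ISO-8601 durations such as PT5M or PT1H30M
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", iso or "")
    if not m:
        return 0
    d, h, mi, s = (int(x) if x else 0 for x in m.groups())
    return d * 86400 + h * 3600 + mi * 60 + s

def task_findings(task_xml: str, max_interval: int = 600) -> list:
    # Reasons a task looks like a BYOI respawn loop; an empty list means nothing matched.
    # Export a task with `schtasks /query /tn <name> /xml`; the export is UTF-16, so read
    # it in binary mode and decode it before calling this.
    root = ET.fromstring(task_xml)
    reasons = []
    for ex in root.findall(".//t:Actions/t:Exec", NS):
        cmd = (ex.findtext("t:Command", "", NS) or "").strip().lower()
        args = (ex.findtext("t:Arguments", "", NS) or "").strip().lower()
        line = f"{cmd} {args}"
        if any(cmd.strip('"').endswith(h) for h in SCRIPT_HOSTS):
            reasons.append(f"script host launched by task: {cmd}")
        if any(r in line for r in USER_ROOTS):
            reasons.append("action path under a user-writable profile directory")
        if re.search(r"\.(pif|a3x)\b", line):
            reasons.append("renamed interpreter or compiled AutoIt script (.pif/.a3x)")
    for iv in root.findall(".//t:Triggers//t:Repetition/t:Interval", NS):
        secs = interval_seconds(iv.text)
        if 0 < secs <= max_interval:
            reasons.append(f"repeats every {secs}s")
    return reasons

# Constructed sample task (the post names the task and the interpreter, not the exact
# command line): wscript.exe launching a script from the EcoOptimize directory every 5 min.
SAMPLE_TASK = """<Task version="1.4" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers><TimeTrigger>
    <StartBoundary>2025-07-24T12:00:00</StartBoundary>
    <Repetition><Interval>PT5M</Interval></Repetition>
  </TimeTrigger></Triggers>
  <Actions Context="Author"><Exec>
    <Command>wscript.exe</Command>
    <Arguments>"C:\\Users\\victim\\AppData\\Local\\EcoOptimize Solutions\\launcher.vbs"</Arguments>
  </Exec></Actions>
</Task>"""
```

Run task_findings() over every exported task on a host; any task returning three or more reasons deserves the same treatment as the three directories listed above, because deleting the payload alone leaves the respawn loop in place.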


Remcos v7.0.1 Pro -- banking fraud configuration

The EcoOptimize Remcos config contains 58 fields extracted from an RC4 + LZNT1 encrypted SETTINGS resource. The RC4 key is embedded in the PE's resource section. After decryption and decompression, the config is 2,467 bytes.

C2 infrastructure

The EcoOptimize config lists nine C2 domains, all on port 4056 with mutual TLS.


Three base names (homoney1, homoney17, homoney177) spread across five DDNS and domain providers -- DuckDNS, Afraid.org FreeDNS (mooo.com, strangled.net, twilightparadox.com), and cheap gTLDs (.food, .click, .shop). This layout gives cross-provider fallback when domains are removed.

As of 2026-02-26, the three DuckDNS entries still resolve to 91.219.238.167 (ServerAstra, Budapest HU), the three FreeDNS entries resolve to 127.0.0.2 sinkholes, and the three paid TLD entries are NXDOMAIN.

Mutual TLS with ECC P-256

Both the client certificate and server certificate are embedded in the config. Both are self-signed ECC P-256 with ECDSA-SHA256 signatures, valid from 1970-01-01 to 2090-12-31 -- the epoch-to-far-future range that Remcos generates by default. The client's private key is also embedded, meaning anyone who extracts the config can impersonate the bot to the C2 server.

Item                    Value (SHA-256 fingerprint; raw d scalar for the private key)
Client cert             dd492c49a69c45f21c47d41c87d6656d1b8c270e7f493affd728e03afb4c5a4b
Server cert             48d2265b561fb58e4864f9c3eee263eb6fcb858c53f2c630ac0d9c0ab1c7b410
Client private key (d)  91b4f6454440320d8fcfb08c721ef3925c39742ba3953dfbe376e0d382b4e60c

The banking keyword list

Remcos can trigger targeted screenshots when a window title matches a keyword. The EcoOptimize config has this enabled with 62 keywords and a 5-second capture interval. When the victim opens a banking portal, Remcos starts screenshotting every 5 seconds until the window closes.

Canadian banks (9 keywords): royal, rbc, bmo, scotia, Desjardins, cibc, EasyWeb, tdbank, td

US banks (3): wellsfargo, truist, chase

Payment processors (15): paytrace, shopify, square, visa, master, amex, globalgateway, firstdata, nuvei, merchant, american express, paypal, Venmo, Google Pay, bitpay

Crypto wallets (17): vanguard, fidelity, atomic, ledger, crypto, wallet, ledger live, password phrase, exodus, atomic wallet, exodus wallet, meta, meta mask, trust, trust wallet, blockchain

Payment form fields (11): cvv, csc, pin, security code, cvc, Expiration date, payment method, payment option, card number, security question, security phrase

General financial (7): quickbook, adp, intuit, bank, credit union, credit, debit

The list is heavily weighted toward Canadian banks. Every major one is covered by name. EasyWeb is TD Bank's online banking portal -- targeting the portal name rather than just the bank name catches the actual session.

Screenshots and keylogger

Screenshots land in %PROGRAMFILES%\Spotify\ as JPEG files named wnd_YYYYMMDD_HHMMSS.jpg. The keylogger writes to spotify.dat inside %APPDATA%\ledger spotify\. The keylogger runs in mode 1 -- all windows, not just targeted ones -- with no file size limit and no encryption. Everything is disguised as Spotify data.

We recovered 402 banking screenshots from the Spotify/ folder on one of the compromised workstations. They are not HVNC captures -- they are Remcos targeted screenshots triggered by the 62-keyword filter, captured every 5 seconds while the victim browsed banking portals.

Config summary

Field               Value
Version             Remcos v7.0.1 Pro
Campaign ID         With SC
Mutex               Rmc-i8364b-6EJSJD
HWID                32E72218F60ECBCC34247ED29838BD98
Install filename    remcos.exe
Install directory   Remcos in %APPDATA% (hidden)
Keylog file         spotify.dat in %APPDATA%\ledger spotify\
Keylog mode         1 (all windows)
Screenshot folder   Spotify in %PROGRAMFILES%
Screenshot trigger  62 keywords, 5-second interval
Audio folder        MicRecords in %LOCALAPPDATA%
Persistence         HKCU + HKLM Run keys

Config evolution -- same operator, refined targeting

WealthWise delivers a second Remcos build. Field-by-field comparison: 54 of 58 config fields are byte-identical between EcoOptimize and WealthWise. Four fields differ.

The four differences

Field     EcoOptimize                       WealthWise
C2 list   9 servers, port 4056              10 servers, port 4057
Mutex     Rmc-i8364b-6EJSJD                 Rmc-i8364b-9TU31H
Keywords  62                                50
HWID      32E72218F60ECBCC34247ED29838BD98  4CB274427DD8A8917007E4F7ADA6E41E

Everything else is identical: campaign ID (With SC), install filename (remcos.exe), keylog file (spotify.dat), screenshot folder (Spotify), keylogger root directory (ledger spotify), audio folder (MicRecords), all boolean flags, all directory assignments. Same operator, same Remcos builder template, incremented for a second deployment.

Identical TLS certificates

The strongest same-operator evidence: both configs embed the same client certificate, the same server certificate, and the same ECC private key. The SHA-256 fingerprints match byte-for-byte:

  • Client cert: dd492c49...afb4c5a4b (identical)
  • Server cert: 48d2265b...ab1c7b410 (identical)
  • Private key d-value: 91b4f645...82b4e60c (identical)

These certificates were generated once in the Remcos builder and reused across both configs. Sharing the private key means both Remcos instances authenticate to the same C2 infrastructure with the same identity.

C2 expansion

WealthWise increments the port from 4056 to 4057, keeps all 9 original domains, and adds one new domain: yrem472hd.duckdns.org. This is the only domain that breaks the homoney naming pattern. The random-style name suggests the operator was testing a second naming convention.

Keyword reduction: 62 to 50

WealthWise drops 12 keywords. The removals fall into two categories:

Crypto wallet brands removed (10): exodus, atomic wallet, exodus wallet, meta, meta mask, trust, trust wallet, blockchain, bitpay, and a duplicate atomic entry.

TD Bank keywords removed (2): tdbank, td.

Generic crypto terms (crypto, wallet, ledger) survived. The specific wallet app names (Exodus, MetaMask, Trust Wallet, Atomic Wallet) were cut. And while tdbank and td were removed, EasyWeb -- TD's online banking portal -- was retained. The operator still targets TD customers. They just stopped matching on the bank name and kept only the portal name.

The keyword changes show a narrower target set: specific wallet app names were removed, and bank matching shifted toward portal names rather than brand names. The result is a move from broad crypto-plus-banking monitoring to focused banking fraud.


UrbanEco -- PureHVNC, not Remcos

The third AutoIt chain doesn't deliver Remcos. It delivers PureHVNC through five layers of nesting:

Singer.pif (AutoIt3.exe)
  → Q (.a3x, TUBECAREFUL decoder)
    → RC4 + LZNT1 → Oktszoqyrp.exe (.NET AES crypter, 331 KB)
      → AES-256-CBC + GZip → Efjzzebatj.dll (PureHVNC, 790 KB)
        → Assembly.Load + reflective invoke

The first two layers match the Remcos chains: AutoIt interpreter loads the compiled script, the script decodes and RC4-decrypts the hex payload, LZNT1 (Windows native compression) decompresses it. But instead of a Remcos PE, the output is a 32-bit .NET assembly -- Oktszoqyrp.exe, an AES crypter.

Cracking the .NET crypter

IL disassembly of Oktszoqyrp.exe revealed two base64-encoded values loaded via ldstr:

Parameter    Base64                                        Hex
AES-256 key  O+vTjfNxTAUtnLSPyNd5zRPnPCLOizfCh+Wp5q2/hSI=  3bebd38df3714c052d9cb48fc8d779cd13e73c22ce8b37c287e5a9e6adbf8522
AES IV       4oEV6Xwpx/PtkgUSmaymbA==                      e28115e97c29c7f3ed92051299aca66c

The crypter decrypts an embedded blob with AES-256-CBC, strips a 4-byte size prefix, GZip-decompresses the result, and calls Assembly.Load() to reflectively load the inner assembly. The inner assembly is invoked via InvokeMember("WriteIsolatedWriter") on the type Efjzzebatj.IO.StaticWriter.

PureHVNC -- not Remcos

The inner payload is Efjzzebatj.dll, a 790 KB .NET assembly. The namespace is PureHVNC_Lib with subnamespaces for UserManagement, ContextManagement, Processing, Structures, Providers, Networking, and Messaging. This is PureHVNC -- the hidden VNC client from the PureCoder MaaS ecosystem.

Config extraction via Mono reflection (load the assembly, call TestFunction() to initialize, read ActiveProvider fields):

Field         Value
Family        PureHVNC
Assembly      Efjzzebatj.dll
Size          790,016 bytes
Compiled      2025-07-24 12:15:39 UTC
Campaign      JULY 24
Mutex         3ddc38f1ccff
Install path  %APPDATA%
Port          6757/tcp
TLS cert CN   Zwfweayg

The config lists 9 C2 domains, all built on the nhvncpure name.


Infrastructure convergence

These 9 nhvncpure domains, port 6757, and TLS certificate CN Zwfweayg are not new. They are the exact same C2 configuration we extracted from the PureLogs inner RAT (Qdjlj.dll) via protobuf config key 1690109058. Same 9 domains. Same port. Same TLS certificate. Same mutex format.

Component                  Delivery chain       C2 domains     Port  TLS CN
PureLogs (Qdjlj.dll)       Python/Donut loader  9x nhvncpure*  6757  Zwfweayg
PureHVNC (Efjzzebatj.dll)  AutoIt/UrbanEco      9x nhvncpure*  6757  Zwfweayg

Two different PureCoder tools -- an information stealer and a hidden VNC client -- sharing the same C2 infrastructure, delivered through two completely independent loader chains. The Python-based Donut chain delivers PureLogs. The AutoIt-based BYOI chain delivers PureHVNC. Both phone home to the same 9 domains on the same port with the same TLS certificate.

The setup gives the operator redundancy. If the Python chain is removed, the AutoIt chain survives. If the AutoIt persistence is removed, the Python chain can redeploy. The nhvncpure infrastructure backs both paths -- one C2 backend for the PureCoder toolkit.

The three AutoIt chains together give the operator:

  1. EcoOptimize -- Remcos banking screenshots (port 4056, homoney C2)
  2. WealthWise -- Remcos banking screenshots (port 4057, homoney C2)
  3. UrbanEco -- PureHVNC hands-on-keyboard access (port 6757, nhvncpure C2)

Two for passive surveillance, one for active control -- all three surviving reboots through scheduled tasks that AV can't kill.


Indicators of compromise

Remcos C2 domains (homoney)


As of 2026-02-26, homoney177.duckdns.org, homoney17.duckdns.org, and homoney1.duckdns.org still resolve to 91.219.238.167. The three FreeDNS domains resolve to 127.0.0.2 sinkholes and .food/.click/.shop are NXDOMAIN.

PureHVNC C2 domains (nhvncpure)


As of 2026-02-26, the non-DuckDNS nhvncpure entries (.click, .shop, .sbs, twilightparadox.com, strangled.net, mooo.com) have expired or been removed and no longer resolve.

TLS certificate fingerprints (SHA-256)

Certificate         Fingerprint                                                       Context
Remcos client cert  dd492c49a69c45f21c47d41c87d6656d1b8c270e7f493affd728e03afb4c5a4b  ECC P-256, both Remcos configs
Remcos server cert  48d2265b561fb58e4864f9c3eee263eb6fcb858c53f2c630ac0d9c0ab1c7b410  ECC P-256, both Remcos configs
PureHVNC TLS cert   CN=Zwfweayg                                                       RSA-4096, SHA512withRSA

Mutexes

Mutex              Context
Rmc-i8364b-6EJSJD  EcoOptimize Remcos
Rmc-i8364b-9TU31H  WealthWise Remcos
3ddc38f1ccff       UrbanEco PureHVNC

File system artifacts

Path                                      Context
%LocalAppData%\EcoOptimize Solutions\     EcoOptimize persistence directory
%LocalAppData%\WealthWise Analytics Inc\  WealthWise persistence directory
%LocalAppData%\UrbanEco Innovations\      UrbanEco persistence directory
%APPDATA%\Remcos\                         Remcos install directory (hidden)
%APPDATA%\ledger spotify\spotify.dat      Keylog file
%PROGRAMFILES%\Spotify\                   Banking screenshot folder
%LOCALAPPDATA%\MicRecords\                Audio recording folder

Scheduled tasks

Cancellation, Involved (EcoOptimize), QuantifyPro (WealthWise), EcoMap (UrbanEco)


The persistence backbone

The AutoIt chains are the persistence backbone of this campaign. The Python-based loader chain delivers the payloads. The AutoIt chains keep them alive. Every other component -- PureLogs, PureCrypter, Violet RAT -- can be redeployed through these three scheduled tasks.

The config diffing proves single-operator control. Two Remcos builds with 54/58 identical fields, identical TLS certificates including the private key, and a mutex naming pattern (Rmc-i8364b-*) that changes only the random suffix. The keyword evolution from 62 to 50 shows active refinement -- the operator watching what works and trimming what doesn't.

The UrbanEco discovery closes the infrastructure loop. PureHVNC delivered through AutoIt shares exact C2 configuration with PureLogs delivered through Python. Two independent delivery mechanisms, two different PureCoder tools, one backend.
