#Remcos

Commercial Remote Access Tool widely abused in mass phishing campaigns


IOCs by window

Window   IOCs tagged #Remcos
Today    0
Week     6
Month    36
Year     1,328

Counts as of 2026-07-03. Regenerated daily.

About #Remcos

  • Type: commercial Remote Access Tool (Remote Control and Surveillance) sold by Breaking Security. It is marketed for legitimate remote administration, but cracked and pirated builds dominate in the wild and feature heavily in financially-motivated phishing campaigns.
  • Abuse pattern: delivered as a second stage from invoice, shipping, DHL and banking phishing emails. Common loaders are Office macro documents, ISO / IMG attachments and AutoIt-compiled droppers. Latin American, European and English-speaking SMB targets predominate.
  • Detection signals: default configuration strings (RemcosClient, watchdog), TCP C2 on non-standard ports (typically 2404 / 2700 / 8080), AutoIt loader signatures, and registry persistence under SOFTWARE\Remcos. Treat the port list as a hint rather than a rule: the operator sets the C2 port in the builder, so match on the listed hosts and IPs first and use the port only to raise confidence.
  • References: MITRE ATT&CK S0332 · Malpedia.

Recent IOCs tagged #Remcos

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/remcos.

Date           Type    Value                                                             Source
Jul 02, 09:19  domain  blue-paper-f69f.acrypters.workers.dev                             @skocherhan
Jul 02, 09:19  url     http://blue-paper-f69f.acrypters.workers.dev                      @skocherhan
Jul 02, 09:19  domain  guhudeolokghguhumandeylikebroemdfhhfhsjj.duckdns.org              @skocherhan
Jul 02, 09:19  url     http://guhudeolokghguhumandeylikebroemdfhhfhsjj.duckdns.org       @skocherhan
Jul 02, 09:19  url     http://103.83.87.107                                              @skocherhan
Jul 02, 09:19  ip      103.83.87.107                                                     @skocherhan
Jun 25, 13:13  sha256  6ee59d04e7cdebd187d2dc4a8360a132462ee6648359470b51cd5715cc2b...   @bomccss
Jun 20, 08:51  domain  aumri.ae                                                          @skocherhan
Jun 20, 08:51  url     http://aumri.ae                                                   @skocherhan
Jun 20, 08:51  domain  dentalux202.ydns.eu                                               @skocherhan
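The following is an added example of how a defender would actually use this feed together with the detection signals listed above; it is not TweetFeed's own code. It assumes the JSON API returns records with the fields date, user, type, value, tags and tweet (an assumption; check the live output), reduces url records to their host so they also match DNS and flow telemetry, refangs defanged values, and then runs the resulting sets over constructed DNS, proxy and flow log lines in a hypothetical key=value format. Subdomains of a listed host match, parents of a listed host do not, and a connection to a listed IP on one of the ports named above is rated higher than one on any other port.

```python
"""Consume TweetFeed-style #Remcos IOCs and match them against network logs.

Added example for this page, not TweetFeed's code. Feed records and log lines
are constructed; the feed field names are an assumption about the API shape.
"""
import ipaddress
import json
import re
from urllib.parse import urlsplit

# Ports this page lists as common Remcos C2 listeners. Used only to raise
# severity: the operator chooses the port, so a miss here proves nothing.
REMCOS_C2_PORTS = {2404, 2700, 8080}

# Constructed feed records in the assumed TweetFeed JSON shape; values mirror
# the table on this page. One value is defanged to exercise refang().
SAMPLE_FEED = json.dumps([
    {"date": "2026-07-02 09:19:00", "user": "skocherhan", "type": "domain",
     "value": "blue-paper-f69f.acrypters.workers.dev", "tags": ["#Remcos"], "tweet": ""},
    {"date": "2026-07-02 09:19:00", "user": "skocherhan", "type": "url",
     "value": "http://guhudeolokghguhumandeylikebroemdfhhfhsjj.duckdns.org",
     "tags": ["#Remcos"], "tweet": ""},
    {"date": "2026-07-02 09:19:00", "user": "skocherhan", "type": "url",
     "value": "hxxp://103[.]83[.]87[.]107", "tags": ["#Remcos"], "tweet": ""},
    {"date": "2026-06-20 08:51:00", "user": "skocherhan", "type": "domain",
     "value": "dentalux202.ydns.eu", "tags": ["#Remcos"], "tweet": ""},
    {"date": "2026-06-21 10:00:00", "user": "other", "type": "domain",
     "value": "example.net", "tags": ["#AgentTesla"], "tweet": ""},  # other family: ignored
])

def refang(value):
    """Undo the usual defanging so feed values compare against real logs."""
    return value.replace("[.]", ".").replace("hxxp", "http").strip().lower()

def is_ip(text):
    try:
        ipaddress.ip_address(text)
        return True
    except ValueError:
        return False

def load_iocs(feed_json, tag="#remcos"):
    """Build {'domain': set, 'ip': set} from records carrying `tag`.
    URL records are reduced to their host so DNS and flow logs can match too."""
    iocs = {"domain": set(), "ip": set()}
    for rec in json.loads(feed_json):
        if tag not in (t.lower() for t in rec.get("tags", [])):
            continue
        kind, value = rec["type"], refang(rec["value"])
        if kind == "url":
            value = urlsplit(value).hostname or ""
            kind = "ip" if is_ip(value) else "domain"
        if kind in iocs and value:
            iocs[kind].add(value)
    return iocs

def domain_hit(name, domains):
    """Exact or subdomain match: cdn.bad.example hits when bad.example is
    listed, but the parent of a listed host never hits on its own."""
    labels = name.lower().rstrip(".").split(".")
    for i in range(len(labels) - 1):
        candidate = ".".join(labels[i:])
        if candidate in domains:
            return candidate
    return None

# Hypothetical log format: "<ts> <dns|proxy|flow> key=value ...".
LINE_RE = re.compile(r"(?P<ts>\S+)\s+(?P<kind>dns|proxy|flow)\s+(?P<fields>.*)")

def match_logs(lines, iocs):
    """Return one hit per log line whose queried host / destination is listed."""
    hits = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unknown format: skip rather than guess
        f = dict(kv.split("=", 1) for kv in m["fields"].split())
        kind, hit, client, sev = m["kind"], None, None, "high"
        if kind == "dns":
            client, hit = f["client"], domain_hit(f["query"], iocs["domain"])
        elif kind == "proxy":
            host = (urlsplit(f["url"]).hostname or "").lower()
            client = f["client"]
            hit = host if host in iocs["ip"] else domain_hit(host, iocs["domain"])
        elif kind == "flow" and f["dst"] in iocs["ip"]:
            client, hit = f["src"], f"{f['dst']}:{f['dport']}"
            # listed IP on an unlisted port still deserves a look, just lower
            sev = "high" if int(f["dport"]) in REMCOS_C2_PORTS else "medium"
        if hit:
            hits.append({"ts": m["ts"], "client": client, "source": kind,
                         "indicator": hit, "severity": sev})
    return hits

# Constructed telemetry: three true positives, one lower-confidence flow,
# one subdomain match, one benign query and one parent-domain non-match.
SAMPLE_LOGS = [
    "2026-07-02T09:30:01Z dns client=10.0.0.15 query=dentalux202.ydns.eu. type=A",
    "2026-07-02T09:30:05Z dns client=10.0.0.22 query=www.example.com type=A",
    "2026-07-02T09:31:10Z proxy client=10.0.0.15 url=http://blue-paper-f69f.acrypters.workers.dev/x.bin status=200",
    "2026-07-02T09:32:44Z flow src=10.0.0.15 dst=103.83.87.107 dport=2404 proto=tcp",
    "2026-07-02T09:33:02Z flow src=10.0.0.31 dst=103.83.87.107 dport=443 proto=tcp",
    "2026-07-02T09:34:00Z dns client=10.0.0.40 query=cdn.dentalux202.ydns.eu type=A",
    "2026-07-02T09:35:00Z dns client=10.0.0.41 query=ydns.eu type=A",
]

def run():
    return match_logs(SAMPLE_LOGS, load_iocs(SAMPLE_FEED))

if __name__ == "__main__":
    for h in run():
        print(h)
```

To use it against the live data, replace SAMPLE_FEED with the body fetched from the api.tweetfeed.live path given above and point match_logs at your own log reader; the parent-domain rule matters for dynamic-DNS providers such as duckdns.org and ydns.eu, where blocking the parent would take out thousands of unrelated hosts.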

Frequently asked questions

What is Remcos?

Remcos (Remote Control and Surveillance) is a commercial Remote Access Tool sold by Breaking Security. It is marketed for legitimate remote-administration use but pirated and cracked builds are widely abused in financially-motivated phishing campaigns. MITRE ATT&CK tracks it as S0332. Capabilities include keylogging, screen capture, file management, microphone and webcam access.

How is Remcos delivered in real campaigns?

Most commonly as a second stage from phishing emails - invoice, shipping, DHL or banking lures. The first-stage loader is typically a malicious Office macro, an ISO / IMG container or an AutoIt-compiled dropper. Latin American, European and English-speaking SMB users are the most frequently targeted demographics in current campaigns.

How is this list updated?

The underlying feed updates every 15 minutes: the TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result as CSV, JSON and RSS, so a newly posted Remcos IOC appears in the JSON feed on the next 15-minute tick. This page itself (the counts and the table above) is regenerated once a day by a GitHub Action, so it can lag the feed by up to 24 hours.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Remcos subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Remcos IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).