#remcos

Commercial Remote Access Tool widely abused in mass phishing campaigns


IOCs by window (count of IOCs tagged #remcos)

Window Count
Today 0
Week 9
Month 15
Year 2,121

Counts as of 2026-04-29. Regenerated daily.

About #remcos

  • Type: commercial Remote Access Tool (Remote Control and Surveillance) sold by Breaking Security. Marketed for legitimate remote administration, but pirated and cracked builds dominate in the wild and feature heavily in financially motivated phishing campaigns.
  • Abuse pattern: delivered as a second stage from invoice / shipping / DHL phishing emails. Common loaders are Office macro documents, ISO / IMG attachments and AutoIt-compiled droppers. Latin American, European and English-speaking SMB targets predominate.
  • Detection signals: default configuration strings (RemcosClient, watchdog), TCP C2 on non-standard ports (typically 2404 / 2700 / 8080), AutoIt loader signatures, and registry persistence under SOFTWARE\Remcos.
  • References: MITRE ATT&CK S0332 · Malpedia.

Recent IOCs tagged #remcos

Latest 10 IOCs from the past 30 days. Live JSON: api.tweetfeed.live/v1/month/remcos.

Date Type Value Source
Apr 28, 13:53 url http://66.179.248.120/img/ @James_inthe_box
Apr 28, 13:53 url http://23.95.62.25:7070 @James_inthe_box
Apr 28, 13:53 ip 66.179.248.120 @James_inthe_box
Apr 28, 13:53 ip 23.95.62.25 @James_inthe_box
Apr 24, 13:11 ip 23.95.117.252 @skocherhan
Apr 24, 13:11 ip 78.111.67.231 @skocherhan
Apr 24, 13:11 ip 107.175.148.103 @skocherhan
Apr 24, 13:11 ip 172.245.95.36 @skocherhan
Apr 24, 13:11 ip 204.10.160.226 @skocherhan
Apr 10, 11:47 ip 31.57.216.128 @skocherhan

Frequently asked questions

What is Remcos?

Remcos (Remote Control and Surveillance) is a commercial Remote Access Tool sold by Breaking Security. It is marketed for legitimate remote-administration use, but pirated and cracked builds are widely abused in financially motivated phishing campaigns. MITRE ATT&CK tracks it as S0332. Capabilities include keylogging, screen capture, file management, and microphone and webcam access.

How is Remcos delivered in real campaigns?

Most commonly as a second stage from phishing emails using invoice, shipping, DHL or banking lures. The first-stage loader is typically a malicious Office macro, an ISO / IMG container or an AutoIt-compiled dropper. Latin American, European and English-speaking SMB users are the most frequently targeted demographics in current campaigns.

How is this list updated?

Every 15 minutes. The TweetFeed pipeline scrapes RSS feeds from public Twitter/X security researcher accounts and lists, extracts IOCs, tags them with the relevant malware family or threat actor, and republishes the result in CSV, JSON and RSS. Remcos-tagged IOCs are surfaced on this page within the next 15-minute tick. The page itself is regenerated daily by a GitHub Action.

What is the license? Can I use this commercially?

All TweetFeed IOC data, including this Remcos subset, is released under CC0 1.0 Universal (Public Domain Dedication). No attribution required, no warranty. Commercial use is allowed. The TweetFeed website code and branding are not covered by CC0.

License

Remcos IOC data: CC0 1.0 Public Domain. No attribution required, no warranty. Source code for the pipeline: github.com/0xDanielLopez/TweetFeed (MIT).