MITRE ATT&CK® Tool

S0332: Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

Domain: Enterprise | ID: S0332 | Type: Tool | Object version: 1.4
Glexia's Take

Analyst context for executives and security teams

Analyst confidence: Medium

Remcos matters because it is a Windows remote control and surveillance tool that ATT&CK records as having been used in malware campaigns. For leaders, the risk is not the brand name; it is the set of behaviors ATT&CK associates with the tool: remote command execution, host and user discovery, keylogging and other collection (screen, clipboard, microphone, and webcam), file transfer, Registry modification and Run-key persistence, proxying through the infected host, and evidence removal.

Executive priority

Treat Remcos coverage as a practical test of Windows endpoint visibility and incident response readiness. Security leaders should ask whether the organization can identify unauthorized remote-control tooling, reconstruct command execution and Registry changes, detect collection activity such as keylogging or screen capture, and preserve enough endpoint and network evidence when file deletion or obfuscation is present. The object is also relevant for threat intelligence prioritization because ATT&CK links it to three groups and one campaign (Gamaredon Group, APT-C-36, Gorgon Group, and Operation Spalax), but local exposure should be determined from internal telemetry rather than assumed.

Technical view

ATT&CK does not provide a dedicated detection section for Remcos, so SOC and detection teams should validate coverage through the related behaviors: Windows command shell, Visual Basic, Python, and JavaScript execution; process injection; Registry query and modification, including Run-key persistence; user, process, window, system, location, file, and directory discovery; sandbox checks for Sandboxie and VMware; keylogging and screen, clipboard, audio, and video capture; ingress tool transfer and archiving for upload; SOCKS5 proxy use, TLS-encrypted C2, and dynamic DNS; obfuscation or encoded files; file deletion; and other indicator removal. Because the tool is described as closed-source remote control and surveillance software, detection should focus on unauthorized behavior chains on Windows rather than a single static indicator.

Likely telemetry

  • Windows endpoint process creation and command-line telemetry
  • Script execution telemetry for Windows command shell, Visual Basic, Python, and JavaScript/JScript where available
  • Registry query and modification events
  • Endpoint alerts or behavioral events for process injection
  • File creation, modification, transfer, and deletion events

Detection direction

  • Prioritize behavior-chain detection: execution plus discovery plus registry change plus network connection is more decision-useful than a standalone tool name match.
  • Tune detections for legitimate administrative and remote support tools to reduce false positives while preserving alerts for unauthorized surveillance behaviors such as keylogging and screen capture.
  • Validate that file deletion and obfuscation do not erase the only evidence needed for triage; ensure endpoint and centralized logs retain process, file, registry, and network context.
  • Use the ATT&CK relationships to test analytics mapped to T1010, T1012, T1027, T1027.013, T1033, T1055, T1056.001, T1057, T1059.003, T1059.005, T1059.006, T1059.007, T1070, T1070.004, T1082, T1083, T1090, T1105, T1112, and T1113, and extend the same test to the remaining rows of the relationship table: T1547.001 (Run-key persistence), T1548.002 (UAC bypass), T1115, T1123, and T1125 (clipboard, audio, and video capture), T1497.001 (Sandboxie and VMware checks), T1566.001 and T1204.002 (spearphishing attachment delivery), T1568 and T1573.002 (dynamic DNS and TLS C2), T1560.001 (archiving for upload), T1564 and T1564.003 (hidden file attributes and hidden windows), T1543.003, T1529, T1614, T1491.001, and T1132.001.
  • Review threat intelligence matches cautiously: the supplied ATT&CK data supports historical association with several groups and one campaign, but does not by itself prove current targeting or attribution in a local incident.
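The behavior-chain idea above (execution plus discovery plus Registry change plus network connection, not a tool-name match) is easier to evaluate in code than in prose. The block below is an added example, not code from the ATT&CK object, from Glexia, or from any product: it tags constructed Windows endpoint events with the technique IDs from this page and alerts only when a host shows every required category inside a window. The event shapes, host names, paths, the dynamic-DNS suffix list, and the 30-minute window are assumptions made for the example, not real telemetry or a vendor schema.

```python
"""Behavior-chain correlation over constructed Windows endpoint events.

Added example, not code from the ATT&CK object, from Glexia, or from any
product. Event shapes, host names, paths, the dynamic-DNS suffix list and the
30-minute window are constructed assumptions for illustration only.
"""
from collections import defaultdict
from datetime import datetime, timedelta

# Per-event technique tags keyed on the image name from process-creation
# telemetry (Sysmon event 1 / Security 4688 style fields).
EXEC_IMAGES = {"cmd.exe": "T1059.003", "python.exe": "T1059.006"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}          # VBS or JScript host
DISCOVERY_IMAGES = {"tasklist.exe": "T1057", "whoami.exe": "T1033",
                    "systeminfo.exe": "T1082"}
RUN_KEY = r"\software\microsoft\windows\currentversion\run"
DYNDNS_SUFFIXES = (".duckdns.org", ".no-ip.org")      # constructed list

# Every one of these categories must appear on a host inside the window.
REQUIRED = {"execution", "discovery", "registry", "network"}


def tag_event(ev):
    """Return (category, technique_id) for one event, or None if it is not
    part of the chain. 'outbound' marks a connection with no dynamic-DNS
    marker; it still counts toward the network category."""
    kind = ev["kind"]
    if kind == "process_create":
        image = ev["image"].rsplit("\\", 1)[-1].lower()
        cmdline = ev.get("cmdline", "").lower()
        if image in EXEC_IMAGES:
            return "execution", EXEC_IMAGES[image]
        if image in SCRIPT_HOSTS:
            return "execution", "T1059.005" if ".vbs" in cmdline else "T1059.007"
        if image in DISCOVERY_IMAGES:
            return "discovery", DISCOVERY_IMAGES[image]
    elif kind == "registry_set":
        key = ev["key"].lower()
        if key.endswith(RUN_KEY):
            return "registry", "T1547.001"
        if key.startswith(("hkcu\\", "hklm\\")):
            return "registry", "T1112"
    elif kind == "network_connect":
        if ev.get("dest_host", "").lower().endswith(DYNDNS_SUFFIXES):
            return "network", "T1568"
        return "network", "outbound"
    elif kind == "file_delete":
        return "cleanup", "T1070.004"
    return None


def correlate(events, window=timedelta(minutes=30)):
    """Group tagged events per host; alert on a host when all REQUIRED
    categories occur within `window` of some tagged event. Returns
    {host: sorted technique ids seen in the alerting window}."""
    per_host = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["time"]):
        tag = tag_event(ev)
        if tag:
            per_host[ev["host"]].append((ev["time"], tag[0], tag[1]))
    alerts = {}
    for host, tagged in per_host.items():
        for i, (start, _, _) in enumerate(tagged):
            in_window = [t for t in tagged[i:] if t[0] - start <= window]
            if REQUIRED <= {cat for _, cat, _ in in_window}:
                alerts[host] = sorted({tid for _, _, tid in in_window})
                break
    return alerts


T0 = datetime(2025, 1, 15, 9, 0, 0)
SAMPLE_EVENTS = [  # constructed sample telemetry, not from any real host
    # WS01: script host -> shell -> discovery -> Run key -> dynamic DNS -> cleanup
    {"host": "WS01", "time": T0, "kind": "process_create",
     "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe C:\Users\u\AppData\Local\Temp\invoice.vbs"},
    {"host": "WS01", "time": T0 + timedelta(seconds=5), "kind": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe /c whoami"},
    {"host": "WS01", "time": T0 + timedelta(seconds=6), "kind": "process_create",
     "image": r"C:\Windows\System32\whoami.exe", "cmdline": "whoami"},
    {"host": "WS01", "time": T0 + timedelta(seconds=20), "kind": "registry_set",
     "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run", "value": "Updater"},
    {"host": "WS01", "time": T0 + timedelta(seconds=30), "kind": "network_connect",
     "dest_host": "svc-update.duckdns.org", "dest_port": 443},
    {"host": "WS01", "time": T0 + timedelta(minutes=2), "kind": "file_delete",
     "path": r"C:\Users\u\AppData\Local\Temp\invoice.vbs"},
    # ADMIN02: an administrator running a shell and tasklist; no chain, no alert
    {"host": "ADMIN02", "time": T0, "kind": "process_create",
     "image": r"C:\Windows\System32\cmd.exe", "cmdline": "cmd.exe"},
    {"host": "ADMIN02", "time": T0 + timedelta(seconds=3), "kind": "process_create",
     "image": r"C:\Windows\System32\tasklist.exe", "cmdline": "tasklist"},
]

if __name__ == "__main__":
    for host, techniques in correlate(SAMPLE_EVENTS).items():
        print(f"ALERT {host}: chain covers {', '.join(techniques)}")
```

The point of the ADMIN02 host is the false-positive side of the bullet list: a shell plus a discovery command is normal administration and stays silent, while WS01 alerts because the Run-key write and the outbound connection to a dynamic-DNS name complete the chain. In a real pipeline the tag rules would be replaced by the organization's own image allow-lists and the window tuned to the telemetry's latency.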

Mitigation priorities

  • Establish and enforce policy for approved remote administration and surveillance-capable software on Windows systems.
  • Harden Windows endpoints against unauthorized script execution, command shell abuse, registry modification, and process injection where business operations allow.
  • Ensure endpoint protection, EDR, and logging controls cover discovery, credential collection, screen capture, file transfer, and cleanup behaviors.
  • Limit user privileges and administrative access so registry modification, persistence-related changes, and surveillance functions require stronger authorization.
  • Prepare IR playbooks for suspected remote access tool activity, including host isolation criteria, credential review, log preservation, and threat intelligence validation.

Analyst notes and limits

The most useful defensive takeaway is that Remcos should be assessed as a remote access and surveillance behavior cluster on Windows. ATT&CK links the tool to malware campaigns, to three groups, and to one campaign, but the supplied object has no aliases, labels, or official detection guidance. Detection engineering should therefore be mapped from the related techniques rather than from a single Remcos signature.

This take uses only the supplied ATT&CK object fields, external references, and relationships. The object lists Windows as the platform and does not specify tactics directly. Some related techniques have broader platform metadata, but that should not be interpreted as Remcos platform support beyond the supplied Windows platform. No claim is made about active exploitation, current targeting, customer exposure, or guaranteed detection.

Official MITRE ATT&CK definition

Remcos

Remcos is a closed-source tool that is marketed as a remote control and surveillance software by a company called Breaking Security. Remcos has been observed being used in malware campaigns.[1][2]

View the same entry on attack.mitre.org (MITRE-hosted reference; in-page links above use the Glexia ATT&CK library.)

Glexia analysis

How security teams should use this page

Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.

ATT&CK relationship table

Techniques used

This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.

38 rows
Domain | ID | Name | Relationship / procedure

Enterprise | T1491.001 | Internal Defacement (sub-technique)
Remcos has the ability to modify the desktop wallpaper. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1547.001 | Registry Run Keys / Startup Folder (sub-technique)
Remcos can add itself to the Registry key HKCU\Software\Microsoft\Windows\CurrentVersion\Run for persistence. (Citation: Fortinet Remcos Feb 2017)

Enterprise | T1082 | System Information Discovery
Remcos can collect the OS version and process architecture of compromised hosts. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1115 | Clipboard Data
Remcos steals and modifies data from the clipboard. (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1055 | Process Injection
Remcos has a command to hide itself by injecting into another process. (Citation: Fortinet Remcos Feb 2017)

Enterprise | T1566.001 | Spearphishing Attachment (sub-technique)
Remcos has been spread through emails containing malicious documents. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1059.006 | Python (sub-technique)
Remcos uses Python scripts. (Citation: Riskiq Remcos Jan 2018)

Enterprise | T1090 | Proxy
Remcos uses the infected hosts as SOCKS5 proxies to allow for tunneling and proxying. (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1112 | Modify Registry
Remcos has full control of the Registry, including the ability to modify it. (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1573.002 | Asymmetric Cryptography (sub-technique)
Remcos can use TLS to encrypt C2 communication. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1027 | Obfuscated Files or Information
Remcos uses RC4 and base64 to obfuscate data, including Registry entries and file paths. (Citation: Talos Remcos Aug 2018) Remcos can also employ control flow flattening to hinder analysis. (Citation: Check Point Blind Eagle MAR 2025)

Enterprise | T1543.003 | Windows Service (sub-technique)
Remcos can terminate, suspend, and resume a process by PID. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1497.001 | System Checks (sub-technique)
Remcos searches for Sandboxie and VMware on the system. (Citation: Talos Remcos Aug 2018)

Enterprise | T1059.003 | Windows Command Shell (sub-technique)
Remcos can launch a remote command line to execute commands on the victim’s machine. (Citation: Fortinet Remcos Feb 2017)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1027.013 | Encrypted/Encoded File (sub-technique)
Remcos can use string encryption to hinder analysis. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1548.002 | Bypass User Account Control (sub-technique)
Remcos has a command for UAC bypassing. (Citation: Fortinet Remcos Feb 2017)

Enterprise | T1113 | Screen Capture
Remcos takes automated screenshots of the infected machine. (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1560.001 | Archive via Utility (sub-technique)
Remcos can zip files and folders for upload. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1070 | Indicator Removal
Remcos can clean saved cookies and logins from the web browser. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1564.003 | Hidden Window (sub-technique)
Remcos can set `ProcessWindowStyle.Hidden` to hide windows. (Citation: Check Point Blind Eagle MAR 2025)

Enterprise | T1105 | Ingress Tool Transfer
Remcos can upload and download files to and from the victim’s machine. (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1059.005 | Visual Basic (sub-technique)
Remcos can execute VBS remotely. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1204.002 | Malicious File (sub-technique)
Remcos has been executed by luring victims into opening malicious email attachments including Excel files. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1568 | Dynamic Resolution
Remcos has used dynamic DNS domains in C2 communications. (Citation: Check Point Blind Eagle MAR 2025)

Enterprise | T1056.001 | Keylogging (sub-technique)
Remcos has a command for keylogging. (Citation: Fortinet Remcos Feb 2017)(Citation: Talos Remcos Aug 2018)

Enterprise | T1125 | Video Capture
Remcos can access a system’s webcam and take pictures. (Citation: Fortinet Remcos Feb 2017)

Enterprise | T1012 | Query Registry
Remcos can obtain Registry data from targeted systems. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1564 | Hide Artifacts
Remcos can modify file attributes to hide the file. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1083 | File and Directory Discovery
Remcos can search for files on the infected machine. (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1123 | Audio Capture
Remcos can capture data from the system’s microphone. (Citation: Fortinet Remcos Feb 2017)(Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1070.004 | File Deletion (sub-technique)
Remcos can delete files and folders from victim machines. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1057 | Process Discovery
Remcos can discover running processes on compromised machines. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1614 | System Location Discovery
Remcos can identify the location of targeted devices. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1010 | Application Window Discovery
Remcos can list all windows on victim systems. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1529 | System Shutdown/Reboot
Remcos can shutdown and restart remote devices. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1033 | System Owner/User Discovery
Remcos can enumerate the username on targeted hosts. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1059.007 | JavaScript (sub-technique)
Remcos has the ability to execute JavaScript remotely. (Citation: Fortinet Remcos Campaign NOV 2024)

Enterprise | T1132.001 | Standard Encoding (sub-technique)
Remcos can serialize collected data with Protobuf. (Citation: Check Point Blind Eagle MAR 2025)
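The T1027 row in the table above records that Remcos uses RC4 and base64 to obfuscate Registry entries and file paths. The block below is an added example, not code from the ATT&CK object, from Glexia, or from Remcos itself: a plain RC4 implementation, the base64 layering, and the key-trial loop with a printable-text plausibility check that an analyst runs against a recovered blob. The key, the sample path, the ASCII assumption for the plaintext, and the 0.95 printable threshold are constructed for the example; nothing here describes the tool's actual key scheme or string encoding.

```python
"""RC4 + base64 round trip and key trial for obfuscated strings.

Added example, not code from the ATT&CK object, from Glexia, or from Remcos.
The key, sample path, ASCII assumption and plausibility threshold are
constructed; the real key scheme used by the tool is not described here.
"""
import base64
import string

# Bytes we accept as "text" when judging a trial decryption (no \x0b/\x0c).
PRINTABLE = set(string.printable.encode("ascii")) - {0x0B, 0x0C}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (key scheduling + keystream). Encrypt and decrypt are the
    same operation, so one function covers both directions."""
    S = list(range(256))
    j = 0
    for i in range(256):                      # KSA
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:                         # PRGA, XOR as we go
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def obfuscate(key: bytes, plaintext: bytes) -> str:
    """RC4-encrypt, then base64-encode: the layering the T1027 row describes."""
    return base64.b64encode(rc4(key, plaintext)).decode("ascii")


def deobfuscate(key: bytes, blob: str) -> bytes:
    """Reverse the layering: base64-decode, then RC4 with the same key."""
    return rc4(key, base64.b64decode(blob))


def looks_like_text(data: bytes, min_ratio: float = 0.95) -> bool:
    """Crude plausibility check: a recovered path or Registry value should be
    almost entirely printable. Threshold is a constructed assumption."""
    if not data:
        return False
    return sum(1 for b in data if b in PRINTABLE) / len(data) >= min_ratio


def try_keys(blob: str, candidates):
    """Analyst key-trial loop: return (key, text) for the first candidate
    that yields plausible text, or None if none does."""
    for key in candidates:
        out = deobfuscate(key, blob)
        if looks_like_text(out):
            return key, out.decode("ascii", errors="replace")
    return None


# Constructed sample: a made-up persistence path, not an indicator from any report.
SAMPLE_KEY = b"example-key-not-real"
SAMPLE_PATH = b"C:\\Users\\user\\AppData\\Roaming\\updater\\svc.exe"
SAMPLE_BLOB = obfuscate(SAMPLE_KEY, SAMPLE_PATH)

if __name__ == "__main__":
    print("blob :", SAMPLE_BLOB)
    print("trial:", try_keys(SAMPLE_BLOB, [b"wrong-guess", SAMPLE_KEY]))
```

The key trial is the part that matters in practice: a key pulled from one sample does not always carry over to the next build, and without a plausibility check a wrong key silently produces garbage that can be mistaken for a packed second stage. The same decode path applies to the obfuscated Registry entries the row mentions once the value data has been exported from the hive.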

Associated objects

Groups, software, and campaigns

Group Enterprise

G0047: Gamaredon Group

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. [6][5]

Group Enterprise

G0099: APT-C-36

APT-C-36 is a suspected South American threat group that has engaged in espionage and financially motivated operations since at least 2018. APT-C-36 has targeted government institutions and entities in the financial, energy, and professional manufacturing sectors across Colombia and other Latin American countries.[1][2][3][4]

Group Enterprise

G0078: Gorgon Group

Gorgon Group is a threat group consisting of members who are suspected to be Pakistan-based or have other connections to Pakistan. The group has performed a mix of criminal and targeted attacks, including campaigns against government organizations in the United Kingdom, Spain, Russia, and the United States. [1]

Campaign Enterprise

C0005: Operation Spalax

Operation Spalax was a campaign that primarily targeted Colombian government organizations and private companies, particularly those associated with the energy and metallurgical industries. The Operation Spalax threat actors distributed commodity malware and tools using generic phishing topics related to COVID-19, banking, and law enforcement action. Security researchers noted indicators of compromise and some infrastructure overlaps with other campaigns dating back to April 2018, including at least one separately attributed to APT-C-36, however identified enough differences to report this as separate, unattributed activity.[1]


Change history

Object version and sync metadata

The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE's own release notes and roadmap, see the Updates page under ATT&CK resources.

ATT&CK release: 19.1
Object version: 1.4
Created: (value not shown in this snapshot)
Modified: (value not shown in this snapshot)
Raw hash: 5a3832e1272fdff1...
Imported snapshots across ATT&CK releases (1)
Release | Bundle imported | Object version | Modified | Status | Raw hash
19.1 | (not shown) | 1.4 | (not shown) | Current bundle | 5a3832e1272f…
Raw source

Mirrored ATT&CK source object

The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.

Source references

External references and citations

MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.

  1. Riskiq Remcos Jan 2018: Klijnsma, Y. (2018, January 23). Espionage Campaign Leverages Spear Phishing, RATs Against Turkish Defense Contractors. Retrieved November 6, 2018.
  2. Talos Remcos Aug 2018: Brumaghin, E., Unterbrink, H. (2018, August 22). Picking Apart Remcos Botnet-In-A-Box. Retrieved November 6, 2018.
  3. Fortinet Remcos Feb 2017: Bacurio, F., Salvio, J. (2017, February 14). REMCOS: A New RAT In The Wild. Retrieved November 6, 2018.
  4. Remcos: (Citation: Riskiq Remcos Jan 2018)(Citation: Fortinet Remcos Feb 2017)(Citation: Talos Remcos Aug 2018)
  5. mitre-attack S0332: the object's entry on attack.mitre.org.
Source and licensing

Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.