Remcos (Remote Control and Surveillance) is a commercial remote access tool sold by Breaking Security that has been extensively abused by cybercriminals and APT groups. It provides full remote control capabilities including keylogging, screen capture, webcam access, file management, and credential theft.

Remcos RAT

Remcos RAT (also known as Remcos, Breaking Security) is a C++-based remote access trojan active since 2016. Commercial surveillance RAT. Key capabilities include: remote desktop, keylogger, webcam, microphone, sold as 'legitimate tool' by Breaking Security for EUR 58-389.

Overview & Background

Commercial surveillance RAT. First observed in 2016, Remcos RAT is attributed to eCrime (MaaS). The malware is written in C++ and provides operators with comprehensive remote access capabilities.

Active Threat

Remcos RAT continues to be actively distributed and used in campaigns targeting organizations worldwide. Its capabilities include: remote desktop, keylogger, webcam, microphone, sold as 'legitimate tool' by Breaking Security for EUR 58-389.

Language: C++
Active since: 2016
Attribution: eCrime (MaaS)
Also known as: Remcos, Breaking Security

Technical Capabilities

Remote Desktop: Core Remcos RAT capability T1059
Keylogger: Core Remcos RAT capability T1059
Webcam: Core Remcos RAT capability T1059
Microphone: Core Remcos RAT capability T1059
Sold As 'Legitimate Tool' By Breaking Security For Eur 58-389: Core Remcos RAT capability T1059

Distribution Methods

Remcos RAT is typically distributed through phishing emails with malicious attachments, cracked software downloads, and malvertising campaigns. Common delivery mechanisms include Office macros, ISO/IMG containers, and script-based downloaders.

Phishing emails: Malicious attachments and links T1566.001
Malvertising: SEO poisoning and malicious ads T1189
Cracked software: Bundled with pirated applications

MITRE ATT&CK Mapping

Tactic	Technique	Usage
Initial Access	T1566.001 Phishing Attachment	Malicious email attachments
Execution	T1204.002 Malicious File	User executes RAT payload
Persistence	T1547.001 Registry Run Keys	Autostart persistence
Defense Evasion	T1027 Obfuscated Files	Payload obfuscation
Credential Access	T1056.001 Keylogging	Keystroke capture
Collection	T1113 Screen Capture	Screenshot collection
Collection	T1125 Video Capture	Webcam access
C2	T1071.001 Web Protocols	HTTP/HTTPS C2 communication

Detection & Defense

Endpoint detection: Monitor for C++ processes with network connections from unusual locations
Network monitoring: Detect C2 traffic patterns associated with Remcos RAT
Email security: Block malicious attachments and links in phishing campaigns
Application whitelisting: Restrict execution of unauthorized binaries
YARA rules: Deploy detection signatures for known Remcos RAT variants

Protect Against Remote Access Trojans

Mjolnir Security provides comprehensive detection and response capabilities against Remcos RAT and similar RAT threats.

RAT DetectionEndpoint SecurityThreat HuntingIncident ResponseMDR Services

RAT Detection & Removal Identify and remediate Remcos RAT infections including persistence mechanisms and lateral movement artifacts.
Threat Intelligence Continuous monitoring for Remcos RAT campaigns and infrastructure targeting your organization.
24/7 Incident Response Rapid containment and forensic investigation. Call +1 833 403 5875.

Written by: Mjolnir Security  |  Published: November 25, 2025