Remcos RAT

    Date: 06/27/2025

    Severity: High

    Summary

    Remcos RAT is a commercial Remote Access Trojan sold by Breaking Security and marketed as a legitimate remote-administration tool, but it is now widely abused for espionage, credential theft, and remote control of compromised systems by both APT groups and financially motivated criminals. Recent campaigns delivered it through fileless PowerShell loaders that stage and run the Remcos payload entirely in memory, so no Remcos executable is written to disk. This helps the loader evade file-based antivirus scanning and gives the operator persistent, covert access to the infected host.

    Indicators of Compromise (IOC) List 

    Domains\URLs : 

    readysteaurants.com

    https://0x0.st/8KuV.ps1

    IP Address : 

    193.142.146.101

    162.254.39.129

    107.173.4.16

    Hash (MD5) : 

    bf32ff64ac0cfee67f4b2df27733576a

    b63178f562b948b850f4676d4b8db1c0

    Hash (SHA-256) : 

    55e5c8b8cba2ca2f152bf70dde2113f53f3dd42649cae535f55f0362b426e97c

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domains\URLs : 

    domainname like "readysteaurants.com" or url like "readysteaurants.com" or siteurl like "readysteaurants.com" or domainname like "https://0x0.st/8KuV.ps1" or url like "https://0x0.st/8KuV.ps1" or siteurl like "https://0x0.st/8KuV.ps1"

    IP Address : 

    dstipaddress IN ("162.254.39.129","193.142.146.101","107.173.4.16") or srcipaddress IN ("162.254.39.129","193.142.146.101","107.173.4.16")

    Hash (MD5) : 

    md5hash IN ("b63178f562b948b850f4676d4b8db1c0","bf32ff64ac0cfee67f4b2df27733576a")

    Hash (SHA-256) : 

    sha256hash IN ("55e5c8b8cba2ca2f152bf70dde2113f53f3dd42649cae535f55f0362b426e97c")
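    The queries above express the same matching logic in three separate statements. The following Python is an added example (not Gurucul's or the advisory's own code) that applies the advisory's indicators to normalised log events in one pass, the way a SIEM correlation rule or an ad-hoc hunting script would. It assumes each event is a dict whose keys mirror the field names used in the queries (domainname, url, srcipaddress, dstipaddress, md5hash, sha256hash); the sample events are constructed for the demonstration and are not real telemetry. It adds two checks a practitioner would want that the raw queries do not make explicit: hashes are compared case-insensitively, and a URL seen on a subdomain of an IOC domain still counts as a domain hit.

    ```python
    """Match the advisory's Remcos RAT indicators against normalised log events.

    Added example; field names follow the advisory's query language, the event
    dict layout and the sample events are assumptions of this example.
    """
    from __future__ import annotations

    from urllib.parse import urlsplit

    # Indicators copied from the advisory's IOC list.
    IOC_DOMAINS = {"readysteaurants.com"}
    IOC_URLS = {"https://0x0.st/8KuV.ps1"}
    IOC_IPS = {"193.142.146.101", "162.254.39.129", "107.173.4.16"}
    IOC_MD5 = {"bf32ff64ac0cfee67f4b2df27733576a", "b63178f562b948b850f4676d4b8db1c0"}
    IOC_SHA256 = {"55e5c8b8cba2ca2f152bf70dde2113f53f3dd42649cae535f55f0362b426e97c"}


    def host_of(url: str) -> str:
        """Return the lowercase hostname of a URL, or '' if it has none."""
        return (urlsplit(url).hostname or "").lower()


    def normalise_url(url: str) -> str:
        """Lowercase scheme and host only; paths such as '/8KuV.ps1' stay case-sensitive."""
        parts = urlsplit(url)
        return parts._replace(scheme=parts.scheme.lower(), netloc=parts.netloc.lower()).geturl()


    def domain_hit(name: str) -> bool:
        """True for an exact IOC domain or any subdomain of one (e.g. cdn.readysteaurants.com)."""
        name = name.lower().rstrip(".")
        return any(name == d or name.endswith("." + d) for d in IOC_DOMAINS)


    def match_event(event: dict) -> list[str]:
        """Return the sorted list of IOC types that one event matches ([] if clean)."""
        hits = set()
        if domain_hit(event.get("domainname", "")):
            hits.add("domain")
        url = event.get("url", "")
        if url:
            if normalise_url(url) in IOC_URLS:
                hits.add("url")
            if domain_hit(host_of(url)):  # a URL hosted on an IOC domain is also a domain hit
                hits.add("domain")
        for key in ("srcipaddress", "dstipaddress"):
            if event.get(key) in IOC_IPS:
                hits.add(key)
        if event.get("md5hash", "").lower() in IOC_MD5:
            hits.add("md5")
        if event.get("sha256hash", "").lower() in IOC_SHA256:
            hits.add("sha256")
        return sorted(hits)


    def scan(events: list[dict]) -> dict[int, list[str]]:
        """Map event id -> matched IOC types for every event that matched at least one."""
        results = {}
        for event in events:
            hits = match_event(event)
            if hits:
                results[event["id"]] = hits
        return results


    # Constructed sample events (not real telemetry); private and documentation
    # addresses are used for the internal side of each record.
    SAMPLE_EVENTS = [
        {"id": 1, "domainname": "readysteaurants.com", "srcipaddress": "10.0.0.5", "dstipaddress": "192.0.2.53"},
        {"id": 2, "url": "HTTPS://0X0.ST/8KuV.ps1", "srcipaddress": "10.0.0.5", "dstipaddress": "192.0.2.10"},
        {"id": 3, "srcipaddress": "10.0.0.7", "dstipaddress": "193.142.146.101"},
        {"id": 4, "sha256hash": "55E5C8B8CBA2CA2F152BF70DDE2113F53F3DD42649CAE535F55F0362B426E97C"},
        {"id": 5, "domainname": "example.com", "dstipaddress": "192.0.2.20"},
    ]

    if __name__ == "__main__":
        for event_id, hits in scan(SAMPLE_EVENTS).items():
            print(f"event {event_id}: matched {', '.join(hits)}")
    ```

    Run as a script it prints one line per matching sample event; only event 5 is silent. Note that the URL indicator is matched on the full URL, not on its host: 0x0.st is a public paste service, so treating the host alone as an indicator would be a separate, lower-confidence rule.
    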

    Reference:

    https://www.csk.gov.in/alerts/Remcos_RAT.html


    Tags

    Malware, RAT, Remcos RAT, Credential Theft, APT

