REMCOS was developed by Italian malware developer Viotto and advertised as remote control and surveillance software and available for purchase on underground hacking forums. REMCOS is used as a remote access tool (RAT) that creates a backdoor into the victim's system. On July 21, both a free and paid version of the software was made available for download via the website. It is likely that cybercriminals, state-actors, and hacktivists will use REMCOS for hacking activity, similar to Dark Comet and Blackshades. The author claims that REMCOS has no dependencies and is fully compatible with any Windows from XP to 10, 32 and 64 bit, including servers with all bytes sent encrypted. REMCOS takes screenshots on a time-interval basis, the offline keylogger stores logs encrypted and wipes them after sending them to the C2 operator, the online keylogger allows the attacker to see what the remote user is typing in real-time. Additionally, the camera capture allows the attacker to view a live stream of the remote camera and saves frames, and the microphone capture allows the attacker to listen to audio from the device's microphone in real-time and stores audio files when offline. While there are no indications of REMCOS used in the wild yet, users on hacking forums are already discussing the tool and its potential uses. The availability of a free version and low-cost paid version make this very attainable to the average hacker. The paid "professional" version contains additional features and is available for the following purchase prices, only payable by Bitcoin and other digital currencies:

  • Starter License: one-month license and updates at $58

  • Individual License: six-month license and updates at $189

  • Group License: three max master user/PC at $239

  • Enterprise License: 10 max master user/PC at $389

Indicators of Compromise:

File: Remcos v1.1.1.1
 MD5: 4dfea420e3fcca712cf692cc3471bf8f
 SHA1: 3d39183fa5e6643fa449a950429e91457729c40c
 SHA256: abdcc6fbcd43d3c536d80127000ea469a4dc1c32ec819d32ab35ceb3070e0edd

File: Remcos v1.1.1.1 Free.exe
 MD5: 7096b341aafc041d91058d42045ab314
 SHA1: edbf6f6850cb089f86593207908e6dce0b12e576
 SHA256: af37a152c8605763868b29dbdfcc656514b815177982f40deb02315c83e68e2 


  • August 2019: A new variant uses an AutoIt wrapper to deliver a previously unknown variant featuring new obfuscation and anti-debugging techniques. (SC Magazine)

Technical Details

  • Security News provides technical analysis of REMCOS, here.

One example of the REMCOS trojan.