A newly observed variant of Remcos RAT has introduced real-time surveillance features and stronger evasion techniques, marking a shift in how the malware operates on compromised Windows systems.
The updated strain no longer relies primarily on storing stolen data locally. Instead, it establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft.
The latest build can stream webcam footage in real time and transmit captured keystrokes instantly, reducing forensic traces left on infected machines.
Researchers from Point Wild’s Lat61 Threat Intelligence team detailed the changes, noting that the malware decrypts its configuration only at runtime and dynamically loads critical Windows APIs to avoid detection.
Real-Time Espionage and Modular Design
Remcos, originally a legitimate remote management tool, has long been abused as a Remote Access Trojan (RAT). It provides attackers with full control over infected systems, including file access, credential theft and surveillance capabilities. The newest variant expands these functions through encrypted C2 channels and modular plugins delivered as Dynamic Link Libraries.
Read more on remote access trojans: Android RAT Uses Hugging Face to Host Malware
The malware’s updated capabilities include:
Live webcam streaming through a downloaded DLL module
Online keylogging that transmits captured input directly to C2 servers
Encrypted C2 configuration decrypted only in memory
Dynamic API resolution to hinder static analysis
Cleanup routines that remove logs, browser data and persistence keys
Point Wild clarified that, rather than embedding webcam functionality in its main executable, Remcos now retrieves the module from its C2 server when instructed. It then loads the library at runtime using Windows API calls, executes recording functions and transmits captured footage in encrypted chunks.
Stealth, Persistence and Cleanup
The malware also checks system privileges before executing certain actions. Elevated rights allow it to modify registry keys, install persistence mechanisms and disable security services. A named mutex, Rmc-GSEGIF, ensures only one active instance runs at a time.
To further complicate analysis, Remcos encrypts its C2 address inside the binary. During execution, it reconstructs the string in memory and immediately uses it for network communication over HTTP or TCP.
After completing data exfiltration, the malware initiates a cleanup process. It deletes keylogging files, screenshots and audio recordings, clears browser cookies and removes registry entries tied to persistence. Finally, it generates a temporary Visual Basic (VB) script in the %TEMP% directory to delete its own files before terminating.
“The latest Remcos variants demonstrate a continued evolution in both stealth and functionality,” Point Wild wrote. “Overall, the persistence of Remcos and the steady refinement of its techniques highlight its ongoing effectiveness as a remote access trojan.”
Security teams are advised to monitor for suspicious outbound connections and unauthorized registry modifications to mitigate potential infections.
