Unveiling Remcos RAT: Mapping Command-and-Control Activities and Communication Ports
Remcos, a remote access tool developed by Breaking-Security, has evolved into a significant cybersecurity threat. Initially marketed as legitimate administrative software, it has been co-opted by malicious actors to execute remote commands, exfiltrate files, capture screens, log keystrokes, and harvest user credentials. These activities are orchestrated through command-and-control (C2) servers utilizing HTTP or HTTPS protocols.
Distribution and Deployment
Despite its legitimate facade, unauthorized versions of Remcos are actively exploited for illicit purposes. The malware is commonly disseminated via phishing emails containing malicious attachments and through files hosted on compromised websites. Attackers often employ specialized loaders, such as GuLoader and Reverse Loader, to deliver Remcos as a secondary payload, effectively bypassing initial detection mechanisms. Once installed, Remcos establishes persistence within the infected system, maintaining continuous communication with its C2 infrastructure and providing attackers with a reliable backdoor for ongoing exploitation.
Command-and-Control Infrastructure
Between October 14 and November 14, 2025, security analysts at Censys identified over 150 active Remcos C2 servers worldwide. This extensive network underscores the tool’s widespread adoption among cybercriminals. While the default communication port for Remcos is 2404, activity has also been observed on ports 5000, 5060, 5061, 8268, and 8808, indicating the adaptability of operators in their deployment strategies.
Communication Patterns and Detection
Remcos communicates through HTTP and HTTPS protocols over predictable ports. Network traffic often includes encoded POST requests and atypical TLS configurations, creating distinctive patterns that can aid in detection. Operators frequently reuse certificates across multiple servers, employ template-based setups, and utilize cost-effective hosting providers such as COLOCROSSING, RAILNET, and CONTABO, with servers located in the United States, Netherlands, Germany, and other countries. Recognizing these infrastructure patterns enables network defenders to identify and disrupt malicious communications effectively.
Persistence Mechanisms
To maintain access, Remcos employs persistence mechanisms like Scheduled Tasks and Registry Run-key entries. These methods ensure the malware remains active even after system reboots, posing a significant risk to organizations with inadequate security controls. Implementing robust network monitoring and endpoint detection measures is crucial to mitigate the threat posed by Remcos.
Conclusion
The proliferation of Remcos RAT highlights the evolving tactics of cybercriminals and the necessity for organizations to adopt comprehensive cybersecurity strategies. By understanding the distribution methods, C2 infrastructure, communication patterns, and persistence mechanisms associated with Remcos, security professionals can enhance their defenses against this pervasive threat.
