Remcos RAT - what it is, common symptoms, and how to prevent and remove it

Remcos (Remcos RAT)

What it is

Remcos is a Windows remote access tool (RAT) sold by Breaking Security that’s widely abused by threat actors. Once on a system, it gives remote control: keylogging, screen capture, file exfiltration, command execution, and persistence. Campaigns often deliver it through phishing attachments or cracked software. Background and removal notes: https://gridinsoft.com/threats/remcos

Why it matters

A live RAT means the attacker can watch, steal, and act in real time - from grabbing credentials to deploying more malware or moving laterally.

How it works

  • Entry: phishing docs/archives with scripts or droppers; sometimes exploit kits.

  • Establish: drops into AppData/ProgramData, sets Run keys or Scheduled Tasks.

  • Control: beacons to a C2, receives commands, records keys/screens, and exfiltrates data.

  • Expand: downloads additional payloads (stealers, ransomware) as instructed.

Red flags

  • Suspicious tasks or Run keys launching random-named EXEs from user folders.

  • Firewall prompts for unknown apps; steady outbound to dynamic DNS or unusual ports.

  • EDR detections for keylogging, clipboard grabs, or screen capture APIs.

  • New archives/scripts arriving via email right before symptoms start.

Prevent it

  • Block macro-enabled docs and executable attachments; use attachment sandboxing.

  • Enforce phishing-resistant MFA; reset passwords and revoke sessions from a clean device after cleanup.

  • Monitor for new Scheduled Tasks, Run keys, and unusual outbound connections.

  • Keep systems patched and run reputable anti-malware; isolate and reimage if integrity is uncertain.
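The "Red flags" and "Prevent it" bullets both point at Run keys and Scheduled Tasks that launch executables from user-writable folders. The script below is an added triage example (not from the Gridinsoft page and not a Remcos signature): it lists Run/RunOnce entries and task actions whose launch path resolves into AppData, LocalAppData, ProgramData or the user's Temp folder, so an analyst can review them by hand. The folder list and the simple substring match are assumptions chosen for this example.

```powershell
# Added triage example: list autostart entries that launch from user-writable folders.
# Output is a review list, not a verdict; legitimate updaters also live in these paths.

$suspectRoots = @(
    [Environment]::GetFolderPath('ApplicationData'),        # %APPDATA%
    [Environment]::GetFolderPath('LocalApplicationData'),   # %LOCALAPPDATA%
    [Environment]::GetFolderPath('CommonApplicationData'),  # %ProgramData%
    [IO.Path]::GetTempPath()                                # %TEMP%
)

function Test-SuspectPath {
    param([string]$Command)
    if ([string]::IsNullOrWhiteSpace($Command)) { return $false }   # COM-handler task actions have no Execute
    $expanded = [Environment]::ExpandEnvironmentVariables($Command)
    foreach ($root in $suspectRoots) {
        if ($expanded -like "*$root*") { return $true }
    }
    return $false
}

$findings = @()

# 1. Run / RunOnce keys for the machine and the current user.
$runKeys = @(
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
foreach ($key in $runKeys) {
    if (-not (Test-Path $key)) { continue }
    foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
        if ($p.Name -like 'PS*') { continue }   # skip provider metadata (PSPath, PSChildName, ...)
        if (Test-SuspectPath $p.Value) {
            $findings += [pscustomobject]@{ Source = $key; Name = $p.Name; Command = $p.Value }
        }
    }
}

# 2. Scheduled tasks whose action executes from one of the same folders.
foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
    foreach ($action in $task.Actions) {
        if (Test-SuspectPath $action.Execute) {
            $findings += [pscustomobject]@{
                Source  = "Task $($task.TaskPath)$($task.TaskName)"
                Name    = $task.TaskName
                Command = "$($action.Execute) $($action.Arguments)".Trim()
            }
        }
    }
}

$findings | Sort-Object Source | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and all task folders are readable, and compare the list against a known-good baseline from the same image; the page's other red flag, steady outbound traffic to dynamic DNS hosts, needs network telemetry that this host-side check does not cover.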
