Remcos — short for Remote Control & Surveillance Software — occupies a troubling gray zone in the malware landscape. Marketed as a legitimate remote-administration tool for penetration testers and IT professionals by BreakingSecurity, it has become one of the most widely abused Remote Access Trojans (RATs) in circulation. Once installed on your computer, Remcos opens a persistent backdoor that grants an attacker complete control: they can log keystrokes, capture screenshots, activate your webcam and microphone, steal passwords, and exfiltrate files — all while remaining hidden from view. If you've noticed unexplained system slowdowns, strange network activity, or your antivirus flagging "Remcos" or "RemcosRAT," you may be dealing with an active infection that requires immediate attention.
Threat Profile
| Threat Name | Remcos (Remote Control & Surveillance Software) |
|---|---|
| Aliases | RemcosRAT, Remvio, Socmer |
| Platform | Windows (all modern versions, including 11) |
| File Type | Windows PE executable (.exe, .scr, occasionally packed/obfuscated) |
| First Observed | 2016 (commercial release by BreakingSecurity) |
| Distribution Status | Active — consistently detected in phishing campaigns and exploit kits since 2017 |
| Developer | BreakingSecurity (legitimate company; software misused by threat actors) |
| Primary Function | Remote Access Trojan (RAT) — full system control, surveillance, data theft |
| Detection Names | Trojan.Remcos, HEUR:Trojan-Spy.MSIL.Remcos, RemcosRAT, Win32/Remcos, Backdoor.Remcos |
| Typical Payload Size | 200 KB – 1.2 MB (varies with configuration and packing) |
| Severity | High — grants unrestricted remote access; used for espionage, credential theft, and ransomware delivery |
| Removal Difficulty | Moderate to High — persistence mechanisms include registry modifications, scheduled tasks, and watchdog processes |
How It Spreads
Remcos infections almost always begin with social engineering. The most common vector is phishing email: an attacker sends a message impersonating a shipping company, tax authority, bank, or business contact, with an attachment or link designed to trick you into running the malware. Because Remcos is sold as a commercial tool, threat actors can purchase legitimate licenses and customize the payload to evade signature-based antivirus detection. Once configured, the attacker deploys it through whichever method is most likely to succeed against their target.
We see Remcos delivered through malicious Microsoft Office documents (Word and Excel files with macro scripts), PDF files exploiting reader vulnerabilities, and — increasingly — archive files (.zip, .rar, .7z) containing a disguised executable with a double extension like invoice.pdf.exe. In some campaigns, attackers use password-protected archives and include the password in the email body, a tactic that bypasses email gateway scanners. Remcos is also bundled with pirated software, game cheats, and "crack" utilities distributed on torrent sites and file-hosting services.
Common distribution methods include:
- Phishing emails with malicious attachments (Office docs, executables disguised as PDFs or invoices)
- Malicious links in emails or SMS messages leading to fake download pages
- Exploit kits on compromised websites that silently install Remcos through browser vulnerabilities
- Pirated software bundles — keygens, cracks, and "free" premium tools often contain Remcos payloads
- Fake software updates (especially Java, Flash, or browser update prompts on suspicious websites)
- Secondary payload — delivered by other malware (droppers, loaders) after an initial infection
What It Does On Your Machine
Once executed, Remcos installs itself silently and establishes persistence so it survives reboots. The installer typically copies the malware executable to a hidden or system folder — often C:\Users\[Username]\AppData\Roaming\ or C:\ProgramData\ — and registers it to launch automatically via registry keys or scheduled tasks. The malware then attempts to connect to a command-and-control (C2) server controlled by the attacker, establishing a two-way communication channel that allows remote commands.
From that point forward, the attacker has near-total control. Remcos includes modules for keystroke logging (capturing everything you type, including passwords and credit card numbers), screen capturing, webcam and microphone activation, file browsing and exfiltration, clipboard monitoring, and even remote shell access for executing arbitrary commands. It can also disable Windows Defender, modify firewall rules, and inject itself into legitimate processes to avoid detection. In corporate environments, we've seen Remcos used for espionage — exfiltrating intellectual property, emails, and credentials — and as a precursor to ransomware deployment.
The malware's behavior leaves forensic traces that skilled analysts can identify. Below is a sample of indicators observed in sandbox environments when Remcos executes:
Remcos is designed to remain undetected for as long as possible. It avoids triggering obvious symptoms like popup windows or system crashes, instead operating quietly in the background while the attacker harvests data or waits for the right moment to escalate privileges or deploy additional payloads.
Manual Removal — Step by Step
Disconnect from the Internet Immediately
Unplug your Ethernet cable or disable Wi-Fi. This severs the attacker's connection to your machine and prevents further data exfiltration. Do not skip this step — Remcos operates in real time, and the attacker may be actively monitoring your system.
Boot into Safe Mode with Networking
Restart your computer and press F8 (or Shift + Restart on Windows 10/11, then Troubleshoot → Advanced Options → Startup Settings → Restart → press 5 for Safe Mode with Networking). Safe Mode prevents most malware from launching automatically, making removal safer.
Run a Full Scan with Multiple Tools
Download and install Malwarebytes (free version) and run a full system scan. Follow up with a second scan using HitmanPro or Microsoft Defender Offline. Remcos often evades single-product detection, so using multiple engines increases your chances of finding hidden components.
Manually Check Startup Locations
Open Task Manager (Ctrl + Shift + Esc), go to the Startup tab, and disable any unfamiliar entries. Then press Win + R, type msconfig, and check the Services tab for suspicious items. Pay special attention to entries without a recognizable publisher or description.
Clean Registry Keys
Press Win + R, type regedit, and navigate to HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run and HKEY_LOCAL_MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Run. Look for unfamiliar entries pointing to executables in AppData or ProgramData. Delete any suspicious entries. Warning: editing the registry incorrectly can break Windows. If you're uncertain, skip to step 10 and bring the machine to us.
Delete Malicious Files
Navigate to C:\Users\[YourUsername]\AppData\Roaming\, C:\ProgramData\, and C:\Users\Public\. Look for recently created folders or executables with random names or names mimicking legitimate software (e.g., "Windows Update Service"). Delete any files flagged by your antivirus or that match the indicators above. Empty the Recycle Bin.
Check Scheduled Tasks
Open Task Scheduler (press Win + R, type taskschd.msc). Review the list of scheduled tasks for anything unfamiliar, especially tasks that run at logon or on a recurring interval. Right-click suspicious tasks and select Delete.
Reset Browser Settings and Scan for Extensions
Remcos sometimes installs malicious browser extensions to steal credentials or inject ads. Open Chrome, Edge, or Firefox, go to the extensions page, and remove anything you don't recognize. Then reset your browser to default settings (this clears saved passwords, so export important credentials first).
Change All Passwords from a Clean Device
Once you believe Remcos is removed, do not log into sensitive accounts from the infected machine. Use a smartphone, tablet, or known-clean computer to change passwords for email, banking, social media, and any other critical accounts. Enable two-factor authentication wherever possible.
Reboot and Monitor
Restart your computer normally (not in Safe Mode) and monitor for unusual behavior: unexpected network activity, processes you don't recognize, or performance issues. Run another scan with Malwarebytes after 24 hours. If symptoms persist or you find new infections, the malware may have rootkit-level persistence that requires professional removal.
Prevention
- Never open email attachments from unknown senders. Even if an email appears legitimate (invoice, shipping notification), verify the sender's address carefully. When in doubt, contact the company directly using a phone number from their official website — not a number in the email.
- Disable Office macros by default. Go to File → Options → Trust Center → Trust Center Settings → Macro Settings, and select "Disable all macros with notification." Only enable macros for documents from trusted sources that you're expecting.
- Keep Windows and all software up to date. Enable automatic updates for Windows, browsers, Java, Adobe products, and other commonly exploited software. Many Remcos infections succeed because the attacker exploits a known vulnerability that was patched months or years ago.
- Use reputable antivirus software with real-time protection. Free options like Microsoft Defender are adequate for most users, but consider a paid solution (Bitdefender, Kaspersky, ESET) if you handle sensitive data. Keep definitions updated daily.
- Avoid pirated software and "free" cracks. If you're downloading keygens, game cheats, or premium software from torrent sites or file-hosting services, you're accepting significant malware risk. Legitimate software is almost always safer and often cheaper in the long run when you factor in cleanup costs.
- Enable two-factor authentication (2FA) on all critical accounts. Even if an attacker steals your password via Remcos, 2FA prevents them from logging in without the second factor (usually a code sent to your phone).
- Review your startup programs and scheduled tasks regularly. Make it a habit to check Task Manager's Startup tab once a month. If you see something unfamiliar, research it before assuming it's malicious — but don't ignore it.
- Use a standard (non-administrator) account for daily tasks. Running Windows as an administrator gives malware elevated privileges by default. Create a standard user account for web browsing and email, and only use an admin account when installing software or making system changes.
Bring It In
Remcos is a serious threat that requires thorough removal — incomplete cleanup leaves backdoors active, giving the attacker continued access to your files, accounts, and personal information. If you've followed the steps above and still see suspicious behavior, or if you'd rather have a professional handle it from the start, bring your machine to Computer Repair Roswell. We're located at 1655 Old Alabama Road, Suite 128, in Roswell, just off GA-400 near the Target shopping center. We handle Remcos infections regularly and can typically complete removal, verify clean startup, and restore system performance the same day you drop off.
Call us at (770) 856-1577 to check availability or schedule a drop-off. We're open Monday through Friday, 10 AM to 6 PM, and Saturdays by appointment. If you can't come to us, ask about our remote support option — in many cases, we can remove Remcos remotely once you grant us secure access. Don't let a RAT linger on your system. The longer Remcos remains active, the more data the attacker can steal and the greater the risk of secondary infections or ransomware deployment. We'll get you clean, explain what happened, and show you how to avoid it next time.