
Remcos RAT Enhances Real-Time Surveillance and Evasion Techniques

1 unique source, 1 article

Summary


A new variant of Remcos RAT has been observed with expanded real-time surveillance capabilities and improved evasion techniques. This version establishes direct online communication with attacker-controlled servers, enabling immediate monitoring and data theft. The malware now streams webcam footage in real time and transmits captured keystrokes instantly, reducing forensic traces on infected Windows systems. Researchers from Point Wild's Lat61 Threat Intelligence team detailed the changes, noting the malware's use of dynamic API loading and runtime decryption to avoid detection.

Timeline

  1. 19.02.2026 18:30 · 1 article

    Remcos RAT Enhances Real-Time Surveillance and Evasion Techniques

    A newly observed variant of Remcos RAT has introduced real-time surveillance capabilities and stronger evasion techniques. The malware now streams webcam footage in real time and transmits captured keystrokes instantly. It decrypts its configuration only at runtime and dynamically loads critical Windows APIs to avoid detection. The malware also includes cleanup routines to remove logs, browser data, and registry entries.


Information Snippets

  • The new Remcos variant no longer stores stolen data locally but instead communicates directly with attacker-controlled servers.

    First reported: 19.02.2026 18:30
    1 source, 1 article
  • The malware streams webcam footage in real time and transmits captured keystrokes instantly.

    First reported: 19.02.2026 18:30
    1 source, 1 article
  • Remcos decrypts its configuration only at runtime and dynamically loads critical Windows APIs to avoid detection.

    First reported: 19.02.2026 18:30
    1 source, 1 article
  • The malware uses modular plugins delivered as Dynamic Link Libraries (DLLs) for expanded functionality.

    First reported: 19.02.2026 18:30
    1 source, 1 article
  • Remcos checks system privileges before executing certain actions, such as modifying registry keys and disabling security services.

    First reported: 19.02.2026 18:30
    1 source, 1 article
  • The malware encrypts its C2 address inside the binary and reconstructs it in memory for communication.

    First reported: 19.02.2026 18:30
    1 source, 1 article
  • After data exfiltration, Remcos initiates a cleanup process to delete logs, browser data, and registry entries.

    First reported: 19.02.2026 18:30
    1 source, 1 article
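Two of the evasion traits listed above, runtime decryption of the configuration and dynamic loading of Windows APIs, leave traces that a defender can look for statically before a sample ever runs: an encrypted blob has near-maximal byte entropy, and a binary that resolves its own APIs tends to name only LoadLibrary/GetProcAddress while the ordinary named imports are missing. The triage heuristic below is an added example written for this page, not code from the original article or from Point Wild's Lat61 team; the API name lists, the entropy threshold and window size, and the two byte blobs it scans are all constructed assumptions, and the checks are generic indicators rather than a Remcos signature.

```python
"""Static triage heuristic for two evasion traits: encrypted (high-entropy)
data regions and an import set that consists only of API resolvers.
Added example with constructed inputs; not a signature for any malware family.
"""
import math
from collections import Counter

# APIs used to resolve other functions at runtime (assumed list).
RESOLVER_APIS = {b"LoadLibraryA", b"LoadLibraryW", b"GetProcAddress"}
# A small sample of APIs an ordinary PE imports by name (assumed list);
# a binary that names only resolvers and none of these deserves a closer look.
ORDINARY_APIS = {
    b"CreateFileW", b"ReadFile", b"WriteFile", b"CreateProcessW",
    b"RegSetValueExW", b"VirtualAlloc", b"connect", b"send", b"recv",
}
ENTROPY_THRESHOLD = 7.2   # bits/byte; code and text stay well below this (assumed cut-off)
WINDOW = 256              # bytes per window when scanning for encrypted regions


def shannon_entropy(data: bytes) -> float:
    """Shannon entropy in bits per byte; 0.0 for empty or single-valued input."""
    if not data:
        return 0.0
    n = len(data)
    return -sum(c / n * math.log2(c / n) for c in Counter(data).values())


def max_window_entropy(data: bytes, window: int = WINDOW) -> float:
    """Highest entropy over fixed-size windows, so an encrypted blob embedded
    in otherwise ordinary bytes is not averaged away by the rest of the file."""
    if len(data) <= window:
        return shannon_entropy(data)
    starts = list(range(0, len(data) - window + 1, window))
    if starts[-1] != len(data) - window:
        starts.append(len(data) - window)   # also cover the unaligned tail
    return max(shannon_entropy(data[i:i + window]) for i in starts)


def named_apis(blob: bytes) -> set:
    """API names from the two lists that appear literally in the bytes."""
    return {name for name in RESOLVER_APIS | ORDINARY_APIS if name in blob}


def triage(blob: bytes) -> dict:
    """Flag a blob when it names resolver APIs but (almost) no ordinary ones,
    or when any window reaches encrypted-looking entropy."""
    found = named_apis(blob)
    resolvers = found & RESOLVER_APIS
    ordinary = found & ORDINARY_APIS
    peak = max_window_entropy(blob)
    return {
        "dynamic_api_resolution": bool(resolvers) and len(ordinary) <= 1,
        "high_entropy_region": peak >= ENTROPY_THRESHOLD,
        "peak_entropy": round(peak, 2),
        "named_apis": sorted(n.decode() for n in found),
    }


# Constructed stand-ins for file contents, not real samples.
# Benign-like: repetitive text plus a normal set of named imports.
BENIGN_BLOB = (
    b"This program cannot be run in DOS mode.\r\n" * 8
    + b"\x00".join(sorted(ORDINARY_APIS | {b"GetProcAddress"})) + b"\x00"
)
# Suspicious: only the resolver pair is named, followed by a region in which
# every byte value occurs equally often (entropy exactly 8.0 bits/byte).
SUSPICIOUS_BLOB = (
    b"MZ" + b"\x00" * 62
    + b"LoadLibraryA\x00GetProcAddress\x00"
    + bytes(range(256)) * 4
)

if __name__ == "__main__":
    for label, blob in (("benign-like", BENIGN_BLOB), ("suspicious", SUSPICIOUS_BLOB)):
        print(label, triage(blob))
```

Either flag alone is common in legitimate software (packed installers, embedded certificates, plugin loaders), so the value is in the combination and in routing such samples to sandbox detonation rather than in treating the result as a verdict.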