
Remcos RAT runtime decryption and dynamic API loading analysis

Technical Analysis
Happening score: 16 · 1 unique source, 1 article

Summary


A newly observed Remcos RAT variant decrypts its configuration only at runtime and resolves Windows APIs dynamically, so that neither the configuration nor the imported API names are visible to static analysis on Windows systems. The analysis also shows modular DLL delivery, real-time webcam streaming, and instant keystroke transmission, which increase operational stealth and shorten the time between capture and exfiltration.

Related Happenings

UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity
First: 06.03.2026 01:19 · Last: 06.03.2026 01:19 · Sources: 1

About this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...

UAT-9244 South America telecom targeting campaign

Campaign
First: 06.03.2026 01:19 · Last: 06.03.2026 01:19 · Sources: 1

About this happening: UAT-9244 is a China-linked campaign targeting telecommunication providers in South America since 2024. It compromises Windows, Linux, and edge devices to expand access across tele...

Latest development: 06.03.2026 10:22

The first documented phase centers on **TernDoor** targeting **Windows** hosts through **DLL side-loading**, using the legitimate `wsprint.exe` to load a malicious `BugSplatRc64.dll`. After launch, it runs in memory and establishes persistence through a scheduled task or the Registry Run key.

Remcos RAT variant with real-time surveillance and evasion

Malware Activity
First: 19.02.2026 18:30 · Last: 19.02.2026 18:30 · Sources: 1

How related: A newly observed variant of Remcos RAT has introduced real-time surveillance features and stronger evasion techniques, marking a shift in how the malware operates on compromised Windows systems.

About this happening: A newly observed **Remcos RAT** variant now enables **real-time surveillance** on compromised **Windows** systems, increasing the risk of immediate **webcam monitoring** and **liv...

AI as a C2 proxy abuse of Microsoft Copilot and xAI Grok browsing channels

Technical Analysis
First: 17.02.2026 20:08 · Last: 17.02.2026 20:08 · Sources: 1

About this happening: Researchers disclosed **AI as a C2 proxy**, a technique that can turn **Microsoft Copilot** and **xAI Grok** browsing features into stealthy **command-and-control relays**, increa...

LummaStealer infection surge via CastleLoader

Malware Activity
First: 11.02.2026 19:02 · Last: 11.02.2026 19:02 · Sources: 1

About this happening: The **LummaStealer** infostealer operation now includes a **widespread ClickFix campaign** observed in **February 2026** that abuses **Windows Terminal (wt.exe)** instead of the R...

Latest development: 06.03.2026 08:44

Microsoft disclosed a widespread ClickFix social-engineering campaign that uses Windows Terminal (wt.exe) instead of the Windows Run dialog to trick users into launching malicious commands. The chain proceeds through Terminal, PowerShell, cmd.exe, and MSBuild.exe to download payloads, establish persistence via scheduled tasks, configure Microsoft Defender exclusions, and inject Lumma Stealer into chrome.exe and msedge.exe with QueueUserAPC().

Timeline

  1. 19.02.2026 18:30 · 2 articles

    Remcos RAT adds runtime decryption and real-time surveillance

    Technical Analysis Update

    Point Wild's Lat61 Threat Intelligence team detailed a newly observed Remcos RAT variant on Windows systems. The variant streams webcam footage in real time, transmits keystrokes as they are typed, decrypts its configuration only at runtime, dynamically loads critical Windows APIs, retrieves webcam modules from its C2 on demand, and, after exfiltration, cleans up logs, screenshots, audio recordings, browser cookies, persistence keys, and temporary files.
