Cyber Security News

Remcos RAT C2 Activity Mapped Along with The Ports Used for Communications

Remcos, a commercial remote access tool sold by Breaking-Security and marketed as legitimate administration software, has become a serious threat in the cybersecurity landscape.

First seen in the mid-2010s, the tool lets an operator execute remote commands, steal files, capture the screen, log keystrokes, and harvest user credentials, all directed from command-and-control (C2) servers over HTTP or HTTPS channels.

Although it is positioned as legitimate software and offered in both free and paid editions, cracked and unlicensed copies are actively used in the wild for data theft and unauthorized system access.

The malware spreads through email campaigns carrying malicious attachments and through files hosted on compromised websites.

Attackers also use specialized loaders such as GuLoader and Reverse Loader to deliver Remcos as a second-stage payload, which lets the initial dropper slip past first-line detection.

Once installed, the malware establishes persistence and keeps up continuous communication with its control infrastructure, giving the operator a reliable backdoor for follow-on activity.

Censys security analysts reported that between October 14 and November 14, 2025, they consistently tracked more than 150 active Remcos C2 servers worldwide.

Infrastructure

This substantial infrastructure demonstrates the tool’s widespread adoption among threat actors.

The servers most often listened on port 2404, the Remcos default, with additional activity observed on ports 5000, 5060, 5061, 8268, and 8808, showing that operators vary the listening port rather than relying on the default alone.

Remcos persistence configuration (Source – Censys)

Looking at the C2 communication itself shows how Remcos stays in control. The malware talks to its servers over HTTP and HTTPS on predictable ports, and the traffic frequently carries encoded POST requests and unusual TLS configurations that produce distinctive, detectable patterns.

Operators typically reuse one TLS certificate across several servers, deploy from template-based setups, and rent from inexpensive hosting providers such as COLOCROSSING, RAILNET, and CONTABO in the United States, the Netherlands, Germany, and other countries.

Because these patterns repeat across the infrastructure, network defenders can use them to identify and block C2 communications at their network monitoring and filtering points.
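The following is an added example, not code from Censys or from the article, showing how the observations above turn into a triage rule over network logs. It reads constructed, Zeek-style conn.log and ssl.log records (a reduced column set, assumed here for illustration) and scores each outbound session on the ports Censys reported for Remcos (2404 as the default, plus 5000, 5060, 5061, 8268, 8808), on reuse of one TLS certificate fingerprint across several server IPs, and on two heuristics labelled as this example's own assumptions: TLS sessions without SNI and long-lived TCP connections. Ports 5060 and 5061 are also the standard SIP ports and 5000 is common for development servers, so the script deliberately refuses to score those ports on their own.

```python
"""Score Zeek-style conn.log / ssl.log rows for Remcos-like C2 activity.

Added example for this article; the log lines are constructed, not captured.
Field layouts below are a simplified subset of Zeek's and are an assumption.
"""
from collections import defaultdict

# Ports Censys observed Remcos C2 servers listening on; 2404 is the default.
REMCOS_PORTS = {2404, 5000, 5060, 5061, 8268, 8808}
DEFAULT_PORT = 2404
# Assumption: these also carry common legitimate traffic (5060/5061 = SIP,
# 5000 = many dev servers), so they are noted but never scored alone.
NOISY_PORTS = {5000, 5060, 5061}
# Assumption: a "continuous" C2 channel shows up as a long TCP session.
LONG_SESSION_SECONDS = 600.0

CONN_FIELDS = ("ts", "uid", "orig_h", "orig_p", "resp_h", "resp_p",
               "proto", "duration", "orig_bytes", "resp_bytes")
SSL_FIELDS = ("ts", "uid", "resp_h", "resp_p", "server_name", "cert_sha1")

# Constructed conn.log rows (tab-separated, CONN_FIELDS order).
CONN_LOG = """\
1731577200.10\tC1\t10.0.0.5\t51234\t203.0.113.10\t2404\ttcp\t3600.5\t48210\t1200
1731577201.20\tC2\t10.0.0.7\t51300\t203.0.113.11\t8808\ttcp\t3590.0\t51000\t900
1731577205.00\tC3\t10.0.0.9\t51400\t192.0.2.50\t5060\tudp\t2.0\t600\t600
1731577210.00\tC4\t10.0.0.5\t51500\t203.0.113.12\t443\ttcp\t1.2\t1500\t30000
1731577215.00\tC5\t10.0.0.8\t51600\t198.51.100.20\t5061\ttcp\t1800.0\t20000\t500
"""

# Constructed ssl.log rows (SSL_FIELDS order); "-" means no SNI was sent.
SSL_LOG = """\
1731577200.10\tC1\t203.0.113.10\t2404\t-\taaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
1731577201.20\tC2\t203.0.113.11\t8808\t-\taaaa1111aaaa1111aaaa1111aaaa1111aaaa1111
1731577210.00\tC4\t203.0.113.12\t443\tupdates.example.com\tbbbb2222bbbb2222bbbb2222bbbb2222bbbb2222
1731577215.00\tC5\t198.51.100.20\t5061\tsip.example.net\tcccc3333cccc3333cccc3333cccc3333cccc3333
"""


def parse_tsv(text, fields):
    """Turn tab-separated log text into dicts keyed by the given field names."""
    rows = []
    for line in text.splitlines():
        if not line.strip() or line.startswith("#"):
            continue
        rows.append(dict(zip(fields, line.split("\t"))))
    return rows


def cert_reuse(ssl_rows):
    """Map certificate fingerprint -> set of server IPs that presented it."""
    servers = defaultdict(set)
    for row in ssl_rows:
        servers[row["cert_sha1"]].add(row["resp_h"])
    return servers


def score_sessions(conn_text, ssl_text):
    """Return one scored record per connection, with the reasons for its score."""
    conns = parse_tsv(conn_text, CONN_FIELDS)
    ssl_rows = parse_tsv(ssl_text, SSL_FIELDS)
    ssl_by_uid = {row["uid"]: row for row in ssl_rows}
    reuse = cert_reuse(ssl_rows)
    results = []
    for conn in conns:
        port = int(conn["resp_p"])
        score, reasons = 0, []
        if port == DEFAULT_PORT:
            score += 2
            reasons.append("remcos default port 2404")
        elif port in REMCOS_PORTS and port not in NOISY_PORTS:
            score += 1
            reasons.append(f"remcos-associated port {port}")
        elif port in NOISY_PORTS:
            reasons.append(f"port {port} seen with remcos but noisy; not scored")
        if conn["proto"] == "tcp" and float(conn["duration"]) >= LONG_SESSION_SECONDS:
            score += 1
            reasons.append("long-lived tcp session")
        tls = ssl_by_uid.get(conn["uid"])
        if tls:
            shared_by = len(reuse[tls["cert_sha1"]])
            if shared_by > 1:
                score += 1
                reasons.append(f"cert {tls['cert_sha1'][:8]} reused on {shared_by} servers")
            if tls["server_name"] == "-":
                score += 1
                reasons.append("tls without sni")
        results.append({"uid": conn["uid"], "dst": f"{conn['resp_h']}:{port}",
                        "score": score, "reasons": reasons})
    return results


def flagged(conn_text, ssl_text, threshold=2):
    """Sessions worth an analyst's attention: score at or above the threshold."""
    return [r for r in score_sessions(conn_text, ssl_text) if r["score"] >= threshold]


if __name__ == "__main__":
    for r in sorted(score_sessions(CONN_LOG, SSL_LOG), key=lambda r: -r["score"]):
        print(r["score"], r["uid"], r["dst"], "; ".join(r["reasons"]))
```

On the constructed data only C1 and C2 cross the threshold: both hit a reported port, share one certificate across two server IPs, send no SNI, and hold the connection open for close to an hour. The SIP-looking session on 5061 (C5) scores 1 and the short UDP flow to 5060 (C3) scores 0, which is the point of not scoring noisy ports alone. In production the certificate-reuse lookup should run over a day or more of ssl.log rather than one batch, because the reuse only becomes visible once several of an operator's servers have been contacted.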

The persistence mechanisms Censys observed include Scheduled Tasks and Registry Run-key entries, which relaunch the implant after a reboot and so keep the attacker's access across restarts.

Together, remote command execution, file transfer, and resilient persistence make Remcos especially dangerous for organizations with weak security controls; monitoring network traffic for the C2 patterns above and checking endpoints for these persistence entries are the immediate countermeasures.


Tushar Subhra Dutta

Tushar is a senior cybersecurity and breach reporter. He specializes in covering cybersecurity news, trends, and emerging threats, data breaches, and malware attacks. With years of experience, he brings clarity and depth to complex security topics.
