Hackers News
Remcos RAT Masquerading as VeraCrypt Installers Steals Users' Login Credentials


Emy Elsamnoudy
January 19, 2026

A sophisticated malware campaign is actively targeting South Korean users, distributing the Remcos remote access trojan (RAT). Attackers employ deceptive installers that masquerade as legitimate VeraCrypt encryption software to deliver the malware.

This ongoing attack campaign primarily focuses on individuals connected to illegal online gambling platforms, though security experts warn that everyday users downloading encryption tools may also fall victim to the scheme.

The threat actors behind this operation are using two distinct distribution methods to spread the malicious payload.

The first approach involves fake database lookup programs that appear to check blocklists for gambling site accounts, while the second masquerades as genuine VeraCrypt utility installers.

GUI screen of the distributed Remcos RAT (Source: ASEC)

Both distribution channels have been observed delivering malware through web browsers and messaging platforms like Telegram, using filenames such as “*****usercon.exe” and “blackusernon.exe” to deceive unsuspecting victims.

ASEC analysts identified that once executed, the fake installers deploy malicious VBS scripts hidden within their resource sections.

These scripts are written to the system’s temporary directory with randomized filenames before being activated.

The malware then initiates a complex infection chain involving multiple stages of obfuscated VBS and PowerShell scripts, ultimately delivering the Remcos RAT payload that gives attackers complete remote control over compromised systems.

The impact of this campaign extends beyond simple unauthorized access.

Remcos RAT is equipped with extensive data theft capabilities including keylogging, screenshot capture, webcam and microphone control, and credential extraction from web browsers.

Victims infected with this malware face significant risks of having their sensitive personal information, login credentials, and financial data compromised and transmitted to the attackers’ command-and-control servers.

Multi-Stage Infection Chain and Payload Delivery

The attack employs a sophisticated eight-stage infection process designed to evade detection by security software.

After the initial dropper executes, the malware progresses through five scripted downloader stages using obfuscated VBS and PowerShell scripts with misleading file extensions.

These intermediate scripts contain dummy comments, junk data, and files masquerading as JPG images while actually embedding Base64-encoded malicious payloads.
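As an added example (not code from the article or from the ASEC report), a small Python checker for the JPG masquerade described above: it flags files whose .jpg extension does not match the JPEG magic bytes and whose content holds a Base64 run that decodes to a PE (MZ) header. The sample inputs are constructed for the demonstration.

```python
"""Detect fake-JPG stage files carrying a Base64-encoded Windows executable.
Added example, not from the article or ASEC; sample inputs are constructed."""
import base64
import re

JPEG_MAGIC = b"\xff\xd8\xff"          # start of every JPEG/JFIF file
# A Base64 run long enough to hold at least a DOS header (64 chars -> 48 bytes)
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")


def has_base64_pe(data: bytes) -> bool:
    """True if any Base64 run in data decodes to bytes starting with 'MZ'."""
    for match in B64_RUN.finditer(data):
        chunk = match.group(0)
        chunk = chunk[: len(chunk) - len(chunk) % 4]   # keep whole 4-char quanta
        try:
            decoded = base64.b64decode(chunk, validate=True)
        except ValueError:                             # binascii.Error is a ValueError
            continue
        if decoded.startswith(b"MZ"):
            return True
    return False


def inspect(filename: str, data: bytes) -> list:
    """Return findings for one file: extension/content mismatch and embedded PE."""
    findings = []
    claims_jpeg = filename.lower().endswith((".jpg", ".jpeg"))
    if claims_jpeg and not data.startswith(JPEG_MAGIC):
        findings.append("extension-mismatch")
    if has_base64_pe(data):
        findings.append("base64-pe")
    return findings


# Constructed stand-ins: a benign JPEG header and a "JPG" that is really a
# VBS-style script with dummy comments around a Base64-encoded MZ stub.
CONSTRUCTED_JPEG = JPEG_MAGIC + b"\xe0\x00\x10JFIF" + b"\x00" * 32
CONSTRUCTED_DROPPER = (
    b"' dummy comment to pad the script\r\n"
    b"' more junk lines like the obfuscated stages carry\r\n"
    + base64.b64encode(b"MZ" + b"\x90" * 94)            # 96 bytes -> 128 chars
    + b"\r\n' trailing junk\r\n"
)

if __name__ == "__main__":
    for name, blob in (("photo.jpg", CONSTRUCTED_JPEG), ("stage3.jpg", CONSTRUCTED_DROPPER)):
        print(name, inspect(name, blob) or ["clean"])
```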

Malware inside the obfuscated routine and dummy data (Source: ASEC)

The infection chain culminates with a .NET-based injector that communicates with attackers via Discord webhooks.

This injector downloads the final Remcos RAT payload from remote servers, decrypts it, and injects it directly into the AddInProcess32.exe process to maintain persistence.

Notably, security researchers discovered that some variants use Korean-language strings in their configuration settings and registry keys, indicating the campaign’s targeted nature toward Korean-speaking users.
