Beware the ClickFix Trap: REMCOS RAT Hiding in “Helpful” PUAs

Cybereason GSOC has observed a notable increase in infections involving REMCOS RAT, often delivered through vulnerable or potentially unwanted applications (PUAs).

The threat actors behind these REMCOS campaigns specifically target legitimate software library packages. They replace genuine DLL files with malicious versions. Once loaded, the malicious DLL proceeds to import and execute additional malicious libraries, ultimately deploying the final-stage REMCOS payload.

This multi-stage DLL replacement technique allows the attacker to evade initial detection by masquerading as legitimate software components.

 

Introduction: REMCOS RAT

REMCOS is marketed as Remote Control and Surveillance Software, functioning primarily as a Remote Access Trojan (RAT) that enables attackers to remotely control and monitor compromised computers.

The tool is distributed in two editions:

  • A free (limited) version

  • A paid (full-featured) version

Analysis of the final-stage payload in the currently observed campaigns confirms that attackers are deploying the paid version of REMCOS.

Core features included in REMCOS 7.1.0:

  • Keylogging

  • Real-time screen capture/screenshot grabbing

  • File upload and download

  • Service management (start/stop/create/delete services)

  • Registry manipulation (read/write/delete keys and values)

  • Command execution

  • Telegram bot integration for C2 (command-and-control) communication and monitoring

  • Microphone/webcam access

  • Password recovery from browsers and applications

  • Clipboard access

  • System information collection

 

Callback Shellcode Injection

Windows offers several enumeration APIs designed to iterate over system resources such as windows, locales, fonts, date formats, processes, and more. A common characteristic of these APIs is that they accept a pointer to an application-defined callback function as one of their parameters.

Each time the enumeration process finds a new item, the operating system automatically calls the provided callback function, passing it relevant data (e.g., the current enumerated item). While this is a legitimate design for processing lists of items, attackers exploit this mechanism to achieve code execution without using more heavily monitored APIs like CreateThread or CreateRemoteThread.

Example: EnumDateFormatsA. This function enumerates the date formats supported by a specified locale. Its lpDateFmtEnumProc parameter (of type DATEFMT_ENUMPROCA) is a pointer to the application-defined callback; EnumDateFormatsProc is only the placeholder name the documentation uses for that function.


In normal usage, the callback simply processes each date format string it receives. However, attackers abuse this by:

  • Allocating executable memory

  • Placing malicious shellcode into that memory region

  • Passing the address of the shellcode as the callback function pointer

When Windows begins enumerating and calls the “callback function,” execution immediately transfers to the attacker-controlled shellcode.
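As an added illustration (not code from the original post), the following Python applies the detection heuristic that follows from this description: an enumeration API invoked with a callback pointer that is not backed by any loaded module image. The module list, API-call records and addresses are constructed for the demo.

```python
from dataclasses import dataclass

# Windows enumeration APIs that accept an application-defined callback pointer.
CALLBACK_ENUM_APIS = {
    "EnumDateFormatsA", "EnumDateFormatsW",
    "EnumSystemCodePagesA", "EnumSystemCodePagesW",
    "EnumSystemLocalesW", "EnumWindows", "EnumFontFamiliesExW",
}

@dataclass(frozen=True)
class Module:
    name: str
    base: int
    size: int

    def contains(self, addr):
        return self.base <= addr < self.base + self.size

@dataclass(frozen=True)
class ApiCall:
    pid: int
    api: str
    callback: int        # the lpEnumProc-style argument as recorded by a tracer
    region_protect: str  # page protection of the memory that holds the callback

def backing_module(addr, modules):
    """Name of the loaded module whose image range contains addr, else None."""
    return next((m.name for m in modules if m.contains(addr)), None)

def flag_callback_hijack(calls, modules):
    """Findings for enumeration calls whose callback is not inside any loaded
    module image. A legitimate callback is a function compiled into a module;
    one living in private RWX memory matches the callback-injection pattern."""
    findings = []
    for c in calls:
        if c.api in CALLBACK_ENUM_APIS and backing_module(c.callback, modules) is None:
            findings.append((c.pid, c.api, hex(c.callback), c.region_protect))
    return findings

# Constructed sample telemetry: module ranges and addresses are made up for the demo.
MODULES = [
    Module("shotcut.exe", 0x00400000, 0x00200000),
    Module("libmlt-7.dll", 0x7FF800000000, 0x00100000),
]
CALLS = [
    ApiCall(4120, "EnumSystemCodePagesW", 0x7FF800001234, "PAGE_EXECUTE_READ"),   # inside libmlt-7.dll
    ApiCall(4120, "EnumSystemCodePagesW", 0x01A20000, "PAGE_EXECUTE_READWRITE"),  # private memory
    ApiCall(4120, "CreateFileW", 0x0, "n/a"),  # not a callback-taking enumeration API
]
```

Only the second call is reported: its callback address lies outside every loaded module and the backing page is writable and executable.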

Attack Flow


 

Technical Analysis

ClickFix and MSHTA

Threat actors leverage the ClickFix social engineering technique to trick victims into manually executing malicious commands through a command shell (cmd).

Attackers compromise legitimate or vulnerable websites, or use malvertising and phishing links, to host malicious pages. The victim lands on a page displaying a fake CAPTCHA. When the victim interacts with it, malicious JavaScript silently copies a pre-crafted malicious command to the clipboard for the victim to paste and run.

The resulting mshta.exe process downloads a JavaScript file (token) from the attacker's C2 server; this remote script spawns a PowerShell process.


PowerShell / TAR Stage (Second Stage)

The MSHTA-spawned PowerShell downloads the second-stage payload from the attacker's C2 infrastructure. The downloaded file carries a .pdf extension but is actually a ZIP archive. The PowerShell script extracts its contents using the tar utility.

Inside the extracted archive is a Potentially Unwanted Program (PUP) named Shotcut (a trojanized or repackaged version of the legitimate open-source video editor Shotcut).


Shotcut Application

Shotcut is a free, open-source, cross-platform video editor available for Windows, macOS, and Linux. Attackers have been observed trojanizing the Windows portable ZIP package of Shotcut to distribute the REMCOS RAT malware. The legitimate Shotcut application executable itself is not modified or infected. The compromise occurs only in maliciously altered DLL library files.

By comparing legitimate and malicious Shotcut ZIP packages, the following differences become apparent:

  • The malicious ZIP includes additional files not present in the official version.

  • Specifically, the attackers replaced an open-source multimedia framework DLL (libmlt-7.dll) with a malicious one.
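The comparison described above can be automated. The following Python example is added here (it is not the post's own tooling) and diffs a suspect ZIP against a reference copy by member name and SHA-256; the two packages are constructed in memory with placeholder contents, with member names taken from the post.

```python
import hashlib
import io
import zipfile

def build_zip(members):
    """Build an in-memory ZIP from {name: bytes}; used here only to construct samples."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as zf:
        for name, data in members.items():
            zf.writestr(name, data)
    return buf.getvalue()

def hash_members(zip_bytes):
    """Map each file member of a ZIP to the SHA-256 of its uncompressed content."""
    digests = {}
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            if not info.is_dir():
                digests[info.filename] = hashlib.sha256(zf.read(info)).hexdigest()
    return digests

def diff_packages(reference_zip, suspect_zip):
    """Return (added, removed, modified) member names for a suspect ZIP compared
    against a reference copy taken from the vendor's official download."""
    ref = hash_members(reference_zip)
    sus = hash_members(suspect_zip)
    added = sorted(set(sus) - set(ref))
    removed = sorted(set(ref) - set(sus))
    modified = sorted(n for n in ref.keys() & sus.keys() if ref[n] != sus[n])
    return added, removed, modified

# Constructed sample packages: member names follow the post, contents are placeholders.
LEGIT = build_zip({
    "Shotcut/shotcut.exe": b"MZ legitimate launcher",
    "Shotcut/libmlt-7.dll": b"MZ legitimate MLT framework",
})
SUSPECT = build_zip({
    "Shotcut/shotcut.exe": b"MZ legitimate launcher",    # untouched, as the post notes
    "Shotcut/libmlt-7.dll": b"MZ loader DLL",            # the replaced framework DLL
    "Shotcut/Libcra.dll": b"MZ second-stage loader",     # files absent from the official ZIP
    "Shotcut/core.dat": b"obfuscated blob",
})

if __name__ == "__main__":
    added, removed, modified = diff_packages(LEGIT, SUSPECT)
    print("added:", added, "removed:", removed, "modified:", modified)
```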

Legitimate Shotcut ZIP file

Malicious Shotcut ZIP file

This malicious DLL (libmlt-7.dll) is crafted to act as a loader and imports a function from another malicious DLL. This import causes the second DLL (Libcra.dll) to be dynamically loaded into memory.


DLL Flow

Libmlt-7.dll -> Libcra.dll (loads core.dat) -> SecurePdfSDK.dll -> Shellcode (loads across.bin)

Libcra.dll

Upon loading, the entry point of Libcra.dll (DllMain / DllEntryPoint) executes automatically and initializes thread-local storage (TLS) for the malicious code. It immediately creates a new thread whose start address is the function named UserNetwork.

UserNetwork Function (core execution routine in Libcra.dll)

Once spawned as a separate thread during Libcra.dll's DllMain entry point, the UserNetwork function orchestrates the next stages of the infection:

  • Loading of cAudioDecoder.dll

    • Calls LoadLibrary to dynamically load cAudioDecoder.dll — another malicious DLL likely masquerading as part of an audio/multimedia codec.

  • Reading the embedded/obfuscated payload (core.dat)

    • Calls CreateFileW to open the file core.dat and obtain a handle to it.

    • Calls ReadFile on that handle to copy the contents of core.dat into a pre-allocated heap buffer.


  • Deobfuscation of core.dat

    • The data in core.dat is obfuscated to evade static signature-based detection and string scanning.

    • Deobfuscation is performed using a combination of bit-shift left and XOR operations.


  • Loading the final-stage DLL (securePdfSDK.dll)

    • Libcra.dll proceeds to load securePdfSDK.dll. This DLL contains the most critical malicious routines and acts as the primary payload handler.


SecurePdfSDK.dll

MovementCurrent Function

  • Allocates new memory using the VirtualAlloc API

  • Calls BCryptGenRandom (from bcrypt.dll) to generate random bytes and uses these random bytes to create junk header and footer sections around the real payload.

  • Writes the deobfuscated content from core.dat in between the random junk. → This random padding + junk wrapping is a common evasion tactic: it defeats simple memory dumping.

ClassifyCard Function (shellcode execution via callback hijacking)

  • Changes the memory protection of the above-described payload using the VirtualProtect API.

  • Abuses the Windows API EnumSystemCodePagesW — a callback-style enumeration function.

  • Instead of passing a legitimate callback, the malware passes the address of its prepared shellcode (from core.dat) as the callback pointer. → This is known as the callback shellcode injection technique. When Windows invokes the "callback" during enumeration, control is seamlessly transferred to the attacker's shellcode without obvious CreateThread/QueueUserAPC calls.

  • EnumSystemCodePagesW internally spawns a new thread to handle the enumeration callbacks.

  • Execution flow jumps to the shellcode, which then loads and runs the final-stage REMCOS RAT payload.


Shellcode Analysis

After the ClassifyCard function hijacks the EnumSystemCodePagesW callback to transfer control to the shellcode (extracted and deobfuscated from core.dat), the shellcode executes entirely in memory as the ultimate payload loader for the REMCOS RAT. The shellcode begins by calling GlobalAlloc (with GPTR or similar flags) to allocate a sizable heap buffer.

The shellcode invokes CreateFileW to open across.bin. The resulting file handle is passed to ReadFile to read the contents of across.bin into the allocated heap buffer. This step loads the final REMCOS RAT executable into memory.

Final Payload - REMCOS RAT

Once fully activated on the compromised system, this REMCOS RAT variant grants the remote attacker extensive control and data-theft features.


Key behaviors observed include:

UAC / Privilege Escalation & Evasion

  • Spawns a shell process (e.g., via cmd.exe or similar) and modifies the registry to disable User Account Control notifications: specifically sets EnableLUA to 0 under HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System.

  • This suppresses UAC prompts, allowing silent elevation and execution of privileged actions without user interaction.
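An added detection example, not part of the original post: it parses constructed Sysmon-style registry value-set events (Event ID 13) and flags a write of EnableLUA = 0 under the UAC policy key named above. The field names follow Sysmon's event schema; the records themselves are constructed for the demo.

```python
import xml.etree.ElementTree as ET

NS = {"e": "http://schemas.microsoft.com/win/2004/08/events/event"}
UAC_POLICY_KEY = r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System"

def parse_event(xml_text):
    """Extract the EventID and the EventData name/value pairs of one event record."""
    root = ET.fromstring(xml_text)
    event_id = int(root.find("e:System/e:EventID", NS).text)
    data = {d.get("Name"): (d.text or "") for d in root.findall("e:EventData/e:Data", NS)}
    return event_id, data

def is_uac_disable(xml_text):
    """True for a Sysmon registry value-set event (ID 13) that writes EnableLUA = 0
    under the UAC policy key, the change described in the post."""
    event_id, data = parse_event(xml_text)
    if event_id != 13 or data.get("EventType") != "SetValue":
        return False
    target = data.get("TargetObject", "").lower()
    details = data.get("Details", "").strip().upper()
    return target == (UAC_POLICY_KEY + r"\EnableLUA").lower() and details.endswith("(0X00000000)")

def scan_events(records):
    """Return (ProcessId, Image) for every record that flips EnableLUA to 0."""
    hits = []
    for record in records:
        if is_uac_disable(record):
            _, data = parse_event(record)
            hits.append((data.get("ProcessId"), data.get("Image")))
    return hits

def sysmon_event(event_id, fields):
    """Build a constructed Sysmon-style event record for the demo (not real telemetry)."""
    body = "".join(f'<Data Name="{k}">{v}</Data>' for k, v in fields.items())
    return (f'<Event xmlns="{NS["e"]}"><System><EventID>{event_id}</EventID></System>'
            f"<EventData>{body}</EventData></Event>")

SAMPLE_EVENTS = [
    sysmon_event(13, {"EventType": "SetValue", "ProcessId": "5120", "Image": r"C:\Windows\System32\cmd.exe",
                      "TargetObject": UAC_POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000000)"}),
    sysmon_event(13, {"EventType": "SetValue", "ProcessId": "880", "Image": r"C:\Windows\System32\svchost.exe",
                      "TargetObject": UAC_POLICY_KEY + r"\EnableLUA", "Details": "DWORD (0x00000001)"}),
    sysmon_event(1, {"ProcessId": "5120", "Image": r"C:\Windows\System32\cmd.exe"}),
]
```

The second record sets EnableLUA back to 1 and the third is a process-creation event, so only the cmd.exe write is reported.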

Shell Execution & System Interaction

  • Leverages ShellExecuteW API to launch files, browse directories, open applications, and access hardware devices such as the webcam/camera for surveillance or capture.


Input & Data Capture

  • Implements an offline/online keylogger (Online Keylogger) that captures all keystrokes, including passwords, and logs them.

  • Steals clipboard data on demand or continuously, exfiltrating copied text, passwords, or sensitive snippets.

Browser Credential & Cookie Theft

  • Targets popular browsers (Chrome, Firefox).

  • Extracts stored logins, passwords, cookies, autofill data, and profiles from known paths.


Privilege Abuse via System Account

  • Attempts to impersonate or operate under the SYSTEM account using SID S-1-5-18 (NT AUTHORITY\SYSTEM) — a built-in high-privilege account used by the OS for system services.

  • This grants near-full control over the machine, bypassing many user-level restrictions.

Email Client Password Recovery

  • Attempts to recover stored email passwords using the FoxMail recovery tool.

Persistence & Self-Defense

  • Deploys a Watchdog module and adds registry entries for persistence and watchdog activation.

Command-and-Control (C2) Communication

  • Establishes persistent, encrypted connections to the attacker's C2 domain/server (https://pro.ip-api[.]com/line/?key=QPVvv1rHQJD2pd2&fields=25948155).

  • Receives commands for remote desktop, file exfiltration, additional payload downloads, surveillance (mic/camera), screenshot capture, and more.

  • Sends back stolen data, system info, logs, and screenshots.

 

Conclusion

The REMCOS RAT continues to see increased activity in 2025–2026, frequently delivered through sophisticated supply-chain attacks — such as the trojanized Shotcut portable ZIP packages described in this analysis. These compromises exploit users' trust in legitimate open-source tools, turning trusted software into stealthy malware droppers.

This particular campaign leverages classic tactics: DLL sideloading, callback shellcode execution (via abused APIs like EnumSystemCodePagesW), in-memory payload staging, junk padding for evasion, and multi-stage loaders — all culminating in a fully-featured remote access trojan capable of keylogging, credential theft, surveillance, privilege escalation, and persistent C2 communication.

 

Indicators of Compromise

IOC table (provided as an image in the original post)

 

Recommendations

Once an affected endpoint is identified, immediate containment is critical, as threat actors have been observed operating within hours of initial compromise. The following actions are recommended to mitigate further risk:

  • Download software exclusively from official sources. Verify the SHA-256 hash of the downloaded file/package against the values published on the official site.

  • Isolate the endpoint and determine whether forensic analysis will be performed. If it will, create a forensic image (preservation copy) for analysis to determine the scope of potential data at risk and the extent of threat actor activity. If not, proceed with internal/existing IT processes to restore to the "gold image" (baseline).

  • Conduct a forensic analysis of the "at risk" data as identified within this article under the Critical Takeaways section under "The extension accessed the following browser data:" which details specifically what data elements may be at risk and should be considered for inventorying, resetting, and potential follow-on investigation into unauthorized or unexpected activity.

  • Reset credentials associated with affected user accounts, especially those with administrative access.

  • Block identified IOCs (domains, IPs, hashes) across endpoints, networks, and other security appliances.

  • Reimage the infected system to ensure full eradication.

  • Educate users about supply-chain compromises and click-fix/social-engineering lures.

  • Restrict the installation of remote access tools unless explicitly approved.

  • Audit new software installs related to remote access tools.

About the Author

Hema Loganathan is a GSOC Analyst with the Cybereason Global SOC team. She is involved in MalOp Investigation, Malware Analysis, Reverse Engineering, and Threat Hunting. Hema has a Master of Science degree in Information Systems. Follow Hema on LinkedIn.
