Censys Threat Overview: Mapping Remcos C2 Activity at Internet Scale
ID: 6fed1cee-0e2b-57c5-b175-29971089d92c
STIX ID: report--6fed1cee-0e2b-57c5-b175-29971089d92c
Feed Name: Censys Blog
Date Published: 2025-11-14
Date Updated: 2026-04-27
Author: Andrew Northern; Principal Security Researcher
Remcos is a commercially distributed remote access tool (RAT) that enables remote command execution, file transfer, screen capture, keylogging, and credential theft over HTTP/HTTPS C2 channels; it is actively used in unauthorized access and data theft. The report describes common distribution methods (malspam, loaders), persistence mechanisms (Scheduled Tasks, Run keys), typical C2 ports and observable network artifacts, and Censys telemetry identifying over 150 active C2 servers and hosting trends across providers and countries.
