AhnLab Security Intelligence Center: Remcos RAT Campaign Uses Trojanized VeraCrypt Installers to Steal Credentials

Active Remcos RAT Campaign Targets South Korean Users via Fake Gambling Tools and VeraCrypt Installers

The AhnLab Security Intelligence Center (ASEC) has uncovered an ongoing Remcos RAT campaign targeting users in South Korea, leveraging deceptive tactics to distribute malware through multiple infection vectors.

Infection Methods and Targets

The campaign primarily spreads through fake gambling-related tools and counterfeit VeraCrypt installers, exploiting trust in legitimate software. Key distribution channels include:

  • Web browsers and Telegram, with malicious files disguised as "blocklist user lookup" tools for illegal gambling sites (e.g., programs named usercon.exe and blackusernon.exe).
  • Self-extracting (SFX) archives impersonating VeraCrypt installers, tricking users into executing malware under the guise of disk encryption software.

Attack Chain and Evasion Techniques

The infection process involves multi-stage obfuscation, including:

  1. Fake installers (e.g., gambling DB lookup tools, VeraCrypt impersonators) that deploy embedded VBS scripts to %TEMP%.
  2. Script-based downloaders (e.g., XX12.JPG, Config.vbs) that fetch additional payloads while masquerading as image files.
  3. Base64-encoded PE payloads hidden within fake JPG files, decrypted and injected into AddInProcess32.exe via a .NET-based injector.
  4. Discord Webhooks used to exfiltrate execution logs before deploying the final Remcos RAT payload.

Notably, the malware includes Korean-language strings and localized mutex names, indicating a targeted approach against South Korean victims.
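As an added defender's example (not code from the ASEC report or the article), the following Python triage helper implements the check that step 3 of the chain calls for: scan a supposed image file for a long base64 run that decodes to a PE image, i.e. an MZ header whose e_lfanew field points at the "PE\0\0" signature. The JFIF header bytes, the 64-character minimum run length and the stand-in payload are constructed for illustration.

```python
import base64
import binascii
import re
import struct

# Constructed threshold: a base64 run shorter than this cannot hold even a DOS header.
B64_RUN = re.compile(rb"[A-Za-z0-9+/]{64,}={0,2}")

def looks_like_pe(data: bytes) -> bool:
    """True if data starts with an MZ header whose e_lfanew points at the 'PE\\0\\0' signature."""
    if len(data) < 0x40 or data[:2] != b"MZ":
        return False
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    return data[e_lfanew:e_lfanew + 4] == b"PE\x00\x00"

def find_embedded_pe(blob: bytes) -> list:
    """Scan any file for base64 runs that decode to a PE image.

    Returns one dict per hit (run offset, base64 length, decoded PE size) so a triage
    script can carve the payload or alert on a supposed image that carries an executable.
    """
    hits = []
    for m in B64_RUN.finditer(blob):
        run = m.group(0)
        run = run[: len(run) - len(run) % 4]  # drop a trailing partial quantum
        try:
            decoded = base64.b64decode(run, validate=True)
        except binascii.Error:
            continue
        if looks_like_pe(decoded):
            hits.append({"offset": m.start(), "b64_len": len(run), "pe_len": len(decoded)})
    return hits

def fake_pe() -> bytes:
    """Constructed stand-in payload: a DOS header with e_lfanew = 0x40 followed by 'PE\\0\\0'."""
    dos = bytearray(0x40)
    dos[:2] = b"MZ"
    struct.pack_into("<I", dos, 0x3C, 0x40)
    return bytes(dos) + b"PE\x00\x00" + b"\x00" * 20

# Constructed samples: a JFIF-like header wrapping the base64 payload, and a clean one without it.
JFIF_HEADER = b"\xff\xd8\xff\xe0\x00\x10JFIF\x00\x01\x01\x00\x00\x01\x00\x01\x00\x00"
SAMPLE_FAKE_JPG = JFIF_HEADER + base64.b64encode(fake_pe()) + b"\xff\xd9"
SAMPLE_CLEAN_JPG = JFIF_HEADER + bytes(range(256)) + b"\xff\xd9"

if __name__ == "__main__":
    for name, blob in (("fake.jpg", SAMPLE_FAKE_JPG), ("clean.jpg", SAMPLE_CLEAN_JPG)):
        print(name, find_embedded_pe(blob) or "no embedded PE")
```

A hit on a file that the downloader fetched as a .JPG is a strong signal on its own; pairing it with the decoded image's hash gives a pivot for the rest of the chain.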

Remcos RAT Capabilities

Once installed, the RAT enables attackers to:

  • Execute remote commands and control compromised systems.
  • Steal credentials from browsers and applications.
  • Log keystrokes (stored in %ALLUSERSPROFILE%\remcos\).
  • Capture screenshots, webcam, and microphone feeds.
  • Manage files and processes on infected machines.

Impact and Scope

The campaign demonstrates a dual-targeting strategy:

  • Gambling ecosystem participants, lured by fake "blocklist lookup" tools.
  • General users, tricked into running malicious VeraCrypt installers from untrusted sources.

Given Remcos RAT’s surveillance and credential-theft capabilities, infections can lead to severe privacy breaches, account takeovers, and financial loss. The use of heavy obfuscation and script-based evasion further complicates detection.

Source: https://gbhackers.com/remcos-rat-campaign/

AhnLab, Inc. cybersecurity rating report: https://www.rankiteo.com/company/ahnlab-inc.
