
Flowmon ADS BPATTERNS Description

REMCOS_RAT - description

  • Last Updated: May 1, 2026

Source:

Malicious PowerPoint slide show files delivering REMCOS remote access trojan

Attackers distribute phishing emails containing malicious PPSX (PowerPoint Slide Show) file attachments. When opened, the script in these files downloads an additional document from a command and control server. This document executes PowerShell commands that download and run RATMAN.exe, a compromised version of the REMCOS remote access tool. Once installed, this tool grants attackers full access to the victim's computer.

Flowmon ADS detects communication with two separate command and control servers: one that delivers the RATMAN.exe executable and another that provides installation instructions for the malware.

REMCOS remote access trojan communication detection in Flowmon ADS
