Malware Profile Updated 3 months ago
Rescoms is a commercially sold remote access tool (RAT). Because any operator can buy a licence, it is used by many unrelated threat actors and regularly appears as a payload in information-stealing campaigns alongside other crimeware. According to an ESET report, Rescoms was one of the payloads distributed by Rugmi, a loader consisting of a downloader that retrieves an encrypted payload plus two further loader components that execute it. The same Rugmi activity also delivered the Vidar, RecordBreaker (Raccoon Stealer V2) and Lumma Stealer (LummaC2) stealers.

In the second half of 2023, ESET recorded a sharp rise in malware packed with AceCryptor, a crypter used to hide payloads from detection, spread through multiple spam campaigns. The campaigns targeted European countries in particular, with Spain seeing a surge of spam emails carrying Rescoms as the final payload, and the same crypter was used to distribute other families including SmokeLoader, STOP ransomware and the Vidar stealer. This marked a change in how Rescoms was being deployed: its operators began using AceCryptor far more often, and over this period Rescoms became the most prevalent family packed by AceCryptor, with more than 32,000 hits.

Artifacts inside the samples themselves, notably the Rescoms license ID embedded in each build, tied many of these attacks to a single threat actor, which points to one coordinated operation rather than isolated incidents. The phishing emails typically carried AceCryptor-packed Rescoms as an attachment and were aimed at companies, for example in Poland.
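The profile offers a STIX export of these relationships. The following is an added illustration (not the site's own STIX bundle and not ESET's data) of how the facts above map onto STIX 2.1 objects and how to sanity-check such a bundle before loading it into a TIP: Rescoms, Rugmi and AceCryptor become Malware SDOs, and the two delivery chains become "downloads" and "drops" relationships, which are among the relationship types STIX 2.1 defines between two Malware objects. The UUIDs are generated fresh on each run, and recording AceCryptor as a "dropper" is an assumption forced by the malware-type vocabulary, which has no "crypter" term. Standard library only.

```python
"""Build and sanity-check a STIX 2.1 bundle for the Rescoms profile.

Added illustration; not the site's STIX export. Names and the two
relationships come from the profile text; identifiers are random v4 UUIDs.
"""
import json
import uuid
from datetime import datetime, timezone

# Relationship types STIX 2.1 defines between two Malware SDOs.
MALWARE_TO_MALWARE = {"controls", "downloads", "drops", "uses", "variant-of"}

# STIX 2.1 malware-type-ov. It has no "crypter" entry, so AceCryptor is
# recorded as a "dropper" below (an assumption, not a statement on the page).
MALWARE_TYPE_OV = {
    "adware", "backdoor", "bot", "bootkit", "ddos", "downloader", "dropper",
    "exploit-kit", "keylogger", "ransomware", "remote-access-trojan",
    "resource-exploitation", "rogue-security-software", "rootkit",
    "screen-capture", "spyware", "trojan", "unknown", "virus", "webshell",
    "wiper", "worm",
}


def _timestamp():
    # STIX timestamps are RFC 3339 UTC with millisecond precision.
    return datetime.now(timezone.utc).strftime("%Y-%m-%dT%H:%M:%S.000Z")


def sdo(obj_type, **props):
    """Minimal STIX Domain Object with a fresh v4 UUID identifier."""
    now = _timestamp()
    obj = {"type": obj_type, "spec_version": "2.1",
           "id": f"{obj_type}--{uuid.uuid4()}", "created": now, "modified": now}
    obj.update(props)
    return obj


def malware(name, malware_types, aliases=(), external_references=()):
    props = {"name": name, "is_family": True, "malware_types": list(malware_types)}
    # STIX forbids empty list properties, so optional lists are added only when populated.
    if aliases:
        props["aliases"] = list(aliases)
    if external_references:
        props["external_references"] = list(external_references)
    return sdo("malware", **props)


def relationship(rel_type, source, target, description):
    return sdo("relationship", relationship_type=rel_type,
               source_ref=source["id"], target_ref=target["id"],
               description=description)


def build_rescoms_bundle():
    eset = [{"source_name": "ESET Research",
             "description": "Rescoms rides waves of AceCryptor spam"}]
    rescoms = malware("Rescoms", ["remote-access-trojan"], external_references=eset)
    rugmi = malware("Rugmi", ["downloader"])
    acecryptor = malware("AceCryptor", ["dropper"])  # crypter; see note above
    rels = [
        relationship("downloads", rugmi, rescoms,
                     "Rugmi's downloader component fetches the encrypted Rescoms payload"),
        relationship("drops", acecryptor, rescoms,
                     "Rescoms delivered as an AceCryptor-packed spam attachment"),
    ]
    return {"type": "bundle", "id": f"bundle--{uuid.uuid4()}",
            "objects": [rescoms, rugmi, acecryptor, *rels]}


def validate_bundle(bundle):
    """Return a list of problems; an empty list means the bundle is consistent."""
    errors = []
    by_id = {o["id"]: o for o in bundle.get("objects", [])}
    for obj in by_id.values():
        if not obj["id"].startswith(obj["type"] + "--"):
            errors.append(f"id/type mismatch: {obj['id']}")
        if obj["type"] == "malware":
            unknown = set(obj["malware_types"]) - MALWARE_TYPE_OV
            if unknown:
                errors.append(f"{obj['name']}: non-vocabulary malware_types {sorted(unknown)}")
        if obj["type"] == "relationship":
            src, dst = by_id.get(obj["source_ref"]), by_id.get(obj["target_ref"])
            if src is None or dst is None:
                errors.append(f"{obj['id']}: dangling source_ref/target_ref")
                continue
            if (src["type"] == dst["type"] == "malware"
                    and obj["relationship_type"] not in MALWARE_TO_MALWARE):
                errors.append(f"{obj['id']}: '{obj['relationship_type']}' is not a "
                              "malware->malware relationship in STIX 2.1")
    return errors


def malware_names(bundle):
    return sorted(o["name"] for o in bundle["objects"] if o["type"] == "malware")


if __name__ == "__main__":
    bundle = build_rescoms_bundle()
    print(json.dumps(bundle, indent=2))
    print("validation:", validate_bundle(bundle) or "ok")
```

The validator catches the two mistakes most often seen in hand-built or vendor-exported bundles: relationships that point at objects absent from the bundle, and relationship types that a consuming platform will reject because the spec does not define them for that pair of object types.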
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors and are hard to track, so the following are possibly overlapping names and profiles you may also want to look at.
SmokeLoader is a malicious software (malware) that has been extensively used by threat actors, particularly those associated with the Phobos ransomware. It functions as a backdoor trojan, often arriving on victims' systems via spoofed email attachments embedded with hidden payloads. Once downloaded,
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Associated Malware
Vidar is a Windows-based malware written in C++, derived from the Arkei stealer, which is designed to infiltrate and exploit computer systems. It has been used alongside other malware variants such as Emotet, IcedID, CobaltStrike, SVCReady, CargoBay, Pushdo, Minodo, DiceLoader, AresLoader, LummaC2,
Raccoon Stealer (association type: unspecified)
Raccoon Stealer is a form of malware that was first identified in 2019. Developed by Russian-speaking coders and initially promoted on Russian-language hacking forums, the malicious software was designed to steal sensitive data from victims, including credit card information, email credentials, and
Lumma Stealer (association type: unspecified)
Lumma Stealer is a malicious software, or malware, that targets cryptocurrency wallets and browser user data. It has been particularly prevalent in the gaming community, with cracked video games and cheating tools often found to contain infostealer malware such as Lumma Stealer and RedLine Stealer.
LummaC2 is a relatively new information-stealing malware, first discovered in 2022. The malicious software has been under active development, with researchers identifying LummaC2 4.0 as a dynamic malware strain in November 2023. It's been used by threat actors for initial access or data theft, often
Vidar Stealer (association type: unspecified)
Vidar Stealer is a form of malware, a malicious software designed to exploit and damage computer systems. It infiltrates systems through suspicious downloads, emails, or websites, often without the user's knowledge. Once inside, it can steal personal information, disrupt operations, or even hold dat
AceCryptor is a prevalent malware crypter in the current digital landscape, recognized for its ability to help other malicious software evade detection. In recent research, we've identified 279 domains hosted on dedicated AceCryptor IP addresses, with 17 of these domains flagged as malicious by bulk
Associated Threat Actors
No associations to display
Associated Vulnerabilities
No associations to display
Source Document References
Information about the Rescoms malware was drawn from the documents below (display limited to 20 results).
- Activity of Rugmi malware loader spikes (7 months ago)
- AceCryptor attacks surge in Europe – Week in security with Tony Anscombe (4 months ago)
- Rescoms rides waves of AceCryptor spam (4 months ago)