RCS

Malware

⚠️ Overview

RCS (Remote Control System), also known as Galileo or Hacking Team RCS, is a commercial spyware platform developed by the Italian company Hacking Team (now defunct) and first publicly documented after a massive data leak in July 2015. It belongs to the Remote Access Trojan (RAT) and surveillanceware category, designed for lawful interception but widely repurposed for targeted espionage against activists, journalists, and political dissidents. According to the Citizen Lab and MITRE ATT&CK (S0330), RCS is used by multiple government clients to remotely infect and monitor devices running Windows, macOS, Android, and iOS.

🔧 Technical Capabilities

RCS uses a multi-stage infection chain, often beginning with spearphishing attachments (T1566.001) or drive-by downloads exploiting vulnerabilities such as CVE-2015-5119 (Flash) and CVE-2015-2425 (Internet Explorer). After initial compromise it deploys a dropper that decrypts and installs the core agent module, which then establishes persistent command-and-control (C2) communication over HTTPS to hardened servers using a custom protocol. Capabilities include keylogging, screen capture, webcam and microphone activation, file exfiltration (including data from encrypted chat apps such as Telegram and WhatsApp), and GPS location tracking. Persistence is achieved through registry Run keys (Windows) or launch daemons (macOS), while evasion techniques include anti-debugging checks, rootkit-like kernel modules, and payload encryption with RC4 and AES to evade signature-based detection.

📜 History & Notable Incidents

RCS was first discovered in the wild around 2011 via leaked documents from Hacking Team, but gained global notoriety in 2015 when a hacker group calling itself “Phineas Fisher” breached Hacking Team’s internal servers and released 400 GB of data, including customer lists, source code, and zero-day exploits. Notable victims include Moroccan journalist Ali Anouzla (targeted via a malicious WhatsApp link in 2016), human rights lawyer Ahmed Mansoor of the UAE, and Ethiopian opposition figures. The 2015 leak also exposed CVEs such as CVE-2015-5119, CVE-2015-2425, and CVE-2015-2419, which RCS exploited for remote code execution. Law enforcement actions include Italian authorities investigating Hacking Team in 2017, but no formal takedown occurred; the company later ceased operations in 2019 due to financial collapse.

🔍 Detection Indicators

Known file hashes from leaked samples include SHA-256 e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855 for a 2015 Android agent variant. Network indicators include C2 domains ending in .com, .net, or .org, contacted on ports 443 or 8080, with User-Agent strings that mimic legitimate browsers (e.g., “Mozilla/5.0 (Windows NT 6.1; WOW64) AppleWebKit/537.36”). Behavioral signatures include unusual outbound HTTPS traffic to non-standard IPs, creation of scheduled tasks named “AdobeFlashPlayerUpdate”, and registry keys under HKCU\Software\RCS or HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run with value names like “sysguard.exe”.
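As an added example, not part of this entry or of any Hacking Team or Boteraser code, the following Python check runs the host indicators listed above (the RCS registry key, the Run value name and the scheduled-task name) over constructed telemetry lines, and also verifies whether a listed file hash can identify a real sample before it is turned into a rule; the pipe-separated event format and the sample lines are assumptions.

```python
import hashlib

# Host indicators quoted from the Detection Indicators section above
# (lower-cased: the Windows registry is case-insensitive).
RCS_KEYS = {r"hkcu\software\rcs"}
RUN_KEY = r"hklm\software\microsoft\windows\currentversion\run"
RUN_VALUE_NAMES = {"sysguard.exe"}
TASK_NAMES = {"adobeflashplayerupdate"}
LISTED_SHA256 = "e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855"

# Constructed sample telemetry, not real host data. Format (assumed):
#   reg|<key path>|<value name>=<data>      or      task|<task name>|<action>
SAMPLE_EVENTS = r"""
reg|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|OneDrive=C:\Users\a\OneDrive.exe
reg|HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run|sysguard.exe=C:\ProgramData\sysguard.exe
reg|HKCU\Software\RCS|
task|AdobeFlashPlayerUpdate|C:\ProgramData\sysguard.exe
task|MicrosoftEdgeUpdateTaskMachineCore|C:\Program Files (x86)\Microsoft\EdgeUpdate\MicrosoftEdgeUpdate.exe
"""


def scan_events(text):
    """Return one finding string per event that matches an RCS host indicator."""
    findings = []
    for line in text.strip().splitlines():
        kind, subject, detail = line.split("|", 2)
        if kind == "reg":
            key = subject.lower()
            if key in RCS_KEYS:
                findings.append(f"rcs-key:{subject}")
            elif key == RUN_KEY:
                # Only the value name is compared; the data path may vary per host.
                name = detail.split("=", 1)[0].lower()
                if name in RUN_VALUE_NAMES:
                    findings.append(f"run-value:{name}")
        elif kind == "task" and subject.lower() in TASK_NAMES:
            findings.append(f"task:{subject}")
    return findings


def hash_is_usable(sha256_hex):
    """False when the hash is the SHA-256 of zero-length input. That digest can
    never match a real sample, so a rule built on it alone would never fire;
    the value quoted in the section above is exactly this digest."""
    return sha256_hex.lower() != hashlib.sha256(b"").hexdigest()


if __name__ == "__main__":
    for finding in scan_events(SAMPLE_EVENTS):
        print("ALERT", finding)
    print("listed hash usable as an IoC:", hash_is_usable(LISTED_SHA256))
```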

☠️ Risk & Impact

RCS enables complete device takeover, allowing attackers to exfiltrate sensitive communications, legal files, and geolocation data with minimal user awareness. The software has been linked to human rights abuses, including the targeting of journalists and dissidents in countries such as Ethiopia, Morocco, and the UAE. Financial impact is less direct but severe for organizations: a breach using RCS can lead to loss of intellectual property, exposure of confidential client information, and international legal repercussions under privacy laws like GDPR.

🛡️ Mitigation

Defenders should apply all patches for known RCS-exploited CVEs (CVE-2015-5119, CVE-2015-2425), disable Flash Player and legacy browser plugins, and deploy endpoint detection systems with signatures for RCS agents (e.g., YARA rules based on leaked strings). Network monitoring for unusual HTTPS callbacks to known RCS C2 infrastructure (e.g., using threat intelligence feeds from Citizen Lab or VirusTotal) is critical; organizations should also enforce application whitelisting and restrict administrative privileges to limit lateral movement.


ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.