RemoteCMD
Malware
⚠️ Overview
RemoteCMD is a remote access trojan (RAT) first documented in March 2025 by cybersecurity firm ASEC (AhnLab Security Emergency response Center), attributed to the North Korean threat group Lazarus (also tracked as HIDDEN COBRA by the US government). It is categorized as a backdoor that enables remote command execution on compromised Windows systems, primarily used for intelligence gathering and lateral movement within targeted networks.
🔧 Technical Capabilities
RemoteCMD is delivered through spear-phishing emails carrying malicious LNK shortcut files or compiled HTML Help (CHM) files, which fetch the payload from attacker-controlled servers. Persistence is established either through a scheduled task or through a permanent WMI event subscription (an event filter, an event consumer, and a binding between them); the WMI route survives reboots without touching the usual Run keys and is easy to miss unless changes to the WMI repository are monitored. C2 traffic runs over HTTPS, and the message bodies are additionally encrypted with RC4 using a key hardcoded in the sample, so an analyst who extracts the key from one sample can decrypt captured traffic, and because a fixed RC4 key with no per-message nonce produces the same keystream for every message, known plaintext from one message decrypts the prefix of every other. Anti-analysis checks look for debugger and sandbox artifacts, and the malware injects into legitimate processes such as svchost.exe to hide its execution. Lateral movement uses SMB and WMI to execute commands on remote hosts with stolen credentials. According to ASEC's analysis, the malware can also disable Windows Defender by modifying policy values under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender.
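The RC4 layer described above, as an added example that is not from the page or from ASEC's report. The key (HARDCODED_KEY) and the two C2 messages are constructed for the example; the real key and message format are not given here. It shows the two ways an analyst strips that layer from traffic captured after TLS interception: with the key pulled from the sample, and without it, by recovering the keystream from one message whose plaintext is known.

```python
"""RC4 C2 layer: fixed key, no nonce, so every message reuses one keystream.
Key and messages below are constructed for this example (not from the sample)."""


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    s = list(range(256))
    j = 0
    for i in range(256):                       # key-scheduling algorithm
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:                          # pseudo-random generation algorithm
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def recover_keystream(ciphertext: bytes, known_plaintext: bytes) -> bytes:
    """Stream cipher: keystream = ciphertext XOR plaintext for the bytes we know."""
    n = min(len(ciphertext), len(known_plaintext))
    return bytes(c ^ p for c, p in zip(ciphertext[:n], known_plaintext[:n]))


def decrypt_with_keystream(ciphertext: bytes, keystream: bytes) -> bytes:
    """Decrypt as many bytes as the recovered keystream covers; the rest stays opaque."""
    n = min(len(ciphertext), len(keystream))
    return bytes(c ^ k for c, k in zip(ciphertext[:n], keystream[:n]))


# Assumed (hypothetical) hardcoded key standing in for the one the sample embeds.
HARDCODED_KEY = b"example-rcmd-key"

# Constructed C2 bodies as they would look after TLS termination at an
# intercepting proxy; the implant would put rc4(HARDCODED_KEY, body) on the wire.
BEACON = b'{"cmd":"beacon","host":"WS-ALICE","user":"alice"}'
TASK = b'{"cmd":"exec","args":"whoami /all"}'


def decrypt_c2_body(body: bytes, key: bytes = HARDCODED_KEY) -> bytes:
    """Path 1: the key has been extracted from the sample."""
    return rc4(key, body)


def decrypt_without_key(captured_task: bytes, captured_beacon: bytes) -> bytes:
    """Path 2: no key. A beacon whose plaintext is known yields the keystream
    prefix, which decrypts the first len(BEACON) bytes of any other message
    because the fixed key restarts the identical keystream for each message."""
    keystream = recover_keystream(captured_beacon, BEACON)
    return decrypt_with_keystream(captured_task, keystream)


if __name__ == "__main__":
    wire_beacon = rc4(HARDCODED_KEY, BEACON)
    wire_task = rc4(HARDCODED_KEY, TASK)
    print("with key:   ", decrypt_c2_body(wire_task))
    print("without key:", decrypt_without_key(wire_task, wire_beacon))
```

The keystream-reuse path only covers as many bytes as the known plaintext is long, so in practice the longest message with a predictable format (a beacon or a fixed-size check-in) is the one to use as the known plaintext.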
📜 History & Notable Incidents
RemoteCMD was first observed in December 2024 in attacks against cryptocurrency firms and defense industry targets in South Korea and the United States. The earliest known sample carries a compilation timestamp of 2024-11-15 (a PE header value that the author can set arbitrarily, so it bounds the build date only loosely). No CVE is associated with RemoteCMD: it exploits no software vulnerability and relies on social engineering and legitimate Windows functionality. In February 2025, a campaign attributed to Lazarus used RemoteCMD alongside the known RustDoor malware to exfiltrate intellectual property from a major semiconductor manufacturer. No law enforcement actions have been reported regarding this specific malware variant.
🔍 Detection Indicators
Known file hashes from ASEC's report include SHA-256 4c9a2f1b8e3d7c6a0b5f4e1d2c3a9b8f7e6d5c4b3a2f1e0d9c8b7a6f5e4d3c2 (as reproduced here this string is 63 hex characters, one short of a full SHA-256, so check it against the original report before loading it into a blocklist) and MD5 1a2b3c4d5e6f7a8b9c0d1e2f3a4b5c6d. Network indicators include outbound HTTPS connections to addresses in the 45.155.xxx.xxx range (AS49505, Selectel) using the User-Agent string Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36. That User-Agent is a generic Chrome string shared by legitimate browser traffic, so it should be correlated with the destination address rather than alerted on by itself. Behavioral signatures include the Run-key persistence value HKCU\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate (logged by Sysmon under HKU\<SID>\... rather than HKCU) and the mutex Global\RCMD_007.
☠️ Risk & Impact
RemoteCMD primarily facilitates exfiltration of confidential documents, source code, and intellectual property, with reported losses exceeding $10 million in cryptocurrency stolen from a single South Korean exchange. Affected sectors include defense, semiconductors, cryptocurrency, and academic research institutions. According to the ASEC report, the malware can also deploy additional payloads such as keyloggers or screen capture tools, posing a high risk of credential theft and espionage.
🛡️ Mitigation
Defenders should block or quarantine LNK and CHM attachments from untrusted senders, alert on the registry value and mutex listed above and on the User-Agent string when it appears together with the listed address range, and enforce application control (WDAC or AppLocker) so that the dropped payload cannot execute in the first place. Application control does not stop injection into an already-running process such as svchost.exe, so EDR telemetry for cross-process memory writes and remote thread creation is still needed. ASEC recommends deploying detection rules for WMI event subscriptions (Sysmon event IDs 19, 20 and 21 record creation of the filter, the consumer and the binding) and enabling Microsoft Defender for Endpoint's attack surface reduction (ASR) rules to block credential theft tools, in particular the rule that blocks credential stealing from the Windows Local Security Authority Subsystem (lsass.exe). Two further controls follow from the behaviour described above: the ASR rule that blocks process creations originating from PSExec and WMI commands cuts off the WMI lateral-movement path (run it in audit mode first, since it also breaks legitimate WMI-based management), and Defender tamper protection should be enabled so that the policy-key modification under HKLM\SOFTWARE\Policies\Microsoft\Windows Defender does not take effect.
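The indicators listed under Detection Indicators and the WMI-subscription and registry detection recommended above, turned into one offline matcher, as an added example that is not part of the page or of ASEC's report. The telemetry it runs over is constructed for the example (Sysmon-style registry, WMI and network events, a proxy record and a sandbox report). Two details are assumptions: the page gives only 45.155.xxx.xxx, so the whole 45.155.0.0/16 is matched, and the page does not name which Defender policy value is modified, so the sample uses DisableAntiSpyware as a plausible stand-in. The User-Agent is deliberately treated as a weak indicator that only counts when the destination also matches.

```python
import ipaddress

# Indicators as listed on the page, registry paths written with backslashes.
RUN_VALUE_TAIL = r"\software\microsoft\windows\currentversion\run\systemupdate"
DEFENDER_POLICY_KEY = r"\software\policies\microsoft\windows defender"
MUTEX = r"Global\RCMD_007"
C2_UA = ("Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
         "(KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36")
# Assumption: the page only gives "45.155.xxx.xxx", so the whole /16 is matched.
C2_RANGE = ipaddress.ip_network("45.155.0.0/16")
# Sysmon event IDs for permanent WMI subscriptions: filter, consumer, binding.
WMI_EVENT_IDS = {19: "WmiEventFilter", 20: "WmiEventConsumer",
                 21: "WmiEventConsumerToFilter"}


def check_event(ev):
    """Return (severity, reason) when an event matches an indicator, else None."""
    src = ev.get("source")
    if src == "sysmon":
        eid = ev["EventID"]
        if eid == 13:  # RegistryEvent: value set
            # Sysmon logs HKCU as HKU\<SID>\..., so match on the path tail, case-insensitively.
            target = ev["TargetObject"].lower()
            if target.endswith(RUN_VALUE_TAIL):
                return ("high", f"Run-key persistence 'SystemUpdate' -> {ev['Details']}")
            if DEFENDER_POLICY_KEY in target:
                return ("high", f"Defender policy tamper: {ev['TargetObject']} = {ev['Details']}")
        elif eid in WMI_EVENT_IDS:
            return ("high", f"WMI subscription artifact {WMI_EVENT_IDS[eid]}: {ev.get('Name', '?')}")
        elif eid == 3 and ev.get("Protocol") == "tcp":  # NetworkConnect
            dst = ipaddress.ip_address(ev["DestinationIp"])
            if dst in C2_RANGE and ev.get("DestinationPort") == 443:
                return ("medium", f"HTTPS to {dst} in {C2_RANGE} (AS49505 per the report)")
    elif src == "proxy":
        dst = ipaddress.ip_address(ev["dest_ip"])
        in_range = dst in C2_RANGE
        ua_match = ev.get("user_agent") == C2_UA
        if in_range and ua_match:
            return ("high", f"listed User-Agent to {dst}")
        if in_range:
            return ("medium", f"connection to {dst} in {C2_RANGE}")
        # The listed User-Agent is a generic Chrome string: on its own it is too
        # common to alert on, so it only raises severity when the address matches too.
    elif src == "sandbox" and MUTEX in ev.get("mutexes", []):
        return ("high", f"mutex {MUTEX} created")
    return None


def scan(events):
    """Run every event through check_event; return (event id, severity, reason) hits."""
    hits = []
    for ev in events:
        hit = check_event(ev)
        if hit:
            hits.append((ev["id"], *hit))
    return hits


def verdict(hits):
    """'confirmed' on any high hit, 'suspect' on medium-only hits, else 'clean'."""
    severities = {sev for _, sev, _ in hits}
    if "high" in severities:
        return "confirmed"
    return "suspect" if "medium" in severities else "clean"


# Constructed sample telemetry for this example (not real log data).
SID = r"HKU\S-1-5-21-1111-2222-3333-1001"
SAMPLE_EVENTS = [
    {"id": 1, "source": "sysmon", "EventID": 13,
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\SystemUpdate",
     "Details": r"C:\Users\alice\AppData\Roaming\svchost.exe"},
    {"id": 2, "source": "sysmon", "EventID": 13,  # value name is an assumption
     "TargetObject": r"HKLM\SOFTWARE\Policies\Microsoft\Windows Defender\DisableAntiSpyware",
     "Details": "DWORD (0x00000001)"},
    {"id": 3, "source": "sysmon", "EventID": 20, "Name": "SystemUpdateConsumer"},
    {"id": 4, "source": "sysmon", "EventID": 3, "Protocol": "tcp",
     "DestinationIp": "45.155.204.10", "DestinationPort": 443},
    {"id": 5, "source": "proxy", "dest_ip": "142.250.74.46", "user_agent": C2_UA},  # UA only
    {"id": 6, "source": "proxy", "dest_ip": "45.155.17.9", "user_agent": C2_UA},
    {"id": 7, "source": "sysmon", "EventID": 13,  # benign Run value, must not match
     "TargetObject": SID + r"\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "Details": r"C:\Users\alice\AppData\Local\Microsoft\OneDrive\OneDrive.exe"},
    {"id": 8, "source": "sandbox", "mutexes": [r"Local\ZonesCounterMutex", MUTEX]},
]

if __name__ == "__main__":
    results = scan(SAMPLE_EVENTS)
    for hit in results:
        print(hit)
    print("verdict:", verdict(results))
```

Event 5 (the listed User-Agent to an address outside the range) produces no hit by design; event 7 shows that the Run-key check matches the specific value name rather than any Run entry.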
ⓘ Data Notice: The information presented above has been compiled from publicly available internet sources. Boteraser aggregates this data solely for informational purposes and does not independently classify, evaluate, or endorse any findings about the malware listed. The accuracy and completeness of this information is the sole responsibility of the original publishers. Boteraser and its operators accept no liability for any decisions made based on this data.