X-Force’s analysis of Hive0156’s Remcos configuration shows relatively little enabled functionality. This does not, however, indicate a diminished threat. Hive0156’s build of Remcos is primarily configured to establish communication with the group’s C2 infrastructure and then periodically poll for new commands. The group appears to operate multiple campaigns in parallel and makes diligent use of Remcos’ campaign ID feature: throughout 2025, X-Force observed the campaign IDs hmu2005, gu2005, ra2005 and ra2005new associated with the group.
Remcos is a Remote Administration Tool developed by Breaking-Security. Details about its features can be found here.
Upon execution, Remcos loads its configuration from a blob stored in its resources. Once loaded, Remcos parses that configuration, and the parsed values determine what actions it takes for the rest of execution.
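The load-then-parse sequence above is what a defender's configuration extractor mirrors: pull the resource blob from the sample, decode it, split it into fields, and read off values such as the campaign ID so that samples can be clustered by campaign. The following is an added example written for this article, not X-Force's tooling or Breaking-Security's code. The blob layout it uses (a one-byte key length, the RC4 key, then an RC4-encrypted body of delimiter-separated fields with the campaign ID at field index 1), the delimiter bytes, and the field names are all assumptions made for the demonstration, and the sample blob is constructed inline; verify the real layout against the sample at hand before relying on any of it.

```python
"""Minimal config-extractor demo for a Remcos-like resource blob (added example).

ASSUMED layout (not confirmed by the article):
    blob = key_len (1 byte) || rc4_key (key_len bytes) || RC4(rc4_key, body)
    body = field_0 || DELIM || field_1 || DELIM || ...
    field_1 holds the campaign ID.
"""
from typing import Dict, List

# Assumed field delimiter; real samples may use something else.
FIELD_DELIM = b"|\x1e\x1e\x1f|"

# Assumed mapping of field index to meaning (only the first two are named here).
FIELD_NAMES = {0: "c2_host", 1: "campaign_id"}


def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA). The same call encrypts and decrypts."""
    if not key:
        raise ValueError("RC4 key must not be empty")
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(byte ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)


def build_blob(key: bytes, fields: List[bytes]) -> bytes:
    """Construct a blob in the assumed layout; used only to make the demo self-contained."""
    body = FIELD_DELIM.join(fields)
    return bytes([len(key)]) + key + rc4(key, body)


def parse_blob(blob: bytes) -> List[bytes]:
    """Decode a blob in the assumed layout and return its raw fields.

    Malformed input (empty blob, zero key length, truncated key) raises
    ValueError instead of silently returning garbage.
    """
    if not blob:
        raise ValueError("malformed blob: empty")
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError("malformed blob: bad key length")
    key = blob[1:1 + key_len]
    body = rc4(key, blob[1 + key_len:])
    return body.split(FIELD_DELIM)


def extract_config(blob: bytes) -> Dict[str, str]:
    """Map decoded fields to names so the campaign ID can be read off directly."""
    fields = parse_blob(blob)
    return {
        FIELD_NAMES.get(i, f"field_{i}"): f.decode("latin-1")
        for i, f in enumerate(fields)
    }


# Constructed sample: TEST-NET address, one of the campaign IDs named in the article,
# and a third placeholder field. Not taken from any real sample.
SAMPLE_BLOB = build_blob(
    b"demo-key",
    [b"198.51.100.7:2404", b"ra2005new", b"placeholder"],
)


if __name__ == "__main__":
    for name, value in extract_config(SAMPLE_BLOB).items():
        print(f"{name}: {value}")
```

In practice the blob would first be carved out of the sample's PE resource section (for example with a PE parsing library); this block starts from the already-extracted bytes so that it runs offline. Pivoting on the `campaign_id` value across many samples is what lets an analyst tie a fresh sample back to the hmu2005, gu2005, ra2005 and ra2005new clusters the article describes.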
Remcos accepts the following configuration parameters: