The Remexi Backdoor malware has been observed since at least 2014, and is believed to be employed by Iranian adversaries. Originally, the malware’s function was relatively limited, allowing for traditional reverse shell backdoor functions.
Overtime the malware has grown far more capable, including as an information theft tool. The malware is now known to be able to capture clipboard data, perform file discovery across a system, capturing ket strokes through keylogging, and screen capture for windows of interest.
Targeting has included government, including diplomatic agencies, as well as other industries of interest for the Iranian government.
The malware has been observed being delivered via targeted spear phishing operations, as well, as manual placement post-compromise.
The malware is able to establish persistence using Registry Run Keys, and Winlogon Helper DLL.
The malware has been observed using BITSAdmin for its C2 channel.