Remote Control System (RCS), also referred to in the content as Crisis and DaVinci and associated with Hacking Team’s Galileo/Da Vinci platforms, is a commercial government spyware suite developed by the Milan-based Italian company Hacking Team (HT S.r.l.). It was marketed and sold primarily to government, intelligence, and law-enforcement customers as a lawful-intercept and remote monitoring platform. The content describes RCS as enabling operators to remotely deploy exploits and payloads, manage compromised devices, and exfiltrate data for analysis. Reported capabilities include theft of files and passwords; interception of Skype calls, emails, instant messages, and keystrokes; screenshots and audio/video capture; activation of webcams and microphones; collection of call history, address books, GPS/location data, Wi-Fi passwords, and other device data; and operation across Windows, macOS, Linux, Android, iOS, BlackBerry, Symbian, Windows Mobile, and Windows Phone. The malware was described as designed to bypass common antivirus tools and encryption by collecting data on the endpoint before or after encryption.
The content links RCS to repeated targeting of journalists, activists, dissidents, and opposition figures. Documented cases include attacks on Moroccan outlet Mamfakinch, UAE activist Ahmed Mansoor, Ethiopian Satellite Television Service (ESAT) staff, Ethiopian dissidents, and reported use in Uzbekistan. Infection vectors directly mentioned include malicious files, exploit-laden Word/RTF documents, Java archives, and socially engineered lures delivered via email, Skype, or links. Specific exploits referenced include CVE-2010-3333, CVE-2012-0158, CVE-2013-0633, CVE-2013-5331, and CVE-2012-5054. In the ESAT case, Citizen Lab assessed samples as RCS based on malware signatures, command-and-control behavior, and SSL certificates referencing "RCS Certification Authority" and "HT srl." Mentioned infrastructure and indicators include communication with 46.4.69.25, downloads from 216.118.232.254, the domain ar-24.com, and certificates tied to Hacking Team infrastructure. Sample hashes explicitly cited in the content include 4a53db7b98aa000aeaa72d6a44004ef9ed3b6c09dd04a3e6015b62d741de3437, 5bde4288c11f0701b54398ffeeddb4d6882d91b3e34bf76b1e250b8fc46be11d, bc68c8d86f2522fb4c58c6f482c5cacb284e5ef803d41a63142677855934d969, 8f9a6ae6aa56e12596d02c864998b4373a96d3f788195db3601b6e3ec54a99fb, d30bc31d6ad75de20aa3a45d338298030dc9136ba94aee93b4843e279fa3d59c, 53cd1d6a1cc64d4e8275a22216492b76db186cfb38cec6e7b3cfb7a87ccb3524, cd1fe50dbde70fb2f20d90b27a4cfe5676fa0e566a4ac14dc8dfd5c232b93933, b5462a2be69d268a7d581fe9ee36e8f31d5e1362d01626e275e8f58029e15683, 277cae7c249cb22ae43a605fbe901a0dc03f11e006b02d53426a6d11ad241a74, and 1df1bd11154224bcf015db8980a3c490b1584f49d4a34dde19c19bc0662ebda2.
The content associates RCS with suspected or documented government use in numerous countries, including Azerbaijan, Colombia, Egypt, Ethiopia, Hungary, Italy, Kazakhstan, Korea, Malaysia, Mexico, Morocco, Nigeria, Oman, Panama, Poland, Saudi Arabia, Sudan, Thailand, Turkey, the UAE, and Uzbekistan, and separately notes deployments or suspected users identified through scanning and infrastructure analysis. It also states that leaked Hacking Team documents showed sales or use involving agencies in Mexico and the United States, including the FBI and DEA. Across the cited reporting, RCS is consistently characterized as controversial because of alleged use by governments against civil society, journalists, political opponents, and human-rights defenders rather than solely for legitimate criminal investigations.
6 CVEs Mallory has correlated with this family across public research and vendor advisories.
Hacking Team enables clients to perform remote monitoring functions against citizens via their RCS (remote control systems), including their Da Vinci and Galileo platforms.
The attachment exploited CVE-2010-3333, an RTF parsing vulnerability in Microsoft Office. The document did not contain any bait content, and part of the malformed RTF that triggered the exploit was displayed in the document.
The first attacks we observed in the UAE involved a government-grade “lawful interception” trojan known as Remote Control System (RCS), sold by the Italian company Hacking Team.
Like the second file, the document also exploited the CVE-2012-0158 bug... The document exploited a bug in Microsoft Windows (CVE-2012-0158) to run a program that downloaded and executed a file... An update to Windows available since April 2012 fixes this bug.
In each case the spyware appeared to be RCS (Remote Control System), programmed and sold exclusively to governments by Milan-based Hacking Team.
Remote Control System (RCS) is sophisticated computer spyware marketed and sold exclusively to governments by Milan-based Hacking Team.
2 distinct threat actors attributed by public researchers.
The most controversial item found on Mexico's purchase order is a surveillance software known as “Remote Control System,” which some Mexicans suspect the government used to spy on its own citizens or to conduct politically motivated hacks.
28 distinct techniques documented for this family, organized by ATT&CK tactic.
The page, found at http://freeme.eu5.org/scandale%20(2).doc, prompted the user for the installation of a malicious Java file, 'adobe.jar'. This file then facilitated the installation of a multi-platform (OSX and Windows) backdoor.
A mysterious source had made three attempts to send malicious files to employees, claiming that they were news articles.
when a fake document was used to implant malware on the computers of journalists who were critical of Morocco’s government
Here we see inline hooking of 'NtQuerySystemInformation' performed by the malware, a technique frequently used to allow process hiding... strings relating to popular anti-rootkit and anti-virus software, suggesting evasion of specific products.
We also identify several cases where US-based spyware servers were disguised as the websites of US companies, including a small New York-based financial services firm related to an SEC investigation, a small Oregon newspaper, and ABC News. We believe that the disguises were designed to mislead targets if they discovered that their systems were communicating with these servers.
Processes such as iexplore.exe and wscntfy.exe are infected... This then infects the following processes: explorer.exe, iexplore.exe, wscntfy.exe, reader_sl.exe, VMwareUser.exe.
“It is straightforward to grab the wallet.dat and related files and for malcode to get the password for this file when the user accesses their bitcoins”
RCS can record Skype calls, copy passwords, e-mails, files and instant messages, and turn on a computer or phone’s webcam and microphone to spy on nearby activity.
Citizen Lab reported that the command and control (C&C) server that the spyware sent his personal information back to was a website called ar-24[.]com...
In 2012 and early 2013, most Hacking Team servers, when viewed in a web browser, were disguised as http://www.google.com, i.e., they loaded a page that immediately redirected to Google. This redirection is never invoked by the spyware itself, and seems designed to make a Hacking Team RCS server appear to be another website to an individual who loads the server address into their web browser.
The report showed that computers infected with RCS send surveillance data back to the government operator through a series of servers in multiple third countries, called a proxy chain or circuit. This is to prevent someone who discovers a copy of the spyware or an infected computer from tracing it back to the government.
14 sources tracked across advisories, community write-ups, and news.
Spyware that provides real-time access to computers and smartphones.
Commercial spyware/backdoor sold by Hacking Team for infecting and monitoring computers and smartphones, including encrypted communications, with persistence, process injection, API hooking, anti-security evasion, and multi-stage delivery.
Government-grade spyware suite sold by Hacking Team for covert surveillance. It can exfiltrate files, record Skype calls, emails, instant messages, and passwords, and activate webcams and microphones. It uses proxy-chain collection infrastructure to obscure the operator and has been delivered via phishing and exploit documents.
Hacking Team surveillance spyware platform referenced as a competitor to FinFisher and discussed in relation to fingerprintable decoy pages on its C2 servers.