CrowdStrike Warns of Remcos RAT Attack Amid Ongoing Outage Fallout

CrowdStrike, the company responsible for the recent global IT systems outage due to a problematic Falcon Sensor update, now warns that numerous malicious actors are exploiting the situation to spread the Remcos RAT virus among its clients in Latin America.

These malicious actors are actively distributing a ZIP archive named “crowdstrike-hotfix.zip,” which purportedly aims to fix the affected computers. In reality, the archive contains a malicious loader known as Hijack Loader (also referred to as DOILoader or IDAT Loader), which in turn downloads and launches the Remcos RAT malware, exacerbating the already dire situation with non-functioning computers.

The archive also includes a text file (“instrucciones.txt”) with instructions in Spanish, directing users to execute the file (“setup.exe”) to resolve the issue. CrowdStrike experts report that the Spanish file names and instructions in the archive clearly indicate that this malicious campaign targets CrowdStrike’s clients in Latin America.

For those who missed last week’s events, a brief recap: on Friday, July 19, a configuration update released for the CrowdStrike Falcon platform caused a logical error on Windows devices, resulting in widespread “blue screen of death” (BSoD) occurrences. The incident affected millions of physical computers and virtual machines across dozens of countries worldwide. Russia was not among them, as it does not use CrowdStrike’s cybersecurity solutions.

Malicious actors swiftly capitalized on the ensuing chaos, creating dozens of fake domains impersonating CrowdStrike and offering affected companies “services” in exchange for cryptocurrency.

All Windows clients affected by the outage are advised to ensure they are communicating with CrowdStrike representatives through official channels and to follow the technical recommendations provided by legitimate support services.

Microsoft, which is actively collaborating with CrowdStrike to mitigate the incident’s impact, previously reported that the digital failure affected 8.5 million devices globally. Although this constitutes less than one percent of all Windows devices, it remains a staggeringly high number.

“This incident demonstrates the interconnected nature of our broad ecosystem — global cloud providers, software platforms, security vendors and other software vendors, and customers,” said Microsoft. “It’s also a reminder of how important it is for all of us across the tech ecosystem to prioritize operating with safe deployment and disaster recovery using the mechanisms that exist.”

On July 20, Microsoft also released its recovery tool to assist IT administrators in swiftly restoring affected devices. In turn, CrowdStrike promptly compiled all necessary recommendations and recovery guides in one place.