RCS Labs (also known as RCS S.p.A. or RCS Lab) is a Milan-based company that develops interception and offensive cyber tools marketed to law-enforcement and intelligence agencies. Its product line covers passive and active interception of telecommunications, network injection, and mobile implants for iOS and Android.
The company drew international scrutiny in June 2022, when Google's Threat Analysis Group (TAG) and Lookout published research attributing a spyware family called Hermit to RCS Labs. The reports documented Hermit deployments in Kazakhstan and Italy, and an earlier campaign linked to Syria. According to Google TAG, some infections relied on cooperation with local internet service providers to disable a target's mobile data, then delivered a malicious "recovery" app via SMS. On iOS, the operators reportedly abused Apple enterprise developer certificates to side-load the implant outside the App Store, prompting Apple to revoke the relevant accounts.
RCS Labs has historical ties to the broader Italian surveillance industry, which also includes Hacking Team (later rebranded as Memento Labs after acquisition by InTheCyber/Tykelab-adjacent investors). In 2022 RCS Lab was acquired by Cy4Gate, an Italian listed cyber-intelligence firm, consolidating a domestic surveillance champion.
For policy researchers, RCS Labs is a recurring case study in three debates:
- Export control gaps. EU Regulation 2021/821 (the recast Dual-Use Regulation) explicitly added cyber-surveillance items to its scope, but enforcement against EU-based vendors remains uneven.
- Commercial spyware proliferation. RCS appears alongside NSO Group, Intellexa, Candiru, and FinFisher in civil-society inventories of vendors whose tools have been found on journalists' or dissidents' devices.
- ISP complicity. The Hermit findings highlighted how mobile carriers can be enlisted, knowingly or not, in targeted infections.
The company has generally declined to confirm specific customers, citing contractual confidentiality and compliance with applicable export rules.
Example
In June 2022, Google's Threat Analysis Group publicly linked RCS Labs to the Hermit spyware after finding infections of Android and iOS devices in Italy and Kazakhstan.
Frequently asked questions
Hermit is a modular mobile spyware family attributed by Google TAG and Lookout to RCS Labs in 2022, capable of recording calls, exfiltrating data, and tracking location on Android and iOS.
Keep learning