Russia-Linked Gamaredon Exploits Troop Movements to Spread Remcos RAT in Ukraine


Entities in Ukraine have been targeted in a phishing campaign aimed at delivering the Remcos RAT, a remote access trojan.

According to a report by Cisco Talos researcher Guilherme Venere, the attackers use file names containing Russian words related to troop movements in Ukraine to lure victims. “The PowerShell downloader contacts geo-fenced servers in Russia and Germany to retrieve a second-stage ZIP file containing the Remcos backdoor,” Venere explained.

This activity has been linked with moderate confidence to the Russian hacking group Gamaredon, also known as Aqua Blizzard, Armageddon, Blue Otso, BlueAlpha, Hive0051, Iron Tilden, Primitive Bear, Shuckworm, Trident Ursa, UAC-0010, UNC530, and Winterflounder. The group, believed to be affiliated with Russia’s Federal Security Service (FSB), has been active since at least 2013 and is known for targeting Ukrainian organizations for espionage and data theft.

The latest campaign employs Windows shortcut (LNK) files compressed in ZIP archives, masquerading as Microsoft Office documents related to the Russo-Ukrainian war to trick recipients into opening them. These malicious archives are suspected to be delivered via phishing emails.

Links to Gamaredon were identified through two machines used to create the malicious LNK files, both of which had previously been linked to the group. These LNK files contain PowerShell code responsible for downloading and executing the next-stage payload using the Get-Command cmdlet, as well as retrieving a decoy file to maintain the ruse.

The second stage involves another ZIP archive containing a malicious DLL, which is executed via a technique known as DLL side-loading. This DLL serves as a loader that decrypts and runs the final Remcos payload from encrypted files within the archive.
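As an added example (not from the Talos report or from Cyberkitera), the following Python triage script checks a ZIP archive for the lure pattern described above: a Windows shortcut whose name imitates an Office document and whose body carries PowerShell strings. The sample archive, its file names and the embedded command text are constructed for the demonstration and are not real campaign artefacts.

```python
import io
import zipfile

# Every Windows shortcut starts with HeaderSize 0x4C followed by the ShellLink
# CLSID 00021401-0000-0000-C000-000000000046, both in little-endian layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")

# Extensions a lure borrows so that "report.docx.lnk" displays as "report.docx".
OFFICE_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf")

# Strings a PowerShell downloader stage tends to carry; checked in ASCII and UTF-16LE,
# since LNK command-line fields are stored as UTF-16LE.
SUSPECT_TOKENS = (b"powershell", b"get-command", b"downloadstring",
                  b"invoke-expression", b"-enc")


def _utf16(token: bytes) -> bytes:
    return token.decode().encode("utf-16-le")


def scan_zip(data: bytes) -> list[dict]:
    """Return one finding per ZIP entry that looks like an LNK-based document lure."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            name = info.filename.lower()
            if not name.endswith(".lnk"):
                continue
            body = zf.read(info)
            lowered = body.lower()  # lowercases ASCII and the ASCII half of UTF-16LE
            findings.append({
                "entry": info.filename,
                "valid_lnk_header": body.startswith(LNK_MAGIC),
                "office_double_extension": name[:-4].endswith(OFFICE_EXTS),
                "tokens": sorted(t.decode() for t in SUSPECT_TOKENS
                                 if t in lowered or _utf16(t) in lowered),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample archive (hypothetical, not a real lure): one shortcut with an
    Office-style double extension and a UTF-16LE PowerShell string, plus a harmless decoy."""
    fake_lnk = (LNK_MAGIC + b"\x00" * 0x30
                + "powershell.exe -w hidden Get-Command".encode("utf-16-le"))
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("troop_movements.docx.lnk", fake_lnk)
        zf.writestr("decoy.txt", b"benign decoy document")
    return buf.getvalue()


if __name__ == "__main__":
    for finding in scan_zip(build_sample_zip()):
        print(finding)
```

A finding with a valid shortcut header, an Office double extension and PowerShell tokens matches all three traits the campaign relies on; on a mail gateway this check would run before the archive ever reaches a user's download folder.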

This revelation coincides with a report from Silent Push detailing another phishing campaign that targets Russian individuals sympathetic to Ukraine. This operation is suspected to be carried out either by Russian Intelligence Services or a Russia-aligned threat actor.

The campaign comprises four major phishing clusters, impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and Hochuzhit (“I Want to Live”), a hotline for Russian service members in Ukraine seeking to surrender to Ukrainian forces.

These phishing sites are hosted on Nybula LLC, a bulletproof hosting provider, and use Google Forms and email responses to collect victims’ personal information, including political views, habits, and physical fitness.

“All observed campaigns share similar traits and a common objective: collecting personal information from site-visiting victims,” Silent Push noted. “These phishing honeypots are likely orchestrated by Russian Intelligence Services or a threat actor aligned with Russian interests.”

