Russian Hackers Target Ukraine with Remcos RAT in New Phishing Campaign

Cyber Espionage in Ukraine: A Growing Threat

A new phishing campaign has been uncovered targeting entities in Ukraine, delivering a remote access trojan (RAT) called Remcos. Researchers at Cisco Talos revealed that the attackers use Russian-language file names linked to military movements in Ukraine to lure victims. The malicious campaign, which leverages geo-fenced servers in Russia and Germany, has been attributed to the Gamaredon hacking group, a well-known Russian cyber-espionage entity allegedly connected to the Federal Security Service (FSB).

Key Findings of the Attack

  • Use of Phishing Emails: The attackers send ZIP files containing malicious Windows shortcut (LNK) files, disguised as official documents related to the Russo-Ukrainian war.
  • PowerShell Abuse: The LNK files launch PowerShell scripts that download additional malware from servers in Russia and Germany.
  • DLL Side-Loading Technique: The downloaded ZIP contains a malicious DLL that ultimately decrypts and executes the Remcos RAT payload.
  • Attribution to Gamaredon: The same machines used to create these LNK files were previously linked to Gamaredon, strengthening the connection.
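As an added example (not code from Cisco Talos or from this article), the following Python scanner shows the check a mail gateway or SOC analyst would run over an attachment of the kind described above: it opens a ZIP, recognises Shell Link (.lnk) entries by their header rather than their extension, parses the StringData fields and flags PowerShell-style targets and arguments. The archive and LNK entries it builds are constructed fixtures; the header layout and flag values follow the public MS-SHLLINK specification.

```python
import io, struct, zipfile
from typing import List, Optional

# Shell Link header: HeaderSize 0x4C followed by the LNK CLSID (MS-SHLLINK 2.1).
LNK_MAGIC = bytes.fromhex("4c000000" "0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, IS_UNICODE = 0x10, 0x20, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"))
# Substrings a defender would flag in an LNK's target or arguments (matched case-insensitively).
SUSPICIOUS = ("powershell", "-enc", "hidden", "iex", "invoke-expression",
              "downloadstring", "invoke-webrequest", "http")

def lnk_strings(data: bytes) -> Optional[dict]:
    """Parse a .lnk and return its StringData fields; None if it is not a Shell Link."""
    if len(data) < 76 or data[:20] != LNK_MAGIC:
        return None
    flags, pos, out = struct.unpack_from("<I", data, 0x14)[0], 76, {}
    if flags & HAS_IDLIST:      # LinkTargetIDList: 2-byte size, then the item list
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINKINFO:    # LinkInfo: its 4-byte size covers the whole structure
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_FIELDS:             # StringData, in on-disk order
        if flags & flag:
            count, pos = struct.unpack_from("<H", data, pos)[0], pos + 2
            width, enc = (2, "utf-16-le") if flags & IS_UNICODE else (1, "cp1252")
            out[key], pos = data[pos:pos + width * count].decode(enc, "replace"), pos + width * count
    return out

def scan_zip(zip_bytes: bytes) -> List[dict]:
    """One finding per LNK in the archive; LNKs are recognised by magic, not by extension."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            fields = lnk_strings(zf.read(info))
            if fields is None:
                continue
            haystack = " ".join(fields.values()).lower()
            hits = [s for s in SUSPICIOUS if s in haystack]
            findings.append({"entry": info.filename, **fields, "indicators": hits})
    return findings

def build_sample_zip(entries: dict) -> bytes:
    """Constructed fixture: {entry_name: (relative_path, arguments)} -> ZIP of minimal Unicode LNKs."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        for name, (rel_path, args) in entries.items():
            header = LNK_MAGIC + struct.pack("<I", HAS_RELPATH | HAS_ARGS | IS_UNICODE) + bytes(52)
            strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (rel_path, args))
            zf.writestr(name, header + strings)
    return buf.getvalue()
```

Any entry with a non-empty `indicators` list is worth quarantining for analyst review; a double extension such as `.pdf.lnk` shows up in the `entry` field.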

Parallel Cyber Threats in Russia

Interestingly, while Ukrainian entities are being targeted by Gamaredon, another phishing campaign appears to be directed at Russian individuals sympathetic to Ukraine. The Silent Push cybersecurity team identified four major phishing clusters attempting to collect personal information from Russians.

These campaigns masquerade as:

  • The U.S. Central Intelligence Agency (CIA)
  • The Russian Volunteer Corps
  • Legion Liberty
  • Hochuzhit (“I Want to Live”), a Ukrainian surrender hotline for Russian soldiers

These phishing pages operate on bulletproof hosting services like Nybula LLC and use Google Forms and emails to extract political views, habits, and personal details from victims. The responsible actors are suspected to be either Russian Intelligence Services or hackers aligned with Russian interests.

What Undercode Says:

This incident highlights the increasing sophistication of cyber warfare in the Russia-Ukraine conflict. The ongoing geopolitical struggle has expanded beyond the battlefield into the realm of digital espionage and psychological operations.

1. The Role of Gamaredon in Russian Cyber Strategy

Gamaredon has been active since at least 2013 and consistently engages in intelligence gathering, data theft, and system compromise. This attack follows a well-established pattern, where malware is distributed via phishing emails, exploiting victims’ trust to deploy RATs like Remcos.

2. The Evolution of Phishing Tactics

The use of military-themed file names makes the phishing attempt particularly deceptive. Additionally, by serving payloads from geo-fenced servers in Russia and Germany, the attackers limit downloads to the regions of their intended victims, reducing the malware's exposure to cybersecurity researchers.

3. The Double-Edged Sword of Cyber Warfare

While Ukraine faces aggressive cyberattacks from Russia, Russian individuals are also being targeted by unknown entities impersonating organizations like the CIA and pro-Ukrainian groups. This suggests a broader cyberwarfare effort, where both sides deploy phishing campaigns to gather intelligence and disrupt enemy operations.

4. Implications for Cybersecurity

This campaign underscores the need for:

  • Stronger email security and phishing awareness training for government and military personnel
  • Advanced threat intelligence tools to detect and block geo-fenced malware downloads
  • International cooperation to track and expose cybercriminal groups linked to state-sponsored espionage

5. Future Trends in Cyber Threats

As AI-driven phishing attacks become more prevalent, traditional email filters and security measures may struggle to keep up. Cybercriminals are evolving their tactics, making threat intelligence sharing among global cybersecurity firms crucial.

Fact Checker Results:

  • Gamaredon’s involvement in Ukraine cyberattacks has been well-documented since 2013.
  • Phishing campaigns targeting both Ukrainian and Russian entities have increased since the onset of the Russo-Ukrainian war.
  • The use of geo-fenced servers and deceptive military-related file names aligns with previously observed Russian cyber tactics.

References:

Reported By: https://thehackernews.com/2025/03/russia-linked-gamaredon-uses-troop.html
