CyberSecurity SEE

Gamaredon Hackers Use LNK Files to Distribute Remcos backdoor


Cisco Talos has discovered an ongoing cyber campaign conducted by the Gamaredon threat actor group, aimed at Ukrainian users through the distribution of malicious LNK files to deliver the Remcos backdoor.

The campaign, which has been active since November 2024, employs spear-phishing tactics to target victims, using themes related to the Ukraine conflict to trick them into executing the malicious files.

The malicious LNK files, disguised as Office documents, are distributed inside ZIP archives and carry filenames in Russian or Ukrainian that reference troop movements and other war-related topics.

The attack kicks off with the execution of a PowerShell downloader embedded in the LNK file. This downloader contacts servers located in Russia and Germany to fetch a second-stage ZIP payload containing the Remcos backdoor.

The downloaded payload utilizes DLL sideloading techniques to execute the backdoor, enabling the loading of malicious DLLs through legitimate applications to bypass traditional detection mechanisms.

Gamaredon’s phishing emails likely contain either direct attachments of the ZIP files or URLs redirecting victims to download them. The filenames used in the campaign suggest a deliberate effort to exploit sensitive geopolitical themes.

An analysis of metadata reveals that only two machines were used to create these malicious shortcut files, consistent with Gamaredon’s operational patterns observed in previous campaigns.
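The creator analysis mentioned above relies on the TrackerDataBlock that Windows writes into every .lnk file (MS-SHLLINK section 2.5.10): it stores the NetBIOS name of the creating machine and a version-1 object GUID whose node field is that machine's MAC address. The following Python is an added example, not code from Talos or the article, and all machine names, GUIDs and MACs in it are constructed test values, not indicators from the campaign.

```python
# Added example: pull the creator fingerprint out of a .lnk TrackerDataBlock and
# group samples by it. All sample values below are constructed, not real IOCs.
import struct
import uuid
from typing import Optional

SHELL_LINK_CLSID = uuid.UUID("00021401-0000-0000-C000-000000000046").bytes_le
TRACKER_SIGNATURE = 0xA0000003
TRACKER_BLOCK_SIZE, TRACKER_LENGTH = 0x60, 0x58   # both fixed by the spec


def extract_tracker(lnk: bytes) -> Optional[dict]:
    """Return {'machine_id', 'mac'} from the TrackerDataBlock, or None if absent."""
    # ShellLinkHeader: HeaderSize must be 0x4C, followed by the ShellLink CLSID.
    if len(lnk) < 0x4C or struct.unpack_from("<I", lnk, 0)[0] != 0x4C \
            or lnk[4:20] != SHELL_LINK_CLSID:
        return None
    # Triage shortcut: scan for the block signature after the header instead of
    # walking IDList/LinkInfo/StringData, then validate the block's fixed fields.
    sig = struct.pack("<I", TRACKER_SIGNATURE)
    pos = lnk.find(sig, 0x4C)
    while pos != -1:
        start = pos - 4                           # BlockSize precedes the signature
        if start >= 0x4C and len(lnk) >= start + TRACKER_BLOCK_SIZE:
            size, _, length, version = struct.unpack_from("<IIII", lnk, start)
            if (size, length, version) == (TRACKER_BLOCK_SIZE, TRACKER_LENGTH, 0):
                machine = lnk[start + 16:start + 32].split(b"\x00", 1)[0]
                obj = uuid.UUID(bytes_le=lnk[start + 48:start + 64])  # Droid object GUID
                # A version-1 UUID carries the creating host's MAC in its node field.
                mac = "%012x" % obj.node if obj.version == 1 else None
                return {"machine_id": machine.decode("ascii", "replace"),
                        "mac": ":".join(mac[i:i + 2] for i in range(0, 12, 2)) if mac else None}
        pos = lnk.find(sig, pos + 1)
    return None


def group_by_creator(samples: dict) -> dict:
    """Map (machine_id, mac) -> [sample names]; few keys for many lures is the tell."""
    groups: dict = {}
    for name, data in samples.items():
        meta = extract_tracker(data)
        key = (meta["machine_id"], meta["mac"]) if meta else ("<no tracker block>", None)
        groups.setdefault(key, []).append(name)
    return groups


def build_sample_lnk(machine: bytes, obj_guid: str) -> bytes:
    """Constructed minimal .lnk for testing: header + TrackerDataBlock + TerminalBlock."""
    header = (struct.pack("<I", 0x4C) + SHELL_LINK_CLSID).ljust(0x4C, b"\x00")  # rest zeroed
    droid = uuid.UUID("11111111-2222-3333-8444-555555555555").bytes_le + uuid.UUID(obj_guid).bytes_le
    block = struct.pack("<IIII", TRACKER_BLOCK_SIZE, TRACKER_SIGNATURE, TRACKER_LENGTH, 0)
    block += machine.ljust(16, b"\x00") + droid + droid            # Droid, DroidBirth
    return header + block + b"\x00\x00\x00\x00"                     # TerminalBlock
```

Running `group_by_creator` over a directory of collected shortcut files shows at a glance how many distinct machines produced them; the MAC is only meaningful when the shortcut was created on a physical or VM interface rather than stripped by tooling.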

The PowerShell scripts embedded in the LNK files use obfuscation techniques to evade antivirus detection and extract the ZIP payload into the %TEMP% folder once executed.

The payload includes clean binaries that load malicious DLLs; those DLLs decrypt and execute the final Remcos backdoor, which is injected into Explorer.exe and communicates with command-and-control (C2) servers based primarily in Germany and Russia.

The C2 servers hosting the campaign are identified as being hosted by Internet Service Providers such as GTHost and HyperHosting. These servers are geo-fenced, serving only connections that originate from Ukraine.

The Remcos backdoor provides attackers with capabilities for remote control, data exfiltration, and system manipulation. Gamaredon has been observed abusing applications like TivoDiag.exe for DLL sideloading during this campaign.

The use of advanced techniques such as DLL sideloading, geo-fenced infrastructure, and thematic phishing by Gamaredon underscores their persistence in targeting Ukraine amid ongoing geopolitical tensions.

Organizations are advised to enhance their cybersecurity defenses by implementing robust endpoint protection, email security measures, and network monitoring solutions to protect against such threats.

Indicators of Compromise (IOCs) for this threat are published in Cisco Talos’ GitHub repository to aid in threat detection and mitigation efforts.
