
Russian Hackers Target Ukraine With Stealthy Malware Attack

A Russia-backed campaign is using deceptive documents to hack Ukraine-linked targets. Here's how the malware works and what defenders should watch for.

At first glance, it looks like an ordinary Office document. The filename might mention troop movements or a Ukrainian official’s name. It’s inside a ZIP file, maybe even accompanied by a decoy doc that opens without issue. But double-click it, and you’re not opening a report, you’re triggering the next stage of a stealthy malware delivery chain.

That’s the tactic observed by Cisco Talos in a recently uncovered campaign by Gamaredon, the Russian state-linked threat group that’s been actively targeting Ukrainian entities since 2013. This time, the group is leveraging malicious Windows shortcut files (.LNK) to deliver the Remcos backdoor, a commercially available remote access tool.

Talos has been tracking the campaign since at least November 2024, and while the technical components may be familiar, the execution is anything but sloppy. From the use of war-themed lure filenames to geo-fenced payload delivery, this campaign reflects how even simple tools can be highly effective when paired with context-aware targeting and reliable infrastructure.

Familiar Themes, Updated Execution

Gamaredon has repeatedly used the invasion of Ukraine as bait in its phishing campaigns, and this one is no exception. Many of the malicious LNK files in this campaign are disguised with filenames referencing Ukrainian or Russian individuals, battlefield data, or troop activity. For example:

| Original Name | Translation |
| --- | --- |
| 3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk | 3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk |
| 3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk | 3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk |
| 3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk | 3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk |
| 3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk | 3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk |
| Вероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk | Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk |
| ГУР'ЄВ Павло Андрійович.docx.lnk | GUR'EV Pavlo Andriyevich.docx.lnk |
| Координаты взлетов противника за 8 дней (Красноармейск).xlsx.lnk | Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk |
| Позиции противника запад и юго-запад.xlsx.lnk | Positions of the enemy west and southwest.xlsx.lnk |
| РИБАК Станіслав Вікторович.docx.lnk | RYBAK Stanislav Viktorovich.docx.lnk |
| ШАШИЛО Олександр Віталійович.docx.lnk | SHASHILO Oleksandr Vitaliyevich.docx.lnk |

These files are typically compressed into ZIP archives to bypass email filters, with metadata showing they were created on just two known machines — a consistent pattern for Gamaredon.

Once opened, the LNK files execute PowerShell code designed to reach out to attacker-controlled infrastructure and download a ZIP file containing the next-stage payload.

This campaign continues the trend of Russian-aligned groups exploiting familiar platforms and emotional triggers. In a similar case, attackers recently targeted Signal’s messaging features to conduct espionage, abusing trust in secure communication tools.

Staging & Payload Delivery

source: Cisco Talos

The PowerShell downloader relies on obfuscated commands using Get-Command to evade string-based detection. It connects to servers located in Russia and Germany, but Cisco notes that the infrastructure is geo-fenced — returning HTTP 403 errors unless requests originate from specific Ukrainian regions. In public sandbox testing (e.g., Any.run), the files appear unavailable, yet samples confirm that downloads were still accessible from designated locations.

The second-stage ZIP file, once retrieved, contains a mix of:

  • A clean executable

  • A malicious DLL used for DLL sideloading

  • Decoy documents to mask infection

Gamaredon uses the clean binary to trigger the DLL, which in turn decrypts and executes Remcos — giving the attacker remote access to the compromised machine.

The use of deceptive file types and region-aware delivery mirrors tactics seen in other Russian campaigns. One recent operation abused malicious RDP files to gain access to internal networks, reinforcing how common file formats are weaponized at scale.

Infrastructure Breakdown

The campaign’s C2 and payload infrastructure is hosted across multiple providers, primarily:

  • GTHost (ASN 63023)

  • HyperHosting (ASN 60602)

Cisco Talos also noted that the threat actors used reverse DNS records with invalid but unique entries, which helped analysts uncover additional IP addresses matching the attacker’s infrastructure profile.

Some key IPs involved:

  • 146.185.233.96

  • 80.66.79.91

  • 81.19.131.95

These IPs not only served payloads and decoys but at least one also functioned as a Remcos command-and-control (C2) server.

Tooling: Remcos, PowerShell, and Sideloading

Remcos is not new to the scene. It’s a commercial remote access tool (RAT) often abused by threat actors for command execution, screen capture, keylogging, and data exfiltration.

In this campaign, Remcos is deployed via a DLL sideloading method. The clean executable serves as a launcher, while the malicious DLL handles decryption and payload execution. Some of the clean applications used to facilitate this include:

  • TivoDiag.exe

  • Mp3tag.exe

  • palemoon.exe

  • Compil32.exe

source: Cisco Talos

These files are packaged with the LNK payloads in folders like SysDrive/ or Drvx64/ and extracted to the %TEMP% directory during execution.

The final Remcos binary is injected into explorer.exe and communicates over port 6856 with the attacker’s C2 server.
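The execution chain described above leaves three distinct traces on the endpoint: a launcher started from a staging folder under %TEMP%, a DLL loaded from that same folder, and explorer.exe talking to TCP 6856. The following is an added example (not Cisco Talos's or Vulnerable U's code) that turns those traits into simple triage rules and runs them over constructed, simplified Sysmon-style events; the user name, DLL name and destination IP are made up.

```python
import re

# Traits taken from the write-up: launcher and DLL extracted to a %TEMP%
# staging folder (SysDrive/ or Drvx64/), Remcos injected into explorer.exe,
# C2 traffic on TCP 6856. Event dicts mimic simplified Sysmon fields.
STAGING = re.compile(r"\\AppData\\Local\\Temp\\(?:SysDrive|Drvx64)\\", re.IGNORECASE)
TEMP = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
REMCOS_PORT = 6856

def parent_dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()

def flag_staged_launch(ev) -> bool:
    """Process created from one of the known staging folders under %TEMP%."""
    return ev["type"] == "process" and STAGING.search(ev["image"]) is not None

def flag_sideload(ev) -> bool:
    """A %TEMP%-resident executable loading a DLL from its own directory:
    the classic sideloading shape. Restricted to %TEMP% to keep it high-signal."""
    return (ev["type"] == "imageload"
            and TEMP.search(ev["image"]) is not None
            and parent_dir(ev["image"]) == parent_dir(ev["loaded"]))

def flag_explorer_c2(ev) -> bool:
    """explorer.exe normally has no reason to open outbound TCP 6856."""
    return (ev["type"] == "network"
            and ev["image"].lower().endswith("\\explorer.exe")
            and ev["dport"] == REMCOS_PORT)

RULES = (("staged-launch", flag_staged_launch),
         ("dll-sideload", flag_sideload),
         ("explorer-c2-port", flag_explorer_c2))

def triage(events):
    """Return (rule, image) pairs for every event that matches a rule."""
    return [(name, ev["image"]) for ev in events for name, fn in RULES if fn(ev)]

# Constructed sample telemetry; user, DLL name and destination IPs are made up.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe"},
    {"type": "process", "image": r"C:\Users\victim\AppData\Local\Temp\SysDrive\TivoDiag.exe"},
    {"type": "imageload", "image": r"C:\Users\victim\AppData\Local\Temp\SysDrive\TivoDiag.exe",
     "loaded": r"C:\Users\victim\AppData\Local\Temp\SysDrive\helper.dll"},
    {"type": "imageload", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "loaded": r"C:\Windows\System32\kernel32.dll"},
    {"type": "network", "image": r"C:\Windows\explorer.exe", "dport": 6856, "dst": "203.0.113.10"},
    {"type": "network", "image": r"C:\Windows\System32\svchost.exe", "dport": 443, "dst": "203.0.113.20"},
]

if __name__ == "__main__":
    for rule, image in triage(SAMPLE_EVENTS):
        print(f"{rule:18} {image}")
```

Any one hit on its own is only a lead; the same image path appearing in both the staged-launch and dll-sideload rules, followed by the explorer.exe connection, is the sequence worth escalating.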

Attribution and Consistency

Cisco assesses with medium confidence that the activity is tied to Gamaredon, based on:

  • Reuse of LNK metadata creation machines seen in past Gamaredon campaigns

  • The Ukrainian targeting

  • Infrastructure overlaps

The group has a long history of using low-complexity but high-impact tactics, typically favoring custom tools and fast-moving phishing campaigns. The use of Remcos in this case marks a shift toward leveraging widely available tooling to reduce operational overhead while maintaining access capabilities.

Operational Insights

Gamaredon’s campaign highlights several enduring challenges in threat detection:

  • Shortcut abuse remains under-monitored in many environments

  • DLL sideloading continues to be a reliable method of evading AV

  • Geo-fencing payload delivery frustrates sandboxing and intel sharing

The fact that such a targeted campaign is built around commodity malware and public infrastructure speaks volumes about both attacker adaptability and defensive blind spots.

Defending Against This Campaign

Cisco has released IOCs for this campaign on GitHub, including:

  • IPs and domains

  • Sample filenames

  • Associated executables and DLL hashes

For defenders, mitigations should include:

  • Blocking known IPs and reviewing DNS logs for any related domains

  • Scanning for .lnk files in email attachments and ZIPs

  • Auditing %TEMP% directories and sideloading vectors

  • Enforcing script execution policies for PowerShell

  • Using EDR to monitor for suspicious child processes from explorer.exe
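The second mitigation, scanning ZIP attachments for shortcut files, is easy to get wrong if it only looks at the .lnk extension: the lures above use document-style double extensions, and an attacker can rename a shortcut entirely. This added example (not Cisco Talos's or Vulnerable U's code) inspects every entry in an archive by name and by the Shell Link header magic; the archive it scans is constructed in memory and is not a real sample.

```python
import io
import re
import zipfile

# Shell Link (.lnk) files start with HeaderSize 0x0000004C followed by the
# LinkCLSID 00021401-0000-0000-C000-000000000046 in little-endian GUID layout.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c000000000000046")
# Document-looking names that actually end in .lnk, as in the campaign's lures.
DOUBLE_EXT = re.compile(r"\.(docx?|xlsx?|pdf)\.lnk$", re.IGNORECASE)

def scan_zip(data: bytes):
    """Return (entry name, reason) findings for shortcut files inside a ZIP."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if info.is_dir():
                continue
            name = info.filename
            with zf.open(info) as fh:
                head = fh.read(len(LNK_MAGIC))
            if DOUBLE_EXT.search(name):
                findings.append((name, "document-lookalike shortcut"))
            elif name.lower().endswith(".lnk"):
                findings.append((name, "shortcut file"))
            elif head == LNK_MAGIC:
                # Renamed shortcut: extension lies, header does not.
                findings.append((name, "LNK header under non-.lnk name"))
    return findings

def build_sample_zip() -> bytes:
    """Constructed archive resembling the described lure layout: a folder with
    a .docx.lnk shortcut and a harmless decoy document, plus a renamed LNK."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk",
                    LNK_MAGIC + b"\x00" * 32)          # stub body, no real link data
        zf.writestr("3079807576 (Shashilo O.V)/decoy.docx", b"PK\x03\x04 decoy document bytes")
        zf.writestr("notes.txt", b"plain text")
        zf.writestr("report.dat", LNK_MAGIC + b"\x00" * 32)  # shortcut hiding behind .dat
    return buf.getvalue()

if __name__ == "__main__":
    for name, reason in scan_zip(build_sample_zip()):
        print(f"{reason:32} {name}")
```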

Whether it’s email-based malware or social engineering attacks, the goal is still credential access and foothold establishment. Another active campaign recently used device code phishing tactics to compromise cloud-based accounts, bypassing traditional MFA defenses.

Gamaredon’s latest wave shows that even well-worn techniques, when delivered with regional nuance and infrastructure discipline, still get results. For Ukrainian targets, and those supporting them, the threat keeps evolving, and defenders need to keep pace with these tactics.

Stay tuned to Vulnu for ongoing coverage of state-aligned threats, malware distribution tactics, and intelligence-driven defense strategies.