

Ethical Hacking News

Russia's Digital Dagger: The Gamaredon Group's Latest Malicious Campaign in Ukraine



Russia-linked hacking group Gamaredon has been linked to a recent phishing campaign aimed at deploying the Remcos RAT (Remote Access Trojan) in Ukraine. The attackers used Russian words related to troop movement as lures, disguising malicious files as Microsoft Office documents. This is part of an ongoing effort by the group to compromise systems through sophisticated social engineering tactics.



  • Russia-linked hacking group Gamaredon has been linked to a recent phishing campaign in Ukraine aimed at deploying Remcos RAT.
  • The file names used as lures are Russian words related to troop movement, tricking recipients into opening malicious files disguised as Microsoft Office documents.
  • The attackers used two machines previously linked to Gamaredon for similar purposes to create malicious shortcut files, compressed into ZIP archives and delivered via phishing emails.
  • The campaign consists of four major phishing clusters impersonating reputable organizations, including the CIA and Russian volunteer corps.
  • The attackers gather personal information from victims using Google Forms and email responses, likely for espionage and data theft purposes.
  • This latest campaign highlights state-sponsored actors' evolving tactics in leveraging social engineering to gain access to targeted systems.



    Russia-linked hacking group Gamaredon has been linked to a recent phishing campaign aimed at deploying the Remcos RAT (Remote Access Trojan) in Ukraine. According to Cisco Talos researcher Guilherme Venere, the file names used as lures in this campaign are Russian words related to the movement of troops in Ukraine. This tactic is part of a larger effort by Gamaredon to trick recipients into opening malicious files disguised as Microsoft Office documents.

    The phishing campaign is believed to be the work of either Russian intelligence services or a threat actor aligned with Russia. Two machines previously used by the Gamaredon group for similar purposes have been linked to this latest campaign; they were used to create malicious shortcut files compressed inside ZIP archives, designed to trick recipients into opening them when delivered via phishing emails.

    The LNK (shortcut) files come fitted with PowerShell code responsible for downloading and executing the next-stage payload, making use of the Get-Command cmdlet, as well as fetching a decoy file that is displayed to the victim to keep up the ruse. The second stage is another ZIP archive containing a malicious DLL (Dynamic Link Library) used in a DLL side-loading technique. This allows the final Remcos payload to be loaded from encrypted files present within the archive.
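    A defender-side illustration of the first stage described above: a small triage script that opens a ZIP attachment, identifies shortcut members by their file header rather than their name, and flags those whose embedded strings point at a PowerShell download-and-execute launch. This is an added example, not code from the article or from Cisco Talos; the archive, the member name and the embedded command string are constructed for the demonstration, and the indicator list is an assumption, not Talos' detection logic.

```python
import io
import re
import zipfile

# A shell-link file starts with HeaderSize 0x4C followed by the fixed shell-link CLSID.
LNK_MAGIC = bytes.fromhex("4C000000011402000000000000C000000000000046")

# Assumed indicators of a shortcut that launches PowerShell to fetch and run a next stage.
SUSPICIOUS = re.compile(
    r"powershell|-encodedcommand|-enc\b|downloadstring|downloadfile|"
    r"invoke-expression|\biex\b|get-command|hidden",
    re.IGNORECASE,
)


def extract_strings(data: bytes, min_len: int = 6) -> list[str]:
    """Pull printable ASCII and UTF-16LE runs; LNK stores its arguments as UTF-16."""
    ascii_runs = re.findall(rb"[\x20-\x7e]{%d,}" % min_len, data)
    utf16_runs = re.findall(rb"(?:[\x20-\x7e]\x00){%d,}" % min_len, data)
    return [r.decode("ascii") for r in ascii_runs] + [
        r.decode("utf-16-le") for r in utf16_runs
    ]


def scan_zip(zip_bytes: bytes) -> list[dict]:
    """Flag ZIP members that are LNK files by magic (not by name) and carry PowerShell indicators."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(zip_bytes)) as zf:
        for info in zf.infolist():
            data = zf.read(info)
            if not data.startswith(LNK_MAGIC):
                continue  # not a shortcut, whatever the extension claims
            hits = {m.group(0).lower() for s in extract_strings(data) for m in SUSPICIOUS.finditer(s)}
            findings.append({
                "member": info.filename,
                "double_extension": info.filename.lower().count(".") > 1,  # e.g. .docx.lnk
                "indicators": sorted(hits),
            })
    return findings


def build_sample_zip() -> bytes:
    """Constructed sample: one document-named LNK with a hidden PowerShell launch, one benign text file."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56 + "powershell.exe -w hidden -c Get-Command".encode("utf-16-le")
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("Troop_movement.docx.lnk", fake_lnk)  # constructed lure name, not a real IoC
        zf.writestr("readme.txt", b"nothing to see here")
    return buf.getvalue()
```

    Running `scan_zip(build_sample_zip())` reports the shortcut member with its double extension and the three matched indicators, while the text member is skipped because it lacks the shell-link header.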

    This campaign consists of four major phishing clusters, impersonating the U.S. Central Intelligence Agency (CIA), the Russian Volunteer Corps, Legion Liberty, and Hochuzhit "I Want to Live," a hotline for receiving appeals from Russian service members in Ukraine to surrender themselves to the Ukrainian Armed Forces. The phishing pages have been found to be hosted on a bulletproof hosting provider, Nybula LLC.

    The attackers rely on Google Forms and email responses to gather personal information from victims, including their political views, bad habits, and physical fitness. According to Silent Push, "all the campaigns [...] observed have had similar traits and shared a common objective: collecting personal information from site-visiting victims." This information is likely used for espionage and data theft purposes.

    The threat actor, assessed to be affiliated with Russia's Federal Security Service (FSB), is known for its targeting of Ukrainian organizations. It has been operational since at least 2013, reflecting the group's long-running efforts to compromise sensitive information in Ukraine.

    This latest campaign highlights the evolving tactics employed by state-sponsored actors, such as Gamaredon, and their adaptability in leveraging social engineering to gain access to targeted systems. The use of legitimate-sounding names and impersonation of reputable organizations adds a layer of sophistication to these phishing campaigns.

    The cybersecurity community must remain vigilant in responding to these types of threats, as they have significant implications for national security, data protection, and the ongoing conflict between Ukraine and Russia.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russias-Digital-Dagger-The-Gamaredon-Groups-Latest-Malicious-Campaign-in-Ukraine-ehn.shtml

  • https://thehackernews.com/2025/03/russia-linked-gamaredon-uses-troop.html

  • https://attack.mitre.org/groups/G0047/

  • https://en.wikipedia.org/wiki/Sandworm_(hacker_group)

  • https://en.wikipedia.org/wiki/Legion_Hacktivist_Group

  • https://www.gqindia.com/content/legion-five-things-know

  • https://en.wikipedia.org/wiki/I_Want_to_Live_(hotline)


  • Published: Mon Mar 31 07:40:59 2025 by llama3.2 3B Q4_K_M
