{
	"id": "37c145d6-b7f9-44a2-93fd-d99d8d5ef5d4",
	"created_at": "2026-04-06T00:10:46.710313Z",
	"updated_at": "2026-04-10T03:37:26.699937Z",
	"deleted_at": null,
	"sha1_hash": "17af34a9599b9392a748dd46f9db169dd4717d2d",
	"title": "Unveiling UAC-0184: The Steganography Saga of the IDAT Loader Delivering Remcos RAT to a Ukraine Entity in Finland",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4905920,
	"plain_text": "Unveiling UAC-0184: The Steganography Saga of the IDAT Loader\r\nDelivering Remcos RAT to a Ukraine Entity in Finland\r\nBy Michael Dereviashkin\r\nArchived: 2026-04-05 16:44:10 UTC\r\nMorphisec Threat Labs recently discovered multiple indicators of attacks attributed to the threat actor UAC-0184. This discovery sheds light on the notorious IDAT loader delivering the Remcos Remote Access Trojan (RAT) to a Ukrainian entity based in Finland.\r\nIntroduction\r\nThis blog explores the broader execution course of the attack, emphasizing its key unique aspects: the use of the IDAT loader and the targeting of a Ukrainian entity in Finland. Detailed technical findings on associated Remcos RAT attacks, including Indicators of Compromise (IoCs) and detailed TTPs, have previously been published by CERT-UA (written in Ukrainian) and by Uptycs.\r\nTargeting Ukraine Entities in Finland\r\nWhile the adversary strategically targeted Ukraine-based entities, it apparently sought to expand to additional entities affiliated with Ukraine. Morphisec’s findings brought a more specific target to the forefront: Ukrainian entities based in Finland. (Note: technical information about the targets cannot be disclosed due to confidentiality.)\r\nUsage of Steganography (MITRE ATT&CK T1027.003, Obfuscated Files or Information: Steganography)\r\nThe IDAT loader used in this attack relies on steganography. While steganographic, or “stego”, techniques are well known, it is important to understand their role in defense evasion in order to defend against them.\r\nSteganography hides malicious code or files inside an image or video by distributing the payload across the media’s pixel data, where it is difficult to detect.\r\nFor example, in an image with 24 bits per pixel (16.7 million colors), each pixel is three bytes, one per color channel, and code can be embedded in the least significant bit (LSB) of each byte: three hidden bits per pixel, with each color value changing by at most one step, which is imperceptible to the eye. A 1024 x 768 image of this kind carries about 288 KB of hidden data that way.
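As an added worked example (not code from the Morphisec post), the LSB embedding described above in plain Python: it builds a constructed 24-bit RGB PNG in memory, hides a marker-prefixed payload in the least significant bit of every colour byte, then parses the PNG the way a loader would (walk the chunks, inflate IDAT, strip the filter bytes) and recovers the payload by scanning for the marker. The marker value 0xEA79A5C6 is the start value reported later in this analysis; its placement in the LSB stream, the 4-byte length prefix, the gradient cover image and the payload bytes are all assumptions of this example rather than the loader’s actual layout.

```python
import struct
import zlib

# Constructed sample cover: a 64 x 32 image with 24 bits per pixel (three bytes per pixel, no alpha).
WIDTH, HEIGHT = 64, 32
PNG_SIG = bytes.fromhex('89504e470d0a1a0a')
# Start-of-payload marker. The value is the one reported in the Morphisec analysis;
# placing it in the LSB stream, followed by a 4-byte length, is an assumption of this example.
MARKER = 0xEA79A5C6


def make_cover_pixels(width, height):
    # Plain colour gradient standing in for a real picture; returns one bytes object per scanline.
    rows = []
    for y in range(height):
        row = bytearray()
        for x in range(width):
            row += bytes(((x * 4) % 256, (y * 8) % 256, (x + y) % 256))
        rows.append(bytes(row))
    return rows


def png_chunk(kind, data):
    # PNG chunk layout: big-endian length, 4-byte type, data, CRC32 over type + data.
    crc = zlib.crc32(kind + data) & 0xFFFFFFFF
    return struct.pack('>I', len(data)) + kind + data + struct.pack('>I', crc)


def encode_png(rows):
    # 8-bit RGB (colour type 2), filter type 0 on every scanline, a single IDAT chunk.
    ihdr = struct.pack('>IIBBBBB', len(rows[0]) // 3, len(rows), 8, 2, 0, 0, 0)
    raw = b''.join(bytes(1) + row for row in rows)   # bytes(1) is the filter byte 0x00
    return PNG_SIG + png_chunk(b'IHDR', ihdr) + png_chunk(b'IDAT', zlib.compress(raw)) + png_chunk(b'IEND', b'')


def decode_png_rows(png):
    # Walk the chunks the way a loader would: verify CRCs, collect IDAT data, inflate, strip filter bytes.
    assert png[:8] == PNG_SIG, 'not a PNG'
    pos, idat, width, height = 8, b'', 0, 0
    while pos < len(png):
        length, kind = struct.unpack('>I4s', png[pos:pos + 8])
        data = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack('>I', png[pos + 8 + length:pos + 12 + length])
        assert crc == zlib.crc32(kind + data) & 0xFFFFFFFF, 'bad chunk CRC'
        if kind == b'IHDR':
            width, height, depth, colour = struct.unpack('>IIBB', data[:10])
            assert (depth, colour) == (8, 2), 'this example decodes 8-bit RGB only'
        elif kind == b'IDAT':
            idat += data
        pos += 12 + length
    raw = zlib.decompress(idat)
    stride = 1 + width * 3
    rows = []
    for y in range(height):
        line = raw[y * stride:(y + 1) * stride]
        assert line[0] == 0, 'this example handles filter type 0 only'
        rows.append(line[1:])
    return rows


def lsb_embed(rows, payload):
    # Hide marker + length + payload, one bit per colour byte (MSB first), by rewriting each LSB.
    blob = struct.pack('>II', MARKER, len(payload)) + payload
    bits = [(byte >> (7 - i)) & 1 for byte in blob for i in range(8)]
    pixels = bytearray(b''.join(rows))
    assert len(bits) <= len(pixels), 'cover image too small for this payload'
    for i, bit in enumerate(bits):
        pixels[i] = (pixels[i] & 0xFE) | bit
    stride = len(rows[0])
    return [bytes(pixels[y * stride:(y + 1) * stride]) for y in range(len(rows))]


def lsb_stream(rows):
    # Reassemble the LSB of every colour byte into a byte string (8 colour bytes give 1 hidden byte).
    pixels = b''.join(rows)
    out = bytearray()
    for i in range(0, len(pixels) - 7, 8):
        value = 0
        for byte in pixels[i:i + 8]:
            value = (value << 1) | (byte & 1)
        out.append(value)
    return bytes(out)


def lsb_extract(rows):
    # Scan the recovered stream for the marker, then read the length-prefixed payload that follows it.
    stream = lsb_stream(rows)
    idx = stream.find(struct.pack('>I', MARKER))
    if idx < 0:
        return None
    (length,) = struct.unpack('>I', stream[idx + 4:idx + 8])
    return stream[idx + 8:idx + 8 + length]


def max_pixel_delta(cover_rows, stego_rows):
    # Largest change to any colour byte; LSB embedding never moves a value by more than 1.
    return max(abs(a - b) for ca, sa in zip(cover_rows, stego_rows) for a, b in zip(ca, sa))


def demo(payload=b'constructed stand-in for a loader stage, not real malware'):
    cover = make_cover_pixels(WIDTH, HEIGHT)
    png = encode_png(lsb_embed(cover, payload))     # the image an attacker would embed in the loader
    stego = decode_png_rows(png)                    # what the loader sees after parsing the PNG
    return lsb_extract(stego), max_pixel_delta(cover, stego), len(png)


if __name__ == '__main__':
    recovered, delta, size = demo()
    print(recovered, delta, size)
```

Running the module prints the recovered payload, the largest per-byte change (1) and the PNG size. The roundtrip shows why byte-signature scanning of the image is futile: the payload never exists as contiguous bytes inside the file, only as the LSB plane, and the file remains a valid PNG throughout; the marker scan is what lets a loader find the start of its data without any offset stored elsewhere.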
\r\nEven if the media file is scanned, the obfuscated payload can evade signature-based detection, allowing a malware loader to drop the media, extract the payload, and execute it in memory. A practical caveat for defenders: byte-signature scanning of the image is ineffective, since the payload exists only as scattered bits until the loader reassembles it; detection has to focus on the loader’s extraction and in-memory execution, or on the statistical anomalies that LSB embedding leaves in the pixel data. In this case the image looked visibly distorted, yet the obfuscation was still sufficient for defense evasion.\r\nhttps://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga\r\nPage 1 of 10\n\nSteganographic techniques are used for payload obfuscation (Image credit: The Hacker News)\r\nRemcos RAT\r\nRemcos is a commercial remote access trojan (RAT). Morphisec previously described the Remcos trojan, which allows attackers to quickly and easily control an infected computer, steal personal information, and surveil a victim’s activity, all without investing time in developing a tool with remote administration capabilities. Morphisec additionally covered Remcos as the payload of GuLoader and of the Babadeda crypter.\r\nMorphisec’s commitment to proactive defense was pivotal in shielding its customers from this highly sophisticated threat, with our protection mechanisms kicking in at an early stage of the attack.\r\nDetection Timeline Insights\r\nWhile Morphisec prevented multiple attacks, one specific incident can be highlighted. During the first weeks of January 2024, Morphisec’s proactive defense mechanisms prevented the execution of this malicious campaign; early detection played a pivotal role, providing crucial time for containment and incident response measures. The official CERT-UA security alert (which validated the threat) was released several days later. Morphisec’s research revealed that this attack and subsequent ones shared common artifacts with the CERT-UA alerts, yet with multiple differences.
\r\nThis timeline underscores Morphisec’s proactive stance: the security alert confirmed that Morphisec had already addressed the threat.\r\nThe following screenshot demonstrates the event timeline:\r\nMorphisec’s mechanism prevented the threat several days before public disclosure by CERT-UA\r\nDelivery Insights\r\nThe screenshot below provides additional details, based on information published by CERT-UA. These details describe the deceptive recruitment lures used under the guise of soliciting for the 3rd Separate Assault Brigade and the Israel Defense Forces (IDF).\r\nA related Remcos RAT attack was delivered as a phishing email claiming to be from an Israel Defense Forces consultant (source: Uptycs)\r\nPayload Delivery Flow Chart\r\nThis flow chart offers more clarity on the attempted delivery of the Remcos RAT by the IDAT loader. It illustrates the key stages of the attack throughout the main execution course.\r\nIDAT Loader Overview\r\nIDAT is an advanced loader that delivers various malware families, including Danabot, SystemBC, and RedLine Stealer. Distinguished by its modular architecture, IDAT employs features like dedicated code injection and execution modules, setting it apart from conventional loaders.\r\nIt employs techniques such as dynamic resolution of Windows API functions, HTTP connectivity tests, process blocklists, and syscalls to evade detection. The infection process of IDAT unfolds in multiple stages, each serving distinct functionality.\r\nThe initial stage downloads or loads the second stage, which houses a module table and the primary instrumentation shellcode. The second stage injects this shellcode into a legitimate DLL or a new process. 
Subsequently, the main instrumentation shellcode decrypts and executes the final payload, adapting its injection or execution method to the payload’s file type and configuration flags.\r\nInterestingly, in this case the IDAT modules were embedded within the primary executable, whereas they are commonly downloaded from a remote server.\r\nThe code in the analyzed sample that is responsible for loading the IDAT modules has been observed by other security researchers; Zscaler ThreatLabz documents it under the name HijackLoader.\r\nIDAT Loader TTPs\r\nIDAT Loader reveals a distinctive array of Tactics, Techniques, and Procedures (TTPs). This section analyzes the IDAT Loader with respect to the current campaign and intentionally avoids explicit connections to prior campaigns, to spotlight its position within the current frame of IDAT Loader operations.\r\nNote: The use of the IDAT loader to deliver Remcos RAT was previously described by Yoroi in Innovation in Cyber Intrusions: The Evolution of TA544.\r\nThe following screenshot looks at the primary executable, focusing on the malicious code. It can be observed that a connection is made and a download is initiated from ‘hxxps://aveclagare[.]org/wp-content/plugins/wpstream/public/js/youtube.min.js’.\r\nThe request uses a distinctive User-Agent, ‘racon’, which serves multiple purposes: it acts as a key in the campaign delivery chain, it doubles as a connectivity check, and it apparently provides analytics for the campaign. A User-Agent string this unusual is itself a useful detection point in proxy logs.\r\nThe purpose of this code is to decrypt the API name ‘InitOnceExecuteOnce’ (used to transfer execution to the next stage of the malware) and to resolve it at run time. The download must return ‘(func’ as the response content; that string is used as the decryption key, so the loader only proceeds when the staging server responds as expected. 
\r\nThe next code block decrypts the following stage with the same key as before, ‘(func’. It then dynamically resolves VirtualProtect and changes the protection of the .text section to RWX.\r\nIt then copies the decrypted stage over a predefined function in the .text section and transfers execution to the freshly copied code through a regular call, rather than via ‘InitOnceExecuteOnce’. A code section that is both writable and executable is abnormal for a compiled PE image, so a VirtualProtect call that sets PAGE_EXECUTE_READWRITE on a module’s own .text section is a strong behavioral signal for this stage.\r\nLeveraging Steganography for Defense Evasion\r\nAs previously noted, the IDAT loader operates on a modular basis. Its configuration references an embedded steganographic PNG from which the next stage is located and extracted; the value 0xEA79A5C6 marks the starting point of the embedded data.\r\nThe extracted code\r\nThe image pixel data showing the encoding of the IDAT loader\r\nThe original image containing the embedded code\r\nCode Injection\r\nThe following stage loads a legitimate library, PLA.dll (Performance Logs and Alerts), and overwrites part of its mapped image with the succeeding stage code. This technique, popularized as ‘Module Stomping’, makes the injected code appear to execute from memory backed by a legitimately loaded, signed DLL, which helps it evade security solutions that treat image-backed executable memory as trusted. A defender can catch it by comparing the in-memory code of loaded modules against the corresponding image on disk; stomped regions will not match.\r\nIndicators of Compromise (IOCs)\r\nDue to customer confidentiality, below is a summary of IOCs for these prevented attacks.\r\nAn extensive list of IOCs can be found in the CERT-UA bulletin. 
\r\nIndicator | Details\r\nRemcos C2 | 194.87.31[.]181\r\nDockerSystem_Gzv3.exe (SHA-256) | 4b36a82e1781ffa1936703971e2d94369e3059c8524d647613244c6f9a92690b\r\nHow Morphisec Helps\r\nMorphisec’s Automated Moving Target Defense (AMTD) stops attacks like IDAT Loader and Remcos RAT across the attack chain, detecting hidden malicious code (as was the case in this attack) as well as the payload malware itself. Morphisec doesn’t rely on signature or behavioral patterns. Instead, it uses patented moving target defense technology to prevent the attack at its earliest stages, preemptively blocking attacks on memory and applications and eliminating the need for after-the-fact response.\r\nSchedule a demo today to see how Morphisec stops this and other newly emerging threats.\r\nAbout the author\r\nMichael Dereviashkin\r\nSource: https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"references": [
		"https://blog.morphisec.com/unveiling-uac-0184-the-remcos-rat-steganography-saga"
	],
	"report_names": [
		"unveiling-uac-0184-the-remcos-rat-steganography-saga"
	],
	"threat_actors": [
		{
			"id": "c91f7778-69aa-45fa-be0e-4ee33daf8fbd",
			"created_at": "2023-01-06T13:46:39.110148Z",
			"updated_at": "2026-04-10T02:00:03.216613Z",
			"deleted_at": null,
			"main_name": "NARWHAL SPIDER",
			"aliases": [
				"GOLD ESSEX",
				"TA544",
				"Storm-0302"
			],
			"source_name": "MISPGALAXY:NARWHAL SPIDER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "96c51fd5-bdae-445b-8cb0-467f8887e402",
			"created_at": "2024-03-02T02:00:03.831363Z",
			"updated_at": "2026-04-10T02:00:03.597659Z",
			"deleted_at": null,
			"main_name": "UAC-0184",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0184",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "956fc691-b6c6-4b09-b69d-8f007c189839",
			"created_at": "2025-08-07T02:03:24.860251Z",
			"updated_at": "2026-04-10T02:00:03.656547Z",
			"deleted_at": null,
			"main_name": "GOLD ESSEX",
			"aliases": [
				"Narwhal Spider",
				"Storm-0302",
				"TA544"
			],
			"source_name": "Secureworks:GOLD ESSEX",
			"tools": [
				"Cutwail",
				"Pony",
				"Pushdo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "1f679d2e-c5c9-49e9-b854-2eca06a870e4",
			"created_at": "2022-10-25T16:07:24.453427Z",
			"updated_at": "2026-04-10T02:00:04.997515Z",
			"deleted_at": null,
			"main_name": "Bamboo Spider",
			"aliases": [
				"Bamboo Spider",
				"TA544"
			],
			"source_name": "ETDA:Bamboo Spider",
			"tools": [
				"AndroKINS",
				"Bebloh",
				"Chthonic",
				"DELoader",
				"Dofoil",
				"GozNym",
				"Gozi ISFB",
				"ISFB",
				"Nymaim",
				"PandaBanker",
				"Pandemyia",
				"Sharik",
				"Shiotob",
				"Smoke Loader",
				"SmokeLoader",
				"Terdot",
				"URLZone",
				"XSphinx",
				"ZLoader",
				"Zeus OpenSSL",
				"Zeus Panda",
				"Zeus Sphinx",
				"ZeusPanda",
				"nymain"
			],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434246,
	"ts_updated_at": 1775792246,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/17af34a9599b9392a748dd46f9db169dd4717d2d.pdf",
		"text": "https://archive.orkl.eu/17af34a9599b9392a748dd46f9db169dd4717d2d.txt",
		"img": "https://archive.orkl.eu/17af34a9599b9392a748dd46f9db169dd4717d2d.jpg"
	}
}