{
	"id": "620775f6-e633-429b-a22e-72d3393471c6",
	"created_at": "2026-04-06T00:11:36.403466Z",
	"updated_at": "2026-04-10T13:11:58.203571Z",
	"deleted_at": null,
	"sha1_hash": "2f2e04204f3be3973ae53ce708567ee50b2e79ce",
	"title": "New Phishing Attack Detection Attributed to the UAC-0050 and UAC-0096 Groups Spreading Remcos Spyware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 46698,
	"plain_text": "New Phishing Attack Detection Attributed to the UAC-0050 and UAC-0096 Groups Spreading Remcos Spyware\r\nBy Daryna Olyniychuk\r\nPublished: 2023-02-22 · Archived: 2026-04-05 17:28:18 UTC\r\nFebruary 2023 can be marked as a month of ongoing adversary campaigns against Ukraine, exploiting the phishing attack vector and leveraging remote access software. Close on the heels of phishing attacks spreading Remcos RAT and abusing Remote Utilities software, another mass email distribution targeting Ukrainian organizations has drawn the attention of cyber defenders. The latest CERT-UA#6011 alert details this targeted phishing campaign, which impersonates the Pechersk District Court of Kyiv and aims to drop Remcos spyware on compromised systems.\r\nPhishing Attacks Leveraging Remcos Malware Covered in the CERT-UA#6011 Alert\r\nWith the one-year anniversary of the full-scale war in Ukraine approaching, offensive forces are increasing their malicious activity, mainly via the phishing attack vector. In February 2023, at least three ongoing adversary campaigns against Ukraine were in the spotlight, all of which took advantage of remote access tools, highly likely for cyber espionage.\r\nOn February 21, 2023, CERT-UA researchers issued a new alert warning cyber defenders of another phishing attack spreading Remcos spyware. The ongoing fraudulent email campaign follows the behavioral patterns observed in the earlier February attacks. Threat actors disguise the sender as the Pechersk District Court of Kyiv and attach a lure RAR archive to trick targeted users into opening it. The infection chain is triggered by extracting the archive, which contains a TXT file and another password-protected RAR file; because the inner archive is encrypted, its contents cannot be inspected by mail gateway scanners until the user extracts it. The inner archive, in turn, contains the malicious executable, which carries a fraudulent digital signature disguised as a legitimate one. Launching this EXE file drops Remcos spyware on the compromised system.\r\nAfter gaining access to the targeted system, threat actors proceed with data exfiltration and can use the compromised computer for network reconnaissance and further attacks on the organization’s infrastructure.\r\nThe CERT-UA investigation has linked the adversary behavior patterns observed in the ongoing phishing campaign with similar ones displayed by threat actors in another February cyber attack exploiting Remote Utilities software. Researchers discovered that identical IP addresses were used for one of the emails in the latest campaign and in the previous one. Based on these behavioral similarities, CERT-UA researchers suggest tracking the two hacking collectives behind both campaigns (UAC-0050 and UAC-0096) under the single identifier UAC-0050.\r\nDetect the Latest Remcos Spyware Campaign Targeting Ukrainian Entities\r\nUkraine keeps fighting on the frontline of the first-ever full-scale cyber war in human history, constantly withstanding an avalanche of cyber attacks against government bodies and business assets. To help Ukraine and its allies proactively defend against russia-affiliated intrusions of any scale and detect adversary TTPs, SOC Prime Platform for collective cyber defense provides access to a comprehensive list of Sigma rules detecting malicious activity associated with Remcos spyware and Remote Utilities software abuse. All the detections are compatible with 25+ SIEM, EDR, and XDR solutions, so security practitioners can use those matching their security environment.\r\nHit the Explore Detections button below to reach the dedicated set of curated alerts and hunting queries enriched with extensive metadata, including MITRE ATT\u0026CK® references and cyber threat intelligence links. To streamline the search for relevant Sigma rules, SOC Prime Platform supports filtering by the custom tags “UAC-0050”, “UAC-0096”, and “CERT-UA#6011”, based on the dedicated CERT-UA alert and the corresponding identifiers of the hacking collectives.\r\nExplore Detections\r\nSecurity practitioners can also streamline their threat hunting by searching for relevant indicators of compromise with the new version of the Uncoder.IO tool, which converts IoCs into curated hunting queries ready to run in a chosen SIEM \u0026 XDR environment. Just find the relevant IoCs using the search bar, or paste the text with the file, host, or network IoCs provided by CERT-UA to instantly get a performance-optimized query. Uncoder.IO is a free project developed with privacy in mind: no authentication, no log collection, and all data is kept session-based.\r\nIOCs from the CERT-UA#6011 alert to search for Remcos-related threats via Uncoder.IO\r\nMITRE ATT\u0026CK Context\r\nTo delve into the in-depth context behind the Remcos malicious campaign reported in the CERT-UA#6011 alert, all above-referenced Sigma rules are tagged with ATT\u0026CK v12, addressing the relevant tactics and techniques:\r\nSource: https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socprime.com/blog/new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware/"
	],
	"report_names": [
		"new-phishing-attack-detection-attributed-to-the-uac-0050-and-uac-0096-groups-spreading-remcos-spyware"
	],
	"threat_actors": [
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "bc289ba8-bc61-474c-8462-a3f7179d97bb",
			"created_at": "2022-10-25T16:07:24.450609Z",
			"updated_at": "2026-04-10T02:00:04.996582Z",
			"deleted_at": null,
			"main_name": "Avalanche",
			"aliases": [],
			"source_name": "ETDA:Avalanche",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		}
	],
	"ts_created_at": 1775434296,
	"ts_updated_at": 1775826718,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/2f2e04204f3be3973ae53ce708567ee50b2e79ce.pdf",
		"text": "https://archive.orkl.eu/2f2e04204f3be3973ae53ce708567ee50b2e79ce.txt",
		"img": "https://archive.orkl.eu/2f2e04204f3be3973ae53ce708567ee50b2e79ce.jpg"
	}
}