{
	"id": "96a82387-b624-4bae-a0bc-53dd75af0f63",
	"created_at": "2026-04-06T00:07:46.77563Z",
	"updated_at": "2026-04-10T13:12:43.303934Z",
	"deleted_at": null,
	"sha1_hash": "79b836e4b55f71158f6e46b3f462adb2edb6d716",
	"title": "Remcos RAT Detection: UAC-0050 Hackers Launch Phishing Attacks Impersonating the Security Service of Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 43472,
	"plain_text": "Remcos RAT Detection: UAC-0050 Hackers Launch Phishing\r\nAttacks Impersonating the Security Service of Ukraine\r\nBy Veronika Zahorulko\r\nPublished: 2023-11-14 · Archived: 2026-04-05 13:26:04 UTC\r\nCERT-UA researchers have recently published a novel heads-up that covers ongoing phishing attacks against\r\nUkraine involving distribution of Remcos RAT. The group in charge of this offensive campaign, which involves\r\nmassively distributing spoofed emails with a false sender identity masquerading as the Security Service of\r\nUkraine, is tracked as UAC-0050.\r\nUAC-0050 Attack Analysis Covered in the CERT-UA#8026 Alert\r\nOn November 13, 2023, CERT-UA released a security notice unveiling a novel phishing campaign distributing\r\nRemcos RAT and attributed to the UAC-0050 group. The same group is believed to be behind a couple of phishing attacks\r\ntargeting Ukrainian organizations in February 2023. Both malicious operations involved spreading the Remcos Trojan\r\nand relied on a false sender identity to lure victims into opening weaponized emails. \r\nIn the latest campaign, attackers send phishing emails whose sender is spoofed as the Security\r\nService of Ukraine and which carry lure RAR files. The last archive in the chain includes an EXE file\r\nthat leads to deploying Remcos on the impacted instances. Adversaries maintain persistence by creating an entry\r\nin the Run key of the Windows registry.\r\nThe malware configuration contains 8 IP addresses of the C2 servers, which are linked to the popular Malaysian\r\nweb hosting provider known as Shinjiru. Notably, the domain names are registered via the russian company\r\nREG.RU.\r\nDetect UAC-0050 Latest Phishing Attacks Using Remcos RAT\r\nThroughout 2023, UAC-0050 has launched a series of attacks against Ukraine abusing the phishing attack vector\r\nand distributing the Remcos Trojan, including the most recent adversary campaign addressed in the CERT-UA#8026\r\nalert. 
SOC Prime Platform arms defenders with detection algorithms against existing and emerging threats, so\r\norganizations can continuously enhance their cyber resilience. Follow the link below to obtain relevant Sigma\r\nrules filtered by the custom tag “CERT-UA#8026” to proactively detect phishing attacks covered in the latest\r\nCERT-UA heads-up. \r\nSigma rules to detect attacks by UAC-0050 covered in the CERT-UA#8026 alert\r\nTo reach the comprehensive list of SOC content for other attacks against Ukraine linked to UAC-0050, press\r\nExplore Detections. The detection content is mapped to the MITRE ATT\u0026CK framework, enriched with CTI and\r\nrelevant metadata, and can be used across multiple security analytics platforms while bridging the gap between\r\nmultiple language formats.\r\nhttps://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/\r\nPage 1 of 2\n\nExplore Detections\r\nTeams can also hunt for file, host, and network IOCs provided by CERT-UA using SOC Prime’s open-source IDE\r\nfor Detection Engineering that now supports IOC packaging. Try Uncoder IO to automatically create\r\nperformance-optimized search queries and immediately run them in your SIEM or EDR environment while\r\nshaving seconds off your threat investigation. \r\nUse Uncoder IO to hunt for UAC-0050 adversary activity with custom search queries based on IOCs from the\r\nCERT-UA#8026 alert.\r\nMITRE ATT\u0026CK Context\r\nLeveraging MITRE ATT\u0026CK provides granular visibility into the context of offensive operations attributed to\r\nUAC-0050. 
Explore the table below to see the full list of dedicated Sigma rules addressing the corresponding\r\nATT\u0026CK tactics, techniques, and sub-techniques.\r\nSource: https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"MISPGALAXY"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://socprime.com/blog/remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine/"
	],
	"report_names": [
		"remcos-rat-detection-uac-0050-hackers-launch-phishing-attacks-impersonating-the-security-service-of-ukraine"
	],
	"threat_actors": [
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434066,
	"ts_updated_at": 1775826763,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/79b836e4b55f71158f6e46b3f462adb2edb6d716.pdf",
		"text": "https://archive.orkl.eu/79b836e4b55f71158f6e46b3f462adb2edb6d716.txt",
		"img": "https://archive.orkl.eu/79b836e4b55f71158f6e46b3f462adb2edb6d716.jpg"
	}
}