{
	"id": "098715e1-a134-4da3-b71b-a89fc475ea8a",
	"created_at": "2026-04-06T00:08:38.251877Z",
	"updated_at": "2026-04-10T13:12:53.313473Z",
	"deleted_at": null,
	"sha1_hash": "8456a3d98e970be587dc0e555d5485e37252f3ce",
	"title": "Remcos, again: Ukrainian agencies targeted in a new spying campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80551,
	"plain_text": "Remcos, again: Ukrainian agencies targeted in a new spying campaign\r\nBy Daryna Antoniuk\r\nPublished: 2023-11-17 · Archived: 2026-04-05 23:08:34 UTC\r\nA hacking group that has been targeting Ukraine for several years has launched a new campaign against government agencies using a familiar surveillance tool, Remcos.\r\nThe remote access software, marketed as a legitimate administration tool, can be abused by attackers to gain full control over an infected system.\r\nIn the recent campaign, the attackers sent phishing emails to their targets, disguised as official requests from Ukraine’s security service (SBU), according to research by the country’s computer emergency response team (CERT-UA).\r\nThe emails asked recipients to provide certain information, claiming it was crucial for “national security,” and warned that recipients who did not provide it within the specified period would be held liable.\r\nThe requested information was allegedly listed in an attached PDF file, which in reality installed Remcos on the targeted device.\r\nCERT-UA tracks the threat actor behind this campaign as UAC-0050. The agency’s spokesperson told Recorded Future News that the group has been active since at least 2020, attacking government agencies not only in Ukraine but also in the Baltic states and Russia. The group was not very active this year, according to CERT-UA.\r\nIn February, the group attacked Ukrainian state agencies with Remcos twice. In one instance, the attackers sent phishing emails disguised as official requests from the Kyiv court.\r\nEarlier that month, the group sent its victims fake emails containing a malicious file, posing as payment reminders from Ukrtelecom, a major Ukrainian internet service provider.\r\nCERT-UA’s new report did not specify the goal of the recent campaign, but the agency’s spokesperson said it was most likely espionage.\r\nAlthough researchers did not directly attribute the attacks to Russia, they noted that the domain names used by the attackers were registered through the Russian company REG.RU.\r\n‘Highly customizable’\r\nhttps://therecord.media/remcos-phishing-ukraine-government-agencies\r\nPage 1 of 3\r\nRemcos was developed by the Germany-based firm Breaking Security for remotely managing Windows systems, according to research from the cybersecurity firm Trend Micro.\r\nBreaking Security openly advertises Remcos, describing it as “a lightweight, fast, and highly customizable remote administration tool with a wide array of functionalities.” Users can download a free version of the software or buy the premium version for $85.\r\nIn addition to providing remote access, Remcos can collect data from targeted devices, including system information such as the computer name, system type and processor revision number, as well as user credentials and personal information.\r\nRemcos can evade antivirus detection by running as a legitimate process on Windows, and it can gain administrator privileges in order to disable User Account Control (UAC).\r\nThe software is usually delivered in a malicious ZIP file masquerading as a PDF that claims to contain an invoice or order, according to the cybersecurity company Check Point.\r\nIn one attack last year, threat actors disguised a phishing email as a payment notification from a trusted bank and asked the recipient to open an attached Excel file, according to Fortinet research.\r\nThe Excel file displayed a yellow security bar warning the victim about potentially dangerous macro code. The file’s content lured the victim into clicking the button to dismiss the warning and execute the malicious macro code, Fortinet explains.\r\nDaryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/remcos-phishing-ukraine-government-agencies",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://therecord.media/remcos-phishing-ukraine-government-agencies"
	],
	"report_names": [
		"remcos-phishing-ukraine-government-agencies"
	],
	"threat_actors": [
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434118,
	"ts_updated_at": 1775826773,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8456a3d98e970be587dc0e555d5485e37252f3ce.pdf",
		"text": "https://archive.orkl.eu/8456a3d98e970be587dc0e555d5485e37252f3ce.txt",
		"img": "https://archive.orkl.eu/8456a3d98e970be587dc0e555d5485e37252f3ce.jpg"
	}
}