{
	"id": "e794fded-20c0-46d4-8286-b369d718f7bf",
	"created_at": "2026-04-06T00:18:33.375804Z",
	"updated_at": "2026-04-10T03:37:04.493332Z",
	"deleted_at": null,
	"sha1_hash": "9b8318e830d11254f8884a7af42a1676d9c51b0b",
	"title": "Gamaredon campaign abuses LNK files to distribute Remcos backdoor",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 531718,
	"plain_text": "Gamaredon campaign abuses LNK files to distribute Remcos backdoor\r\nBy Guilherme Venere\r\nPublished: 2025-03-28 · Archived: 2026-04-05 16:57:54 UTC\r\nFriday, March 28, 2025 06:00\r\nCisco Talos is actively tracking an ongoing campaign, active since at least November 2024, that targets users in Ukraine with malicious LNK files which run a PowerShell downloader.\r\nThe file names use Russian words related to the movement of troops in Ukraine as a lure.\r\nThe PowerShell downloader contacts geo-fenced servers located in Russia and Germany to download the second-stage ZIP file containing the Remcos backdoor.\r\nThe second-stage payload uses DLL sideloading to execute the Remcos payload.\r\nTalos assesses with medium confidence that this activity is associated with the Gamaredon threat actor group.\r\nPhishing campaign using the invasion of Ukraine as a theme\r\nThe invasion of Ukraine is a common theme used by the Gamaredon group in their phishing campaigns, and this campaign continues that practice. The actor distributes LNK files compressed inside ZIP archives, usually disguising the file as an Office document and using names related to the invasion.\r\nhttps://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/\r\nPage 1 of 8\r\nAlthough Talos was not able to pinpoint the exact method by which these files are distributed, it is likely that Gamaredon continues to send phishing e-mails with either the ZIP file directly attached or a URL to download the file from a remote host.\r\nBelow are some examples of file names used in this campaign:\r\nOriginal Name | Translation\r\n3079807576 (Шашило О.В)/ШАШИЛО Олександр Віталійович.docx.lnk | 3079807576 (Shashilo O.V)/SHASHILO Oleksandr Vitaliyovich.docx.lnk\r\n3151721177 (Рибак С.В)/РИБАК Станіслав Вікторович.docx.lnk | 3151721177 (Rybak S.V)/RYBAK Stanislav Viktorovich.docx.lnk\r\n3407607951 (Жолоб В.В)/ЖОЛОБ Владислав Вікторович.docx.lnk | 3407607951 (Zholob V.V)/ZHOLOB Vladislav Viktorovich.docx.lnk\r\n3710407173 (Гур'єв П.А)/ГУР'ЄВ Павло Андрійович.docx.lnk | 3710407173 (Gur'ev P.A)/GUR'EV Pavlo Andriyovich.docx.lnk\r\nВероятное расположение узлов связи, установок РЭБ и расчетов БПЛА противника. ЮГ КРАСНОАРМЕЙСКА.docx.lnk | Probable location of communication nodes, electronic warfare installations and enemy UAV calculations. SOUTH OF THE RED ARMY.docx.lnk\r\nГУР'ЄВ Павло Андрійович.docx.lnk | GUR'EV Pavlo Andriyevich.docx.lnk\r\nКоординаты взлетов противника за 8 днеи (Красноармейск).xlsx.lnk | Coordinates of enemy takeoffs for 8 days (Krasnoarmeysk).xlsx.lnk\r\nПозиции противника запад и юго-запад.xlsx.lnk | Positions of the enemy west and southwest.xlsx.lnk\r\nРИБАК Станіслав Вікторович.docx.lnk | RYBAK Stanislav Viktorovich.docx.lnk\r\nШАШИЛО Олександр Віталійович.docx.lnk | SHASHILO Oleksandr Vitaliyevich.docx.lnk\r\nThe translations of these names show the intent of this campaign in using a war-related theme. Some of the files use the names of Russian or Ukrainian agents, while others allude to troop movements in the region of conflict.\r\nThese files contain metadata indicating that only two machines were used to create the malicious shortcut files. As we mentioned in a previous blog, Gamaredon tends to use a short list of machines when creating the LNK files for their campaigns, and the ones used in this campaign were previously seen by Talos in incidents related to this threat group.\r\nThe LNK files contain PowerShell code used to download and execute the next-stage payload, as well as a decoy file which is shown to the user after the infection occurs as a way to disguise the compromise.\r\nThe PowerShell code uses the cmdlet Get-Command to indirectly invoke the functions that download and execute the payload, which could be an attempt to bypass string-based detection by antivirus solutions.\r\nThe servers used in this campaign are hosted in Germany and Russia, and at the time of our assessment all of them returned HTTP error 403 when we attempted to download the payload files. This indicates that either the files were taken offline or access to them is being restricted. Gamaredon is known to restrict access to their payload servers to victims located in Ukraine. We found evidence in public sample databases that these servers were still serving the files to specific regions while returning access-denied errors in our tests, such as this sample available in the \"Any.run\" public sandbox: https://app.any.run/tasks/f9dc0beb-b125-478d-9091-739d2e3325be\r\nNetwork infrastructure associated with the campaign\r\nThe servers used in this campaign are mostly hosted by two Internet Service Providers (ISPs), GTHost (AS63023) and HyperHosting (AS60602).\r\nThese servers are used to distribute the payload and the decoy document, but Talos found evidence of at least one server being used as the command and control (C2) server for the Remcos backdoor.\r\nWe have also found evidence of an interesting artifact in the DNS resolution for some of these servers. Even though all communication with these servers is done directly via IP address, the reverse DNS records for some of these IPs show an invalid entry that is quite unique.\r\nFigure: Reverse DNS resolution for Gamaredon's campaign. Modeled using Crime Mapper (by @UK_Daniel_Card)\r\nWhile this doesn't necessarily mean the attackers manually changed these records, it did help uncover at least two additional IPs matching the characteristics of the other servers in this campaign.\r\nDLL sideloading used to load Remcos backdoor\r\nGamaredon has previously been known to use custom scripts and tools in their attack chains, but Talos has observed the use of the Remcos backdoor as an alternative tool in their campaigns.\r\nOnce the ZIP payload is downloaded from the servers, it is extracted to the %TEMP% folder and executed. The binary that is executed is a clean application which in turn loads the malicious DLL via DLL sideloading. This DLL is a malicious loader which decrypts and executes the final Remcos payload from encrypted files found within the ZIP.\r\nThe PowerShell files we observed downloading the ZIP files contain hints of various applications being abused for DLL sideloading, and the archives contain a mix of clean and malicious files:\r\nDefenderUpdate/DPMHelper.exe\r\nDefenderUpdate/DZIPR.exe\r\nDefenderUpdate/IDRBackup.exe\r\nDefenderUpdate/IUService.exe\r\nDefenderUpdate/madHcCtrl.exe\r\nDefenderUpdate/palemoon.exe\r\nDrvx64/Compil32.exe\r\nDrvx64/IsCabView.exe\r\nDrvx64/TiVoDiag.exe\r\nDrvx64/WiseTurbo.exe\r\nSecurityCheck/Mp3tag.exe\r\nSysDrive/AcroBroker.exe\r\nSysDrive/DPMHelper.exe\r\nSysDrive/IsCabView.exe\r\nSysDrive/palemoon.exe\r\nSysDrive/SbieSvc.exe\r\nSysDrive/steamerrorreporter64.exe\r\nSysDrive/TiVoDiag.exe\r\nSysDrive/vmhost.exe\r\nThe previously mentioned sample downloaded by \"Any.run\" contains the clean application TivoDiag.exe as well as two DLLs. The file \"mindclient.dll\" is the malicious DLL which is loaded by \"TivoDiag.exe\" during execution.\r\nThe payload binary is a typical Remcos backdoor which is injected into Explorer.exe. It communicates with the C2 server 146[.]185[.]233[.]96 on port 6856.\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware detailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of their campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat Defense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this threat.\r\nCisco Secure Network/Cloud Analytics (Stealthwatch/Stealthwatch Cloud) analyzes network traffic automatically and alerts users of potentially unwanted activity on every connected device.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco Secure products.\r\nCisco Secure Access is a modern cloud-delivered Security Service Edge (SSE) built on Zero Trust principles. Secure Access provides seamless, transparent and secure access to the internet, cloud services or private applications no matter where your users work. Please contact your Cisco account representative or authorized partner if you are interested in a free trial of Cisco Secure Access.\r\nUmbrella, Cisco's secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and URLs, whether users are on or off the corporate network.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites and tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall Management Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your network.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack available for purchase on Snort.org.\r\nSnort SIDs for this threat:\r\nSnort 2: 64707, 64708\r\nSnort 3: 301171\r\nIndicators of Compromise\r\nIOCs for this threat can be found in our GitHub repository here.\r\nSource: https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE",
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/"
	],
	"report_names": [
		"gamaredon-campaign-distribute-remcos"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434713,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9b8318e830d11254f8884a7af42a1676d9c51b0b.pdf",
		"text": "https://archive.orkl.eu/9b8318e830d11254f8884a7af42a1676d9c51b0b.txt",
		"img": "https://archive.orkl.eu/9b8318e830d11254f8884a7af42a1676d9c51b0b.jpg"
	}
}