{
	"id": "b60e9bea-761e-46cf-b13d-08360406a071",
	"created_at": "2026-04-06T00:17:03.894723Z",
	"updated_at": "2026-04-10T03:31:27.577545Z",
	"deleted_at": null,
	"sha1_hash": "e8e349825b42d4a3661a54e7b812bd3a693282e9",
	"title": "Remcos software deployed in spying attempt on Ukraine’s government, CERT says",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 80537,
	"plain_text": "Remcos software deployed in spying attempt on Ukraine’s\r\ngovernment, CERT says\r\nBy Daryna Antoniuk\r\nPublished: 2023-02-10 · Archived: 2026-04-05 14:59:09 UTC\r\nIn a recent phishing campaign against Ukrainian government agencies, hackers attempted to install Remcos\r\nsurveillance software on victims’ computers, according to a recent alert.\r\nRemcos is a legitimate remote management software for Windows systems developed by the German firm\r\nBreaking Security. However, it is sometimes used by hackers to gain remote access and complete control over\r\nvictims’ computers.\r\nThe bogus emails contained a malicious file reminding recipients to pay for services from Ukrtelecom, a major\r\nUkrainian internet service provider, according to an alert issued Monday by Ukraine’s computer emergency\r\nresponse team (CERT-UA).\r\nOne of the archives attached to the email contained an executable file of more than 600MB in size. Running this\r\nfile installed the Remcos program on the victim's computer.\r\nCERT-UA did not disclose which Ukrainian government services were targeted by phishing emails or whether\r\nhackers managed to successfully install the spyware. The agency pinned the effort on a group labeled UAC-0050\r\nthat has been active in Ukraine since 2020. 
The hackers carried out previous attacks using remote desktop\r\nsoftware Remote Utilities, CERT-UA said.\r\nA possible goal of the group is espionage, according to CERT-UA, as its members mostly targeted Ukraine’s\r\ngovernment services.\r\nFamiliar in phishing\r\nBreaking Security openly advertises Remcos on its website, describing it as “a lightweight, fast, and highly\r\ncustomizable remote administration tool with a wide array of functionalities.” Users can download the free version\r\nof the software or buy the premium version for €58 ($62).\r\nThe software is usually embedded in a malicious ZIP file masquerading as a PDF that claims to contain an invoice\r\nor order, according to CheckPoint.\r\nIn one attack last year, threat actors disguised a phishing email as a payment notification from a trusted bank and\r\nasked the recipient to open the attached Excel file, according to Fortinet research.\r\nThis Excel file displayed a yellow security bar warning the victim about dangerous macro code. The file message\r\nlured the victim into clicking the button to bypass the warning and execute the malicious macro code, Fortinet\r\nexplains.\r\nWith Remcos software, hackers can steal user credentials, gain control over online accounts and deploy additional\r\nmalware variants on an infected computer, researchers said.\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. 
Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/remcos-spyware-ukraine-government-agencies-uac0050/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/remcos-spyware-ukraine-government-agencies-uac0050/"
	],
	"report_names": [
		"remcos-spyware-ukraine-government-agencies-uac0050"
	],
	"threat_actors": [
		{
			"id": "a2e59183-d83f-47aa-adf9-97925d8e6452",
			"created_at": "2023-12-08T02:00:05.762162Z",
			"updated_at": "2026-04-10T02:00:03.496538Z",
			"deleted_at": null,
			"main_name": "UAC-0050",
			"aliases": [],
			"source_name": "MISPGALAXY:UAC-0050",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		}
	],
	"ts_created_at": 1775434623,
	"ts_updated_at": 1775791887,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/e8e349825b42d4a3661a54e7b812bd3a693282e9.pdf",
		"text": "https://archive.orkl.eu/e8e349825b42d4a3661a54e7b812bd3a693282e9.txt",
		"img": "https://archive.orkl.eu/e8e349825b42d4a3661a54e7b812bd3a693282e9.jpg"
	}
}