{"id":827,"date":"2025-03-30T09:39:25","date_gmt":"2025-03-30T09:39:25","guid":{"rendered":"https:\/\/techtrendfeed.com\/?p=827"},"modified":"2025-03-30T09:39:25","modified_gmt":"2025-03-30T09:39:25","slug":"gamaredon-hackers-weaponize-lnk-recordsdata-to-ship-remcos-backdoor","status":"publish","type":"post","link":"https:\/\/techtrendfeed.com\/?p=827","title":{"rendered":"Gamaredon Hackers Weaponize LNK Recordsdata to Ship Remcos backdoor"},"content":{"rendered":"<p> <br \/>\n<\/p>\n<div>\n<p>Cisco Talos has uncovered an ongoing cyber marketing campaign by the Gamaredon risk actor group, focusing on Ukrainian customers with malicious LNK information to ship the Remcos backdoor.<\/p>\n<p>Lively since no less than November 2024, this marketing campaign employs spear-phishing techniques, leveraging themes associated to the Ukraine battle to lure victims into executing the malicious information.<\/p>\n<p>The LNK information, disguised as Workplace paperwork, are distributed inside ZIP archives and carry filenames referencing troop actions and different war-related subjects in Russian or Ukrainian.<\/p>\n<p>The assault begins with the execution of a PowerShell downloader embedded in <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/coyote-malware-launches-stealthy-attack-on-windows-systems\/\" target=\"_blank\" rel=\"noreferrer noopener\">the LNK file<\/a>.<\/p>\n<p>This downloader contacts geo-fenced servers situated in Russia and Germany to retrieve a second-stage ZIP payload containing the Remcos backdoor.<\/p>\n<p>The downloaded payload employs DLL sideloading methods to execute the backdoor, a way that entails loading malicious DLLs by means of legit purposes. This strategy permits attackers to bypass conventional detection mechanisms.<\/p>\n<h2 class=\"wp-block-heading\"><strong><strong>Refined Supply Mechanisms<\/strong><\/strong><\/h2>\n<p>Gamaredon\u2019s phishing emails seemingly embody both direct attachments of the ZIP information or URLs redirecting victims to obtain them.<\/p>\n<p>The marketing campaign\u2019s filenames, corresponding to \u201cCoordinates of enemy takeoffs for 8 days\u201d or \u201cPositions of the enemy west and southwest,\u201d counsel a deliberate try to take advantage of delicate geopolitical themes.<\/p>\n<p>Metadata evaluation signifies that solely two machines had been used to create these malicious shortcut information, in step with Gamaredon\u2019s operational patterns noticed in earlier campaigns.<\/p>\n<p><a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/gbhackers.com\/north-korean-hackers-use-zip-files\/\" target=\"_blank\" rel=\"noreferrer noopener\">The PowerShell scripts<\/a> embedded within the LNK information use obfuscation methods, corresponding to leveraging the <code>Get-Command<\/code> cmdlet, to evade antivirus detection. As soon as executed, these scripts obtain and extract the ZIP payload into the <code>%TEMP%<\/code> folder.<\/p>\n<p>The payload contains clear binaries that load malicious DLLs, which decrypt and execute the ultimate Remcos backdoor payload.<\/p>\n<p>This backdoor is injected into <code>Explorer.exe<\/code> and communicates with command-and-control (C2) servers hosted on infrastructure based in Germany and Russia.<\/p>\n<h2 class=\"wp-block-heading\"><strong><strong>Focused Infrastructure and Indicators of Compromise<\/strong><\/strong><\/h2>\n<p>The marketing campaign\u2019s C2 servers are hosted by Web Service Suppliers corresponding to GTHost and HyperHosting.<\/p>\n<p>Notably, Gamaredon restricts entry to those servers primarily based on geographic location, limiting them to Ukrainian victims.<\/p>\n<p>Reverse DNS information for a few of these servers reveal distinctive artifacts which have helped researchers establish further IP addresses related to this operation.<\/p>\n<p>The Remcos backdoor itself offers attackers with sturdy capabilities for distant management, together with information exfiltration and system manipulation.<\/p>\n<p>Cisco Talos has <a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/blog.talosintelligence.com\/gamaredon-campaign-distribute-remcos\/\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">noticed<\/a> proof of fresh purposes like <code>TivoDiag.exe<\/code> being abused for DLL sideloading throughout this marketing campaign.<\/p>\n<p>Gamaredon\u2019s use of superior methods corresponding to DLL sideloading, geo-fenced infrastructure, and thematic phishing underscores its persistence in focusing on Ukraine amidst ongoing geopolitical tensions.<\/p>\n<p>Organizations are suggested to stay vigilant in opposition to such threats by implementing sturdy endpoint safety, e-mail safety measures, and community monitoring options.<\/p>\n<p>IOCs for this risk may be present in our GitHub repository\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/github.com\/Cisco-Talos\/IOCs\/tree\/main\/2025\/03\/iocs_gamaredon_remcos.txt\" target=\"_blank\" rel=\"noreferrer noopener nofollow\">right here<\/a>. \u00a0\u00a0\u00a0<\/p>\n<p class=\"has-text-align-center has-background\" style=\"background:linear-gradient(135deg,rgb(238,238,238) 94%,rgb(169,184,195) 100%)\"><strong><strong><code><strong>Discover this Information Attention-grabbing! Comply with us on\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/news.google.com\/publications\/CAAqKAgKIiJDQklTRXdnTWFnOEtEV2RpYUdGamEyVnljeTVqYjIwb0FBUAE?hl=en-IN&amp;gl=IN&amp;ceid=IN%3Aen\" target=\"_blank\" rel=\"noreferrer noopener\">Google Information<\/a>,\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/www.linkedin.com\/company\/cybersecurity-news\/\" target=\"_blank\" rel=\"noreferrer noopener\">LinkedIn<\/a>, and\u00a0<a rel=\"nofollow\" target=\"_blank\" href=\"https:\/\/x.com\/The_Cyber_News\" target=\"_blank\" rel=\"noreferrer noopener\">X<\/a>\u00a0to Get On the spot Updates<\/strong><\/code>!<\/strong><\/strong><\/p>\n<\/div>\n\n","protected":false},"excerpt":{"rendered":"<p>Cisco Talos has uncovered an ongoing cyber marketing campaign by the Gamaredon risk actor group, focusing on Ukrainian customers with malicious LNK information to ship the Remcos backdoor. Lively since no less than November 2024, this marketing campaign employs spear-phishing techniques, leveraging themes associated to the Ukraine battle to lure victims into executing the malicious [&hellip;]<\/p>\n","protected":false},"author":2,"featured_media":829,"comment_status":"open","ping_status":"open","sticky":false,"template":"","format":"standard","meta":{"footnotes":""},"categories":[58],"tags":[558,128,129,553,554,556,557,555],"class_list":["post-827","post","type-post","status-publish","format-standard","has-post-thumbnail","hentry","category-cybersecurity","tag-backdoor","tag-deliver","tag-files","tag-gamaredon","tag-hackers","tag-lnk","tag-remcos","tag-weaponize"],"_links":{"self":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/827","targetHints":{"allow":["GET"]}}],"collection":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts"}],"about":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/types\/post"}],"author":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/users\/2"}],"replies":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcomments&post=827"}],"version-history":[{"count":1,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/827\/revisions"}],"predecessor-version":[{"id":828,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/posts\/827\/revisions\/828"}],"wp:featuredmedia":[{"embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=\/wp\/v2\/media\/829"}],"wp:attachment":[{"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fmedia&parent=827"}],"wp:term":[{"taxonomy":"category","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Fcategories&post=827"},{"taxonomy":"post_tag","embeddable":true,"href":"https:\/\/techtrendfeed.com\/index.php?rest_route=%2Fwp%2Fv2%2Ftags&post=827"}],"curies":[{"name":"wp","href":"https:\/\/api.w.org\/{rel}","templated":true}]}}<!-- This website is optimized by Airlift. Learn more: https://airlift.net. Template:. Learn more: https://airlift.net. Template: 685c67a6190636ee3fc1d391. Config Timestamp: 2025-06-25 21:18:30 UTC, Cached Timestamp: 2025-07-09 23:39:59 UTC -->