Latest gambit for Gamaredon: Fake Ukraine troop movement documents with malicious links

A long-running Russian state-backed hacking group appears to be behind an ongoing campaign designed to install a widely used surveillance tool on Ukrainian computers, researchers have found.

The campaign, active since at least November 2024, is attributed with medium confidence to the Gamaredon group in a report by cybersecurity firm Cisco Talos. Also known as BlueAlpha, the group has been described as one of "the most engaged" Moscow-backed cyberthreat actors in the region.

In its latest campaign, Gamaredon used phishing emails containing malicious files related to troop movements in Ukraine to infect victims. The invasion of Ukraine is a common theme in Gamaredon’s phishing campaigns, according to the researchers.

The malicious files execute a PowerShell script that connects to servers in Russia and Germany to download a ZIP file containing the Remcos spying tool.

While the exact distribution method remains unclear, researchers suggest Gamaredon likely continues to rely on phishing emails, either attaching the ZIP file directly or providing a link to download it from a remote server.

Gamaredon, active since at least 2013, is believed to operate from the Russian-annexed Crimean peninsula under the control of Russia’s Federal Security Service (FSB). In 2023 alone, Ukraine detected 277 cyber incidents attributed to the group.

Remcos, the remote administration tool deployed in the campaign, was originally developed by the Germany-based firm Breaking Security for legitimate Windows system management. The company describes it as "a lightweight, fast, and highly customizable" tool, available in both a free version and a premium version for $80.

However, when exploited by hackers, Remcos enables unauthorized surveillance, allowing attackers to collect victim data, extract login credentials from major web browsers, and bypass antivirus protection by running as a legitimate Windows process.

The campaign comes amid several recent reports on Russian cyber activity. Last week, cybersecurity researchers linked a separate Russian hacking group, Water Gamayun, to the exploitation of a previously unknown security vulnerability in Microsoft Windows. Researchers at Trend Micro said the group deployed two new backdoors, labeled SilentPrism and DarkWisp, in its attacks.

Meanwhile, cybersecurity firm Silent Push reported that hackers aligned with Russian intelligence have been impersonating organizations, including the CIA, to gather intelligence on individuals supportive of Ukraine. The campaign specifically targets Russian citizens engaged in anti-war activities—actions that are illegal in Russia and can lead to arrests.