Hackers using Remcos malware to spy on Ukraine have become stealthier, researchers find

A hacker group linked to cyber espionage operations against Ukraine is improving its tactics to become more secretive and effective, according to a new report.

Tracked as UAC-0050, the group primarily deploys the remote surveillance tool Remcos to target government agencies in Ukraine.

Researchers at the cybersecurity firm Uptycs have discovered a new method that allows hackers to efficiently transfer malicious data while avoiding detection.

According to the report, the hackers have implemented a pipe method for their communication — a technique where different programs or parts of a computer system can work together and smoothly exchange information.

Using “pipes” within the Windows operating system creates a covert channel for data transfer and allows hackers to stay under the radar of antivirus systems. “Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies,” researchers said.

Earlier in December, Ukraine’s computer emergency response team (CERT-UA) discovered an attack by UAC-0050 targeting government agencies with Remcos.

The hackers disguised their phishing letters as requests from Ukraine’s security service (SBU) and Kyivstar, the country’s telecom operator, which was recently targeted in a cyberattack.

In a similar campaign detected by Uptycs in December, hackers sent malicious emails disguised as job offers, specifically targeting Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF).

The group's previous campaigns followed a similar attack pattern.

CERT-UA’s spokesperson previously told Recorded Future News that UAC-0050 has been active since at least 2020, attacking government agencies not only in Ukraine but also in the Baltic states and Russia.

The group hasn't been linked to any known threat actor or specific country.

“While the possibility of state sponsorship remains speculative, the group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems,” said researchers at Uptycs.

The group’s main weapon, Remcos, was developed by the Germany-based firm Breaking Security for remotely managing Windows systems, according to research from cybersecurity firm Trend Micro.

Breaking Security openly advertises Remcos, describing it as “a lightweight, fast, and highly customizable remote administration tool with a wide array of functionalities.” Users can download the free version of the software or buy the premium version for $80.

When abused by hackers, Remcos can gather information about the victim and remove cookies and login data from Internet Explorer, Firefox and Chrome, according to Uptycs.

Remcos can also bypass antivirus protection by running as a legitimate process on Windows and gain administrative privileges to disable user account control.