Gamaredon campaign abuses LNK files to distribute Remcos backdoor

    Date: 03/31/2025

    Severity: Medium

    Summary

    A campaign targeting users in Ukraine is using malicious LNK files that launch a PowerShell downloader. The files are named with Russian words related to troop movements in Ukraine to lure victims into opening them. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage ZIP archive containing the Remcos backdoor, which is executed via DLL side-loading. This activity is believed to be associated with the Gamaredon threat actor group.

    Indicators of Compromise (IOC) List

    IP Address


    Hash


    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    dstipaddress IN ("146.185.239.56","146.185.233.99","146.185.233.97","146.185.239.47","80.66.79.200","146.185.233.98","146.185.239.45","80.66.79.159","80.66.79.195","80.66.79.91","146.185.233.101","146.185.233.96","146.185.239.51","146.185.233.79","146.185.233.90","146.185.239.33","146.185.239.60","80.66.79.155","81.19.131.95") or ipaddress IN ("146.185.239.56","146.185.233.99","146.185.233.97","146.185.239.47","80.66.79.200","146.185.233.98","146.185.239.45","80.66.79.159","80.66.79.195","80.66.79.91","146.185.233.101","146.185.233.96","146.185.239.51","146.185.233.79","146.185.233.90","146.185.239.33","146.185.239.60","80.66.79.155","81.19.131.95") or publicipaddress IN ("146.185.239.56","146.185.233.99","146.185.233.97","146.185.239.47","80.66.79.200","146.185.233.98","146.185.239.45","80.66.79.159","80.66.79.195","80.66.79.91","146.185.233.101","146.185.233.96","146.185.239.51","146.185.233.79","146.185.233.90","146.185.239.33","146.185.239.60","80.66.79.155","81.19.131.95") or srcipaddress IN ("146.185.239.56","146.185.233.99","146.185.233.97","146.185.239.47","80.66.79.200","146.185.233.98","146.185.239.45","80.66.79.159","80.66.79.195","80.66.79.91","146.185.233.101","146.185.233.96","146.185.239.51","146.185.233.79","146.185.233.90","146.185.239.33","146.185.239.60","80.66.79.155","81.19.131.95")

    Detection Query 2

    sha256hash IN ("f76dfaab6e248d88241a17b5a58fd2405d0d1954364bce9144156eba3904dd6a","28a5acd85516b62d870bd89df464360ecc705324c8e5266e81e7622b25c9d4ff","ab1fc7f73bf3867dfc471f9aeb815af0d83e4e2c5eeb85365a266daf53af39cb","2bc8446ee880b1097e1220e1922251f209b5368e1388c135c032ba01f32b8b5a","953b5b7878bb2c4f40f2b131a01399c1b170731206bc09cb5a133ab996ec691c","cdd21e4f9ff1d1cfcf4888342fa2be5452eb3cbe7ba28e4e98fa44c879fe0265","fbd030b53088a536d7e6b6a80e4767c097fbfcb11a921dd7c0fa938322f96842","9139646892f67f12dd2a9d2b43a7ae28f1556f5e42332effcf6ea17a63794a44","c85f1325590ee8600759334d3a2c807eae599eff4a4255dab0f59c31667e6bdd","27e226d57abfb671b676eb82fe286db0964d35fff73c905573550052e0242176","15a5e11ea8f416f7d27d02ce876bfa8dcd22cdedb93764bffc8db4c5a922ae18","0737b47a47defc6051cec713f53d8fd4d532ff0011fc94d6b01c5a525bfbae44","eb8da26034035f08946acb6fc127e3b2db884a024a61aea99397c46aedc70145","8087db3c43840caccb9756893cdaff707311dc195f34de471cc259b1b62e3411","0321758329ca44f1c9f7e15a37f081df39ba37598b1547d2f2bbc839b34f0b2b","dc92d2870219833832ea758afcb19c285f65bf3a6a3ace225b499f744d6063a4","71b900826c223ca6c73882346375434b7f29f3955e3904bd240b88fc6ab6e802","ff26b2cc11696d5931757cc6bdafb1163f48b7f41f17d1e593ea3ee9f5176e2e","c8a636d150a0045eb799ccc7c5e2fa46156f3f72167b9e49456a358e484eac8b","995f76b1f695f92179f2ec93fd1f67d5a58753bc6d0ff00a46653d634e3000fe","d00418cd52123f9f6a9bd0edafc77d7fa39f68de6be84ec07ed67a735872f939","048642a4773c5b3bb0b1cbc260a4f08c5db6c95a390971347ea5b055ed1b4dbe","d7c0655c6f1db4acb14bb4c1ddec34ce8f3849c9e0bf9e28d28c8f1c00121fd7","0ca3239a90cc3421062090129932050f793e2fb81498711703a9d32967aba9ce","393421a3673ef684fb916c4b61efdde54d76f14787b422e1a469e5e97b5c098a","bf7bed4724ec1cf1dda5ac1a1ace33eaa52394c0ee9976ade1bbef17d4b1a717","c4d4213ff3b737fe20248362687a0cd3008b630a65b230b06fba282379665c83","693874fcf694a9a9ad04fe75d96de7fe9ebe2e07ee1441c79ac3e8eb8aeb06b5","8800edc6961be56a9d44f843d224f19b47834bd57037cff2041b7c563d3d2422","b34cc0a4ee0bfff6d788387730a748ad9055456a648d072d436e44ef7050babc","dc02cfebbc64d6dbcc3a1b1a2cc91cb763c0be9a72ac141c2f06db74aa56cfe7","58c651a2fa72cee6d867fc80790b9b26eca30b9cb0dbb129ac1b175b25d38c3a","ecf7e135bcdcad3274e94c6ab918b683da619e91a9e0c68bd8d6355b33bfc5da","7ea77f4746f21e89df52c9a54c12135f3f45f7a342e8b1dba09abf2a7e8c4f15","5300b4624e8e95c8dd86859f1f84c054c26a4869c4c3d714e9c6d7a01b2c11ae","c64554c29d798e6006aa5845da7252f18c01e305f61071e314a23ab143ed73f8","7919c32cf82736197cf7ea99056560c18e28f8b726a6be8700625508524e5167","802f56cc84689a68112a2cf76ddce70e1e3956038e19bb8c58f74d5713d72a5f","15a2e86d950ac4b11cc38c437f7d38b6be47f5e03ab9bdf05db344afddbc73ae","a3e5337650a53d3d6cbe13b1cd32e493f0292dec9d9483de8f8322fe634f63c5","d0e8a91af95d62dc58dbfd64970f1b255c6bffedeaf21b3e6ec4e89496f6c67a","cd229d29ef929feb9a74a6b265fd26caa3fd5be2d2150ba359336307799872be")

    Detection Query 3

    sha256hash IN ("236850ae28015cf9b0f20a677ade5bef2a85bef665585c48d88cc00a823323ad","79af449339eb1410e8f3ed8d7fe7649b079e0143a06ef91cc78f296b0e927901","502104d48d0a4735a6a051744277c9231f8da156311ec99367bca50b7a47a613","330d36e248881a0a24a7d0612f3ac9a5a24cc960b36c2fe9ba0d63941b12fc18","83024c7a9ba256a36fb9b751926170c08dd4daa1866c119856cd091b1275897f","9b01625fb72ba8c3c840ab46d1eaebcff87a0f109f36c6744ba191ee82784981","899a46e956e82b9da2b86eae8cbdec1e68521c708a87bce1a2ae11b20538eb55","ef0b2e0c337e11a94279025f9cdeba519d1aee7c1af3013053fe510955e2aa85","acb3954b95e3c897d5ac69a8cc09ed81aace7b3193aa637f5ceb2a4a23204078","5a26624600d7ef102375317a32db739531bfab91335131edd1e2362f2753e693","4117245310c57f687d0c353c06a6eda4c1e93ebee33fb5f712142c272a3c1108","033de779278ecfdee7117d5d0a710e22eb501421e0c5f93e4ea3e82f414bbb90","0c0d6e88326574a8b761f71c9e0bb186ce17bdd4fe1ac68d080113fa3f0a6fdd","121746df4264aca0c138d35bbe5e2c6eaaa60b72967a527687e83d7e2c653207","134d02ddcc75a2d7e0e1824d430ba2e9a2a96682452fa6ec84660ed5d0a88023","292fce69ac86ae1db56589d018bd390596847a9fe531797102a18c9ff7697d42","43a9f0a3963d700a6d586c65fc7fdd1bb562b861942c384e7767213cf1059ef9","48c9152e48c525960663f98579edaa35f94025015403bb382f32cb78d69fd850","5b2ad349dd02a00bc8860294657139d681b0c786afcbcb1ffab77f57b01e7b00","5baa482ac4553b9939c49c16da6e0f4fda2cf9f2ae0248774214943c2d86389c","7c50be91304ee573c2bc8823f67ea4f45a1988ceb73ffe5ebcaccaf59e5c1cce","7df17642229f1776a5fb8e64365d95ce345484cbadec23332a3c00657c2f360f","83dab2e356e1069fe48bfba91e1c2cc73ce2738e2870813f9997cee984be583f","86a22e164f96a2d194095419c746cdf12737b78af629d251e0c881f381932a48","949ef0168d19d61cc39a369d18f5c2949686801bbea6f7136f66cfe92fe85907","94ca1389a8af382e347772bb4d977aa7516ea742c99306b78c486f5104b34a1b","a73226550f0b97c3f25411ba62181aa011e8410dec4a1444412f40114704d4c2","a98810a2ba2427067d2412bf67f47f93e22989607d69fc17ff9ac6fc774674cc","c160899ba65ab2c3651dcb98fa13dddea892f72c0aaa1ff63cb98aac67367c56","c91841bd675c5a02d577567baa3a71be3cd37fdb59412f133a3773de6ee10602","cb6458227f8b4b3edbac12bef66edd5b0d8d3712637a6c77db67040360897023","d4fbc5702731a01d96cbaa21bd60333f1d03a994adb5b931687281282c938f12","d73bac6e8a5679394152bb33e64fbe5840ff13953b9ca024003a5045dce715ae","e66e9df50f40aa73dc847f6afdf9852000782841df6b808a75e090e9787604dd","e6df89bb9d51817fff1b7704e70d406584d80839e1bb1cb319c4150015b84914","ecb3d3466686f3201719528b067e306d58f1c61228e1d6e8c7c510cc1536ebd9","f028c4086990756ee37dee303015053c73ec1c4d358e3a6a50b3e88a6c7ffe8e","f06702618720df5bd9b12ee68fa6b498cacea0ce162cd92267748a6dede6f789")
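The three detection queries above all share one shape: `field IN ("v1","v2",...)` terms joined by `or`. The following added example (not part of the advisory or of Gurucul's product) parses that syntax into per-field IOC sets and replays it against exported events, normalising case so an uppercase SHA-256 in a log still matches; the query strings and events are constructed excerpts using a few values from the queries above.

```python
import re

# Constructed excerpts of Detection Query 1 and Query 2 (same syntax, shorter lists).
QUERY_1 = ('dstipaddress IN ("146.185.239.56","80.66.79.155") or '
           'srcipaddress IN ("146.185.239.56","80.66.79.155")')
QUERY_2 = 'sha256hash IN ("f76dfaab6e248d88241a17b5a58fd2405d0d1954364bce9144156eba3904dd6a")'

# One term: <field> IN ( <comma-separated quoted values> )
TERM_RE = re.compile(r'(\w+)\s+IN\s*\(([^)]*)\)', re.IGNORECASE)


def parse_query(query):
    """Return {field: set(values)} for an `a IN (...) or b IN (...)` query.

    Values are lower-cased so hash case in the query never matters.
    """
    terms = {}
    for field, values in TERM_RE.findall(query):
        vals = {v.strip().strip('"').lower() for v in values.split(",") if v.strip()}
        terms.setdefault(field.lower(), set()).update(vals)
    return terms


def merge_queries(queries):
    """Union the per-field IOC sets of several queries into one lookup table."""
    merged = {}
    for q in queries:
        for field, vals in parse_query(q).items():
            merged.setdefault(field, set()).update(vals)
    return merged


def matches(event, terms):
    """Return the (field, value) pairs of `event` that hit an IOC set; [] if none."""
    hits = []
    for field, iocs in terms.items():
        val = event.get(field)
        if val is not None and str(val).strip().lower() in iocs:
            hits.append((field, str(val).strip().lower()))
    return hits


# Constructed sample events (dict per log record), not from the advisory.
EVENTS = [
    {"srcipaddress": "10.0.0.5", "dstipaddress": "146.185.239.56"},
    {"srcipaddress": "10.0.0.5", "dstipaddress": "93.184.216.34"},
    {"sha256hash": "F76DFAAB6E248D88241A17B5A58FD2405D0D1954364BCE9144156EBA3904DD6A"},
]


def scan(events, queries):
    """Map event index -> hits for every event that matches at least one IOC."""
    terms = merge_queries(queries)
    return {i: matches(e, terms) for i, e in enumerate(events) if matches(e, terms)}


if __name__ == "__main__":
    for idx, hits in scan(EVENTS, [QUERY_1, QUERY_2]).items():
        print(f"event {idx}: {hits}")
```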

    Reference:

    https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/

    Tags

    Malware, Threat Actor, Backdoor, REMCOS, Ukraine, CyberEspionage, DLL, Gamaredon
