dmv.community is one of the many independent Mastodon servers you can use to participate in the fediverse.
A small regional Mastodon instance for those in the DC, Maryland, and Virginia areas. Local news, commentary, and conversation.

#gamaredon

2 posts · 2 participants · 0 posts today
OTX Bot
<p>Gamaredon Targets Troops via Malware</p><p>Pulse ID: 67eb266fe6461777fb05efa7<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67eb266fe6461777fb05efa7" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67eb2</span><span class="invisible">66fe6461777fb05efa7</span></a> <br>Pulse Author: cryptocti<br>Created: 2025-03-31 23:34:07</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Gamaredon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gamaredon</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/Malware" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Malware</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/cryptocti" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>cryptocti</span></a></p>
OTX Bot
<p>Gamaredon campaign abuses LNK files to distribute Remcos backdoor</p><p>A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading to execute the Remcos backdoor. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by GTHost and HyperHosting ISPs. The attack chain involves DLL sideloading to load the Remcos backdoor, which communicates with a C2 server on a specific port.</p><p>Pulse ID: 67e6c6b5e3b5eec595438366<br>Pulse Link: <a href="https://otx.alienvault.com/pulse/67e6c6b5e3b5eec595438366" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">otx.alienvault.com/pulse/67e6c</span><span class="invisible">6b5e3b5eec595438366</span></a> <br>Pulse Author: AlienVault<br>Created: 2025-03-28 15:56:37</p><p>Be advised, this data is unverified and should be considered preliminary. Always do further verification.</p><p><a href="https://social.raytec.co/tags/BackDoor" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>BackDoor</span></a> <a href="https://social.raytec.co/tags/CyberSecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>CyberSecurity</span></a> <a href="https://social.raytec.co/tags/Gamaredon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gamaredon</span></a> <a href="https://social.raytec.co/tags/Germany" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Germany</span></a> <a href="https://social.raytec.co/tags/InfoSec" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>InfoSec</span></a> <a href="https://social.raytec.co/tags/LNK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LNK</span></a> <a href="https://social.raytec.co/tags/OTX" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OTX</span></a> <a href="https://social.raytec.co/tags/Office" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Office</span></a> <a href="https://social.raytec.co/tags/OpenThreatExchange" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>OpenThreatExchange</span></a> <a href="https://social.raytec.co/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://social.raytec.co/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> <a href="https://social.raytec.co/tags/Remcos" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Remcos</span></a> <a href="https://social.raytec.co/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://social.raytec.co/tags/SideLoading" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>SideLoading</span></a> <a href="https://social.raytec.co/tags/UK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>UK</span></a> <a href="https://social.raytec.co/tags/Ukr" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ukr</span></a> <a href="https://social.raytec.co/tags/Ukraine" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ukraine</span></a> <a href="https://social.raytec.co/tags/Word" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Word</span></a> <a href="https://social.raytec.co/tags/bot" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>bot</span></a> <a href="https://social.raytec.co/tags/AlienVault" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>AlienVault</span></a></p>
Christoffer S.
<p>(talosintelligence.com) Gamaredon APT Targets Ukraine with Remcos Backdoor Using War-Themed Lures <a href="https://blog.talosintelligence.com/gamaredon-campaign-distribute-remcos/" rel="nofollow noopener noreferrer" translate="no" target="_blank"><span class="invisible">https://</span><span class="ellipsis">blog.talosintelligence.com/gam</span><span class="invisible">aredon-campaign-distribute-remcos/</span></a></p><p>Cisco Talos is tracking a campaign targeting Ukrainian users with malicious LNK files that deliver the Remcos backdoor. The campaign, attributed with medium confidence to the Gamaredon APT group, uses Russian-language lures related to troop movements in Ukraine. The attack chain involves LNK files that execute PowerShell code to download a ZIP file containing the Remcos backdoor, which is then executed through DLL side-loading techniques. The attackers use geo-fenced servers in Russia and Germany that restrict access to Ukrainian IP addresses. This represents a continuation of Gamaredon's targeting of Ukrainian entities, though their use of the commercial Remcos backdoor marks a shift from their typical custom tooling.</p><p><a href="https://swecyb.com/tags/Cybersecurity" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Cybersecurity</span></a> <a href="https://swecyb.com/tags/ThreatIntel" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>ThreatIntel</span></a> <a href="https://swecyb.com/tags/Gamaredon" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Gamaredon</span></a> <a href="https://swecyb.com/tags/Ukraine" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Ukraine</span></a> <a href="https://swecyb.com/tags/Russia" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Russia</span></a> <a href="https://swecyb.com/tags/Phishing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Phishing</span></a> <a href="https://swecyb.com/tags/LNK" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>LNK</span></a> <a href="https://swecyb.com/tags/PowerShell" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>PowerShell</span></a> <a href="https://swecyb.com/tags/GeoFencing" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>GeoFencing</span></a> <a href="https://swecyb.com/tags/Espionage" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>Espionage</span></a> <a href="https://swecyb.com/tags/NationState" class="mention hashtag" rel="nofollow noopener noreferrer" target="_blank">#<span>NationState</span></a></p>