Russian state-backed cyberespionage operation Gamaredon has launched attacks spreading the Remcos RAT malware against Ukraine as part of a phishing campaign that has been underway since November, reports Security Affairs.
Gamaredon, also known as ACTINIUM, Armageddon, Callisto, and Primitive Bear, distributes phishing emails with troop-related lures that include malicious LNK files. The LNK files contain PowerShell code that facilitates deployment of a second-stage payload and a decoy file to evade detection, according to an analysis from Cisco Talos. The payload is extracted to the %TEMP% folder, followed by side-loading of another DLL that loads, decrypts, and executes Remcos RAT. Further analysis of Gamaredon's PowerShell scripts indicates exploitation of legitimate applications and the use of both clean and malicious files, said Cisco Talos researchers. "We can see in the previously mentioned sample downloaded by 'Any.run' that it contains the clean application TivoDiag.exe, as well as two DLLs. The file 'mindclient.dll' is the malicious DLL which is loaded by 'TivoDiag.exe' during execution," the report noted.
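A detection sketch for the side-loading pattern described above, added here as an example and not taken from the Cisco Talos report: it flags an unsigned DLL loaded from the same %TEMP% directory as its host executable, and generalizes beyond the named TivoDiag.exe and mindclient.dll pair to any such pair. The events are constructed, use Sysmon Event ID 7 field names, and assume the planted DLL is unsigned; the user name, subfolders, and other file names are hypothetical.

```python
import ntpath

# Staging locations: the report says the payload is extracted under %TEMP%.
TEMP_MARKERS = ("\\appdata\\local\\temp\\", "\\windows\\temp\\")
# File pair named in the Cisco Talos quote.
PAGE_NAMED_PAIR = ("tivodiag.exe", "mindclient.dll")

# Constructed events; keys follow Sysmon Event ID 7 (Image loaded).
# "Signed" describes the loaded module. Paths and users are made up.
T = r"C:\Users\user1\AppData\Local\Temp"
SAMPLE_EVENTS = [
    {"Image": T + r"\stage\TivoDiag.exe",
     "ImageLoaded": T + r"\stage\mindclient.dll", "Signed": "false"},
    {"Image": T + r"\stage\TivoDiag.exe",
     "ImageLoaded": r"C:\Windows\System32\kernel32.dll", "Signed": "true"},
    {"Image": T + r"\inst\setup.exe",
     "ImageLoaded": T + r"\inst\helper.dll", "Signed": "false"},
    {"Image": T + r"\inst\setup.exe",
     "ImageLoaded": T + r"\inst\vendor.dll", "Signed": "true"},
    {"Image": r"C:\Program Files\Vendor\app.exe",
     "ImageLoaded": r"C:\Program Files\Vendor\plugin.dll", "Signed": "false"},
]


def in_temp(path):
    """True when the path sits under a user or system temp directory."""
    return any(m in ntpath.normcase(path) for m in TEMP_MARKERS)


def find_sideloads(events):
    """Return one finding per unsigned DLL loaded from the same temp
    directory as the executable that loaded it."""
    findings = []
    for ev in events:
        exe = ntpath.normcase(ev["Image"])
        dll = ntpath.normcase(ev["ImageLoaded"])
        if not dll.endswith(".dll") or not in_temp(exe):
            continue  # host binary is not running from a staging folder
        if ntpath.dirname(exe) != ntpath.dirname(dll):
            continue  # module came from elsewhere, e.g. System32
        if ev.get("Signed", "false").lower() == "true":
            continue  # signed module next to the host binary
        pair = (ntpath.basename(exe), ntpath.basename(dll))
        findings.append({
            "process": ev["Image"],
            "dll": ev["ImageLoaded"],
            "severity": "high" if pair == PAGE_NAMED_PAIR else "medium",
        })
    return findings
```
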