UAC-0184 Targets Ukrainian Entity in Finland With Remcos RAT

Published: 23/11/2024   Category: security




The IDAT Loader malware was used to deliver the cyber espionage tool, employing steganography, a seldom-seen technique in real-world attacks.



The threat actor tracked as UAC-0184 has been using steganography techniques to deliver the Remcos remote access Trojan (RAT), via a relatively new malware known as the IDAT Loader, to a Ukrainian target based in Finland.
Although the adversary initially targeted entities in Ukraine, defenses there thwarted delivery of the payload, which led to a subsequent search for alternate targets, according to an analysis published today by Morphisec Threat Labs.
While Morphisec didn't disclose campaign details due to customer confidentiality, researchers pointed Dark Reading to parallel campaigns allegedly by UAC-0148 that used email and spear-phishing as the initial access vector, with lures dangling job offers to Ukrainian military personnel for consultancy roles with the Israel Defense Forces (IDF).
The goal was cyber espionage: The Remcos (short for Remote Control and Surveillance) RAT is used by cybercriminals to gain unauthorized access to a victim's computer, remotely control infected systems, steal sensitive information, execute commands, and more.
This specific campaign, first discovered in January, leverages a nested infection approach, starting with a piece of code that carries the novel user-agent string "racon", fetches the second-stage payload, and performs connectivity checks and campaign analytics.
Morphisec identified that payload as the IDAT Loader, aka HijackLoader, which is an advanced loader that has been observed to work with multiple malware families, the researchers explain. It was first observed in late 2023.
IDAT refers to the image data chunk within the Portable Network Graphics (PNG) file format. True to its name, the loader locates and extracts the Remcos RAT code, which is smuggled onto the victim machine inside the IDAT chunk of an embedded steganographic PNG image.
With steganography, actors hide malicious payloads within seemingly innocuous image files to evade detection. Even if the image file is scanned, the payload is encoded inside the image data rather than present as a recognizable executable, so signature-based scanning is unlikely to flag it; the loader drops the image, extracts the hidden payload, and executes it in memory.
The user is not intended to see the PNG image, the researchers explain, and the image used in this specific attack was visually distorted. The initial download was an executable named DockerSystem_Gzv3.exe, delivered as a fake software installation package; running it triggered the subsequent attack stages.
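As an added illustration (this is not Morphisec's code, and it is not IDAT Loader's own extraction routine, which the article does not describe), the Python below walks a PNG's chunk structure, reassembles the IDAT stream, inflates the zlib stream that actually encodes the pixels, and reports any bytes that sit inside IDAT chunks beyond the end of that stream. It goes slightly beyond the text by also flagging bytes after the IEND chunk, chunk CRC mismatches, and a decoded pixel buffer whose size disagrees with IHDR. The 2x2 sample PNG and the "MZ" marker bytes it hides are constructed here so the script runs offline.

```python
"""Scan a PNG for data smuggled inside IDAT chunks.

Added example, not code from Morphisec or from the IDAT Loader: it walks
the chunk list, concatenates the IDAT bodies, inflates the pixel stream and
reports bytes inside IDAT chunks that lie after the end of that stream,
bytes after IEND, and CRC mismatches.
"""
import struct
import zlib

PNG_SIG = b"\x89PNG\r\n\x1a\n"
# PNG colour type -> samples per pixel (grey, RGB, palette, grey+alpha, RGBA)
CHANNELS = {0: 1, 2: 3, 3: 1, 4: 2, 6: 4}


def _chunk(ctype: bytes, body: bytes) -> bytes:
    """Encode one PNG chunk: length, type, body, CRC-32 over type+body."""
    crc = zlib.crc32(ctype + body) & 0xFFFFFFFF
    return struct.pack(">I", len(body)) + ctype + body + struct.pack(">I", crc)


def build_sample_png(smuggled: bytes = b"") -> bytes:
    """Constructed sample (assumption, not a real attack file): a 2x2 8-bit RGB
    PNG. If `smuggled` is given it is appended as an extra IDAT chunk after the
    real image data, the simplest shape of an IDAT-resident payload."""
    width, height = 2, 2
    ihdr = struct.pack(">IIBBBBB", width, height, 8, 2, 0, 0, 0)
    # one filter byte (0 = None) per scanline, followed by `width` RGB pixels
    rows = b"".join(b"\x00" + bytes([r, 0, 0] * width) for r in range(height))
    png = PNG_SIG + _chunk(b"IHDR", ihdr) + _chunk(b"IDAT", zlib.compress(rows))
    if smuggled:
        png += _chunk(b"IDAT", smuggled)
    return png + _chunk(b"IEND", b"")


def iter_chunks(png: bytes):
    """Yield (type, body, crc_ok, next_offset) for each chunk up to IEND."""
    if not png.startswith(PNG_SIG):
        raise ValueError("missing PNG signature")
    pos = len(PNG_SIG)
    while pos + 8 <= len(png):
        length, ctype = struct.unpack(">I4s", png[pos:pos + 8])
        end = pos + 12 + length
        if end > len(png):          # truncated chunk: stop rather than misparse
            break
        body = png[pos + 8:pos + 8 + length]
        (crc,) = struct.unpack(">I", png[pos + 8 + length:end])
        crc_ok = (zlib.crc32(ctype + body) & 0xFFFFFFFF) == crc
        yield ctype, body, crc_ok, end
        pos = end
        if ctype == b"IEND":
            break


def scan_idat(png: bytes) -> dict:
    """Return findings for one PNG; 'suspicious' is True when anything is off."""
    ihdr, idat, bad_crc, after_iend = None, b"", [], b""
    for ctype, body, crc_ok, end in iter_chunks(png):
        if not crc_ok:
            bad_crc.append(ctype.decode("latin-1"))
        if ctype == b"IHDR":
            if len(body) != 13:
                raise ValueError("malformed IHDR")
            ihdr = struct.unpack(">IIBBBBB", body)
        elif ctype == b"IDAT":
            idat += body
        elif ctype == b"IEND":
            after_iend = png[end:]   # a valid PNG ends at IEND
    if ihdr is None:
        raise ValueError("no IHDR chunk")
    width, height, depth, colour, _, _, interlace = ihdr
    expected = None
    if interlace == 0 and colour in CHANNELS:   # Adam7 changes the layout; skip it
        bits = CHANNELS[colour] * depth
        expected = height * (1 + (width * bits + 7) // 8)
    d = zlib.decompressobj()
    try:
        pixels = d.decompress(idat)
        stream_ok = d.eof
        trailing = d.unused_data   # IDAT bytes beyond the end of the zlib stream
    except zlib.error:
        pixels, stream_ok, trailing = b"", False, idat
    result = {
        "expected_len": expected,
        "decoded_len": len(pixels),
        "stream_complete": stream_ok,
        "trailing": trailing,
        "after_iend": after_iend,
        "bad_crc": bad_crc,
    }
    result["suspicious"] = bool(
        trailing or after_iend or bad_crc or not stream_ok
        or (expected is not None and len(pixels) != expected)
    )
    return result


if __name__ == "__main__":
    for label, png in (("clean", build_sample_png()),
                       ("smuggled", build_sample_png(b"MZ\x90\x00" + b"\x00" * 64))):
        r = scan_idat(png)
        print(f"{label}: suspicious={r['suspicious']}, {len(r['trailing'])} trailing bytes")
```

The check is deliberately structural rather than signature-based: a genuine image's IDAT chunks contain exactly one zlib stream whose inflated size is fixed by IHDR, so anything left over is not pixel data. It will not catch a payload encoded inside the valid pixel stream itself (for example in low-order bits), and it is not a description of how this particular loader locates or decodes its payload, which the article does not detail.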
Remcos RAT is being increasingly deployed using creative techniques. Earlier this year, for instance, researchers discovered a threat actor tracked as UNC-0050, known for repeatedly targeting organizations in Ukraine with Remcos RAT, attacking the country's government in a novel campaign that used a rare data transfer tactic.
Meanwhile, a rise in affordable malware "meal kits" priced under $100 is driving an increase in campaigns using RATs in general, which are frequently concealed within seemingly legitimate Excel and PowerPoint files attached to emails.
Remcos RAT spyware has also been discovered in the past year targeting organizations in Eastern Europe by leveraging an old Windows UAC bypass technique, as well as in a campaign last March and April targeting accountants ahead of the deadline for filing taxes in the United States.
As observed in the latest attack, threat actors are increasingly using defense evasion techniques to bypass detection by signature- and behavior-based endpoint protection solutions, the Morphisec researchers tell Dark Reading. In this case we observed a combined usage of steganography and memory injection as evasive techniques.
They add that security leaders should therefore consider these changes in the threat landscape and consider adopting solutions that can enhance their defense in depth by reducing exposure to such potential attacks.
Tara Seals contributed to this report.
