8 February 2023

Threat actors target Ukrainian government agencies with Remcos spyware



The Computer Emergency Response Team of Ukraine (CERT-UA) has warned of phishing attacks that attempt to install the Remcos remote access tool on systems belonging to Ukrainian government bodies, likely for cyber-espionage.

Remcos RAT (Remote Access Trojan) was originally designed as a professional tool to remotely control computers. Remcos RAT is recognized as a malware family because it has been abused by hackers to secretly control victims’ devices since its first version was published on July 21, 2016.

The attack involves a phishing email ostensibly sent by Ukrtelecom, a major Ukrainian internet service provider, to remind recipients to pay for services. The email contains an attachment in the form of a .rar archive, which includes a .txt file and another, password-protected .rar file. The latter contains an executable file which, when executed, downloads and installs the Remcos software on the system.

The mass phishing campaign observed by CERT-UA has been linked to a threat actor the agency tracks as UAC-0050. According to CERT-UA, previous attacks by the threat actor involved the use of a free remote access tool called RemoteUtilities.
