Often use geographical or administrative lures (e.g., UralMountainsSamples, Судові_рішення).

The malware captures keystrokes, takes screenshots, and sends system data to a Command & Control (C2) server.

🔍 Technical Indicators (IOCs)

It drops a modular backdoor, often identified as Remcos RAT or Meduzot.

If you have a or a suspicious IP address from your logs, I can check if it matches known infrastructure for this group.

The attack follows a multi-stage execution pattern to evade detection:

Typically sent via spear-phishing emails disguised as official judicial or military inquiries.