A campaign targeting users in Ukraine with malicious LNK files has been observed since November 2024. The files, using Russian words related to troop movements as lures, run a PowerShell downloader contacting geo-fenced servers in Russia and Germany. The second stage payload uses DLL side loading to execute the Remcos backdoor. The activity is attributed to the Gamaredon threat actor group with medium confidence. The campaign uses the invasion of Ukraine as a theme in phishing attempts, distributing LNK files disguised as Office documents. The servers used are mostly hosted by GTHost and HyperHosting ISPs. The attack chain involves DLL sideloading to load the Remcos backdoor, which communicates with a C2 server on a specific port.