Russia has long integrated cyber operations into its broader campaign against Ukraine. Beyond headline-grabbing wipers and DDoS attacks that aim to disrupt infrastructure, adversaries have repeatedly used commodity remote access tools and tailored social engineering to reach individual servicemembers and potential recruits. These operations do more than steal files. They gather intelligence, enable surveillance, and amplify fear and confusion in ways that can reduce enlistment and degrade unit readiness.

One clear pattern observed through late 2023 and early 2024 was the use of recruitment-themed lures to deliver remote access trojans. Security responders in Ukraine and private vendors traced spear-phishing and messenger-based messages that pretended to be recruitment materials or offers but actually deployed RATs such as Remcos and bespoke reverse shells. Ukrainian responders highlighted that activity after Trend Micro flagged suspicious Signal messages in late December 2023; the resulting CERT-UA advisories described Remcos and ReverseSSH payloads delivered inside archive attachments labeled with military-themed filenames.

Remcos is a widely abused commercial remote administration tool. It can capture screenshots, log keystrokes, exfiltrate files, record audio, and provision persistent remote control. Because it is sold legitimately, threat actors can repackage and deploy it in targeted campaigns with relatively low development cost, making it attractive for espionage and surveillance against human targets. Early malspam campaigns that leveraged invasion- or troop-themed lures to distribute Remcos were observed in 2022 and continued in subsequent waves, illustrating how inexpensive tooling can be repurposed for strategic effect.

Why target recruits and personnel? The operational logic is straightforward and effective. First, human targets are a rich source of intelligence: documents, call signs, unit locations, and contacts. Second, compromising a recruit or administrative user can provide access to broader networks and credentials. Third, and from a strategic influence point of view, seeding anti-mobilization content or demonstrating that recruitment systems are insecure can amplify public anxiety and lower the willingness of civilians to respond to calls for service. Attackers therefore combine espionage malware with messaging and influence tactics to produce a multiplier effect on Ukraine’s manpower resilience. This mixed approach has been visible across multiple Russian-aligned clusters that have targeted Ukrainian institutions since 2022.

Tactically, the intrusions share several familiar elements: lures that exploit urgency or patriotically framed services; delivery through messaging platforms or email attachments; multi-stage loaders that drop commodity RATs; and instructions that ask the user to disable protections or run installers from outside app stores. In many cases the first-stage lure is mundane but contextually relevant, such as alleged “recruitment lists,” interrogations of prisoners, or instructions for territorial recruitment centers. Attackers leverage that trust to get users to run archives, LNK files, or HTA scripts that ultimately invoke PowerShell or other native Windows tooling to fetch RATs.

The defensive picture must match that hybrid threat model. Technical controls are necessary but not sufficient. At the technical level organizations and units should:

  • Treat recruitment outreach as a high-risk channel. Publish and enforce a small set of official verification endpoints for recruiters and administrative staff. Train personnel to verify offers through those channels before opening attachments. (Operational policy reduces successful social engineering.)

  • Harden endpoints against common loaders and RATs. Block execution of suspicious file types from user directories, disable mshta and unnecessary script hosts where feasible, restrict PowerShell script execution using constrained language mode and signed scripts, and enforce application allowlists on administrative machines.

  • Use modern endpoint detection and response tuned to commodity RAT behaviors such as unusual process injection, suspicious network beacons, and credential dumping attempts. Hunt for Remcos indicators and reverse-shell connections in logs and through memory forensics.

  • Lock down mobile installs. Require official app stores, implement mobile device management with app allowlisting for government devices, and discourage or ban unvetted third-party installs where operational security is critical. Many lures instruct users to disable protections or sideload apps; policy and technical controls can stop that vector.
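The detection side of the controls above, and the lure-to-RAT chain described earlier (archive or HTA from a user directory, a script host, then PowerShell fetching a payload and beaconing out), can be expressed as a small rule pass over endpoint telemetry. The following is an added example, not code from the original article or from CERT-UA or any vendor. It assumes a simplified, Sysmon-like event schema (process-creation and network-connection events with `host`, `pid`, `parent_pid`, `image`, `command_line`, `dest_ip`), and the sample events, the hostnames, the user name and the C2 address (a placeholder from the 203.0.113.0/24 documentation range) are all constructed for the example. The rules go slightly beyond the text by also propagating suspicion down the process tree, so that a later network connection from a child of a flagged process is raised as a higher-severity alert.

```python
"""Added example: rule-based detection of lure -> script host -> PowerShell -> beacon chains
over constructed, Sysmon-style endpoint events.  Schema, thresholds and sample data are
assumptions made for this example, not any vendor's or CERT-UA's detection content."""
import re
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

# Native Windows binaries commonly abused as loaders (mshta, wscript, PowerShell ...).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe",
                "pwsh.exe", "regsvr32.exe", "rundll32.exe"}
# Parents that usually mean a person opened something: shell, archiver, mail or messenger client.
LURE_PARENTS = {"explorer.exe", "winrar.exe", "7zfm.exe", "outlook.exe",
                "signal.exe", "telegram.exe"}
USER_WRITABLE = re.compile(r"\\users\\[^\\]+\\(?:downloads|desktop|appdata)\\|\\temp\\", re.I)
LURE_EXT = re.compile(r"\.(?:lnk|hta|js|jse|vbs|vbe|wsf|bat|cmd)\b", re.I)
# Encoded commands, download cradles, hidden windows and execution-policy bypasses.
SUSPICIOUS_PS = re.compile(
    r"-e(?:nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}|downloadstring|downloadfile"
    r"|invoke-webrequest|\biwr\b|\biex\b|invoke-expression|-w(?:indowstyle)?\s+hidden"
    r"|-e(?:xecutionpolicy|p)\s+bypass|frombase64string", re.I)
# RFC 1918, loopback and link-local count as internal; everything else is treated as external
# (the documentation range 203.0.113.0/24 is used below as a stand-in for an attacker address).
INTERNAL_NETS = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16",
                                         "127.0.0.0/8", "169.254.0.0/16", "fc00::/7", "::1/128")]


@dataclass
class Alert:
    rule: str
    severity: str
    ts: int
    host: str
    pid: int
    detail: str


def _name(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def _is_external(ip: str) -> bool:
    addr = ip_address(ip)
    return not any(addr in net for net in INTERNAL_NETS)


def _process_alerts(ev: dict) -> list:
    img, parent, cmd = _name(ev["image"]), _name(ev["parent_image"]), ev.get("command_line", "")
    hits = []
    # A script host launched from a shell/archiver/messenger with a lure file or user-dir path.
    if img in SCRIPT_HOSTS and parent in LURE_PARENTS and (LURE_EXT.search(cmd) or USER_WRITABLE.search(cmd)):
        hits.append(("lure_script_host_chain", "high"))
    if img in {"powershell.exe", "pwsh.exe"} and SUSPICIOUS_PS.search(cmd):
        hits.append(("powershell_encoded_or_download_cradle", "high"))
    if USER_WRITABLE.search(ev["image"]):
        hits.append(("execution_from_user_writable_path", "medium"))
    return hits


def _network_alerts(ev: dict) -> list:
    hits = []
    if _is_external(ev["dest_ip"]) and (_name(ev["image"]) in SCRIPT_HOSTS or USER_WRITABLE.search(ev["image"])):
        hits.append(("script_host_external_connection", "high"))
    return hits


def analyze(events: list) -> list:
    """Run the rules over events in time order; a connection from an already-flagged
    process (or a descendant of one) is escalated to a critical beacon alert."""
    alerts, flagged = [], set()          # flagged holds (host, pid) of implicated processes
    for ev in sorted(events, key=lambda e: e["ts"]):
        key = (ev["host"], ev["pid"])
        if ev["type"] == "process":
            if (ev["host"], ev.get("parent_pid")) in flagged:
                flagged.add(key)         # inherit suspicion along the process tree
            hits = _process_alerts(ev)
            if hits:
                flagged.add(key)
            detail = ev.get("command_line", "")
        else:
            hits = _network_alerts(ev)
            detail = f'{_name(ev["image"])} -> {ev["dest_ip"]}:{ev["dest_port"]}'
            if key in flagged:
                hits.append(("flagged_process_beacon", "critical"))
        alerts += [Alert(rule, sev, ev["ts"], ev["host"], ev["pid"], detail) for rule, sev in hits]
    return alerts


# Constructed sample telemetry: one lure chain on RECRUIT-PC plus benign admin and browser activity.
SAMPLE_EVENTS = [
    {"type": "process", "ts": 1, "host": "RECRUIT-PC", "pid": 4100, "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\mshta.exe",
     "command_line": r'mshta.exe "C:\Users\olena\Downloads\recruitment_list_2024.hta"'},
    {"type": "process", "ts": 2, "host": "RECRUIT-PC", "pid": 4120, "parent_pid": 4100,
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": "powershell.exe -w hidden -ep bypass -enc SQBFAFgAKABOAGUAdwAtAE8AYgBqAGUAYwB0AA=="},
    {"type": "network", "ts": 3, "host": "RECRUIT-PC", "pid": 4120,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_ip": "203.0.113.45", "dest_port": 2404},
    {"type": "process", "ts": 4, "host": "RECRUIT-PC", "pid": 4200, "parent_pid": 1200,
     "parent_image": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe",
     "command_line": r"notepad.exe C:\Users\olena\Documents\notes.txt"},
    {"type": "process", "ts": 5, "host": "ADMIN-PC", "pid": 4300, "parent_pid": 900,
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "command_line": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"type": "network", "ts": 6, "host": "ADMIN-PC", "pid": 3000,
     "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_ip": "203.0.113.45", "dest_port": 443},
]

if __name__ == "__main__":
    for a in analyze(SAMPLE_EVENTS):
        print(f"[{a.severity:8}] t={a.ts} {a.host} pid={a.pid} {a.rule}: {a.detail}")
```

The benign PowerShell inventory task and the browser connection produce no alerts, while the HTA-from-Downloads chain yields three high-severity alerts and one critical beacon alert. In production the same logic maps naturally onto Sysmon event IDs 1 and 3 or EDR process and network tables; the regexes are deliberately narrow and would be tuned against an organization's own baseline of signed-script and administrative PowerShell usage.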

Beyond controls, training and operational procedures matter. Recruiters and unit clerks are both high-value and high-risk users. They should be included in prioritized phishing simulations and defensive briefings, and recruitment workflows should incorporate out-of-band verification steps for attachments and candidate-sent media. Prepare incident playbooks that assume human compromise will occur and plan isolation and credential rotation accordingly.

Finally, defenders must accept that adversaries will continue to mix low-cost malware with influence operations. The historical record in this conflict shows a range of capabilities, from large-scale destructive wipers in early 2022 that aimed to degrade infrastructure to persistent espionage campaigns that exploit human trust. That breadth requires a layered defense that combines threat hunting, secure communications discipline, frequent training, and rapid incident response. The goal is not only to stop individual infections, but to reduce the strategic effectiveness of campaigns that seek to erode manpower and morale.

If you are responsible for recruiting operations or defending personnel systems today, treat the recruitment lifecycle as part of your attack surface. Harden the channels, train the people, and instrument the networks. The adversary will keep trying low-cost, high-impact methods. The right combination of process and technical controls will blunt those efforts and preserve both information and the integrity of manpower pipelines.