Gamaredon Group
Gamaredon is a Russia-aligned advanced persistent threat group focused on cyberespionage against Ukraine. The content states the group has targeted Ukrainian governmental institutions since at least 2013, and in 2025 exclusively targeted Ukrainian government and military organizations. The Security Service of Ukraine attributes Gamaredon to the 18th Center of Information Security of Russia's Federal Security Service (FSB), and one cited description identifies Armageddon as a unit of the FSB. Known aliases in the provided content include Actinium, APT-C-53, Aqua Blizzard, Armageddon, DEV-0157, Gamaredon, Iron Tilden, Primitive Bear, SectorC08, Shuckworm, Trident Ursa, UNC530, and BlueAlpha.

The group is described as one of the most active Russia-aligned APT groups targeting Ukraine and maintained an aggressive cyberespionage campaign throughout 2025. ESET reported 35 distinct spearphishing campaigns in 2025, with most occurring in the second half of the year. Delivery methods mentioned include archive attachments, XHTML files using HTML smuggling, malicious hyperlinks, Office attachments with embedded malicious macros, malicious LNK files, and RAR archives exploiting CVE-2025-8088 to place HTA downloaders in Startup folders for execution at next login.

Gamaredon expanded and refreshed its tooling in 2024 and 2025. The content states it developed six new PowerShell-based tools/downloaders in 2025 and also revived the VBScript weaponizer PteroSetup. Named tools and components mentioned include PteroPaste, PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroSand, PteroPSDoor, PteroVDoor, PteroLNK, PteroGraphin, PteroStew, PteroQuark, PteroBox, PteroTickle, and PteroDespair.
PteroPaste is described as combining downloader, USB weaponizer, and persistence-orchestration or runner functionality; it can copy a malicious downloader to connected USB drives while disguising it as a Word document shortcut, retrieve encrypted command-and-control information from Dropbox, and connect to infrastructure hidden behind tunneling services. Other tools fetched PowerShell or VBScript payloads, obtained C2 information from services such as Telegra.ph or GoFile, or supported lateral movement.

The group's tradecraft emphasizes simple but rapidly updated malware, persistent spearphishing, and concealment of infrastructure behind legitimate services. The content states Gamaredon used Cloudflare Tunnels, Cloudflare Workers, Microsoft dev tunnels, Loophole, dynamic DNS, PaaS platforms, No-IP, Clever Cloud, and Supabase to hide backend infrastructure. It also abused legitimate messaging, social media, blogging, paste, and cloud-storage services as dead drops or staging locations, including Telegram, Dropbox, GoFile, Mastodon, Rentry, Telegraph, Codeberg, and resolver websites. The group registered domains to stage payloads and used domains and third-party services to make detection and disruption more difficult.

For execution and command and control, the content explicitly notes use of PowerShell, hidden execution via hidcon to run batch files in a hidden console window, and HTTP/HTTPS for C2 communications. Gamaredon tools decrypted additional payloads from C2, decoded Base64-encoded downloader source code, and decoded Telegram content to reveal C2 IP addresses. The group also deployed scripts on compromised systems that automatically scanned for interesting documents, listed files such as Office documents, and used macros that could scan for Microsoft Word and Excel files and inject additional malicious macros.
Collection and exfiltration behavior in the content includes automated scanning for interesting documents, file listing, username gathering, and theft from removable media. A Gamaredon file stealer can gather the victim username for transmission to C2 and steal data from newly connected logical volumes, including USB drives. Updated stealers such as PteroPSDoor and PteroVDoor were reported to exfiltrate stolen files to S3-compatible cloud storage providers including Wasabi, Tebi, and Intercolo, with cloud storage becoming the group’s primary exfiltration method in 2025. The content also states that ESET observed collaboration between Gamaredon and the Russia-aligned Turla threat actor in early 2025, and notes prior collaboration with InvisiMole. One cited report says Gamaredon used its loader malware to provide initial access for Turla’s Kazuar framework. Overall, the provided material characterizes Gamaredon as a long-running, Russia-aligned FSB-linked espionage actor that persistently targets Ukrainian state and military entities through large-scale spearphishing, frequent tooling refreshes, USB propagation, and extensive abuse of legitimate online services to conceal command-and-control and exfiltration.
Tradecraft
45 distinct techniques observed across reporting, grouped by tactic.
Associated malware families
40 malware families attributed to this actor across reporting.
Associated vulnerabilities
5 CVEs this actor has used in observed campaigns. 5 of them exploited in the wild.
As recently as November 2025, an email phishing wave targeting Ukraine was found to deliver the implant via RAR archives that exploit CVE-2025-8088, a WinRAR vulnerability that has been exploited by a number of Russian hacking groups such as Sandworm, Gamaredon, and RomCom.
Indicators of Compromise (IoCs): ... CVE-2025-6218 WinRAR vulnerability used by Gamaredon/Sandworm/RomCom
This detection identifies instances where Windows Explorer.exe spawns PowerShell or cmd.exe processes, particularly focusing on executions initiated by LNK files. This behavior is associated with the ZDI-CAN-25373 Windows shortcut zero-day vulnerability, where specially crafted LNK files are used to trigger malicious code execution through cmd.exe or powershell.exe. This technique has been actively exploited by multiple APT groups in targeted attacks through both HTTP and SMB delivery methods.
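As an added illustration (not code from the original page, from Mallory, or from any vendor rule set), the following script encodes two of the behaviours described on this page as detection logic over constructed Sysmon-style process-creation events: Explorer.exe spawning PowerShell or cmd.exe (the LNK-triggered execution pattern above) and mshta.exe running an HTA from a Startup folder (the persistence described under delivery methods). Field names, paths and sample events are assumptions chosen for the demo.

```python
# Added example: two simple process-creation detections over constructed events.
# Field names mirror Sysmon Event ID 1 (ParentImage, Image, CommandLine) but the
# events themselves are constructed for this demo, not real telemetry.
from dataclasses import dataclass
from typing import List, Tuple
import re

@dataclass
class ProcEvent:
    parent_image: str
    image: str
    command_line: str

SHELLS = {"powershell.exe", "pwsh.exe", "cmd.exe"}
# Per-user and all-users Startup folders both end with this path fragment.
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)

def basename(path: str) -> str:
    """Return the lower-cased file name of a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()

def explorer_spawns_shell(ev: ProcEvent) -> bool:
    """Rule 1: explorer.exe parent with a shell child. Noisy on its own (users
    do open cmd from Explorer), so treat it as a hunting/correlation signal."""
    return basename(ev.parent_image) == "explorer.exe" and basename(ev.image) in SHELLS

def hta_from_startup(ev: ProcEvent) -> bool:
    """Rule 2: mshta.exe executing an .hta that lives inside a Startup folder."""
    cmd = ev.command_line.lower()
    return basename(ev.image) == "mshta.exe" and ".hta" in cmd and bool(STARTUP_DIR.search(ev.command_line))

def evaluate(events: List[ProcEvent]) -> List[Tuple[int, str]]:
    """Return (event index, rule name) for every rule that fires."""
    hits = []
    for i, ev in enumerate(events):
        if explorer_spawns_shell(ev):
            hits.append((i, "explorer_spawns_shell"))
        if hta_from_startup(ev):
            hits.append((i, "hta_from_startup"))
    return hits

# Constructed sample events: one LNK-style shell launch, one benign Office launch,
# one HTA started from the user's Startup folder, one service-spawned cmd.
SAMPLE_EVENTS = [
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
              r'powershell.exe -w hidden -c "<placeholder>"'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
              r'"WINWORD.EXE" /n report.docx'),
    ProcEvent(r"C:\Windows\explorer.exe", r"C:\Windows\System32\mshta.exe",
              r'mshta.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"'),
    ProcEvent(r"C:\Windows\System32\services.exe", r"C:\Windows\System32\cmd.exe", r"cmd.exe /c schtasks /query"),
]
```

In production the first rule would be paired with additional context such as the originating LNK path or the child's command-line length before alerting.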
The documents ... contained malicious code to exploit the known «Microsoft Office» vulnerability CVE-2017-0199 ... which allows an attacker to execute arbitrary code on the user's device when the infected file is opened.
Interestingly, the SSU documented Gamaredon leveraging this same TTP as early as 2018 exploiting CVE-2018-20250.
Observables
289 indicators attributed to this actor: domains, IPs, hashes, and other artifacts pulled from reporting.
Recent activity
20 sources tracked across advisories, community write-ups, and news.
Referenced as one of several Russian hacking groups known to have exploited the WinRAR vulnerability CVE-2025-8088.
Conducting aggressive cyberespionage against Ukrainian government and military organizations using large-scale spearphishing and new PowerShell-based malware, while improving stealth through cloud storage services, tunnels, DDNS, PaaS platforms, and legitimate messaging and social media services as dead drops for C2 and exfiltration.
Espionage-focused operations targeting Ukraine, using evolving spear-phishing campaigns, PowerShell-based downloaders, dead-drop resolvers on legitimate services, tunneled and proxy-hidden C2 infrastructure, and cloud-based exfiltration.
Russian cyber espionage group conducting spear-phishing campaigns against Ukraine, developing new PowerShell-based downloaders, using USB propagation, concealing C2 infrastructure with tunneling and dead drops, and stealing sensitive data to support Russia's war interests.