GammaDrop

GammaDrop is a malware dropper associated with the Russian FSB-directed threat group BlueAlpha, which overlaps with Gamaredon, Shuckworm, Hive0051, and UNC530 and has targeted Ukrainian organizations since at least 2014. Reporting states that BlueAlpha has used GammaDrop in spearphishing-driven delivery chains, including HTML smuggling with embedded JavaScript and modified deobfuscation methods such as use of the onerror HTML event. BlueAlpha has also used Cloudflare Tunnels, specifically randomly generated TryCloudflare subdomains, to conceal GammaDrop staging infrastructure and evade traditional network detection. GammaDrop’s documented role is to write the VBScript malware GammaLoad to disk and establish persistence on the victim system. GammaLoad is described as a custom loader used since at least October 2023 for data exfiltration, credential theft, persistent access, command-and-control beaconing, and execution of additional malware. The reporting also notes BlueAlpha’s use of obfuscation techniques including junk code and random variable names, as well as DNS fast-fluxing to complicate tracking and disruption of command-and-control infrastructure. High-confidence detection-relevant details mentioned in the content include delivery via HTML attachments used for HTML smuggling, suspicious use of mshta.exe, untrusted .lnk files, requests to trycloudflare.com subdomains, and unauthorized DNS-over-HTTPS activity.