A Russian cyber espionage group has improved a variety of its tactics, techniques, and procedures (TTPs), helping it become a more effective belligerent in the Ukraine war and beyond. Enterprises should implement fresh strategies to be effective against this adversary, which has already cashed in on the upgrade by mounting larger and more successful cyberattacks.

Organizations often grow stale and outmoded over time, but the Gamaredon group (aka Aqua Blizzard, Armageddon, BlueAlpha) is fighting back against old age. It’s been around since at least 2013 — a lifetime in hacker years — and it’s still one of the Russian government’s most active and evolving threat actors.

In a report this week, ESET tracks 35 separate Gamaredon spear-phishing campaigns against Ukraine carried out last year. In that time, the APT developed a half dozen new downloaders, and adopted a variety of tactics aimed at concealing its command-and-control (C2) infrastructure.


Gamaredon’s Custom Malware Tooling

Conceptually, ESET split Gamaredon’s 2025 into two halves. The first half of the year was its preparatory stage. It took January 2025 off, probably because its hackers are government employees: the Security Service of Ukraine identifies Gamaredon as the 18th Center for Information Security within Russia’s Federal Security Service (FSB), and Russia concentrates a large share of its federal holidays in January.

It resumed its malicious activity in February, but for most of the first half of 2025 it focused on building tools and techniques that would pay off later in the year. It developed five new PowerShell tools in the first quarter of the year and a sixth in the summer. Most of them are simple downloaders, but one, “PteroPaste,” bundles several more significant features.

Most notably, PteroPaste repeatedly checks for USB drives connected to compromised systems, and if it finds one, it attempts to smuggle a malicious downloader script onto it. Cleverly, it picks a random Word document on the infected system and names the smuggled loader after it with a .lnk extension appended, so that a casual user sees what looks like an ordinary document. The disguise works because Windows Explorer never displays the .lnk extension of a shortcut, regardless of the “hide extensions for known file types” setting: a file called Report.docx.lnk is shown simply as Report.docx.

Gamaredon has long used USBs as a vector for carrying its malware farther and wider than it otherwise might go, both geographically and particularly within compromised organizations, where some more sensitive systems might otherwise be air-gapped and shielded from the open Internet. Organizations can mitigate the risk of USB-borne malware by at least scanning USB files, sanitizing them at dedicated stations, or outright banning unvetted drives.
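As an added example (not code from the ESET report, and not Gamaredon’s tooling), here is a small Python scan that a defender can run against a mounted removable drive to catch shortcuts named the way described above. The sample drive is a constructed temporary directory, the document extension list is an assumption (the report only mentions Word documents), and the check goes slightly beyond the article: besides Name.docx.lnk it also flags a bare Name.lnk sitting next to a Name.docx, a variant the report does not describe.

```python
"""Scan a mounted removable drive for .lnk files that masquerade as documents.

Added example, not code from the ESET report. The sample drive is a
constructed temporary directory.
"""
import os
import tempfile
from pathlib import Path

# Document extensions a masquerading shortcut is likely to borrow. Assumption:
# the report only mentions Word documents; the list is extended here.
DOC_EXTENSIONS = {".doc", ".docx", ".docm", ".rtf", ".xls", ".xlsx", ".pdf"}


def find_lookalike_lnks(root):
    """Return a finding dict for each .lnk under root that looks like a document.

    Windows Explorer never shows the .lnk extension (the shortcut file type is
    registered with NeverShowExt), so "Report.docx.lnk" is displayed as
    "Report.docx".
    """
    findings = []
    for dirpath, _dirnames, filenames in os.walk(root):
        siblings = {name.lower() for name in filenames}
        for name in filenames:
            if not name.lower().endswith(".lnk"):
                continue
            shown = name[:-4]                       # what Explorer displays
            shown_ext = Path(shown).suffix.lower()
            if shown_ext in DOC_EXTENSIONS:
                reason = f"shortcut displayed as a {shown_ext} document"
            elif shown_ext == "" and any(
                    shown.lower() + ext in siblings for ext in DOC_EXTENSIONS):
                reason = "shortcut shares its name with a document in the same folder"
            else:
                continue
            findings.append({"path": os.path.join(dirpath, name),
                             "name": name, "reason": reason})
    return findings


def build_sample_drive():
    """Construct a throwaway directory standing in for a mounted USB drive."""
    root = tempfile.mkdtemp(prefix="usb_")
    sample_files = [
        "Quarterly report.docx",
        "Quarterly report.docx.lnk",   # Gamaredon-style: document name + .lnk
        "Scan.pdf.lnk",                # same trick with a PDF name
        "Agenda.docx",
        "Agenda.lnk",                  # bare shortcut next to a same-named document
        "Budget.lnk",                  # ordinary shortcut, no document twin
        "Notes.txt",
        "photos/IMG_001.jpg",
    ]
    for rel in sample_files:
        path = Path(root, rel)
        path.parent.mkdir(parents=True, exist_ok=True)
        path.write_bytes(b"")           # contents do not matter for the name check
    return root


if __name__ == "__main__":
    drive = build_sample_drive()       # replace with the drive's mount point
    for finding in find_lookalike_lnks(drive):
        print(f"{finding['path']}: {finding['reason']}")
```

Point the scan at the drive letter or mount point of a newly inserted device (or run it from a sanitization station) and treat any hit as grounds to quarantine the drive; the name check is deliberately independent of the shortcut’s contents, so it also catches loaders whose LNK target has been obfuscated.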


Jean-Ian Boutin, ESET’s director of threat research, suggests several strategies that can help protect against Gamaredon’s PowerShell malware, be it the complex PteroPaste or its simpler cousins. “Depending on business needs and user roles, organizations may restrict or remove PowerShell access for non-administrative users, or disable or limit unnecessary scripting capabilities, such as Windows Management Instrumentation (WMI),” he says.

Gamaredon’s New Cyber Espionage Infrastructure

Besides creating custom initial access malware, Gamaredon seems to be equally obsessed with hiding its C2 infrastructure.

The group, for instance, began using Microsoft and Cloudflare tunneling services, and Cloudflare serverless workers, so that its C2 traffic is addressed to legitimate vendor-owned domains and blends in with ordinary cloud traffic. It also uses dead drops, pointing its malware at legitimate websites where the current C2 address is stashed, which complicates analysis and blocklisting. Most recently, Gamaredon has begun to combine the two, publishing its tunneling domains at those dead-drop sites.

Gamaredon has also updated two of its primary stealers to upload stolen files to legitimate cloud storage services such as Amazon Simple Storage Service (S3) buckets. Its most capable new tool, the aforementioned PteroPaste, uploads to Dropbox.


“Defenders can no longer assume that traffic to a trusted platform is inherently safe,” Louis Eichenbaum, federal CTO at ColorTokens, tells Dark Reading. “Instead, they must determine whether that communication is expected, authorized, and consistent with normal application and user behavior.”

He explains that “organizations need a deep understanding of application workflows and communication patterns across their environments. With that knowledge, organizations can implement granular, identity-aware microsegmentation policies that break attack paths and contain compromises before they spread.”
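The infrastructure tricks described above (tunneling and serverless domains as C2 fronts, exfiltration to S3 and Dropbox) and Eichenbaum’s point that traffic to a trusted platform has to be judged against expected behavior translate into a simple two-part detection. The following is an added Python example, not code from the ESET report or from any ColorTokens product. It assumes a constructed proxy log format and an allow-list of (process, destination) pairs that are expected to upload to cloud storage in the example environment; the tunnel domain suffixes are an assumption as well, since the article names the services, not their domains.

```python
"""Flag traffic to tunnel/serverless domains and unexpected cloud-storage uploads.

Added example, not code from the ESET report or a ColorTokens product. The
log lines and the allow-list below are constructed for illustration.
"""
import re
from collections import namedtuple

# Public suffixes handed out by the tunnelling and serverless services the report
# says Gamaredon abuses (Cloudflare quick tunnels, Microsoft Dev Tunnels,
# Cloudflare Workers). Assumption: the article names the services, not domains.
TUNNEL_SUFFIXES = (".trycloudflare.com", ".devtunnels.ms", ".workers.dev")

# Cloud storage endpoints the report says stolen files go to (S3, Dropbox).
STORAGE_SUFFIXES = (".amazonaws.com", ".dropbox.com", ".dropboxapi.com")

# The only (process, destination) pairs expected to upload to cloud storage in
# this constructed environment; anything else is an unexpected upload.
EXPECTED_UPLOADERS = {
    ("backup-agent.exe", "backup-bucket.s3.amazonaws.com"),
    ("Dropbox.exe", "content.dropboxapi.com"),
}
UPLOAD_METHODS = {"POST", "PUT"}

Event = namedtuple("Event", "ts host process method dest bytes_out")

# Constructed proxy log format: "<ts> <host> <process> <method> <dest> <bytes_out>"
LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (GET|POST|PUT) (\S+) (\d+)$")


def parse_line(line):
    """Parse one log line into an Event, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, host, proc, method, dest, out = m.groups()
    return Event(ts, host, proc, method, dest.lower(), int(out))


def _under(dest, suffixes):
    """True if dest is one of the suffix domains or a subdomain of one."""
    return any(dest == s[1:] or dest.endswith(s) for s in suffixes)


def classify(event, min_upload_bytes=50_000):
    """Return the alert reasons for one event; an empty list means benign."""
    reasons = []
    if _under(event.dest, TUNNEL_SUFFIXES):
        reasons.append(f"tunnel/serverless domain {event.dest} from {event.process}")
    if (_under(event.dest, STORAGE_SUFFIXES)
            and event.method in UPLOAD_METHODS
            and event.bytes_out >= min_upload_bytes
            and (event.process, event.dest) not in EXPECTED_UPLOADERS):
        reasons.append(f"unexpected {event.bytes_out}-byte upload by "
                       f"{event.process} to {event.dest}")
    return reasons


def scan(lines):
    """Run classify over every parseable line; return (ts, host, reason) tuples."""
    alerts = []
    for line in lines:
        event = parse_line(line)
        if event is None:
            continue
        for reason in classify(event):
            alerts.append((event.ts, event.host, reason))
    return alerts


# Constructed sample: a backup agent and the Dropbox client behaving as
# expected, plus PowerShell and wscript doing what the report describes.
SAMPLE_LOG = """\
2025-09-03T08:12:01Z WS-117 backup-agent.exe PUT backup-bucket.s3.amazonaws.com 8400000
2025-09-03T08:14:22Z WS-117 powershell.exe GET quiet-words-example.trycloudflare.com 512
2025-09-03T08:14:40Z WS-117 powershell.exe POST content.dropboxapi.com 1300000
2025-09-03T08:15:02Z WS-042 chrome.exe GET www.example.org 2048
2025-09-03T08:16:10Z WS-042 Dropbox.exe POST content.dropboxapi.com 2200000
2025-09-03T08:17:55Z WS-042 powershell.exe GET stage-example.workers.dev 220
2025-09-03T08:18:30Z WS-042 wscript.exe PUT staging-files.s3.amazonaws.com 4100000
"""

if __name__ == "__main__":
    for ts, host, reason in scan(SAMPLE_LOG.splitlines()):
        print(f"{ts} {host}: {reason}")
```

The first rule is a plain indicator match and will fire on legitimate developer use of quick tunnels, so it belongs in a hunting query rather than a blocking control. The second rule is the behavioral one: the same Dropbox API endpoint is benign for the Dropbox client and suspicious for PowerShell, which is exactly the distinction Eichenbaum is asking for. Dead-drop resolvers, where the implant fetches its C2 address from a benign site, leave no distinctive domain at all; for those, which process is talking and whether that is expected is the only lever.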

With its tooling revamped and its infrastructure concealed, Gamaredon used the second half of 2025 to carry out significantly more cyberattacks than it did in the first, and larger ones as well. Notably, some of these attacks were part of an ongoing collaboration with another Russian state advanced persistent threat (APT), Turla (aka Snake, Venomous Bear, Waterbug, or Uroburos). Gamaredon used its library of loaders to provide initial access for Turla’s heftier backdoor, Kazuar.

Consistent with its history, Gamaredon’s 2025 spear-phishing campaigns exclusively targeted Ukraine’s government and military. The point of its attacks is always to steal sensitive data that might in one way or another advance Russia’s interests in the war there.
