Ethical Hacking News
Cybersecurity Threat Actor Gamaredon Intensifies Spearphishing Activities Targeting Ukrainian Entities
Gamaredon, a Russia-aligned espionage group that has targeted Ukrainian organizations for years, has sharply intensified its spear-phishing activity in recent months. ESET reports more aggressive campaigns that deliver malicious archives and XHTML files using HTML smuggling, HTA and LNK droppers that launch VBScript downloaders, and several new tools alongside updated versions of its established Ptero* family. Its infrastructure has also shifted toward fast-flux DNS and legitimate third-party services, which makes its command-and-control traffic harder to detect and track. Separately, CERT-UA has warned of phishing campaigns by another threat actor, UAC-0099, against Ukrainian government agencies, defense forces, and enterprises, delivering the C#-based MATCHBOIL loader, MATCHWOK backdoor, and DRAGSTARE stealer.
Cybersecurity researchers have been warning about the growing threat posed by Gamaredon, which has significantly stepped up its activity in recent months. According to ESET researcher Zoltán Rusnák, the group's spear-phishing emails have become more aggressive and more sophisticated: they carry malicious archives or XHTML files that use HTML smuggling, where the payload is embedded in the page as encoded data and reassembled by script inside the browser, so no file download appears on the wire for a proxy or mail gateway to inspect.
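To show what an HTML smuggling lure looks like to a scanner, here is an added example (not ESET's, the article's, or Gamaredon's code). It builds a constructed XHTML page that reassembles a base64 blob with atob/Blob/createObjectURL and triggers a download, then scans the page for those API calls, carves any long base64 run, identifies the container by magic bytes, and recovers the intended download name. The sample page, the fake ZIP-shaped payload, the API list and the 100-character threshold are all assumptions for illustration.

```python
import base64
import hashlib
import re

# Constructed sample: a minimal XHTML lure of the kind described above.
# The "payload" is a constructed ZIP-shaped byte string (local file header
# magic plus filler), not real malware.
FAKE_ZIP = b"PK\x03\x04" + b"\x00" * 26 + b"summons.hta" + b"\x00" * 64
SAMPLE_XHTML = """<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml">
<body>
<p>Loading document, please wait...</p>
<script>
var p = "%s";
var b = atob(p);
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) { a[i] = b.charCodeAt(i); }
var blob = new Blob([a], {type: "application/octet-stream"});
var link = document.createElement("a");
link.href = URL.createObjectURL(blob);
link.download = "Court_Summons_2025.zip";
document.body.appendChild(link);
link.click();
</script>
</body>
</html>
""" % base64.b64encode(FAKE_ZIP).decode()

# Browser APIs that, used together, reassemble a file client-side so that
# no download ever crosses the proxy as a file object (assumed list).
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(", ".download",
                  "msSaveOrOpenBlob", "click()")

# Leading bytes of containers commonly smuggled this way.
MAGIC = {b"PK\x03\x04": "zip", b"Rar!\x1a\x07": "rar",
         b"7z\xbc\xaf\x27\x1c": "7z", b"MZ": "pe"}

# A run of base64 text long enough to be a file rather than a token
# (100 characters is an assumed threshold).
B64_BLOB = re.compile(r"[A-Za-z0-9+/]{100,}={0,2}")
DOWNLOAD_NAME = re.compile(r"""\.download\s*=\s*["']([^"']+)["']""")


def carve_payloads(text):
    """Decode every long base64 run and identify it by magic bytes."""
    found = []
    for m in B64_BLOB.finditer(text):
        try:
            data = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue  # not valid base64, e.g. a long identifier
        kind = next((name for magic, name in MAGIC.items()
                     if data.startswith(magic)), "unknown")
        found.append({"offset": m.start(), "size": len(data), "type": kind,
                      "sha256": hashlib.sha256(data).hexdigest()})
    return found


def scan_html(text):
    """Flag a document as HTML smuggling when reassembly APIs and an
    embedded container appear together; return the evidence."""
    api_hits = [api for api in SMUGGLING_APIS if api in text]
    payloads = carve_payloads(text)
    names = DOWNLOAD_NAME.findall(text)
    suspicious = len(api_hits) >= 3 and any(p["type"] != "unknown" for p in payloads)
    return {"api_hits": api_hits, "payloads": payloads,
            "download_names": names, "suspicious": suspicious}


if __name__ == "__main__":
    print(scan_html(SAMPLE_XHTML))
```

Real lures often split or XOR the blob, or build it from several string fragments, so the carving step should be paired with a headless-browser detonation that captures the object handed to createObjectURL; the static check above is the cheap first pass a mail gateway can run on every attachment.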
The attachments typically deliver malicious HTA or LNK files that run embedded VBScript downloaders such as PteroSand, which in turn fetch updated versions of the group's existing tools, including PteroPSDoor, PteroLNK, PteroVDoor, and PteroPSLoad. Together these give the operators persistent access to the infected system and the means to collect sensitive data from it, such as files and screenshots.
Gamaredon's tradecraft has also evolved on the infrastructure side. It now uses fast-flux DNS, rotating the addresses behind its C2 domains rapidly, and leans on legitimate third-party services such as Telegram, Telegraph, Codeberg, and Cloudflare tunnels to host or relay command-and-control traffic. Both choices hamper detection: fast-flux makes IP-based blocking short-lived, and traffic to widely used services blends in with benign activity, so defenders cannot simply block the destination. Despite this, Gamaredon remains a significant threat because of its continuous tooling changes, aggressive spear-phishing, and persistent efforts to evade detection.
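To make the fast-flux point concrete, here is an added example (not ESET's or the article's code) that scores domains from passive-DNS observations by how many distinct addresses and /24 networks their answers rotate through and how short the TTLs are. The observations are constructed, use RFC 5737 documentation ranges rather than any real Gamaredon indicator, and the thresholds are assumptions to tune per environment.

```python
import ipaddress
import statistics
from collections import defaultdict

# Constructed passive-DNS observations as (domain, unix_time, A record, TTL).
# Addresses come from the RFC 5737 documentation ranges; nothing here is a
# real indicator.
PDNS = [
    ("update-check.example", 1754400000, "192.0.2.14", 60),
    ("update-check.example", 1754400060, "198.51.100.5", 60),
    ("update-check.example", 1754400120, "203.0.113.9", 60),
    ("update-check.example", 1754400180, "192.0.2.77", 60),
    ("update-check.example", 1754400240, "198.51.100.203", 60),
    ("update-check.example", 1754400300, "203.0.113.41", 60),
    ("update-check.example", 1754400360, "192.0.2.14", 60),
    # A CDN-fronted site: several addresses, but all in one provider block.
    ("cdn-assets.example", 1754400000, "203.0.113.50", 120),
    ("cdn-assets.example", 1754400100, "203.0.113.51", 120),
    ("cdn-assets.example", 1754400200, "203.0.113.52", 120),
    ("cdn-assets.example", 1754400300, "203.0.113.53", 120),
    # A static host with a long TTL.
    ("intranet.example", 1754400000, "192.0.2.200", 3600),
    ("intranet.example", 1754403600, "192.0.2.200", 3600),
]


def summarise(records):
    """Per-domain address diversity and TTL statistics."""
    per_domain = defaultdict(list)
    for domain, ts, ip, ttl in records:
        per_domain[domain].append((ts, ip, ttl))
    out = {}
    for domain, rows in per_domain.items():
        ips = {ip for _, ip, _ in rows}
        # Group answers by /24 so a handful of neighbouring addresses from one
        # hosting block does not look like infrastructure spread.
        nets = {str(ipaddress.ip_network(f"{ip}/24", strict=False)) for ip in ips}
        ttls = [ttl for _, _, ttl in rows]
        times = [ts for ts, _, _ in rows]
        out[domain] = {
            "resolutions": len(rows),
            "unique_ips": len(ips),
            "unique_24s": len(nets),
            "median_ttl": statistics.median(ttls),
            "span_seconds": max(times) - min(times),
        }
    return out


def flux_candidates(records, min_ips=5, min_nets=3, max_ttl=300):
    """Domains whose answers rotate through many addresses in many /24s with
    short TTLs. The defaults are assumed thresholds, not published values."""
    stats = summarise(records)
    return sorted(d for d, s in stats.items()
                  if s["unique_ips"] >= min_ips
                  and s["unique_24s"] >= min_nets
                  and s["median_ttl"] <= max_ttl)


if __name__ == "__main__":
    for domain, s in summarise(PDNS).items():
        print(domain, s)
    print("fast-flux candidates:", flux_candidates(PDNS))
```

The caveat a practitioner will recognise: CDNs, anycast DNS providers and large hosters also answer with many addresses and short TTLs, so this score is a triage signal, not a verdict. Enrich candidates with ASN ownership and a known-provider allowlist before blocking, and weight domains whose addresses sit in residential or small-hoster ranges more heavily.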
In addition to Gamaredon, the Computer Emergency Response Team of Ukraine (CERT-UA) has warned of a series of cyber attacks by another threat actor, tracked as UAC-0099, against government agencies, defense forces, and enterprises in the country. The attacks use phishing emails as the initial compromise vector and deliver the malware families MATCHBOIL, MATCHWOK, and DRAGSTARE.
The latest infection chain uses court-summons lures to get recipients to click links shortened with services such as Cuttly. The links lead to a nested archive (an archive inside an archive) containing an HTML Application (HTA) file; opening it launches an obfuscated Visual Basic Script that creates a scheduled task for persistence.
Executing that script runs a loader named MATCHBOIL, a C# program that drops additional malware on the host: a backdoor called MATCHWOK and a stealer named DRAGSTARE, both also written in C#. MATCHWOK executes PowerShell commands and returns the results to a remote server, while DRAGSTARE collects system information, browser data, files matching specific extensions, and screenshots, and also runs PowerShell commands received from an attacker-controlled server.
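The HTA-to-VBScript-to-scheduled-task chain above is the kind of sequence endpoint telemetry can catch regardless of which loader is dropped at the end. Here is an added example (not CERT-UA's or the article's code) that replays the chain over constructed Sysmon-style process-creation events and alerts when schtasks /Create descends from a script host that was spawned by mshta.exe running an HTA from a user-writable path. Event fields, file names, paths, the task name and the user-writable path list are all assumptions; two benign events are mixed in to show the rule does not fire on mshta or schtasks alone.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry) that
# replay the chain described above: a user opens an HTA extracted from an
# archive, mshta.exe runs an obfuscated VBScript via wscript.exe, and the
# script registers a scheduled task. Two benign events are mixed in.
EVENTS = [
    {"pid": 4100, "ppid": 900, "image": r"C:\Windows\explorer.exe",
     "cmd": "explorer.exe"},
    {"pid": 4212, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'"C:\Windows\System32\mshta.exe" "C:\Users\olena\AppData\Local\Temp\Temp1_Court_Summons.zip\Court_Summons.hta"'},
    {"pid": 4230, "ppid": 4212, "image": r"C:\Windows\System32\wscript.exe",
     "cmd": r'wscript.exe //B //E:VBScript "C:\Users\olena\AppData\Roaming\Microsoft\upd.vbs"'},
    {"pid": 4245, "ppid": 4230, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Create /SC MINUTE /MO 3 /TN "EdgeUpdateCheck" /TR "wscript.exe //B C:\Users\olena\AppData\Roaming\Microsoft\upd.vbs" /F'},
    # Benign: a vendor help file launched from Program Files, no script child.
    {"pid": 5010, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    # Benign: an admin querying an existing task from a console.
    {"pid": 5020, "ppid": 900, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /Query /TN "\Microsoft\Windows\Defrag\ScheduledDefrag"'},
]

# Paths a phishing victim can write to; archive tools extract into Temp.
# The list is an assumption; extend it for your environment.
USER_WRITABLE = re.compile(r"\\(AppData\\Local\\Temp|AppData\\Roaming|Downloads)\\", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Quoted path first so "Program Files" style spaces are handled.
HTA_ARG = re.compile(r'"([^"]+\.hta)"|(\S+\.hta)', re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def hta_path(cmd):
    m = HTA_ARG.search(cmd)
    return (m.group(1) or m.group(2)) if m else None


def lineage(pid, by_pid):
    """Return the process and its ancestors, nearest first, stopping at
    unknown parents or cycles in (possibly incomplete) telemetry."""
    chain, seen = [], set()
    while pid in by_pid and pid not in seen:
        seen.add(pid)
        chain.append(by_pid[pid])
        pid = by_pid[pid]["ppid"]
    return chain


def find_hta_persistence_chains(events):
    """Alert on schtasks /Create whose ancestry contains a script host that
    was itself spawned by mshta.exe running an HTA from a user-writable path."""
    by_pid = {e["pid"]: e for e in events}
    alerts = []
    for e in events:
        if basename(e["image"]) != "schtasks.exe" or "/create" not in e["cmd"].lower():
            continue
        ancestors = lineage(e["pid"], by_pid)[1:]
        host = next((a for a in ancestors if basename(a["image"]) in SCRIPT_HOSTS), None)
        hta = next((a for a in ancestors
                    if basename(a["image"]) == "mshta.exe" and hta_path(a["cmd"])), None)
        if host is None or hta is None or not USER_WRITABLE.search(hta["cmd"]):
            continue
        alerts.append({"schtasks_pid": e["pid"], "script_host_pid": host["pid"],
                       "mshta_pid": hta["pid"], "hta_path": hta_path(hta["cmd"]),
                       "task_cmd": e["cmd"]})
    return alerts


if __name__ == "__main__":
    for alert in find_hta_persistence_chains(EVENTS):
        print(alert)
```

Walking the full ancestry rather than only the direct parent matters because the VBScript may relaunch itself through cmd.exe or PowerShell before calling schtasks; a lower-severity companion rule for mshta.exe alone with an HTA under Temp or Downloads is worth running in parallel so the chain is caught even when the persistence step is done through the registry instead.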
The disclosure comes as ESET's report on Gamaredon's activity in 2024 continues to document the group's spear-phishing against Ukrainian entities. ESET catalogued six new tools, among them PteroDespair, a PowerShell reconnaissance tool; PteroTickle, a PowerShell weaponizer that targets Python applications; and PteroStew, a VBScript downloader.
Both cases share a pattern defenders can act on: script-based droppers (HTA, LNK, VBScript) launched from user-writable locations, persistence through scheduled tasks, and command-and-control that hides behind URL shorteners, fast-flux domains, or legitimate hosting services. Monitoring those behaviours holds up better than chasing individual hashes or IP addresses, given how quickly both Gamaredon and UAC-0099 rotate their tooling and infrastructure.
Related Information:
https://www.ethicalhackingnews.com/articles/Cybersecurity-Threat-Actor-Gamaredon-Intensifies-Spearphishing-Activities-Targeting-Ukrainian-Entities-ehn.shtml
https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html
Published: Wed Aug 6 04:29:34 2025 by llama3.2 3B Q4_K_M