Ethical Hacking News

Gamaredon's Malicious Expansion: A Russian APT Group's Sophisticated Attack Vector Against Ukraine



The ongoing cyber conflict between Gamaredon and Ukrainian institutions highlights the evolving landscape of APT groups' tactics and techniques. As these threats continue to evolve, it is essential for cybersecurity professionals to remain vigilant and update their defenses accordingly.

  • Gamaredon, a notorious Russian APT group, has escalated its cyberattacks against Ukraine by employing malware and leveraging legitimate cloud services.
  • The group conducted 35 distinct spear-phishing campaigns targeting Ukrainian governmental and military institutions in the second half of 2025.
  • Gamaredon uses archive attachments, XHTML files, and HTML smuggling to deliver malicious HTA downloaders that drop additional payloads like PteroSand.
  • The group also employs tactics such as infecting USB and network drives with malicious LNK files and using weaponizers like PteroLNK and PteroPaste for lateral movement.
  • Gamaredon relies on third-party services, including tunnel services and serverless worker platforms, to facilitate its operations.
  • The group has developed six new malicious PowerShell tools, including PteroDee, PteroDum, and PteroEffigy.
  • ESET researcher Zoltán Rusnák noted that Gamaredon spent much of its effort in 2025 developing and deploying new tools.
  • The group uses legitimate services as data exfiltration channels and dead drop resolvers to obtain C2 server details.



    Gamaredon, a notorious Russian advanced persistent threat (APT) group, has escalated its cyberattacks against Ukraine by employing a multifaceted arsenal of malware and leveraging legitimate cloud services to facilitate data exfiltration. The group's activities have been closely monitored by the Slovak cybersecurity firm ESET, which observed 35 distinct spear-phishing campaigns conducted by Gamaredon in the second half of 2025, primarily targeting Ukrainian governmental and military institutions.

    These targeted attacks use archive attachments or XHTML files that rely on HTML smuggling to deliver malicious HTA downloaders, which subsequently drop additional payloads such as PteroSand. The attacks also abuse a now-patched flaw in WinRAR (CVE-2025-8088) to place the malicious HTA downloader into the victim's Windows Startup folder, thereby adding persistence to the compromise chain.
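    The XHTML delivery described above works because the attachment itself is only a web page; the file the victim ends up with is embedded in it as encoded data and assembled in the browser. The following static triage script is an added example (not ESET's or Ethical Hacking News' code) for flagging HTML/XHTML attachments that carry those ingredients. The indicator list, weights and threshold are assumptions drawn from the generic technique, and both sample pages are constructed fixtures with no real payload.

```python
"""Static triage of HTML/XHTML attachments for HTML-smuggling indicators.

Added example, not ESET's or Ethical Hacking News' code. The heuristics are
assumptions drawn from the generic technique: the file is embedded in the page
as encoded data and client-side script rebuilds it and triggers a download, so
no file is ever fetched from the server. Both sample pages below are constructed
and carry no real payload.
"""
import re
from dataclasses import dataclass, field

# (name, pattern, weight). Weights are constructed for this example.
INDICATORS = [
    ("js_decode", re.compile(r"\batob\s*\(|Uint8Array|charCodeAt\s*\(", re.I), 1),
    ("blob_build", re.compile(r"new\s+Blob\s*\(|createObjectURL\s*\(", re.I), 2),
    ("download_trigger", re.compile(r"\.download\s*=|msSaveOrOpenBlob|\.click\s*\(", re.I), 2),
    ("archive_or_hta_name", re.compile(r"\.(hta|zip|rar|7z|iso|img)[\"']", re.I), 1),
]
# A contiguous run of >= 400 base64 characters is treated as an embedded payload.
BASE64_RUN = re.compile(r"[A-Za-z0-9+/]{400,}={0,2}")


@dataclass
class Verdict:
    score: int = 0
    hits: list = field(default_factory=list)
    largest_b64: int = 0

    @property
    def suspicious(self) -> bool:
        # Threshold is an assumption; calibrate against your own benign attachments.
        return self.score >= 5 and self.largest_b64 > 0


def triage_html(doc: str) -> Verdict:
    """Score one HTML/XHTML document; script-side reassembly plus an embedded blob is the tell."""
    v = Verdict()
    for name, rx, weight in INDICATORS:
        if rx.search(doc):
            v.hits.append(name)
            v.score += weight
    runs = BASE64_RUN.findall(doc)
    if runs:
        v.largest_b64 = max(map(len, runs))
        v.score += 2
        v.hits.append("embedded_base64")
    return v


# Constructed benign page: a short inline image, a normal archive link, no script.
BENIGN_PAGE = """<html><body><img src="data:image/png;base64,iVBORw0KGgo=">
<a href="/files/report.zip">Download the report</a></body></html>"""

# Constructed smuggling-style fixture: "QUFB" is base64 of "AAA", repeated as filler.
_FILLER = "QUFB" * 120
SMUGGLING_FIXTURE = ('<html><body><script>var d="' + _FILLER + '";'
    'var b=Uint8Array.from(atob(d),function(c){return c.charCodeAt(0);});'
    'var a=document.createElement("a");a.href=URL.createObjectURL(new Blob([b]));'
    'a.download="report.zip";a.click();</script></body></html>')

if __name__ == "__main__":
    for label, page in (("benign", BENIGN_PAGE), ("fixture", SMUGGLING_FIXTURE)):
        v = triage_html(page)
        print(label, "suspicious" if v.suspicious else "clean", v.score, v.hits)
```

    The benign page scores on the archive link alone and stays below the threshold; the fixture trips decoding, blob construction, the download trigger and the embedded base64 run together. Run it over attachments pulled from mail quarantine rather than on rendered pages, since the point is to catch the file before a browser ever assembles it.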

    Furthermore, Gamaredon's tactics include infecting USB and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware. The group relies on weaponizers such as PteroLNK and PteroPaste to infect these drives, which gives it a path for lateral movement.

    In 2025, Gamaredon's reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of its real back-end infrastructure. The attacks also introduce six new malicious PowerShell tools, broadening the group's custom malware arsenal. These include PteroDee, which fetches and executes PowerShell payloads in memory; PteroDum, which does the same for VBScript payloads in memory; PteroOdd, which fetches a single PowerShell payload using the Telegra.ph API; PteroEffigy, which fetches the C2 server using the GoFile cloud storage service; and PteroPaste, which weaponizes USB drives and downloads additional PowerShell payloads via an encrypted channel.

    ESET researcher Zoltán Rusnák stated that "While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools." Additionally, ESET observed updates made by Gamaredon leading up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays.

    Gamaredon's tactics also revolve around using legitimate services as data exfiltration channels and dead drop resolvers to obtain details of the C2 server. These include Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, DEV Community (dev.to), Mastodon, Lesma, Nopaste.net, Paste.ee, Wasabi, Tebi, Intercolo, and others.

    According to ESET, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services. Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt.
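    The two paragraphs above describe the same defensive problem from both ends: the services the group uses as dead drop resolvers and exfiltration channels are legitimate, so blocking them outright is rarely an option, but a single workstation touching several of them in quick succession is unusual. The proxy-log triage below is an added example (not ESET's or Ethical Hacking News' code). The service names come from the article; the domain mapped to each service, the log layout and every sample line are assumptions constructed for this example.

```python
"""Proxy-log triage for the legitimate services the article names as Gamaredon
dead-drop resolvers and exfiltration channels.

Added example, not ESET's or Ethical Hacking News' code. The log format and all
sample lines are constructed; the service names come from the article, and the
domain for each service is an assumption where the article gives only a brand.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Brand -> domains. Domains are assumptions; extend from your own traffic baseline.
SERVICE_DOMAINS = {
    "Telegra.ph": ("telegra.ph",),
    "Teletype": ("teletype.in",),
    "Rentry.co": ("rentry.co",),
    "Write.as": ("write.as",),
    "Dropbox": ("dropbox.com", "dropboxusercontent.com"),
    "GoFile": ("gofile.io",),
    "DEV Community": ("dev.to",),
    "Nopaste.net": ("nopaste.net",),
    "Paste.ee": ("paste.ee",),
    "Wasabi": ("wasabisys.com",),
    "Tebi": ("tebi.io",),
}
DOMAIN_TO_SERVICE = {d: s for s, ds in SERVICE_DOMAINS.items() for d in ds}

# Constructed log layout: timestamp client method url status bytes
LOG_RE = re.compile(r"^(\S+) (\S+) (GET|POST|PUT|CONNECT) (\S+) (\d{3}) (\d+)$")


def match_service(host: str):
    """Return the brand if host is a listed domain or a subdomain of one, else None."""
    host = host.lower().rstrip(".")
    for domain, service in DOMAIN_TO_SERVICE.items():
        if host == domain or host.endswith("." + domain):
            return service
    return None


def parse_line(line: str):
    """Parse one constructed-format log line; return None for lines that do not fit."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, client, method, url, status, size = m.groups()
    return {"ts": ts, "client": client, "method": method,
            "host": urlsplit(url).hostname or "",
            "status": int(status), "bytes": int(size)}


def summarize(lines):
    """Per client: distinct flagged services, matching records, and the bytes column
    summed over POST/PUT lines (treated here as request body size)."""
    out = defaultdict(lambda: {"services": set(), "hits": [], "post_bytes": 0})
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        service = match_service(rec["host"])
        if service is None:
            continue
        entry = out[rec["client"]]
        entry["services"].add(service)
        entry["hits"].append(rec)
        if rec["method"] in ("POST", "PUT"):
            entry["post_bytes"] += rec["bytes"]
    return dict(out)


def review_queue(lines, min_services=2):
    """Clients touching at least min_services distinct listed services, most first.
    One service alone is usually ordinary user activity; several in one session is not."""
    ranked = [(client, sorted(e["services"]), e["post_bytes"])
              for client, e in summarize(lines).items()
              if len(e["services"]) >= min_services]
    ranked.sort(key=lambda r: (-len(r[1]), -r[2], r[0]))
    return ranked


# Constructed sample log: one host walks three listed services, one host uses Dropbox
# normally, one host stays internal, and one line is malformed.
SAMPLE_LOG = [
    "2026-06-12T09:14:03Z 10.20.4.17 GET https://telegra.ph/Status-06-12 200 1342",
    "2026-06-12T09:14:09Z 10.20.4.17 POST https://api.gofile.io/upload 200 52311",
    "2026-06-12T09:15:41Z 10.20.4.17 GET https://rentry.co/raw/abc123 200 87",
    "2026-06-12T09:16:02Z 10.20.4.88 GET https://www.dropbox.com/home 200 9801",
    "2026-06-12T09:16:40Z 10.20.4.88 GET https://dl.dropboxusercontent.com/s/x/q.docx 200 41020",
    "2026-06-12T09:18:11Z 10.20.4.51 GET https://intranet.example.local/ 200 2200",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for client, services, post_bytes in review_queue(SAMPLE_LOG):
        print(client, services, "bytes posted:", post_bytes)
```

    The Dropbox host is deliberately not queued: two hostnames collapse to one service, which is the difference between a user's file sync and the fan-out across paste, blog and file-hosting sites that a dead drop resolver produces. The POST byte total is carried along so the analyst can tell a resolver lookup (small GETs) from an exfiltration channel (large uploads) without reopening the logs.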

    In summary, Gamaredon's malicious expansion against Ukraine is marked by a sophisticated array of malware and the exploitation of legitimate cloud services for data exfiltration purposes. By continuously updating its tools and leveraging third-party services, the group has managed to evade detection and maintain its operational momentum despite initial attempts at disruption.

    Related Information:
  • https://www.ethicalhackingnews.com/articles/Gamaredons-Malicious-Expansion-A-Russian-APT-Groups-Sophisticated-Attack-Vector-Against-Ukraine-ehn.shtml

  • https://thehackernews.com/2026/06/gamaredon-expands-ukraine-attacks-with.html


  • Published: Wed Jul 1 14:08:07 2026 by llama3.2 3B Q4_K_M

    © Ethical Hacking News. All rights reserved.