Ethical Hacking News
Russian hackers have been targeting a military mission of a Western country in Ukraine using an updated version of the GammaSteel info-stealing malware. The campaign, which began in February 2025 and continued until March, involved the deployment of malicious .LNK files via removable drives to gain initial access to infected systems. Gamaredon's tactics have undergone a significant shift, with the group now making extensive use of legitimate services for evasion and employing PowerShell-based tools.
Russian hackers backed by the state have been targeting a military mission in Ukraine using updated GammaSteel malware. Gamaredon's tactics have shifted from VBS scripts to PowerShell-based tools for evasion and stealth. The malware uses legitimate services to avoid detection, including Cloudflare-protected URLs. Gamaredon employed an obfuscated script to create C2 communications and spread the infection via LNK files. The malware gathered information about installed antivirus tools, files, and running processes using a reconnaissance PowerShell script. Gamaredon's efforts have improved their tactics, techniques, and procedures, posing significant risks to Western networks. Western nations must remain vigilant and implement robust security measures to counter these threats.
Russian hackers, backed by the state, have been targeting a military mission of a Western country in Ukraine, employing an updated version of the GammaSteel info-stealing malware. The campaign, which began in February 2025 and continued until March, involved the deployment of malicious .LNK files via removable drives to gain initial access to infected systems.
According to Symantec threat researchers, Gamaredon's tactics have undergone a significant shift. The group has transitioned from using VBS scripts to PowerShell-based tools, demonstrating an increased emphasis on evasion and stealth. Furthermore, the malware now makes extensive use of legitimate services to avoid detection, including Cloudflare-protected URLs.
The infection vector used by Gamaredon in this campaign involved a heavily obfuscated script that dropped two files. The first file handled command and control (C2) communications, utilizing legitimate services to resolve server addresses, while the second file facilitated the spreading mechanism, infecting other removable and network drives using LNK files.
The malware also employed a reconnaissance PowerShell script capable of capturing screenshots of infected devices and gathering information about installed antivirus tools, files, and running processes. The final payload used in the observed attacks was a PowerShell-based version of GammaSteel, stored in the Windows Registry.
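The initial-access step described above relies on a shortcut that looks like a document but launches a script host. The following is an added defender-side example, not code from the article, Symantec or the Gamaredon campaign: it parses the MS-SHLLINK header and StringData fields of a .LNK file and applies triage heuristics (script-host target, encoded PowerShell command line, hidden window, icon borrowed from a system DLL). The two sample shortcuts are constructed inline; the command line in the suspicious one is a placeholder string, not a payload, and the heuristics are assumptions suited to scanning a mounted removable drive rather than a description of the actual artifacts.

```python
"""Triage .LNK files from a removable drive for signs of a script-host launcher.

Added example (not from the article or Symantec): parses the MS-SHLLINK header
and StringData fields, then applies defender heuristics. Sample shortcuts are
constructed inline; the command line is a placeholder, not a real payload.
"""
import re
import struct
from pathlib import Path

# LinkFlags bits (MS-SHLLINK 2.1.1) and the shell-link CLSID every .LNK starts with
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
SW_SHOWMINNOACTIVE = 7          # ShowCommand value that opens the window minimised
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "mshta", "wscript", "cscript")

def _string(buf, off, unicode):
    """Read one StringData field: 2-byte char count, then ANSI or UTF-16LE text."""
    n = struct.unpack_from("<H", buf, off)[0]
    off += 2
    if unicode:
        return buf[off:off + 2 * n].decode("utf-16-le"), off + 2 * n
    return buf[off:off + n].decode("latin-1"), off + n

def parse_lnk(buf):
    """Return the fields a triage needs: ShowCommand and the StringData strings."""
    size, clsid, flags = struct.unpack_from("<I16sI", buf, 0)
    if size != 0x4C or clsid != LNK_CLSID:
        raise ValueError("not a shell link file")
    show = struct.unpack_from("<I", buf, 60)[0]   # ShowCommand sits at header offset 60
    off = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:            # skip IDList: 2-byte size + items
        off += 2 + struct.unpack_from("<H", buf, off)[0]
    if flags & HAS_LINK_INFO:                      # skip LinkInfo: first dword is its size
        off += struct.unpack_from("<I", buf, off)[0]
    fields = {"show_command": show}
    for flag, key in ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                      (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                      (HAS_ICON_LOCATION, "icon_location")):
        fields[key], off = _string(buf, off, flags & IS_UNICODE) if flags & flag else ("", off)
    return fields

def triage(fields):
    """Heuristics (assumed, not from the article) for a shortcut that is a script launcher."""
    findings = []
    target = f"{fields['relative_path']} {fields['arguments']}".lower()
    if any(h in target for h in SCRIPT_HOSTS):
        findings.append("target is a script host or shell, not a document")
    if re.search(r"(^|\s)-e(c|nc|ncodedcommand)?(\s|$)", target):
        findings.append("encoded PowerShell command on the command line")
    if re.search(r"-w(indowstyle)?\s+hidden", target) or fields["show_command"] == SW_SHOWMINNOACTIVE:
        findings.append("window hidden or minimised at launch")
    if fields["icon_location"].lower().endswith(".dll") and findings:
        findings.append("icon borrowed from a system DLL to masquerade as a folder or document")
    return findings

def scan(directory):
    """Walk a mounted drive (e.g. E:\\) and return {path: findings} for flagged .lnk files."""
    hits = {}
    for p in Path(directory).rglob("*.lnk"):
        try:
            f = triage(parse_lnk(p.read_bytes()))
        except (ValueError, struct.error):
            continue                                # not a valid shortcut; skip it
        if f:
            hits[str(p)] = f
    return hits

def build_lnk(relative_path="", working_dir="", arguments="", icon_location="", show_command=1):
    """Build a minimal Unicode .LNK (header + StringData only) for exercising the parser."""
    flags, body = IS_UNICODE, b""
    for text, flag in ((relative_path, HAS_RELATIVE_PATH), (working_dir, HAS_WORKING_DIR),
                       (arguments, HAS_ARGUMENTS), (icon_location, HAS_ICON_LOCATION)):
        if text:
            flags |= flag
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le")
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_command, 0, 0, 0, 0)
    return header + body

# Constructed samples: a normal document shortcut and a launcher modelled on the
# removable-drive technique described in the article (placeholder payload, no real code).
BENIGN_LNK = build_lnk(relative_path=".\\Q1-Report.docx", working_dir=".")
SUSPICIOUS_LNK = build_lnk(
    relative_path="..\\..\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe",
    arguments="-w hidden -nop -enc <BASE64_PLACEHOLDER>",
    icon_location="%SystemRoot%\\System32\\shell32.dll",
    show_command=SW_SHOWMINNOACTIVE)

if __name__ == "__main__":
    for name, blob in (("benign", BENIGN_LNK), ("suspicious", SUSPICIOUS_LNK)):
        print(name, triage(parse_lnk(blob)))
```

Run `scan(r"E:\\")` against a freshly mounted drive to list shortcuts worth quarantining; the parser deliberately skips the IDList and LinkInfo blocks, because the launcher's intent is carried in the relative path, arguments and ShowCommand fields, which are enough to flag a shortcut before anyone double-clicks it.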
Symantec notes that Gamaredon's efforts have resulted in significant improvements to their tactics, techniques, and procedures (TTPs). These incremental yet meaningful enhancements elevate the risks posed by the group to Western networks. Notably, Gamaredon has shown an unwavering tenacity despite limited sophistication compared to other Russian state actors.
In recent months, Gamaredon's campaign has garnered attention due to its sophisticated nature and the threat it poses to Western military missions in Ukraine. The use of malicious drives, PowerShell-based tools, and legitimate services for evasion underscores the group's efforts to increase operational stealth and effectiveness.
The Gamaredon campaign reflects a broader trend among Russian state-backed hackers, who have demonstrated an ability to adapt their tactics and improve their techniques over time. As such, it is essential for Western nations to remain vigilant and implement robust security measures to counter these threats.
In conclusion, the recent Gamaredon campaign highlights the evolving nature of cyber attacks launched by Russian state-backed hackers. By employing sophisticated tools and techniques, these groups continue to pose a significant threat to Western networks. It is imperative that governments, organizations, and individuals take proactive steps to enhance their cybersecurity posture in response to this ongoing threat.
Related Information:
https://www.ethicalhackingnews.com/articles/Russian-Hackers-Deploy-Sophisticated-Malicious-Drive-to-Compromise-Western-Military-Mission-ehn.shtml
https://www.bleepingcomputer.com/news/security/russian-hackers-attack-western-military-mission-using-malicious-drive/
https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html
https://www.trendmicro.com/vinfo/us/security/news/cybercrime-and-digital-threats/tracking-detecting-and-thwarting-powershell-based-malware-and-attacks
https://allthings.how/how-to-use-powershell-to-scan-windows-for-virus-and-malware/
Published: Thu Apr 10 09:53:17 2025 by llama3.2 3B Q4_K_M