Listen to this Post
Introduction
In a bold and technically evolved campaign, the notorious Russian hacking group Gamaredon—also known as “Shuckworm”—has resurfaced with a new series of cyberattacks targeting a Western military mission in Ukraine. These recent intrusions mark a significant escalation in both strategy and sophistication, with attackers leveraging removable drives and enhanced malware to exfiltrate sensitive data. The campaign, which began in February 2025 and extended into March, demonstrates Gamaredon’s unrelenting intent to gather intelligence and compromise critical foreign assets operating within Ukraine.
While previously considered a less sophisticated threat actor in comparison to elite Russian cyber units like APT28 or APT29, Gamaredon is increasingly closing that gap. With their adoption of updated tactics and improved obfuscation methods, they are now leveraging legitimate services to cloak their operations, signaling a turning point in their capability evolution. Security analysts are especially concerned about the persistence of the threat group and their steady improvement in operational stealth.
This report dives into the details of the latest attacks, exploring the technical flow, the nature of the payloads, and what this means for the broader cybersecurity landscape.
Gamaredon’s Latest Cyber Espionage Campaign – Key Insights
- Campaign Timeline: The attack campaign began in February 2025 and continued through March, targeting a Western military presence in Ukraine.
-
Initial Infection Method: Malware was likely deployed through removable drives loaded with malicious
.LNKshortcut files, a known technique previously used by the group. -
New Tactical Shifts: A significant change includes moving from VBS scripts to PowerShell-based tools, alongside increased obfuscation and usage of legitimate cloud services to evade detection.
-
Registry Clues: Researchers discovered forensic evidence of the infection in the Windows Registry, specifically under the
UserAssistkey, confirming execution from an external drive. -
Command and Control (C2): One script established a C2 channel using Cloudflare-protected URLs, with IP resolution performed through public services, masking the destination from defenders.
-
Spread Mechanism: A second script enabled propagation via LNK files to other removable or network drives. It also hid system folders, ensuring stealthy lateral movement.
-
Recon and Data Collection: A PowerShell reconnaissance script was deployed to capture screenshots, inventory antivirus software, list active processes, and gather data from the system.
-
GammaSteel Payload: The core malware, an updated PowerShell-based version of GammaSteel, was embedded directly into the Windows Registry for stealthy persistence.
– Data Exfiltration Process:
- Documents such as
.DOC,.PDF,.XLS, and.TXTwere targeted.
– Files were hashed using `certutil.exe`.
– Primary exfiltration used PowerShell web requests.
-
If unsuccessful, fallback to cURL over the Tor network was employed.
-
Persistence Mechanism: The malware ensured long-term access by adding a new value to the
Runregistry key (HKCU\Software\Microsoft\Windows\CurrentVersion\Run). -
Strategic Improvements: Symantec noted incremental but meaningful upgrades in the group’s TTPs (tactics, techniques, and procedures).
-
Espionage Focus: The operation is clearly driven by intelligence-gathering motives, consistent with Gamaredon’s historical pattern of espionage in Ukraine.
What Undercode Say:
The latest wave of attacks by Gamaredon highlights a disturbing shift in Russia-backed cyber warfare tactics. Once dismissed as noisy and unsophisticated, Gamaredon is now proving itself to be far more disciplined and dangerous than previously thought. While still not matching the technical prowess of groups like Fancy Bear (APT28), they compensate through agility, persistence, and a rapidly evolving playbook.
What’s most striking is the group’s reliance on simple but effective delivery methods—like infected USB drives—which continue to work because of human error and lax endpoint security. The use of .LNK files is not new, but its consistent success underlines how even well-equipped targets remain vulnerable to social engineering and local infection vectors.
On the software side, the switch to PowerShell scripting allows attackers to remain fileless, avoiding detection by many traditional antivirus solutions. By embedding malware directly into the registry, they also reduce the forensic footprint left on disk, making post-incident analysis more difficult. Their use of legitimate cloud services like Cloudflare as proxies for command-and-control channels adds yet another layer of camouflage, frustrating defenders and incident responders.
Gamaredon’s approach is more about persistence and stealth than brute-force or zero-day exploits. Their reconnaissance capabilities—especially the use of automated screenshot capture, antivirus detection, and active process listing—reveal a calculated, methodical approach to espionage. These tactics are aimed at maximizing information theft while minimizing chances of exposure.
Another notable point is the flexible data exfiltration methods. The group’s fallback to Tor via cURL showcases a level of operational foresight uncommon in mid-tier APTs. This dual-pathway approach ensures that even if the primary communication channel is blocked or monitored, the stolen data can still be siphoned off discreetly.
From a broader geopolitical standpoint, these attacks are a reminder of the hybrid warfare tactics being employed in modern conflicts. Cyberattacks like this don’t just steal secrets—they disrupt trust, damage alliances, and erode the digital foundations of modern military operations.
Security teams, especially those supporting missions in conflict zones, must now adopt zero-trust architectures, reinforce removable media policies, and deploy behavioral analysis tools capable of catching obfuscated, fileless malware. Threat intelligence sharing among allies will also play a crucial role in identifying these rapidly evolving campaigns before they cause irreversible damage.
In conclusion, while Gamaredon may not be the flashiest actor in the Russian cyber arsenal, their increasing proficiency makes them a growing concern for NATO-aligned countries and anyone supporting Ukrainian defense efforts. Their campaign is a textbook example of how low-cost tools, clever tactics, and persistence can lead to high-impact intrusions.
Fact Checker Results:
- Symantec has publicly confirmed the malware used and the campaign timeline.
- LNK-based infection vectors and PowerShell payloads are consistent with previous Gamaredon patterns.
- Evidence of registry-based persistence and multi-channel exfiltration has been validated by independent security research.
References:
Reported By: www.bleepingcomputer.com
Extra Source Hub:
https://www.discord.com
Wikipedia
Undercode AI
Image Source:
Pexels
Undercode AI DI v2





