Russian APT ‘Gamaredon’ Escalates Phishing Attacks Targeting Ukrainian Government

In the ongoing cyber warfare landscape, the Russian-affiliated Advanced Persistent Threat (APT) group known as Gamaredon has intensified its spear-phishing campaigns against Ukrainian government institutions. After briefly shifting focus to NATO countries, recent research reveals that Gamaredon has now recommitted to targeting Ukraine with more sophisticated techniques and new malware toolsets. This resurgence underscores the persistent cyber threats faced by Ukraine amidst geopolitical tensions and highlights the evolving tactics of state-sponsored threat actors.

Gamaredon’s Latest Activities

Gamaredon, also known as Primitive Bear, has been active since at least 2013, operating as an arm of Russia’s Federal Security Service (FSB) from Crimea. The group is primarily engaged in cyberespionage and has historically been known for relatively unsophisticated and noisy operations. However, new research published by ESET’s Zoltán Rusnák reveals a marked improvement in the group’s stealth and technical capabilities in 2024.

The core of Gamaredon’s operations remains spear-phishing: carefully crafted emails designed to trick government employees into opening malicious attachments. The emails often masquerade as legal subpoenas or other urgent notifications and carry either a compressed archive or an HTML-smuggling attachment that writes the archive to disk when the page is rendered. Inside is an HTA or LNK file; when the user opens it, a built-in Windows component (mshta.exe for an HTA, the shortcut’s target for an LNK) runs a script stage that downloads and executes loaders such as PteroSand. The payloads delivered vary but include backdoors, downloaders, and exfiltration tools.

Alongside spear-phishing, Gamaredon has refined its use of weaponized USB and network drives for lateral movement. After compromising a system, the group deploys tools that copy themselves onto removable and mapped network drives together with malicious shortcut (LNK) files; a colleague who opens one of those shortcuts runs the malware on a second machine, spreading the infection through government networks, including to systems that were never phished directly. This tactic shows an increased focus on persistence and on reaching beyond the initially compromised host.
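The shortcut stage in both the phishing chain and the drive-spreading tactic described above can be hunted for on a mounted share or USB drive. The following Python is an added example, not ESET’s code or the group’s tooling: it parses the shell-link header and StringData per the MS-SHLLINK specification, then flags shortcuts whose target or arguments point at a script host. The indicator regexes, the sample file names, the `\\fileserver\public\update.hta` path and the `make_lnk()` builder are constructed for the demo.

```python
"""Flag shortcut (.lnk) files on a share or removable drive that launch script hosts,
the spreader pattern described above. Added example, not ESET's code or the group's
tooling; offsets follow MS-SHLLINK, while the indicator regexes, sample file names
and the make_lnk() builder are constructed for the demo."""
import os
import re
import struct
import tempfile

HEADER_SIZE = 0x4C
LINK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, IS_UNICODE = 0x01, 0x02, 0x80   # LinkFlags bits
STRING_FIELDS = ((0x04, "name"), (0x08, "relative_path"), (0x10, "working_dir"),
                 (0x20, "arguments"), (0x40, "icon_location"))        # StringData order
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that opens the console minimised, out of sight

# Script hosts a "document" shortcut has no business launching (constructed watchlist)
LOLBIN_RE = re.compile(r"\b(mshta|powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
# Downloader-style arguments: encoded PowerShell, hidden windows, URLs, UNC paths, script payloads
ARG_RE = re.compile(r"(-enc(odedcommand)?\b|-w(indowstyle)?\s+hidden|https?://|\\\\[\w.-]+\\|\.hta\b|\.vbs\b)", re.I)


def parse_lnk(data: bytes) -> dict:
    """Return ShowCommand plus the StringData fields of a shell link."""
    if len(data) < HEADER_SIZE or struct.unpack_from("<I", data)[0] != HEADER_SIZE or data[4:20] != LINK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", data, 0x14)[0]
    fields = {"show_command": struct.unpack_from("<I", data, 0x3C)[0]}
    pos = HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # skip LinkTargetIDList: IDListSize (2 bytes) + items
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # skip LinkInfo: LinkInfoSize counts itself
        pos += struct.unpack_from("<I", data, pos)[0]
    for flag, key in STRING_FIELDS:          # each string: CountCharacters (2 bytes) + text
        fields[key] = ""
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]
        pos += 2
        width = 2 if flags & IS_UNICODE else 1
        raw = data[pos:pos + count * width]
        pos += count * width
        fields[key] = raw.decode("utf-16-le") if width == 2 else raw.decode("cp1252", "replace")
    return fields


def classify(fields: dict, filename: str = "") -> list:
    """Return the reasons a shortcut looks like a spreader; an empty list means clean."""
    reasons = []
    m = LOLBIN_RE.search(fields["relative_path"])
    if m:
        reasons.append(f"launches {m.group(1).lower()}")
    m = ARG_RE.search(fields["arguments"])
    if m:
        reasons.append(f"downloader-style argument {m.group(0)!r}")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("window minimised on launch")
    if reasons and fields["icon_location"] and not LOLBIN_RE.search(fields["icon_location"]):
        reasons.append(f"icon borrowed from {fields['icon_location']}")  # disguised as folder/document
    if re.search(r"\.(pdf|docx?|xlsx?|txt)\.lnk$", filename, re.I):
        reasons.append("double extension")
    return reasons


def scan_tree(root: str) -> dict:
    """Walk root (a mounted share or USB drive) and map each flagged .lnk path to its reasons."""
    hits = {}
    for dirpath, _, names in os.walk(root):
        for name in names:
            if not name.lower().endswith(".lnk"):
                continue
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                try:
                    reasons = classify(parse_lnk(fh.read()), name)
                except ValueError:
                    continue
            if reasons:
                hits[path] = reasons
    return hits


def make_lnk(relative_path, arguments="", icon_location="", unicode=True, show_command=1) -> bytes:
    """Build a minimal shell link (no IDList, no LinkInfo) for the demo; real samples carry both."""
    supplied = {"relative_path": relative_path, "arguments": arguments, "icon_location": icon_location}
    flags, body = (IS_UNICODE if unicode else 0), b""
    for flag, key in STRING_FIELDS:
        text = supplied.get(key, "")
        if text:
            flags |= flag
            body += struct.pack("<H", len(text)) + text.encode("utf-16-le" if unicode else "cp1252")
    header = bytearray(HEADER_SIZE)
    struct.pack_into("<I", header, 0, HEADER_SIZE)
    header[4:20] = LINK_CLSID
    struct.pack_into("<I", header, 0x14, flags)
    struct.pack_into("<I", header, 0x3C, show_command)
    return bytes(header) + body


def demo() -> dict:
    """Drop three constructed shortcuts (one benign, two spreader-style) into a temp dir and scan it."""
    root = tempfile.mkdtemp(prefix="share_")
    samples = {
        "Quarterly report.lnk": make_lnk(r"..\Documents\report.docx"),
        "Subpoena.pdf.lnk": make_lnk(r"..\..\..\Windows\System32\mshta.exe", r"\\fileserver\public\update.hta",
                                     r"%SystemRoot%\System32\shell32.dll", show_command=SW_SHOWMINNOACTIVE),
        "Photos.lnk": make_lnk(r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                               "-w hidden -enc SQBFAFgA", unicode=False),
    }
    for name, blob in samples.items():
        with open(os.path.join(root, name), "wb") as fh:
            fh.write(blob)
    return {os.path.basename(p): r for p, r in scan_tree(root).items()}


if __name__ == "__main__":
    print(demo())
```

The parser deliberately skips the IDList and LinkInfo blocks rather than decoding them, so it will also read shortcuts that only carry an absolute target in those structures but show an empty `relative_path`; on a real share, treat any shortcut with arguments, a minimised window, or a borrowed icon as worth a second look even when the target is not resolved.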

ESET’s white paper details six new tools in

Furthermore, Gamaredon employs obfuscation and anti-blocking measures to keep its C2 reachable: resolved C2 addresses are cached in temporary files so the implant does not have to repeat lookups that defenders could observe or block, and the lookups themselves go through third-party resolvers rather than the organisation’s own DNS, which keeps them out of internal DNS logs and blocklists. Despite the relative simplicity of spear-phishing as an initial access vector, the group continues to rely on it because it keeps working.

What Undercode Say:

Gamaredon’s resurgence is a stark reminder that state-sponsored groups evolve without abandoning tried-and-true tactics. Spear-phishing remains the baseline, but the payloads and the infrastructure behind them have become noticeably more sophisticated. The use of Cloudflare subdomains for C2 channels is particularly notable: it reflects a trend of abusing legitimate cloud services so that C2 traffic is TLS to a reputable provider and cannot be blocked on IP or domain reputation alone, which complicates detection and mitigation.

The persistence of Gamaredon’s attacks despite years of public exposure suggests that Ukraine’s defenses against social engineering and phishing may still be vulnerable. This underscores a broader challenge faced by organizations under constant geopolitical attack: how to strengthen human and technical defenses against increasingly tailored and persistent campaigns. Gamaredon’s adoption of stealthier persistence methods, such as Excel add-ins loaded whenever Excel starts and Windows Management Instrumentation (WMI) event subscriptions, shows a shift toward reducing its footprint: neither shows up in the Run keys or scheduled tasks that most persistence checks cover.
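WMI event subscriptions are found by joining three objects (filter, consumer, binding) rather than by looking at any one of them. The following Python is an added example, not from the report or DarkReading: it correlates WMI subscription telemetry into filter-to-consumer chains and scores each chain. The records are shaped like Sysmon event IDs 19, 20 and 21 (WmiEventFilter, WmiEventConsumer, WmiEventConsumerToFilter, with field names as Sysmon logs them) but are constructed; the names Updater and TimerWatch, the CORP\j.doe account, the trigger and path patterns and the threshold of two indicators are invented for the demo.

```python
"""Correlate WMI subscription telemetry into filter -> consumer chains and flag the
persistence pattern noted above. Added example, not from the report. Records are
shaped like Sysmon event IDs 19/20/21 (WmiEventFilter, WmiEventConsumer,
WmiEventConsumerToFilter); the events below are constructed, not real telemetry."""
import re

SCRIPT_CONSUMERS = {"CommandLineEventConsumer", "ActiveScriptEventConsumer"}  # run arbitrary code
LOLBIN_RE = re.compile(r"\b(mshta|powershell|pwsh|cmd|wscript|cscript|rundll32|regsvr32)(\.exe)?\b", re.I)
# Filter queries that fire at boot, on a timer or at logon: the triggers persistence implants use
TRIGGER_RE = re.compile(r"SystemUpTime|Win32_LocalTime|Win32_LogonSession|__TimerEvent|Win32_ProcessStartTrace", re.I)
USER_WRITABLE_RE = re.compile(r"\\(Users\\Public|ProgramData|Temp)\\|\\AppData\\", re.I)
NAME_RE = re.compile(r'Name="([^"]*)"')  # Sysmon writes bindings as Class.Name="..."

# Constructed sample: the stock SCM subscription every Windows host has, plus two implant-style chains
EVENTS = [
    {"id": 19, "User": "NT AUTHORITY\\SYSTEM", "EventNamespace": "root\\subscription",
     "Name": "SCM Event Log Filter", "Query": "select * from MSFT_SCMEventLogEvent"},
    {"id": 20, "User": "NT AUTHORITY\\SYSTEM", "Name": "SCM Event Log Consumer",
     "Type": "NTEventLogEventConsumer", "Destination": ""},
    {"id": 21, "User": "NT AUTHORITY\\SYSTEM", "Consumer": 'NTEventLogEventConsumer.Name="SCM Event Log Consumer"',
     "Filter": '__EventFilter.Name="SCM Event Log Filter"'},
    {"id": 19, "User": "CORP\\j.doe", "EventNamespace": "root\\cimv2", "Name": "Updater",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_PerfFormattedData_PerfOS_System' AND TargetInstance.SystemUpTime >= 240"},
    {"id": 20, "User": "CORP\\j.doe", "Name": "Updater", "Type": "CommandLineEventConsumer",
     "Destination": 'mshta.exe "C:\\Users\\Public\\upd.hta"'},
    {"id": 21, "User": "CORP\\j.doe", "Consumer": 'CommandLineEventConsumer.Name="Updater"',
     "Filter": '__EventFilter.Name="Updater"'},
    {"id": 19, "User": "CORP\\j.doe", "EventNamespace": "root\\cimv2", "Name": "TimerWatch",
     "Query": "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA "
              "'Win32_LocalTime' AND TargetInstance.Minute = 30"},
    {"id": 20, "User": "CORP\\j.doe", "Name": "TimerWatch", "Type": "ActiveScriptEventConsumer",
     "Destination": 'CreateObject("WScript.Shell").Run "powershell -w hidden -enc SQBFAFgA", 0'},
    {"id": 21, "User": "CORP\\j.doe", "Consumer": 'ActiveScriptEventConsumer.Name="TimerWatch"',
     "Filter": '__EventFilter.Name="TimerWatch"'},
]


def build_chains(events: list) -> list:
    """Join each binding (ID 21) to its filter (ID 19) and consumer (ID 20) by name."""
    filters = {e["Name"]: e for e in events if e["id"] == 19}
    consumers = {e["Name"]: e for e in events if e["id"] == 20}
    chains = []
    for e in events:
        if e["id"] == 21:
            fname = NAME_RE.search(e["Filter"]).group(1)
            cname = NAME_RE.search(e["Consumer"]).group(1)
            chains.append((fname, cname, filters.get(fname), consumers.get(cname)))
    return chains


def score_chain(flt: dict, con: dict) -> list:
    """Return the indicators present in one resolved filter/consumer pair."""
    reasons = []
    if con["Type"] in SCRIPT_CONSUMERS:
        reasons.append(f"{con['Type']} runs arbitrary code")
    m = LOLBIN_RE.search(con["Destination"])
    if m:
        reasons.append(f"runs {m.group(1).lower()}")
    if TRIGGER_RE.search(flt["Query"]):
        reasons.append("boot/timer/logon trigger")
    if USER_WRITABLE_RE.search(con["Destination"]):
        reasons.append("payload in user-writable path")
    return reasons


def hunt(events: list, threshold: int = 2) -> dict:
    """Map 'filter -> consumer' to its reasons for every chain with at least `threshold` indicators."""
    findings = {}
    for fname, cname, flt, con in build_chains(events):
        if flt is None or con is None:  # partial telemetry: a binding without its objects is itself odd
            findings[f"{fname} -> {cname}"] = ["filter or consumer not seen in telemetry"]
            continue
        reasons = score_chain(flt, con)
        if len(reasons) >= threshold:
            findings[f"{fname} -> {cname}"] = reasons
    return findings


if __name__ == "__main__":
    for chain, reasons in hunt(EVENTS).items():
        print(chain, "->", "; ".join(reasons))
```

On a live host without Sysmon, the same three object types can be pulled with `Get-CimInstance -Namespace root/subscription -ClassName __EventFilter`, `__EventConsumer` and `__FilterToConsumerBinding` and fed through the same scoring; the stock SCM Event Log chain is expected on every Windows machine and should score zero.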

Moreover, the collaboration between Gamaredon and other groups like InvisiMole shows how threat actors can combine resources and expertise to amplify their capabilities. The weaponization of network drives and USB devices for lateral movement also indicates a strategic focus on internal network compromise, aiming to spread quietly and maximize data exfiltration opportunities.

The choice to remain with spear-phishing despite its relative simplicity indicates a calculated cost-benefit analysis by Gamaredon: investing heavily in complex malware delivery and persistence while maintaining an accessible attack vector. This is likely because spear-phishing exploits the weakest link in cybersecurity — human error — which remains difficult to fully eliminate even with advanced technical defenses.

Finally, the use of Telegram channels for propaganda alongside espionage activities underscores the multi-dimensional nature of modern cyber campaigns, blending intelligence gathering with psychological operations.

Fact Checker Results:

✅ Gamaredon is confirmed to be a Russian state-affiliated threat actor operating since 2013.
✅ The group’s use of spear-phishing with malicious attachments is well-documented and ongoing.
✅ The use of Cloudflare subdomains to hide C2 infrastructure aligns with recent trends in cyber threat operations.

📊 Prediction:

Given Gamaredon’s demonstrated ability to refine its tools and infrastructure while retaining effective spear-phishing campaigns, it is likely that Ukrainian government entities will continue to face persistent cyber espionage and disruption attempts. We can expect further evolution in their malware’s stealth features and the possible expansion of attacks to other government-linked sectors or allies. Defensive strategies will need to emphasize user training to combat phishing, enhanced network segmentation to limit lateral movement, and advanced detection methods capable of identifying covert cloud-based C2 communications. Without these measures, Gamaredon’s cyber incursions will remain a significant threat vector in the ongoing conflict.

References:

Reported By: www.darkreading.com