The PteroLNK Malware Campaign: A Deep Dive into Gamaredon’s Advanced Tactics


In recent months, researchers have uncovered a sophisticated malware campaign tied to the Gamaredon group, a hacking collective with known ties to Russia’s Federal Security Service (FSB). This campaign, which ran from late 2024 through March 2025, revolves around the deployment of the PteroLNK malware, a VBScript-based threat designed to infiltrate Ukrainian government, military, and critical infrastructure sectors. By leveraging military-themed lures and a highly adaptable, multi-stage delivery mechanism, Gamaredon has succeeded in creating a resilient and evasive cyber-attack ecosystem.

The PteroLNK malware represents a new evolution in their arsenal, employing advanced propagation techniques, dynamic payload delivery, and obfuscated scripting to maximize operational effectiveness. In this analysis, we will break down the technical details of the malware’s functionality, its complex infrastructure, and the strategic objectives behind the attack.

PteroLNK Malware: The Backbone of Gamaredon’s Latest Campaign

PteroLNK is a sophisticated and heavily obfuscated malware payload primarily written in VBScript. Its primary function is to deploy two secondary payloads—an LNK dropper and a downloader—that further enable malicious activities once the initial infection is complete.

How the Malware Operates

Once executed, the PteroLNK script ensures persistence by placing itself in multiple locations across the victim’s system. It modifies key Windows Explorer settings to hide its activities from the user and creates an invisible presence on the network. Importantly, the script is designed for flexibility, allowing the attackers to modify parameters like file names, paths, and persistence mechanisms, making it extremely adaptable and hard to detect.

The script deposits itself into folders like %PUBLIC%\NTUSER.DAT.TMContainer and %APPDATA%\~.drv, where it can remain undetected while it silently works to deploy additional malware. The malware is engineered to fetch updates every few minutes through a downloader component, which pulls in new malicious payloads as part of a multi-stage attack process.

In addition to its main payloads, the downloader stores and rotates command-and-control (C2) server addresses through Windows registry keys, which also contain custom User-Agent strings that uniquely identify infected hosts. These identifiers help the attackers track and manage their infections.

Cloud-based Command-and-Control Infrastructure

One of the campaign’s most interesting aspects is the use of Cloudflare quick tunnels, which the attackers employ as part of their C2 infrastructure. These tunnels blend seamlessly with legitimate traffic, helping to obscure malicious activity and complicating detection efforts. The malware uses several fallback mechanisms, including hardcoded Dead Drop Resolvers (DDRs) hosted on anonymous platforms like Telegraph and Teletype. This allows the malware to bypass disruptions in its communication channels, maintaining a persistent presence on the infected network.

Military Themes and Propagation Strategies

Gamaredon’s targeting strategy leverages military-themed decoy files written in Ukrainian, enhancing the social engineering element of the attack. Once inside, the malware propagates across shared storage environments, creating multiple malicious shortcuts in the directories it can reach. These shortcuts execute the PteroLNK script on any system that opens them, increasing the malware’s ability to spread laterally within the targeted network.
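The persistence paths named above and the shortcut-based propagation give a defender two concrete things to hunt for. The following PowerShell sweep is an added example, not code from the report or from Gamaredon’s tooling: the two folder paths come from the article, while the Explorer “hidden files” registry values and the heuristic that a dropper’s shortcut launches wscript/cscript or a .vbs file are assumptions about what such an infection looks like on disk.

```powershell
# Hunt for PteroLNK-style artefacts on the local host and on supplied share roots.
# Folder names are from the report; the registry values and LNK heuristic are assumptions.

$ArtefactPaths = @(
    (Join-Path $env:PUBLIC  'NTUSER.DAT.TMContainer'),
    (Join-Path $env:APPDATA '~.drv')
)

# Explorer settings the script is reported to tamper with so its files stay hidden.
# 'Hidden' = 2 means hidden files are not shown; 'ShowSuperHidden' = 0 hides system files.
$ExplorerKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'

function Find-PteroLnkArtefacts {
    param([string[]]$ShareRoots = @())   # mapped or removable drive roots to sweep, e.g. 'E:\'
    $hits = @()

    foreach ($p in $ArtefactPaths) {
        # -LiteralPath stops PowerShell expanding '~' in '~.drv' to the home directory.
        if (Test-Path -LiteralPath $p) {
            $hits += [pscustomobject]@{ Type = 'PersistencePath'; Path = $p; Detail = '' }
        }
    }

    $adv = Get-ItemProperty -Path $ExplorerKey -ErrorAction SilentlyContinue
    if ($adv -and ($adv.Hidden -eq 2 -or $adv.ShowSuperHidden -eq 0)) {
        $hits += [pscustomobject]@{ Type = 'ExplorerHiddenFiles'; Path = $ExplorerKey
                                     Detail = "Hidden=$($adv.Hidden) ShowSuperHidden=$($adv.ShowSuperHidden)" }
    }

    # Resolve each .lnk on the share roots and flag those that launch a script host or a .vbs file.
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $ShareRoots) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        foreach ($file in Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue) {
            $lnk = $shell.CreateShortcut($file.FullName)
            $cmd = "$($lnk.TargetPath) $($lnk.Arguments)"
            if ($cmd -match '\b(wscript|cscript)(\.exe)?\b|\.vbs\b') {
                $hits += [pscustomobject]@{ Type = 'SuspiciousLnk'; Path = $file.FullName; Detail = $cmd }
            }
        }
    }
    return $hits
}

Find-PteroLnkArtefacts -ShareRoots @('E:\') | Format-Table -AutoSize
```

Any hit is a lead to triage, not a verdict: legitimate shortcuts to scripts exist, so confirm with the file’s timestamps and the content of the referenced script before acting.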

This modular, multi-stage approach is highly effective at ensuring persistence, enabling Gamaredon to maintain control over infected systems and collect intelligence from key Ukrainian sectors.

What Undercode Says:

The technical sophistication of the PteroLNK malware campaign demonstrates a notable evolution in the threat landscape, particularly for politically motivated cyber-attacks. Gamaredon’s use of modular, customizable scripts that dynamically adapt to changing security environments sets it apart from many other threat actors, making their attacks difficult to predict and mitigate.

The reliance on Cloudflare quick tunnels for C2 communications is a strategic move that reflects an understanding of modern internet infrastructure and how to use it to the attackers’ advantage. By utilizing platforms that provide low-profile, high-availability access points, Gamaredon can keep its operations under the radar even when security forces actively try to shut them down.

Moreover, the campaign’s choice of military-themed lures and file names in Ukrainian is a deliberate and effective form of psychological warfare. It not only targets critical infrastructure but also seeks to exploit the emotional and geopolitical climate surrounding the conflict, adding an extra layer of complexity to defensive efforts.

This technical approach is not groundbreaking in terms of exploiting new vulnerabilities, but rather an evolution of Gamaredon’s ongoing tactics: leveraging redundancy, obfuscation, and rapid adaptability. The malware’s modularity and stealth techniques allow it to continue operating even under heavy scrutiny, and its ability to rotate C2 addresses and communication channels ensures that the threat remains a persistent one.

As we look to the future, it is clear that campaigns like these will continue to challenge security professionals. Gamaredon’s persistence and ability to adapt to evolving countermeasures point to a broader trend in cyber warfare—one where attackers are not only exploiting vulnerabilities but are actively shaping the attack landscape to ensure their long-term success.

Fact Checker Results:

  • The attribution to Gamaredon, backed by indicators such as unique file paths, custom User-Agent strings, and domain usage, is well-supported by existing threat intelligence databases.
  • The use of Cloudflare quick tunnels and hardcoded DDRs reflects Gamaredon’s known tactics for enhancing C2 resilience and evading detection.


References:

Reported By: cyberpress.org