🇷🇺 RU2 malware familiesExploits CVEs in the wild

BlueAlpha

Also known asbluealpha

BlueAlpha is a Russian state-sponsored cyber threat group operating under the directive of the Russian Federal Security Service (FSB). The reporting states that BlueAlpha overlaps with the publicly reported groups Gamaredon, Shuckworm, Hive0051, and UNC530. It has been active since at least 2014 and continues to target Ukrainian organizations. The group is described as conducting relentless spearphishing campaigns to distribute custom malware. Since at least October 2023, it has delivered the custom VBScript malware GammaLoad, which enables data exfiltration, credential theft, and persistent access to compromised networks. BlueAlpha also uses GammaDrop as a dropper that writes GammaLoad to disk and establishes persistence; GammaLoad can beacon to command-and-control infrastructure and execute additional malware. The content highlights BlueAlpha’s evolving delivery and evasion tradecraft. It uses HTML smuggling with embedded JavaScript, including modified deobfuscation methods such as the onerror HTML event, to bypass email defenses. It has also leveraged Cloudflare Tunnels, specifically TryCloudflare subdomains, to conceal GammaDrop staging infrastructure and evade traditional network detection. The reporting further notes use of DNS fast-fluxing to complicate tracking and disruption of command-and-control communications, as well as obfuscation techniques including extensive junk code and random variable names. More broadly, the content places BlueAlpha among Russian state-sponsored groups demonstrating Russia’s ability to scale cyber operations, and separately notes that Russia-linked BlueAlpha has leveraged Cloudflare to evade detection.

Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial

OPERATIONAL PROFILE

Targeting

Who, where, and (when attributed) which flag flies behind the operation. Pulled from open-source reporting and Mallory's analyst review.

Where they're from

Attributed origin per open-source reporting.

MITRE ATT&CK

Tradecraft

28 distinct techniques observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

12 of 15 tactics45 techniques×N= number of intelligence reports citing this technique

MITRE ATT&CK

TA0001

Initial Access

2 techniques

T1091

Replication Through Removable Media

T1566

Phishing

T1566.001×3

Spearphishing Attachment

TA0002

Execution

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1059

Command and Scripting Interpreter

T1059.005

Visual Basic

T1203×2

Exploitation for Client Execution

TA0003

Persistence

3 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1112

Modify Registry

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0004

Privilege Escalation

2 techniques

T1053

Scheduled Task/Job

T1053.005

Scheduled Task

T1547

Boot or Logon Autostart Execution

T1547.001

Registry Run Keys / Startup Folder

T1547.009

Shortcut Modification

TA0005

Stealth

3 techniques

T1027×2

Obfuscated Files or Information

T1027.006×2

HTML Smuggling

T1218

System Binary Proxy Execution

T1218.005

Mshta

T1564

Hide Artifacts

T1564.001

Hidden Files and Directories

T1564.004

NTFS File Attributes

TA0112

Defense Impairment

1 technique

T1112

Modify Registry

TA0006

Credential Access

1 technique

T1555

Credentials from Password Stores

TA0007

Discovery

2 techniques

T1082

System Information Discovery

T1083

File and Directory Discovery

TA0008

Lateral Movement

2 techniques

T1091

Replication Through Removable Media

T1570

Lateral Tool Transfer

TA0009

Collection

3 techniques

T1025

Data from Removable Media

T1039

Data from Network Shared Drive

T1119

Automated Collection

TA0011

Command and Control

6 techniques

T1071

Application Layer Protocol

T1071.001

Web Protocols

T1090

Proxy

T1090.002

External Proxy

T1102

Web Service

T1105×2

Ingress Tool Transfer

T1568

Dynamic Resolution

T1568.001

Fast Flux DNS

T1573

Encrypted Channel

TA0010

Exfiltration

1 technique

T1567

Exfiltration Over Web Service

ARSENAL

Associated malware families

2 malware families attributed to this actor across reporting.

FamilyContextEvidenceLast seen

GammaDropGammaDrop: acts as a dropper, writing GammaLoad to disk and ensuring persistence1May 25, 2026

GammaLoadSince at least October 2023 BlueAlpha has delivered the custom VBScript malware GammaLoad, enabling data exfiltration, credential theft, and persistent access to compromised networks.1May 25, 2026

WEAPONIZED

Associated vulnerabilities

1 CVE this actor has used in observed campaigns. 1 of them exploited in the wild.

CVE-2025-8088WinRAR Windows Path Traversal via NTFS Alternate Data StreamsIn the wildEvidence1

“The initial access vector was a specially crafted RAR archive delivered via spear-phishing emails. This attack exploited a directory traversal vulnerability, CVE-2025-8088. The vulnerability’s technical principle lies in the fact that archivers allow files to contain Alternate Data Streams (ADS), which can be used to carry arbitrary malicious payloads.”

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app

recorded future blogNews

Feb 24, 2026

Preparing for Russia’s New Generation Warfare in Europe

Russia-linked cyber activity cluster referenced as part of a set of actors demonstrating scalable operations from access/intelligence collection toward potential disruption under changed strategic conditions.

recorded future blogNews

Feb 25, 2025

2024 Malicious Infrastructure Report

BlueAlpha is a Russian state-sponsored group using Cloudflare Tunnels to stage and deliver GammaDrop malware.

recorded future blogNews

Jan 9, 2025

Chinese State-Sponsored RedDelta Targeted Taiwan, Mongolia, and Southeast Asia with Adapted PlugX Infection Chain

State-sponsored group referenced as using Cloudflare to evade detection.

recorded future blogNews

Dec 5, 2024

BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

State-sponsored cyber operations targeting Ukrainian organizations through relentless spearphishing campaigns to distribute custom malware, including GammaLoad and GammaDrop, for data exfiltration, credential theft, and persistent access.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.

Start free trial

Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping28

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal2

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs1

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.