Malware. Used by 1 actor.

PteroLNK

PteroLNK is a Gamaredon weaponizer used for propagation and lateral movement: it infects removable USB drives and mapped network drives with malicious Windows LNK files. When a victim opens one of the malicious shortcut files, it triggers retrieval and execution of downloader malware, including the VBScript-based payload chains associated with Gamaredon. ESET reported that the VBScript version of PteroLNK was enhanced in early 2024 to weaponize mapped network drives in addition to USB drives, expanding its spread within compromised environments. During the second half of 2024 it received further updates that improved obfuscation, made LNK creation more complex, and added registry-based techniques to hide files and file extensions from victims. The tool has been associated with Gamaredon's broader spear-phishing and post-compromise activity targeting Ukrainian governmental, military, law-enforcement, and defense-related entities. ESET also observed PteroLNK deployed on Ukrainian machines in early 2025 in incidents where Gamaredon activity overlapped with Turla operations involving the Kazuar backdoor.


Threat actors: groups observed using it

1 distinct threat actor attributed by public researchers.
Gamaredon Group

Gamaredon's attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.

Source: The Hacker News (thehackernews.com)
MITRE ATT&CK: techniques & procedures

20 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access (1 technique)

T1091 Replication Through Removable Media (evidence: 1)

…facilitate lateral movement by infecting USB drives and network drives with malicious LNK files

Execution (4 techniques)

T1053 Scheduled Task/Job (evidence: 1)

“establishing persistence through scheduled tasks… The downloader payload is scheduled to execute every 3 minutes, while the LNK dropper script runs every 9 minutes.”

T1059.005 Visual Basic (evidence: 2)

These files delivered malicious HTA or LNK files that executed embedded VBScript downloaders such as PteroSand.

T1059.007 JavaScript (evidence: 1)

“the shortcuts contains a javascript command which leverages wscript.exe… javascript:eval('w=new ActiveXObject("WScript.Shell"); … wscript.exe //e:vbScript ~.drv')”

T1204.002 Malicious File (evidence: 1)

…infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.

Persistence (4 techniques)

T1053 Scheduled Task/Job (evidence: 1)

“establishing persistence through scheduled tasks… The downloader payload is scheduled to execute every 3 minutes, while the LNK dropper script runs every 9 minutes.”

T1112 Modify Registry (evidence: 1)

“concealing its activities by modifying Windows Explorer settings to hide files… modifies the registry in order to hide hidden files and folders, extensions and protected OS files.”

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

“parameters such as… persistence mechanisms (registry keys and scheduled tasks)… The Windows registry is leveraged to persistently store and retrieve the C2 addresses… HKEY_CURRENT_USER\Console\WindowsUpdates… WindowsResponby… WindowsDetect”

T1547.009 Shortcut Modification (evidence: 1)

Gamaredon introduced another novel technique: using malicious LNK files to execute PowerShell commands directly from Cloudflare-generated domains

Privilege Escalation (3 techniques)

T1053 Scheduled Task/Job (evidence: 1)

“establishing persistence through scheduled tasks… The downloader payload is scheduled to execute every 3 minutes, while the LNK dropper script runs every 9 minutes.”

T1547.001 Registry Run Keys / Startup Folder (evidence: 1)

“parameters such as… persistence mechanisms (registry keys and scheduled tasks)… The Windows registry is leveraged to persistently store and retrieve the C2 addresses… HKEY_CURRENT_USER\Console\WindowsUpdates… WindowsResponby… WindowsDetect”

T1547.009 Shortcut Modification (evidence: 1)

Gamaredon introduced another novel technique: using malicious LNK files to execute PowerShell commands directly from Cloudflare-generated domains

Stealth (5 techniques)

T1027 Obfuscated Files or Information (evidence: 2)

Throughout the second half of 2024, it received multiple incremental updates, including improved obfuscation

T1036 Masquerading (evidence: 1)

“replacing existing files and folders with deceptive shortcuts… creates a malicious shortcut that mimics the original file… chooses… military-themed decoy filenames in Ukrainian”

T1218.005 Mshta (evidence: 1)

“Shortcuts are configured to execute the main PteroLNK VBScript malware… via mshta.exe.”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

“conditional execution logic… presence of the “360 Total Security” antivirus… execution… shifted from scheduled tasks to an infinite loop… no actions… to conceal files either.”

T1564.001 Hidden Files and Directories (evidence: 1)

registry-based techniques to hide files and file extensions from victims.

Defense Impairment (1 technique)

T1112 Modify Registry (evidence: 1)

“concealing its activities by modifying Windows Explorer settings to hide files… modifies the registry in order to hide hidden files and folders, extensions and protected OS files.”

Discovery (3 techniques)

T1016 System Network Configuration Discovery (evidence: 1)

“enumerates local and mapped drives… propagate through local and network drives”

T1083 File and Directory Discovery (evidence: 1)

“for each .pdf, .docx and .xlsx file in the root of the drive, it creates a malicious shortcut… repeats for subfolders up to three levels deep.”

T1497 Virtualization/Sandbox Evasion (evidence: 1)

“conditional execution logic… presence of the “360 Total Security” antivirus… execution… shifted from scheduled tasks to an infinite loop… no actions… to conceal files either.”

Lateral Movement (2 techniques)

T1091 Replication Through Removable Media (evidence: 1)

…facilitate lateral movement by infecting USB drives and network drives with malicious LNK files

T1570 Lateral Tool Transfer (evidence: 2)

Gamaredon's attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files

Command and Control (4 techniques)

T1071.001 Web Protocols (evidence: 1)

“sends… HTTP GET request… using its custom User-Agent… DDR at telegra.ph… teletype.in… trycloudflare.com tunnel…”

T1090.002 External Proxy (evidence: 1)

“Cloudflare quick tunnel address… hosted on trycloudflare.com… adopted by threat actors… traverse network detection by blending with legitimate traffic.”

T1105 Ingress Tool Transfer (evidence: 1)

“This payload serves as a downloader… designed to retrieve and deploy additional malware… processes server responses expected to contain Base64-encoded VBScript payloads.”

T1568 Dynamic Resolution (evidence: 1)

“Gamaredon uses Telegraph and Teletype articles as Dead Drop Resolver (DDR)… DDR response is parsed… to extract an updated C2 address… pivot between fallback mechanisms.”
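The evidence quoted above under File and Directory Discovery (a shortcut for each .pdf, .docx and .xlsx file in the drive root, repeated three folder levels deep), Masquerading (the shortcut mimics the original file) and Mshta / JavaScript (the shortcut launches the VBScript via mshta.exe or wscript.exe) describes a lure layout that a defender can sweep a removable or mapped drive for. The following script is an added example written for this page; it is not Mallory's, ESET's or Gamaredon's code. It walks a drive to the three-level depth the page quotes and flags .lnk files that look like a document (double extension such as name.pdf.lnk, or the same stem as a document sitting beside them) and whose UTF-16 data contains a launcher string named on the page. The Shell Link header bytes are the standard LNK header; the sample drive, file names and shortcut contents are constructed for the demo, and the constructed shortcuts are deliberately not valid LNK files beyond that header.

```python
"""Hunt a removable or mapped drive for PteroLNK-style document-lure shortcuts.

Added example for the Mallory PteroLNK page; not code from Mallory, ESET or the
malware. Sample drive contents are constructed inline for the demonstration.
"""
import os
import shutil
import tempfile
from pathlib import Path
from typing import Dict, List

# Document types the page says PteroLNK pairs with a lure shortcut.
DOC_EXTS = {".pdf", ".docx", ".xlsx"}
# Shell Link header: HeaderSize 0x4C followed by LinkCLSID
# 00021401-0000-0000-C000-000000000046 in little-endian GUID layout (20 bytes).
LNK_MAGIC = (b"\x4c\x00\x00\x00"
             b"\x01\x14\x02\x00\x00\x00\x00\x00\xc0\x00\x00\x00\x00\x00\x00\x46")
# Launcher strings quoted on the page; shortcut arguments are stored as UTF-16LE.
SUSPECT_TOKENS = ["mshta", "wscript", "javascript:", "//e:vbscript"]


def is_shell_link(data: bytes) -> bool:
    """True when the file starts with the Shell Link header."""
    return data[:20] == LNK_MAGIC


def looks_like_document_lure(path: Path) -> bool:
    """'report.pdf.lnk' (double extension) or 'report.lnk' next to 'report.pdf'."""
    if path.suffix.lower() != ".lnk":
        return False
    if Path(path.stem).suffix.lower() in DOC_EXTS:   # strip .lnk, inspect the rest
        return True
    return any((path.parent / (path.stem + ext)).exists() for ext in DOC_EXTS)


def suspicious_tokens(data: bytes) -> List[str]:
    """Launcher tokens present either as UTF-16LE (LNK strings) or plain ASCII."""
    lowered = data.lower()                      # only ASCII letters are folded
    return [tok for tok in SUSPECT_TOKENS
            if tok.encode("utf-16-le") in lowered or tok.encode() in lowered]


def hunt(root: str, max_depth: int = 3) -> List[Dict]:
    """Walk root plus max_depth subfolder levels (the page quotes three) and
    return one record per shortcut that mimics a document and names a launcher."""
    root_path = Path(root)
    hits = []
    for dirpath, dirnames, filenames in os.walk(root_path):
        depth = len(Path(dirpath).relative_to(root_path).parts)
        if depth >= max_depth:
            dirnames[:] = []                    # do not descend past the quoted depth
        for name in filenames:
            p = Path(dirpath) / name
            if not looks_like_document_lure(p):
                continue
            data = p.read_bytes()
            toks = suspicious_tokens(data)
            if is_shell_link(data) and toks:
                hits.append({"path": p.relative_to(root_path).as_posix(),
                             "depth": depth, "tokens": toks})
    return sorted(hits, key=lambda h: h["path"])


def _fake_lnk(arguments: str) -> bytes:
    """Constructed stand-in for a shortcut: real header, padding, UTF-16 arguments."""
    return LNK_MAGIC + bytes(56) + arguments.encode("utf-16-le")


def build_sample_drive() -> str:
    """Constructed sample drive: a genuine document, a lure mimicking it, a
    double-extension lure two levels down, a benign shortcut, and a lure that
    sits deeper than the sweep (and the malware) goes."""
    root = Path(tempfile.mkdtemp(prefix="usb_"))
    (root / "report.pdf").write_bytes(b"%PDF-1.4 constructed sample document")
    (root / "report.lnk").write_bytes(_fake_lnk(r"C:\Windows\System32\mshta.exe"))
    (root / "a" / "b").mkdir(parents=True)
    (root / "a" / "b" / "plan.docx.lnk").write_bytes(
        _fake_lnk("wscript.exe //e:vbScript constructed.drv"))
    (root / "tools.lnk").write_bytes(_fake_lnk("notepad.exe"))
    (root / "a" / "b" / "c" / "d").mkdir(parents=True)
    (root / "a" / "b" / "c" / "d" / "deep.xlsx.lnk").write_bytes(
        _fake_lnk(r"C:\Windows\System32\mshta.exe"))
    return str(root)


def run_demo() -> List[Dict]:
    """Build the constructed drive, sweep it, clean up, return the findings."""
    root = build_sample_drive()
    try:
        return hunt(root)
    finally:
        shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    for hit in run_demo():
        print(f"{hit['path']} (depth {hit['depth']}): {', '.join(hit['tokens'])}")
```

Point `hunt()` at a mounted drive letter or share path in real use. The depth cut-off mirrors the quoted behaviour so that the sweep stays fast on large shares; raise `max_depth` if a variant is suspected of going deeper. The token match is a triage signal, not a verdict: a shortcut that legitimately launches mshta.exe or wscript.exe is rare on a document share but possible, so confirm hits by parsing the full LNK argument string before acting on them.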
