Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to malware
MalwareUsed by 1 actorExploits 1 CVE

PteroSand

Share:
For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

Start free trial
EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVES
CVE-2025-8088WinRAR Windows Path Traversal via NTFS Alternate Data StreamsExploited in the wild

Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim's Windows Startup folder. | The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand.

via the hacker newsthehackernews.com
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

View more details
Gamaredon Group

The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand.

via the hacker newsthehackernews.com
MITRE ATT&CK

Techniques & procedures

4 distinct techniques documented for this family, organized by ATT&CK tactic.

Initial Access

1 technique
T1566.001Spearphishing AttachmentEvidence3

ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets... The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders

Execution

1 technique
T1059.005Visual BasicEvidence2

PteroDum serves a similar purpose, but for VBScript payloads... Gamaredon also brought back PteroSetup, an older VBScript weaponizer

Stealth

1 technique
T1027.006HTML SmugglingEvidence1

Campaigns typically lasted one to five consecutive days, with emails containing malicious archives (RAR, ZIP, 7z) or XHTML files employing HTML smuggling techniques.

Command and Control

1 technique
T1105Ingress Tool TransferEvidence3

...trigger the retrieval of downloader malware... PteroEffigy for fetching the command-and-control (C2) server using the GoFile cloud storage service

ACTIVITY FEED

Recent activity

4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

4 SOURCESView more in app
the hacker newsNews
Jun 29, 2026
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

A payload used in Gamaredon spear-phishing chains, delivered by malicious HTA downloaders as part of post-compromise malware deployment.

Read more
eset welivesecurity blogNews
Jun 25, 2026
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances

A VBScript downloader fetched by malicious HTA downloaders in spearphishing campaigns to retrieve additional payloads.

Read more
the hacker newsNews
Aug 6, 2025
CERT-UA Warns of HTA-Delivered C# Malware Attacks Using Court Summons Lures

VBScript downloader used in Gamaredon infection chains (delivered via HTA/LNK execution).

Read more
eset welivesecurity blogNews
Jul 2, 2025
Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

A VBScript downloader used in Gamaredon spearphishing chains, executed via malicious HTA or LNK files to fetch additional payloads.

Read more
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
Start free trial
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution1

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities1

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping4

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.