Gamaredon Ran Large-Scale Espionage Campaigns Using Crimeware-Style Delivery
Cisco Talos reported that the Gamaredon threat group conducted at least four campaigns from 2020 onward, combining nation-state espionage objectives with high-volume, crimeware-like delivery methods. The operations used template injection, trojanized installers, self-extracting archives, spam, and scripts including VBS, VBA, and batch files to gain initial access and profile victims before selectively deploying second-stage payloads. Talos said the group operated more than 600 first-stage C2 domains and over 330 IP addresses across 16 countries, with infrastructure heavily concentrated in Russia.
The campaigns showed a strong focus on Ukrainian targets, including Russian-language lures themed around Ukrainian government entities, while also reaching organizations outside Ukraine such as a major African bank, U.S. educational institutions, and European telecommunications and hosting providers. Talos highlighted examples including a trojanized Zoom installer, an unusually large 68 MB VBS file likely designed to evade sandbox analysis, and a long-running operation that excluded more than 1,700 IP addresses in 43 countries from infection. Researchers assessed Gamaredon as a prolific, noisy, likely second-tier APT focused on espionage and information collection rather than direct monetization.
Get ahead of threats like this
Mallory correlates global threat intelligence with your attack surface — know if you’re exposed before adversaries strike.
How this story unfolded
3 events from the most recent confirmed update back to the earliest known activity.
Talos publishes comprehensive report on Gamaredon activity
Cisco Talos published a report summarizing its findings on Gamaredon, including selective second-stage payload delivery based on reconnaissance and a campaign that excluded more than 1,700 IP addresses in 43 countries from infection. The report assessed Gamaredon as a likely second-tier APT focused on espionage and information collection rather than direct monetization.
Gamaredon infrastructure and targeting details are documented
Talos reported that Gamaredon operated more than 600 first-stage C2 domains and over 330 IP addresses across 16 countries, with infrastructure heavily concentrated in Russia. The campaigns showed strong interest in Ukrainian targets while also affecting a major African bank, U.S. educational institutions, and European telecommunications and hosting providers.
Talos observes four Gamaredon campaigns active from 2020 onward
Cisco Talos analyzed four Gamaredon campaigns that were active from 2020 onward, describing the group as a noisy, prolific APT using crimeware-like tactics at scale. Observed techniques included template injection, trojanized installers, self-extracting archives, spam, VBS, VBA, and batch scripts.
Related entities
Vulnerabilities, threat actors, malware, products, organizations, and breaches Mallory has linked to this story.
Sources
1 reference tracked. Mallory keeps watching after this page renders.
See the full picture, correlated to your attack surface.
Map indicators from this story to your assets and identify affected systems in minutes.
Every observed campaign, victim, and pivot linked to actors named in this story.
Malware, exploits, and IOCs connected to the activity described here.
YARA, Sigma, and Snort rules deployed to your SIEM as soon as they’re published.
Get matching new stories delivered to your team as they break — not the next morning.
Ask questions about this story and take action on the answers.
Related stories
Other stories Mallory is tracking that overlap on entities, sources, or topic labels.
Gamaredon Expanded Ukraine Espionage With New PowerShell Tools and Cloud-Hidden C2
Russia-aligned **Gamaredon** significantly upgraded its cyberespionage operations against Ukrainian government and military organizations during 2025, according to ESET. The group ran **35 spear-phishing campaigns**, introduced **six new PowerShell-based tools**, revived the VBScript weaponizer **PteroSetup**, and exploited **`CVE-2025-8088`** in WinRAR to establish persistence through malicious HTA downloaders placed in Startup folders. ESET said Gamaredon also expanded lateral movement and USB-based propagation, with the newly documented **PteroPaste** able to copy a malicious downloader to connected USB drives while disguising it as a Word document shortcut. The group increasingly concealed command-and-control and data theft behind legitimate services, using **Cloudflare Workers**, **Microsoft dev tunnels**, **Loophole**, DDNS providers, messaging and blogging platforms, paste sites, and cloud storage to mask malicious traffic and stage payloads. Newer malware variants retrieved encrypted C2 data from dead-drop locations such as **Telegram**, **Dropbox**, **GoFile**, and **Mastodon**, while upgraded stealers including **PteroPSDoor** and **PteroVDoor** exfiltrated stolen files to S3-compatible storage such as **Wasabi**, **Tebi**, and **Intercolo**. ESET also observed Gamaredon collaborating with **Turla** in early 2025, providing initial access that supported deployment of the **Kazuar** framework.
Jun 29, 2026
Gamaredon Exploits WinRAR Flaw to Deploy Modular Gamma Malware in Ukraine
Researchers attributed a January 2026 cyberespionage campaign against Ukrainian government, military, and critical infrastructure organizations to the Russia-linked Gamaredon group, which used booby-trapped spearphishing attachments and malicious RAR archives exploiting WinRAR path traversal flaw **`CVE-2025-8088`** for initial access. The infection chain dropped an HTA payload dubbed **GammaPhish**, which launched via `mshta.exe` and fetched follow-on VBScript components including **GammaLoad**, **GammaWorm**, and **GammaSteel**. Sekoia said the operation marks a shift from Gamaredon’s older Pteranodon tooling to a fragmented, modular ecosystem in which multiple stages can independently act as backdoors and retrieve arbitrary remote code. The malware emphasized stealth, persistence, and resilient command-and-control. **GammaWorm** established persistence through scheduled tasks and RunOnce registry keys, hid modules in **NTFS Alternate Data Streams**, and spread through USB devices and network shares using malicious LNK shortcuts, including into air-gapped environments. Command-and-control discovery relied on dead-drop resolvers hosted on **Telegram**, **Telegra.ph**, **graph.org**, **Teletype**, **Cloudflare Workers**, and operator infrastructure, while **GammaSteel** staged dozens of DPAPI-encrypted modules in the registry and exfiltrated selected files to **AWS S3** or other S3-compatible storage with fallback to attacker-controlled servers. Because fresh payloads can be fetched at multiple stages, researchers warned that confirmed compromises may require full system wiping.
Jun 29, 2026
Multiple APT and malware campaigns abusing phishing, cloud services, and signed binaries
Reporting across multiple research teams described a surge of distinct, ongoing intrusion campaigns rather than a single unified incident. **Check Point** reported on **Silver Dragon**, a Chinese-aligned activity cluster assessed as operating under the broader **APT41** umbrella, targeting organizations in **Southeast Asia and Europe** (notably government) via exploitation of public-facing servers and phishing, then deploying **Cobalt Strike**, **DNS tunneling**, and a new Google Drive–based backdoor (**GearDoor**) alongside custom tools (**SSHcmd** and **SliverScreen**) for remote access and screen capture. **Microsoft** detailed separate February 2026 phishing campaigns by an unknown actor that used meeting/invoice-style lures and **EV code-signed** malware (certificate issued to **TrustConnect Software PTY LTD**) masquerading as common workplace apps (e.g., `msteams.exe`, `adobereader.exe`, `zoomworkspace.clientsetup.exe`) to install legitimate **RMM** tooling (**ScreenConnect**, **Tactical RMM**, **Mesh Agent**) for persistent access and lateral movement. Other reporting highlighted additional, unrelated campaigns and tradecraft: **ClearSky** described a Russian-aligned operation targeting **Ukraine** using a phishing-delivered ZIP/HTA chain that drops a .NET loader (**BadPaw**) and backdoor (**MeowMeow**) with **.NET Reactor** obfuscation, parameter-gated execution, and sandbox/tooling checks (with low-confidence linkage to **APT28**). **Cofense**-reported activity (via SC Media) showed phishing that weaponizes **Windows File Explorer + WebDAV** using URL/LNK shortcuts to pull payloads (notably **AsyncRAT**, **XWorm**, **DcRAT**) and infrastructure including **Cloudflare Tunnel** domains hosting WebDAV servers. **Cisco Talos**-reported **Dohdoor** activity (UAT-10027) targeted US **education and healthcare**, using PowerShell→batch→DLL sideloading via legitimate executables (e.g., `Fondue.exe`, `mblctr.exe`, `ScreenClippingHost.exe`) and **DNS-over-HTTPS** to Cloudflare for C2 discovery and tunneling. Separately, **Zscaler** reported **ScarCruft**’s *Ruby Jumper* campaign using **Zoho WorkDrive** for C2 and removable media components to reach air-gapped systems, while another Zscaler report analyzed **Dust Specter** targeting Iraqi government officials with password-protected RAR delivery and modular implants. **Qianxin XLab** assessed sanctioned infrastructure provider **Funnull** resurfacing to support scam/criminal supply chains and potential **MacCMS**-related supply-chain activity, and **F5 Labs** summarized **APT42**’s **TAMECAT** PowerShell backdoor focused on Edge/Chrome credential theft with C2 over Telegram/Discord/HTTPS and specific file/hash indicators. (A separate Help Net Security item on a Microsoft Defender onboarding tool is product/administrative news and not part of the threat-campaign reporting.)
Jun 29, 2026