Gamaredon Expanded Ukraine Espionage With New PowerShell Tools and Cloud-Hidden C2
Russia-aligned Gamaredon significantly upgraded its cyberespionage operations against Ukrainian government and military organizations during 2025, according to ESET. The group ran 35 spear-phishing campaigns, introduced six new PowerShell-based tools, revived the VBScript weaponizer PteroSetup, and exploited CVE-2025-8088 in WinRAR to establish persistence through malicious HTA downloaders placed in Startup folders. ESET said Gamaredon also expanded lateral movement and USB-based propagation, with the newly documented PteroPaste able to copy a malicious downloader to connected USB drives while disguising it as a Word document shortcut.
The group increasingly concealed command-and-control and data theft behind legitimate services, using Cloudflare Workers, Microsoft dev tunnels, Loophole, DDNS providers, messaging and blogging platforms, paste sites, and cloud storage to mask malicious traffic and stage payloads. Newer malware variants retrieved encrypted C2 data from dead-drop locations such as Telegram, Dropbox, GoFile, and Mastodon, while upgraded stealers including PteroPSDoor and PteroVDoor exfiltrated stolen files to S3-compatible storage such as Wasabi, Tebi, and Intercolo. ESET also observed Gamaredon collaborating with Turla in early 2025, providing initial access that supported deployment of the Kazuar framework.

How this story unfolded
10 events from the most recent confirmed update back to the earliest known activity.
Gurucul published Gamaredon IOCs and detection queries
Gurucul's threat research report released a detailed IOC set for Gamaredon's 2025 activity, including domains, URLs, three IP addresses, and 22 SHA-1 hashes. The report also provided Gurucul TDIR detection queries to help identify related malicious activity.
Intercolo became Gamaredon's primary exfiltration destination by December 2025
By December 2025, Intercolo had become the primary S3-compatible destination for Gamaredon's stolen-data exfiltration. This marked the latest observed shift in the group's cloud-based exfiltration infrastructure.
Gamaredon upgraded stealers to exfiltrate data to S3-compatible storage
During 2025, Gamaredon updated malware including PteroPSDoor and PteroVDoor to exfiltrate stolen files to S3-compatible cloud storage providers. Reported destinations shifted from Wasabi to Tebi and later to Intercolo as the group blended malicious traffic with legitimate cloud usage.
Gamaredon shifted to larger spear-phishing activity in second half of 2025
In the second half of 2025, Gamaredon escalated its operations with at least 35 spear-phishing campaigns. Reporting says the group's refreshed toolset enabled larger attacks focused exclusively on Ukrainian governmental and military institutions.
ESET documented new PteroPaste USB-capable malware
ESET documented PteroPaste as a new and more complex Gamaredon tool that combines downloader, USB weaponization, and runner functions. It can copy a malicious downloader to connected USB drives disguised as a Word document shortcut and use Dropbox in its workflow.
Gamaredon increased abuse of legitimate services for C2 concealment
A major trend during 2025 was Gamaredon's expanded use of legitimate third-party services to hide command-and-control infrastructure and stage payloads. Reported services included Cloudflare Workers, Microsoft dev tunnels, Loophole, DDNS, messaging platforms, blogging sites, paste services, and cloud storage.
Gamaredon began exploiting CVE-2025-8088 in WinRAR
In 2025, Gamaredon started exploiting CVE-2025-8088 in WinRAR to gain persistence, including use of malicious HTA downloaders placed in Startup folders. The vulnerability became part of the group's infection and persistence chain.
Gamaredon revived PteroSetup and expanded lateral movement in 2025
In 2025, Gamaredon revived its older VBScript weaponizer PteroSetup and expanded lateral-movement capabilities with multiple weaponizers. These changes formed part of a broader refresh of the group's tooling.
Gamaredon introduced six new PowerShell tools in first half of 2025
During the first half of 2025, Gamaredon developed six new PowerShell-based tools and expanded its malware toolkit. The additions supported the group's continued cyberespionage operations against Ukrainian government and military targets.
Gamaredon collaborated with Turla in early 2025
ESET observed Gamaredon working with the Russian APT Turla in early 2025, with reporting indicating Gamaredon provided initial access to support deployment of Turla's Kazuar framework. This was cited as evidence of coordination among Russia-aligned threat actors.
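The Python hunting script below is an added example, not code from ESET, Gurucul or the Mallory page. It turns the tradecraft described in this timeline into heuristic checks over constructed Sysmon-style events: a script host launched with a file from a Startup folder (the HTA persistence), a shortcut named like a Word document written to removable media (the PteroPaste USB behaviour), and a script host connecting to a dead-drop, tunnel or S3-compatible storage service (the concealed C2 and exfiltration). The event field names, the hostname fragments and the sample events are assumptions made for illustration, not published indicators.

```python
import re

# Script hosts under which HTA, VBScript and PowerShell tooling runs (generic Windows binaries).
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}

# Hostname fragments for the service families the reporting names as dead drops,
# tunnels and S3-compatible exfiltration targets. Assumed for illustration only;
# verify against each provider's current endpoints before using them for hunting.
DEAD_DROP_HINTS = ("telegram", "dropbox", "gofile", "mastodon")
TUNNEL_HINTS = ("workers.dev", "devtunnels.ms", "loophole")
EXFIL_HINTS = ("wasabi", "tebi", "intercolo")

# Path fragment of a per-user or all-users Startup folder.
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
# Shortcut carrying a Word-document double extension, e.g. "Report.docx.lnk".
DOC_LNK_RE = re.compile(r"\.(docx?|rtf)\.lnk$", re.IGNORECASE)


def basename(path):
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_create(ev):
    """Script host started with a script located in a Startup folder."""
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    if STARTUP_RE.search(ev.get("CommandLine", "")):
        return {"rule": "startup_script_host", "detail": ev["CommandLine"]}
    return None


def check_file_create(ev):
    """Shortcut named like a Word document written to a removable drive."""
    if ev.get("DriveType") != "removable":
        return None
    name = ev.get("TargetFilename", "")
    if DOC_LNK_RE.search(name):
        return {"rule": "usb_doc_shortcut", "detail": name}
    return None


def check_network_connect(ev):
    """Script host talking to a dead-drop, tunnel or S3-compatible storage host."""
    if basename(ev.get("Image", "")) not in SCRIPT_HOSTS:
        return None
    host = ev.get("DestinationHostname", "").lower()
    for rule, hints in (("dead_drop_c2", DEAD_DROP_HINTS),
                        ("tunnel_c2", TUNNEL_HINTS),
                        ("s3_exfil", EXFIL_HINTS)):
        if any(h in host for h in hints):
            return {"rule": rule, "detail": f"{basename(ev['Image'])} -> {host}"}
    return None


CHECKS = {
    "ProcessCreate": check_process_create,
    "FileCreate": check_file_create,
    "NetworkConnect": check_network_connect,
}


def hunt(events):
    """Run the matching check for each event and collect the findings in order."""
    findings = []
    for ev in events:
        check = CHECKS.get(ev.get("EventType"))
        hit = check(ev) if check else None
        if hit:
            findings.append(hit)
    return findings


# Constructed sample telemetry with Sysmon-style field names; none of these are real IOCs.
SAMPLE_EVENTS = [
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"'},
    {"EventType": "FileCreate", "TargetFilename": r"E:\Report.docx.lnk", "DriveType": "removable"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "api.telegram.org"},
    {"EventType": "NetworkConnect", "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "DestinationHostname": "s3.wasabisys.com"},
    # Benign control cases: a browser reaching Dropbox and a shortcut on a fixed drive.
    {"EventType": "NetworkConnect", "Image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "DestinationHostname": "www.dropbox.com"},
    {"EventType": "FileCreate", "TargetFilename": r"C:\Users\u\Desktop\Report.docx.lnk", "DriveType": "fixed"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding["rule"], "|", finding["detail"])
```

Run against the constructed events, the script reports the four malicious cases and stays silent on the two benign ones. The network checks are hunting signals rather than alert rules: Dropbox, Telegram, Cloudflare Workers and S3-compatible buckets all have legitimate uses, so in practice they are scoped by process lineage (a script host rather than a browser, as above) and by what is normal in the environment before they are promoted to detections.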
Sources
5 references tracked.
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse (thehackernews.com, open source)
Gamaredon in 2025: Leveraging Tunnels, Workers, Dead Drops, and New Alliances | Community Portal | Gurucul (community.gurucul.com, open source)
Russia's Gamaredon Adapts Tactics to Target Ukraine (govinfosecurity.com, open source)
Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses (darkreading.com, open source)
Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances (welivesecurity.com, open source)