{
	"id": "846b0674-c653-4ef0-8658-c51d2264dd1c",
	"created_at": "2026-04-06T00:10:24.053126Z",
	"updated_at": "2026-04-10T03:37:04.474815Z",
	"deleted_at": null,
	"sha1_hash": "02005ecf4f88d7285fc70f0b0d4bb4cde89fa7c5",
	"title": "Gamaredon hackers start stealing data 30 minutes after a breach",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1520241,
	"plain_text": "Gamaredon hackers start stealing data 30 minutes after a breach\r\nBy Bill Toulas\r\nPublished: 2023-07-15 · Archived: 2026-04-05 18:52:50 UTC\r\nUkraine's Computer Emergency Response Team (CERT-UA) is warning that the Gamaredon hacking group operates in rapid attacks, stealing data from breached systems in under an hour.\r\nGamaredon, aka Armageddon, UAC-0010, and Shuckworm, is a Russian state-sponsored cyber-espionage hacking group; cybersecurity researchers link it to the FSB (Russian Federal Security Service) and say its members include former SSU officers who defected to Russia in 2014.\r\nSince the start of the Russian invasion, the threat actors are believed to be responsible for thousands of attacks against the government and other critical public and private organizations in Ukraine.\r\nhttps://www.bleepingcomputer.com/news/security/gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach/\r\nPage 1 of 4\r\nThe accumulation of data from these attacks has enabled CERT-UA to outline the group's attacks, which it shares to help defenders detect and stop network infiltration attempts.\r\nGamaredon attack traits\r\nGamaredon attacks commonly start with an email or message sent to targets via Telegram, WhatsApp, Signal, or other IM apps.\r\nThe initial infection is achieved by tricking the victim into opening malicious attachments such as HTM, HTA, and LNK files disguised as Microsoft Word or Excel documents.\r\nOnce the victim launches the malicious attachments, PowerShell scripts and malware (usually 'GammaSteel') are downloaded and executed on the victim's device.\r\nThe initial infection step also modifies Microsoft Office Word templates so that all documents created on the infected computer carry a malicious macro that can spread Gamaredon's malware to other systems.\r\nThe PowerShell script targets browser cookies containing session data to enable the hackers to take over online accounts protected by two-factor authentication.\r\nRegarding GammaSteel's functionality, CERT-UA says it targets files with a specified list of extensions: .doc, .docx, .xls, .xlsx, .rtf, .odt, .txt, .jpg, .jpeg, .pdf, .ps1, .rar, .zip, .7z, .mdb.\r\nIf the attackers are interested in the documents found on a breached computer, they exfiltrate them within 30-50 minutes.\r\nAnother interesting aspect of Gamaredon infections is that the threat actors plant as many as 120 malicious infected files per week on the compromised system to increase the likelihood of re-infection.\r\n\"If during the disinfection process, after cleaning the operating system registry, deleting files, scheduled tasks, etc., at least one infected file or document is left on the computer (quite often users reinstall the OS and transfer \"necessary\" documents without checking), then the computer will likely be infected again,\" explains CERT-UA (machine translated).\r\nAny USB sticks inserted into the ports of an infected computer will also be automatically infected with Gamaredon's initial compromise payloads, potentially furthering the breach to isolated networks.\r\nFinally, the hackers change the IP addresses of intermediate victim command and control servers three to six times daily, making it harder for defenders to block or trace their activities.\r\nAt this time, CERT-UA says the best way to limit the effectiveness of Gamaredon attacks is to block or restrict the unauthorized execution of mshta.exe, wscript.exe, cscript.exe, and powershell.exe.\r\nSource: https://www.bleepingcomputer.com/news/security/gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach/"
	],
	"report_names": [
		"gamaredon-hackers-start-stealing-data-30-minutes-after-a-breach"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434224,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/02005ecf4f88d7285fc70f0b0d4bb4cde89fa7c5.pdf",
		"text": "https://archive.orkl.eu/02005ecf4f88d7285fc70f0b0d4bb4cde89fa7c5.txt",
		"img": "https://archive.orkl.eu/02005ecf4f88d7285fc70f0b0d4bb4cde89fa7c5.jpg"
	}
}