{
	"id": "3401eb3e-c69f-4317-aecd-9d880e45f1cc",
	"created_at": "2026-04-06T00:15:24.562369Z",
	"updated_at": "2026-04-10T13:13:06.288853Z",
	"deleted_at": null,
	"sha1_hash": "058b757094b61fc018b5b6fd3c8956346ca8e63b",
	"title": "Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security Targeting - SentinelLabs",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 8103310,
	"plain_text": "Pro-Russian CyberSpy Gamaredon Intensifies Ukrainian Security\r\nTargeting - SentinelLabs\r\nBy Vitali Kremez\r\nPublished: 2020-02-05 · Archived: 2026-04-05 21:31:07 UTC\r\nThe Fifth Domain: Pro-Russian CyberSpy APT Gamaredon Wages Silent War with Ukrainian Military \u0026\r\nLaw Enforcement\r\nExecutive Summary\r\nThe pro-Russian Gamaredon APT group has evolved over the last few months, introducing new components to\r\nboost its offensive power against the Ukrainian government.\r\nThe group has ramped up the scale of its operations, attacking a larger number of victims and\r\nadapting its tools and social engineering to specific targets.\r\nGamaredon activities serve as a testing ground for the Russian military to observe the potential of cyber\r\nwarfare in a contemporary violent conflict or in a state-wide political confrontation.\r\nBy performing efficient cyber espionage actions against institutions like the Hetman Petro Sahaidachnyi\r\nNational Ground Forces Academy, Gamaredon increases the military preparedness of the Donbas militias\r\nand local paramilitary groups.\r\nGamaredon illustrates how cyber, the fifth domain, enables militants to continue fighting even when all\r\nother domains are denied by the strategic or political framework. Cyberwarfare is a viable substitute when\r\nother offensive measures are too costly or dangerous.\r\nThe “Fifth” Domain\r\nhttps://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/\r\nPage 1 of 11\n\nIn the 21st century, cyber became an integral warfare domain, joining the traditional domains of land, air, sea, and\r\nspace. Cyber attacks are currently listed among the top offensive tools of a potential adversary, along with such\r\nclassic instruments as submarines or special operations (SpecOps) teams. 
The recent discussion of whether the Islamic\r\nRepublic of Iran would retaliate digitally for the US killing of General Soleimani shows that kinetic and cyber\r\noffense now exist within the same framework, and that one can substitute for the other. \r\nThis ability to efficiently integrate cyber offense into the actual battlefield of a traditional or asymmetric\r\nwarfare model has been tested for years in the long-term military conflict unfolding in Eastern Ukraine since\r\n2014. This confrontation has revealed many characteristic traits that may become intrinsic features of 21st-century\r\nwarfare: massive digital attacks on physical infrastructure, the alleged use of cyberattacks against field hardware\r\nincluding artillery and, of course, military reconnaissance via cyber espionage. The latter tactic has been employed by\r\nthe Gamaredon group, a spyware collective that has been specifically targeting Ukrainian military and security\r\ninstitutions in order to compromise and survey the country’s national security (NatSec) resilience and military\r\npower. \r\nGamaredon’s evolution is as notable as its operations, which date back to 2013. Over the last few months, the\r\ngroup has introduced new components that constitute its offensive power. 
The scale of operations, the number of\r\nvictims, the adaptiveness of tools, the persistence with which the tools are applied and the accuracy with which they are\r\ntailored for a specific goal, the quality of intelligence collection, and the level of human intelligence (HUMINT)\r\nsocial engineering implementation – all of these fundamental aspects of a cyber warfare operation have continued\r\nto be improved by Gamaredon.\r\nTherefore, due to the important role the group plays in the current cyber threat ecosystem, and due to our\r\nenhanced visibility into its approach to modern security espionage, we are offering a deep-dive into Gamaredon. \r\nPolitical Tensions: Russian Interest in Ukraine\r\nOn January 25, 2020, the Ukrainian Security Service (similar to the US FBI) officially stated that in 2019 it\r\nprevented 482 cyberattacks against critical infrastructure and prohibited entry into the country of 278 individuals\r\ninvolved in “propaganda of separatism.”\r\nGamaredon targets Ukrainian NatSec institutions exclusively, which makes it a full-fledged participant\r\nin the ongoing political and military tension in the region.\r\nThe conventional large-scale military clashes between the Ukrainian Armed Forces and the Eastern Ukraine\r\nmilitias mostly ended in 2015. For the last five years, the situation has resembled the traditional post-Soviet “frozen\r\nconflicts” in which the opposing sides neither wage full-fledged warfare nor agree to de-escalate\r\nbeyond the war-zone status quo. Deterred from active offense with traditional armed forces, the sides are actively\r\nusing alternative means. In this context, Russian intelligence and the pro-Russian groups active in the region\r\nare naturally shifting to cyber attacks. 
Groups like Gamaredon become a persistent tool to continue fighting\r\nwithout applying kinetic force, which would naturally damage any de-escalation process.\r\nIndeed, the intensification of Gamaredon activity appears tied to the political and security dynamics in the\r\nregion, namely the slow but steady de-escalation and curtailment of kinetic strikes. In December 2019,\r\nwhen we observed an increase in Gamaredon activity, the Normandy group responsible for conflict resolution in\r\nDonbas met in Paris to advance the long-term peace talks. The subjects discussed suggest that the Minsk efforts (a\r\nframework to resolve the conflict) are advancing from the initial peacemaking towards the peacebuilding stage.\r\nDDR (Disarmament, Demobilization, and Reintegration) initiatives, resettling of refugees, the establishment of\r\njoint armed forces and police groups, exchange of POWs and withdrawal of heavy armored vehicles from Donbas –\r\nthe format of such discussions suggests that applying traditional kinetic force to win the Eastern Ukrainian\r\nbattlefield is not an option for either side. \r\nThis means that the military and paramilitary groups within both opposing armies now need to keep fighting\r\nwithout actually fighting. The Kremlin has recently achieved an unprecedented rapprochement with the French\r\nPresident Emmanuel Macron, a key player in the Normandy group, and any outbreak of violence on the\r\nseparation line between Ukrainian forces and the militias may have fatal consequences for this new partnership. This overall strategic\r\nframework makes Gamaredon well-positioned for the conflict. By performing its attacks, Gamaredon\r\nsimultaneously achieves several goals which the traditional military cannot achieve while locked in the defensive\r\nposture imposed by the Minsk accords. 
\r\n“Clergy bless graduating cadets, identified by carrying rifles, prior to their commissioning at the Hetman Petro\r\nSahaidachny National Army Academy in Lviv, Ukraine, on Aug. 26. The Hetman Petro Sahaidachny National\r\nArmy Academy was founded in 1899 and has continually produced military officers for no fewer than four\r\ndifferent governments. (Photo by Staff Sgt. Eric McDonough, 45th Infantry Brigade Combat Team) (Photo Credit:\r\nStaff Sgt. Eric McDonough)”\r\nFirst, by performing efficient cyber espionage actions against institutions such as the Hetman Petro Sahaidachnyi\r\nNational Ground Forces Academy in both Lviv and Starychy, Gamaredon increases the military preparedness of\r\nthe Donbas militias and local paramilitary groups. In the case of a doomsday scenario in which the two sides clash\r\non the battlefield again, the intelligence about hardware, tactical methods, gear, and personnel gathered by\r\nGamaredon will serve as an edge for the separatists.\r\nSecond, by accomplishing successful attacks against the Ukrainian military, Gamaredon may obtain crucial\r\ninformation about strategic plans or internal issues. This information can be integrated into the information\r\nwarfare and political campaigns initiated by Russian intelligence against Ukraine.\r\nMost importantly, Gamaredon activities are a testing ground for the Russian military to observe the potential of\r\nutilizing cyber warfare in a contemporary violent conflict or in a state-wide political confrontation. 
Several\r\nmonths ago, in November 2019, the Secretary of Ukraine’s NSDC (the National Security and Defense Council, similar to the US National\r\nSecurity Council), Aleksey Danilov, stated that the country has become a testing ground for Russian cyber attacks.\r\nIt is very likely that Gamaredon is operating in a larger security framework of the Russian military, civilian, and\r\nintelligence agencies that meticulously analyze the group’s experience in order to implement it in future conflicts.\r\nGamaredon Victimology: Along the Ukrainian Separation Line\r\nBased on SentinelLabs visibility into Gamaredon victim telemetry, the group affected a wide distribution\r\nof victims across the Ukrainian Separation Line, with more than five thousand unique Ukrainian entities affected in\r\nrecent months.\r\nThe map of Gamaredon infections indicates attacks all across Ukraine, with a concentration of hits along\r\nthe Separation Line where Ukrainian troops are deployed.\r\nGamaredon Technical Enhancement\r\nPackaged as a self-extracting archive (SFX), the Gamaredon implant contains a batch\r\nscript, a .NET “processor” binary, and macro payloads. \r\nIn an earlier advisory, CERT-UA described the Gamaredon Pterodo infections targeting\r\nUkrainian state authorities as follows:\r\n“CERT-UA together with the Foreign Intelligence Service of Ukraine found new modifications of Pterodo-type\r\nmalware on computers of state authorities of Ukraine, which is likely to be the preparatory stage for a cyber\r\nattack. 
This virus collects system data, regularly sends it to command-control servers and expects further\r\ncommands.”\r\nSome of the group’s previous social engineering campaigns relied on an intricate understanding of the geopolitical and military\r\nsituation in Ukraine, using as lures purportedly intercepted intelligence related to the pro-Russian military operation in Ukraine.\r\nGamaredon’s recent activity reveals a newer .NET component built on the Office interop assembly “Microsoft.Vbe.Interop” that drives\r\nthe subsequent Microsoft Excel and Word macro stagers. The developer’s PDB path is as follows:\r\nC:\\Users\\Opolos\\source\\repos\\LoderApp\\LoderApp\\obj\\Debug\\Aversome.pdb\r\nNotably, the group behind the malware uses a system of server-side forwarders to process traffic from\r\ncompromised victim machines, often relying on dynamic DNS providers.\r\nThe newer tool executes the Excel and Word macros from an obfuscated .NET application that instantiates the Office application\r\nby hardcoded CLSID GUID, as in the example below:\r\nMicrosoft.Office.Interop.Word.Application application3 = (Microsoft.Office.Interop.Word.Application)A\r\napplication3.Visible = false;\r\nOne notable feature of the interop component is its use of a fake Microsoft digital certificate purporting to\r\nbelong to the Microsoft Time-Stamp Service.\r\nThe registry modification that enables programmatic access to the VBA object model (AccessVBOM) and disables Visual Basic for Applications (VBA)\r\nmacro warnings (VBAWarnings = 1, i.e. enable all macros) is as follows:\r\nCreateObject(\"WScript.Shell\").RegWrite \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\" \u0026 Application.Version \u0026\r\n\"\\Excel\\Security\\\" \u0026 \"AccessVBOM\", 1, \"REG_DWORD\"\r\nCreateObject(\"WScript.Shell\").RegWrite \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\" \u0026 Application.Version \u0026\r\n\"\\Excel\\Security\\\" \u0026 \"VBAWarnings\", 1, \"REG_DWORD\"\r\nThe startup “StartExePath” is set to “IndexExel.exe” in %APPDATA%, with “StartUpPath” set to\r\n“IndexOffice.vbs”. The malware executable registers itself as a scheduled task via “schtasks /Create /SC MINUTE /MO 12 /F /tn\r\nWord.Downdloads /tr” to run every 12 minutes, while the VBS macro runs every 15 minutes.\r\nThe infected bot identity is built from the hex-encoded system drive number combined with the computer name.\r\nThe malware writes the server response as a text stream and encodes it using the “Encode” and “GetKey” functions.\r\nConclusion \u0026 Outlook\r\nThe Gamaredon group recently introduced a new toolset, including macro payload execution via a\r\ndedicated processor component that leverages script-based persistence, with less reliance on the traditional binary malware approach.\r\nThe group’s main characteristic remains its technical determination and persistent targeting of Ukrainian NatSec\r\nentities, relying primarily on targeted lures.\r\nAs for the security and military aspects of cyberattacks, Gamaredon is an illustrative example of how cyber, as\r\nthe fifth warfare domain, enables militants to continue fighting even when all other domains are denied by the\r\nstrategic or political framework. It serves as a viable substitute when kinetic strikes are too costly or dangerous.\r\nFrom a military perspective, Gamaredon offers a cost-efficiency balance in which attempts to advance on the\r\nbattlefield do not immediately lead to escalation and retaliation. It is a sophisticated way to opt out of the\r\ntraditional zero-sum game of any military operation by achieving offensive advantage without losing a political\r\nstance in a peace process. 
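The following Python is an added example written for this page, not code from the SentinelLabs report, from the malware, or from CERT-UA. It does two things a responder would want from the technical details above: it extracts the PDB path from a CodeView RSDS debug record (built here from constructed bytes carrying the LoderApp/Aversome path) so the developer build path can be used as a hunting pivot, and it runs three detections over constructed Sysmon-style events for the behaviours described: an Office process setting AccessVBOM or VBAWarnings to 1 under the per-user Office Security key, a schtasks /SC MINUTE task with a short /MO created from or pointing into %APPDATA%, and an Office process dropping a .vbs into %APPDATA%. Field names follow Sysmon conventions; the sample records, the 30-minute threshold, the Office image list and the /tr target after Word.Downdloads are assumptions.

```python
import re
from typing import Dict, List, Optional

# ---- 1. PDB path from a CodeView RSDS debug record ----------------------
# Layout: b'RSDS' | 16-byte GUID | 4-byte age | NUL-terminated PDB path.
# Constructed for this example: the path is the one quoted in the report,
# the GUID and age are arbitrary filler.
SAMPLE_RSDS = (b'RSDS' + bytes(range(16)) + b'\x01\x00\x00\x00'
               + b'C:\\Users\\Opolos\\source\\repos\\LoderApp\\LoderApp'
               + b'\\obj\\Debug\\Aversome.pdb\x00')

# Build-path fragments from the report, usable as a hunting pivot.
PDB_MARKERS = ('Aversome.pdb', 'LoderApp', 'Opolos')


def parse_rsds(data: bytes) -> Optional[str]:
    '''Return the PDB path from the first RSDS record in data, or None.'''
    idx = data.find(b'RSDS')
    if idx < 0:
        return None
    start = idx + 4 + 16 + 4                 # signature + GUID + age
    end = data.find(b'\x00', start)
    if end < 0:
        return None
    return data[start:end].decode('latin-1')


def pdb_hits(path: str) -> List[str]:
    '''Which known Gamaredon build-path fragments occur in a PDB path.'''
    return [m for m in PDB_MARKERS if m.lower() in path.lower()]


# ---- 2. Detections over Sysmon-style events -----------------------------
# Event IDs: 13 = registry value set, 1 = process create, 11 = file create.
OFFICE_SEC = re.compile(
    r'\\Software\\Microsoft\\Office\\\d+\.\d+\\(Excel|Word|PowerPoint)'
    r'\\Security\\(AccessVBOM|VBAWarnings)$', re.I)
TASK_MINUTE = re.compile(r'/sc\s+minute\b', re.I)
TASK_MODIFIER = re.compile(r'/mo\s+(\d+)', re.I)
TASK_TARGET = re.compile(r'/tr\s+(\S+)', re.I)
APPDATA_DROP = re.compile(r'\\AppData\\Roaming\\[^\\]+\.(vbs|exe)$', re.I)
OFFICE_IMAGES = ('excel.exe', 'winword.exe', 'powerpnt.exe')   # assumed list
MAX_TASK_MINUTES = 30                                          # assumed threshold


def _is_office(image: str) -> bool:
    return image.lower().rsplit('\\', 1)[-1] in OFFICE_IMAGES


def triage(events: List[Dict]) -> List[Dict]:
    '''Return one finding per event matching a Gamaredon-style behaviour.'''
    findings = []
    for ev in events:
        eid = ev.get('EventID')
        if eid == 13 and _is_office(ev.get('Image', '')):
            key = OFFICE_SEC.search(ev.get('TargetObject', ''))
            val = re.search(r'0x([0-9a-f]+)', ev.get('Details', ''), re.I)
            # AccessVBOM=1 lets macros rewrite VBA projects; VBAWarnings=1
            # means 'enable all macros'. Value 1 written by Office is the signal.
            if key and val and int(val.group(1), 16) == 1:
                findings.append({'rule': 'office_macro_security_tamper',
                                 'app': key.group(1), 'key': key.group(2)})
        elif eid == 1 and 'schtasks' in ev.get('Image', '').lower():
            cmd = ev.get('CommandLine', '')
            if TASK_MINUTE.search(cmd):
                mo = TASK_MODIFIER.search(cmd)
                minutes = int(mo.group(1)) if mo else 1   # /MO defaults to 1
                tr = TASK_TARGET.search(cmd)
                from_appdata = (APPDATA_DROP.search(ev.get('ParentImage', ''))
                                or (tr and APPDATA_DROP.search(tr.group(1))))
                if minutes <= MAX_TASK_MINUTES and from_appdata:
                    findings.append({'rule': 'short_interval_task_from_appdata',
                                     'minutes': minutes})
        elif eid == 11 and _is_office(ev.get('Image', '')):
            if APPDATA_DROP.search(ev.get('TargetFilename', '')):
                findings.append({'rule': 'office_drops_script_in_appdata',
                                 'file': ev['TargetFilename'].rsplit('\\', 1)[-1]})
    return findings


EXCEL = 'C:\\Program Files\\Microsoft Office\\Office16\\EXCEL.EXE'
SECKEY = 'HKU\\S-1-5-21-1\\Software\\Microsoft\\Office\\16.0\\Excel\\Security\\'
SAMPLE_EVENTS = [  # constructed for this example, not real telemetry
    {'EventID': 13, 'Image': EXCEL, 'TargetObject': SECKEY + 'AccessVBOM',
     'Details': 'DWORD (0x00000001)'},
    {'EventID': 13, 'Image': EXCEL, 'TargetObject': SECKEY + 'VBAWarnings',
     'Details': 'DWORD (0x00000001)'},
    {'EventID': 13, 'Image': 'C:\\Windows\\regedit.exe',      # admin, not Office
     'TargetObject': SECKEY + 'VBAWarnings', 'Details': 'DWORD (0x00000002)'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\schtasks.exe',
     'ParentImage': 'C:\\Users\\Analyst\\AppData\\Roaming\\IndexExel.exe',
     'CommandLine': 'schtasks /Create /SC MINUTE /MO 12 /F /tn Word.Downdloads'
                    ' /tr C:\\Users\\Analyst\\AppData\\Roaming\\IndexExel.exe'},
    {'EventID': 1, 'Image': 'C:\\Windows\\System32\\schtasks.exe',   # benign
     'ParentImage': 'C:\\Windows\\System32\\cmd.exe',
     'CommandLine': 'schtasks /Create /SC DAILY /tn NightlyBackup /tr C:\\Tools\\backup.exe'},
    {'EventID': 11, 'Image': EXCEL,
     'TargetFilename': 'C:\\Users\\Analyst\\AppData\\Roaming\\IndexOffice.vbs'},
]

if __name__ == '__main__':
    path = parse_rsds(SAMPLE_RSDS)
    print('PDB path:', path, '-> hits:', pdb_hits(path))
    for finding in triage(SAMPLE_EVENTS):
        print(finding)
```

Run it directly to print the parsed path and the four findings; in practice feed parse_rsds the RSDS record from the PE debug directory and triage the event stream from your SIEM. A user lowering macro security through the Trust Center also writes these values from the Office process, so the registry rule is a lead to corroborate with the task and file-drop rules, not a verdict on its own.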
Considering the fact that contemporary conflicts tend to slide towards the Donbas-like\r\n“frozen” stage, groups like Gamaredon will likely become an inherent component of modern confrontation.\r\nIndicators of Compromise (IOCs)\r\nWe provide the relevant research indicators of compromise (IOCs), available in MISP JSON and CSV format, on\r\nour GitHub page.\r\nFirst-Layer Domain: masseffect[.]space\r\nProxy-Layer IP: 141[.]8[.]195[.]60\r\nProxy-Layer IP: 188[.]225[.]25[.]50\r\nSHA-256: c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f\r\nSHA-256: 76ea98e1861c1264b340cf3748c3ec74473b04d042cd6bfda9ce51d086cb5a1a\r\nSHA-256: e2cb06e0a5c14b4c5f58d0e56a1dc10b6a1007cf56c77ae6cb07946c3dfe82d8\r\nSHA-256: 39c6884526e7b7f2ed6e47b630010508bb5957385eccf248c961cbd5bcb802c6\r\nIOCs on GitHub\r\nAttack Pattern (MITRE ATT\u0026CK technique IDs)\r\nSpearphishing Link - T1192\r\nSpearphishing Attachment - T1193\r\nCommand-Line Interface - T1059\r\nScheduled Task - T1053\r\nScripting - T1064\r\nUser Execution - T1204\r\nXSL Script Processing - T1220\r\nWindows Management Instrumentation - T1047\r\nHidden Files and Directories - T1158\r\nLocal Job Scheduling - T1168\r\nRegistry Run Keys / Startup Folder - T1060\r\nStartup Items - T1165\r\nShortcut Modification - T1023\r\nNew Service - T1050\r\nMasquerading - T1036\r\nAccount Manipulation - T1098\r\nFile and Directory Discovery - T1083\r\nNetwork Share Discovery - T1135\r\nNetwork Service Scanning - T1046\r\nRemote File Copy - T1105\r\nReplication Through Removable Media - T1091\r\nAutomated Collection - T1119\r\nData from Local System - T1005\r\nData from Network Shared Drive - T1039\r\nData from Removable Media - T1025\r\nCustom Command and Control Protocol - T1094\r\nMulti-hop Proxy - T1188\r\nExfiltration Over Command and Control Channel - T1041\r\nAutomated Exfiltration - T1020\r\nSource: 
https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://labs.sentinelone.com/pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting/"
	],
	"report_names": [
		"pro-russian-cyberspy-gamaredon-intensifies-ukrainian-security-targeting"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434524,
	"ts_updated_at": 1775826786,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/058b757094b61fc018b5b6fd3c8956346ca8e63b.pdf",
		"text": "https://archive.orkl.eu/058b757094b61fc018b5b6fd3c8956346ca8e63b.txt",
		"img": "https://archive.orkl.eu/058b757094b61fc018b5b6fd3c8956346ca8e63b.jpg"
	}
}