{
	"id": "55cea86d-ced4-41e6-8f8b-80a281e534c4",
	"created_at": "2026-04-06T00:13:04.40291Z",
	"updated_at": "2026-04-10T13:12:19.298847Z",
	"deleted_at": null,
	"sha1_hash": "0bc0b74957b1994a572dfdfc00213a5f17b53ebc",
	"title": "Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses…",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1454279,
	"plain_text": "Love and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses…\r\nBy Knownsec 404 team\r\nPublished: 2025-01-21 · Archived: 2026-04-05 12:50:31 UTC\r\nLove and hate under war: The GamaCopy organization, which imitates the Russian Gamaredon, uses military-related bait to launch attacks on Russia\r\nAuthor: Knownsec 404 Advanced Threat Intelligence team\r\nDate: January 21, 2025\r\nChinese version: https://paper.seebug.org/3269\r\nRecently, our team discovered attack samples targeting Russian-speaking targets during threat hunting. In addition, another related sample was also identified. Both samples follow the same operation process and use the same bait theme.\r\nAnalysis and correlation of the samples show the following characteristics:\r\n1. Initiate attacks by using content related to military facilities as bait.\r\n2. Use the 7z self-extracting program (SFX) to release and load subsequent payloads.\r\n3. Use the open-source tool UltraVNC for subsequent attack behaviors.\r\n4. The TTPs (Tactics, Techniques, and Procedures) of this organization imitate those of the Gamaredon organization, which conducts attacks against Ukraine.\r\nIn the context of the ongoing Russia-Ukraine conflict, the attackers used content related to military facilities as bait and launched attacks with open-source tools, undoubtedly intending to hide themselves in the “fog of war”. By tracing the source of the sample, we have associated it with Core Werewolf, a group that has launched multiple attacks against Russia. As is well known, there is another pair of APT groups with a similar love-hate relationship in South Asia, namely SideWinder and SideCopy. The attack activity discovered this time mimics the Gamaredon organization that attacks Ukraine, so it can be named GamaCopy.\r\nAt the same time, our team also noticed that multiple historical samples of the same type were attributed to the Gamaredon organization by other security vendors. Obviously, this is a successful false flag operation by the organization that has deceived some vendors who have not conducted in-depth analysis. This article analyzes this question in detail as follows:\r\n1. Sample analysis\r\nThe attacker provided information about the condition and location of Russian armed forces facilities. The bait document in Sample 1 is as follows:\r\nThe bait document in Sample 2 is as follows:\r\nTaking Sample 1 as an example, when opened in the # mode of 7z, you can see the SFX-related files contained within it:\r\nFile 2 is the SFX self-extracting installation script, which contains numerous comment lines interspersed with the real executable statements. Its main function is to run 2128869258671564.cmd (copied from 2128869258671564).\r\n2128869258671564.cmd is a batch script that uses setlocal enabledelayedexpansion to enable delayed variable expansion (used to obfuscate the subsequent script content and make static analysis harder).\r\nThe script content before obfuscation is as follows:\r\nAfter obfuscating the variables, the script is as follows:\r\nThe main functions of the script include:\r\n1. Copy Ki58j08O58F68M58q2.PQ87G87O97o67r27Y9 to svod.pdf and run it.\r\n2. Copy yC61y51v51g71p61U4.Eb21h11U11Z31P71F8 to OneDrivers.exe.\r\n3. Copy lC32A32W52T12R02u1.uZ94Y64M14m54z84J3 to UltraVNC.ini.\r\n4. End the OneDrivers.exe process that is already running on the host and rerun OneDrivers.exe.\r\nIn fact, the “OneDrivers.exe” mentioned earlier is the main executable of the open-source remote desktop tool UltraVNC. The attackers rename it to a common-looking system process name and connect it to a specified command server in order to disguise themselves. This helps reduce the vigilance of victims to a certain extent.\r\n2. Attribution Analysis\r\nBased on the available information on APT organizations, the attack sample may belong to one of two APT organizations: Gamaredon or GamaCopy.\r\nGamaredon, also known as Shuckworm, Armageddon, and Primitive Bear, has been targeting Ukraine’s military, non-governmental organizations, judiciary, law enforcement agencies, and non-profit organizations since 2013.\r\nGamaCopy was first discovered in June 2023 and has launched multiple cyberattacks against Russia’s defense and critical infrastructure sectors by mimicking Gamaredon’s TTPs. It is believed that the organization has been active since at least August 2021.\r\nGamaredon has repeatedly utilized 7z-SFX documents and UltraVNC in previous attack activities. After analysis, we found that the entire attack chain of Gamaredon using UltraVNC has significant differences from the sample discovered this time. Gamaredon often releases and loads the final UltraVNC through macros, and uses VBS scripts multiple times in the attack chain. For example, in early 2022, foreign security vendors exposed a Gamaredon attack on Ukraine, which downloaded subsequent payloads through VBS scripts from multiple scheduled tasks, including an example of installing UltraVNC using 7z-SFX [1]. At the same time, we found that Gamaredon used port 5612 more frequently when using UltraVNC, rather than port 443 as used in this sample.\r\nSo, does this attack sample belong to the GamaCopy organization? Compared with the initial disclosure by BI.ZONE [2], the structure and code of this sample show considerable overlap with GamaCopy’s tactics: for example, using a 7z-SFX document to install and execute UltraVNC, using port 443 to connect to the server, and using a large number of delayed-expansion variables to increase code complexity.\r\nIn addition, we noticed that the bait documents in this sample relate to military facilities and deployments. In the context of the current Russia-Ukraine conflict, such documents are sensitive and interesting from the perspective of both defense and attack. However, after we analyzed the proportion of languages used in the past bait documents of the two organizations, we found that Gamaredon has predominantly used Ukrainian-language bait, while GamaCopy, on the contrary, has mainly used Russian-language bait.\r\nFor example, sample bait targeting personnel related to defense policy at the Russian Ministry of Foreign Affairs:\r\nAn attack using internal orders of one of Russia’s largest joint-stock companies as bait:\r\n3. Summary\r\nBased on the above analysis, from the perspectives of code similarity, language usage in bait documents, and port assets, we are more inclined to attribute the attack samples discovered in this case to the GamaCopy organization. Since its exposure, this organization has frequently mimicked the TTPs used by the Gamaredon organization and cleverly used open-source tools as a shield to achieve its own goals while confusing the public.\r\n4. IOC\r\nHash:\r\n- c9ffc90487ddcb4bb0540ea4e2a1ce040740371bb0f3ad70e36824d486058349\r\n- a9799ed289b967be92f920616015e58ae6e27defaa48f377d3cd701d0915fe53\r\n- afcbaae700e1779d3e0abe52bf0f085945fc9b6935f7105706b1ab4a823f565f\r\n- 2da473d1f510d0ddbae074a6c13953863c25be479acedc899c5529ec55bd2a65\r\n- 2b2da38b62916c448235038f09c51f226d96087df531b9a508e272b9e87c909d\r\n- f583523bba0a3c27e08ebb4404d74924b99537b01af5f35f43c44416f600079e\r\nC2:\r\n- nefteparkstroy.ru[:]443\r\n- fmsru.ru[:]443\r\nSource: https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa?source=rss-f1efd6b74751------2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa?source=rss-f1efd6b74751------2"
	],
	"report_names": [
		"love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa?source=rss-f1efd6b74751------2"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "187a0668-a968-4cf0-8bfd-4bc97c02f6dc",
			"created_at": "2022-10-27T08:27:12.955905Z",
			"updated_at": "2026-04-10T02:00:05.376527Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"SideCopy"
			],
			"source_name": "MITRE:SideCopy",
			"tools": [
				"AuTo Stealer",
				"Action RAT"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d0c0a5ea-3066-42a5-846c-b13527f64a3e",
			"created_at": "2023-01-06T13:46:39.080551Z",
			"updated_at": "2026-04-10T02:00:03.206572Z",
			"deleted_at": null,
			"main_name": "RAZOR TIGER",
			"aliases": [
				"APT-C-17",
				"T-APT-04",
				"SideWinder"
			],
			"source_name": "MISPGALAXY:RAZOR TIGER",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "d18b9735-1af7-433c-a582-a01886bc5e3f",
			"created_at": "2024-10-25T02:02:07.582653Z",
			"updated_at": "2026-04-10T02:00:04.569471Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "ETDA:Awaken Likho",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "a4f0e383-f447-4cd6-80e3-ffc073ed4e00",
			"created_at": "2023-01-06T13:46:39.30167Z",
			"updated_at": "2026-04-10T02:00:03.280161Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:SideCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "f9871bb8-2d6a-498e-9798-ca42d008ba26",
			"created_at": "2025-03-07T02:00:03.808806Z",
			"updated_at": "2026-04-10T02:00:03.836261Z",
			"deleted_at": null,
			"main_name": "GamaCopy",
			"aliases": [],
			"source_name": "MISPGALAXY:GamaCopy",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "b584b10a-7d54-4d05-9e21-b223563df7b8",
			"created_at": "2022-10-25T16:07:24.181589Z",
			"updated_at": "2026-04-10T02:00:04.892659Z",
			"deleted_at": null,
			"main_name": "SideCopy",
			"aliases": [
				"G1008",
				"Mocking Draco",
				"TAG-140",
				"UNC2269",
				"White Dev 55"
			],
			"source_name": "ETDA:SideCopy",
			"tools": [
				"ActionRAT",
				"AllaKore",
				"Allakore RAT",
				"AresRAT",
				"Bladabindi",
				"CetaRAT",
				"DetaRAT",
				"EpicenterRAT",
				"Jorik",
				"Lilith",
				"Lilith RAT",
				"MargulasRAT",
				"ReverseRAT",
				"njRAT"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "6b9fc913-06c6-4432-8c58-86a3ac614564",
			"created_at": "2022-10-25T16:07:24.185236Z",
			"updated_at": "2026-04-10T02:00:04.893541Z",
			"deleted_at": null,
			"main_name": "SideWinder",
			"aliases": [
				"APT-C-17",
				"APT-Q-39",
				"BabyElephant",
				"G0121",
				"GroupA21",
				"HN2",
				"Hardcore Nationalist",
				"Rattlesnake",
				"Razor Tiger",
				"SideWinder",
				"T-APT-04"
			],
			"source_name": "ETDA:SideWinder",
			"tools": [
				"BroStealer",
				"Capriccio RAT",
				"callCam"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "90074ca4-8a4a-42dc-a395-25db4f44c1a4",
			"created_at": "2024-10-08T02:00:04.462582Z",
			"updated_at": "2026-04-10T02:00:03.722048Z",
			"deleted_at": null,
			"main_name": "Awaken Likho",
			"aliases": [
				"Core Werewolf"
			],
			"source_name": "MISPGALAXY:Awaken Likho",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "173f1641-36e3-4bce-9834-c5372468b4f7",
			"created_at": "2022-10-25T15:50:23.349637Z",
			"updated_at": "2026-04-10T02:00:05.3486Z",
			"deleted_at": null,
			"main_name": "Sidewinder",
			"aliases": [
				"Sidewinder",
				"T-APT-04"
			],
			"source_name": "MITRE:Sidewinder",
			"tools": [
				"Koadic"
			],
			"source_id": "MITRE",
			"reports": null
		}
	],
	"ts_created_at": 1775434384,
	"ts_updated_at": 1775826739,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/0bc0b74957b1994a572dfdfc00213a5f17b53ebc.pdf",
		"text": "https://archive.orkl.eu/0bc0b74957b1994a572dfdfc00213a5f17b53ebc.txt",
		"img": "https://archive.orkl.eu/0bc0b74957b1994a572dfdfc00213a5f17b53ebc.jpg"
	}
}