{
	"id": "7af40f4b-944e-4a88-bd89-8279badcf4a0",
	"created_at": "2026-04-06T00:16:00.643236Z",
	"updated_at": "2026-04-10T13:12:13.985777Z",
	"deleted_at": null,
	"sha1_hash": "11457a6b5c67a73785fab13ccf226f329629c958",
	"title": "Gamaredon APT Group Use Covid-19 Lure in Campaigns",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 85590,
	"plain_text": "Gamaredon APT Group Use Covid-19 Lure in Campaigns\r\nBy Kakara Hiroyuki, Erina Maruyama\r\nPublished: 2020-04-17 · Archived: 2026-04-05 22:37:12 UTC\r\nGamaredon is an advanced persistent threat (APT) group that has been active since 2013. Their campaigns are generally known for targeting Ukrainian government institutions. From late 2019 to February of this year, researchers published several reports on Gamaredon, tracking the group’s activities.\r\nIn March, we came across an email with a malware attachment that used the Gamaredon group’s tactics. Some of the emails used the coronavirus pandemic as a topic to lure victims into opening emails and attachments. These campaigns targeted victims in European countries and others.\r\nA brief history of Gamaredon\r\nIn 2015, researchers from LookingGlass published the first report on Gamaredon. According to that report, the early campaigns used Microsoft Word documents that, when inspected, showed that their most recent user went by the name of Armagedon (a misspelled “Armageddon”), which became the basis of the group’s name.\r\nThe report also described Gamaredon’s political beginnings, particularly its ties to the Ukrainian revolution in 2014. Before the revolution they had targeted Ukrainian government officials, opposition party members, and journalists. They moved on to Ukrainian government institutions after the revolution. In 2018, CERT-UA published an advisory against the malware Pterodo, which the group allegedly used.\r\nThe group remained active, with several Gamaredon-related activities reported in February 2020. In March, they were among the threat groups identified as taking advantage of the coronavirus pandemic to trick targets.\r\nGamaredon and Covid-19-related cover emails\r\nFigure 1. The infection chain of the Gamaredon campaign\r\nThe case we found arrived through a targeted email that contained a document file (in docx format). Opening the document starts a template injection technique that loads the document template from the internet. The downloaded document template contains the malicious macro code, which executes a VBScript (VBS). We found a mechanism for decrypting, executing, and downloading an additional payload from the C\u0026C server. At the time of the analysis, however, the C\u0026C server was not accessible, so we were unable to obtain additional payloads.\r\nThe attacks we found all arrived through targeted emails (MITRE ATT\u0026CK framework ID T1193). One of them even had the subject “Coronavirus (2019-nCoV).” The use of socially relevant topics is a common practice for attackers who wish to make their emails and documents more tempting to open. The email that used the coronavirus-related subject came with an attached document file. Opening this file (MITRE ATT\u0026CK framework ID T1204) executes the template injection method (MITRE ATT\u0026CK framework ID T1221).\r\nFigure 2. Code for downloading the document template with the malicious macro\r\nThe downloaded document template (in dot format) could differ slightly depending on each download. However, its Exif info or metadata remains consistent and shares the following details:\r\nIdentification: Word 8.0\r\nLanguage code: Russian\r\nSystem: Windows\r\nAuthor: АДМИН (“Administrator” in Russian)\r\nCode page: Windows Cyrillic\r\nFigure 3. A sample of the malicious macro in the downloaded template document\r\nAs mentioned, the template contains a malicious macro (MITRE ATT\u0026CK framework ID T1064), which exports a VBS (MITRE ATT\u0026CK framework ID T1064) to execute itself. More specifically, it drops “%USERPROFILE%\\Documents\\MediaPlayer\\PlayList.vbs,” a path hardcoded in the macro, and then executes it with “wscript.exe //b %USERPROFILE%\\Documents\\MediaPlayer\\PlayList.vbs.”\r\nhttps://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/\r\nPage 1 of 4\r\nFigure 4. A content sample of the VBS dropped by the malicious macro\r\nPlayList.vbs contains obfuscated code (MITRE ATT\u0026CK framework ID T1140), which it executes after decrypting the obfuscation. This particular behavior is a slight departure from previously reported attacks by Gamaredon, which did not use this technique.\r\nFigure 5. A sample of the executed VBS\r\nFigure 5 shows a snippet of the VBS executed by the Execute function. The routines it follows are enumerated below.\r\n1. Register the RUN key in the registry below, so that the VBS file is executed every time the machine starts (MITRE ATT\u0026CK framework ID T1060)\r\n2. Registry: HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\MediaPlayer\r\nwscript.exe //b %USERPROFILE%\\Documents\\MediaPlayer\\PlayList.vbs\r\n3. Connect to “hxxp://kristom[.]hopto[.]org/{computer name}_{hexadecimal volume serial number}/help_05_03[.]php” (MITRE ATT\u0026CK framework IDs T1043, T1071, T1082)\r\n4. If the size of the file downloaded in the first step exceeds 10,485 bytes, the file is saved as “%APPDATA%\\\\Microsoft\\Windows\\Cookies.txt” (MITRE ATT\u0026CK framework ID T1105)\r\n5. XOR the file saved in the second step, using as the key the ASCII string converted from the machine’s own hexadecimal volume serial number. The decrypted result is saved as “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” (T1001)\r\n6. If the file size of “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” exceeds 4,485 bytes, it is executed.\r\n7. Both “%APPDATA%\\\\Microsoft\\Windows\\Cookies.txt” and “%APPDATA%\\\\Microsoft\\Windows\\Cookies.exe” are then deleted (MITRE ATT\u0026CK framework ID T1107)\r\nThe observed routines of this VBS closely follow other reports published on Gamaredon, such as the one from SentinelOne. However, the macro-generated VBS was obfuscated in this case, likely as an additional evasive tactic.\r\nInterestingly, after decoding the VBS, we saw what appeared to be a programming mistake by the attacker. Lines 53 and 54 in figure 6 are for closing the downloaded and decoded TXT and EXE files, which are variables defined right before the IF statement. If, however, these lines do not pass through this IF statement, an error would occur. This shows that the malware is not tested enough, and may still be under development.\r\nOur analysis found several URLs of the network destinations for both the template injection and the VBS. While resolving them to IP addresses to understand their attack bases, we found that they were all linked to the following IP addresses.\r\nNetwork destination for template injection: 176[.]119[.]147[.]225\r\nNetwork destination for VBS: 176[.]57[.]215[.]115\r\nThese IP addresses belong to Russian hosting companies. Most likely, the attackers rented a Virtual Private Server (VPS) as their attack base. Their URL for the VBS (shown below) likely includes the date when they conducted the attack.\r\nhxxp://{FQDN}/{computer name}_{hexadecimal volume serial number}/help_{day}_{month}[.]php\r\nConclusion\r\nGamaredon is not the first group to take advantage of the Covid-19 topic. Some cybercriminals have taken to indirect means of profiting, such as by targeting communication platforms that have increased in popularity after organizations shifted to work-from-home setups. In this case, they used Covid-19 as a cover for their relatively typical APT routine. We recommend these countermeasures to prevent similar APT attacks in the future:\r\nCheck the email sender, subject, and body for anything suspicious before downloading and opening email attachments. Be especially wary of unsolicited emails that come from unknown senders.\r\nCheck the file extension of the attached file and make sure it is the intended file format.\r\nAvoid activating macros for any attached Microsoft Office files, especially for emails that request macro activation using an image in the body of the opened file or those that don’t show anything.\r\nWatch out for spoofed domains embedded in emails before opening them. Subtle changes to a popular URL can be one indicator of malicious content.\r\nIn addition to these actions, users can also implement a multi-layer approach and take advantage of these solutions.\r\nTrend Micro™ Smart Protection Suites and Worry-Free™ Business Security protect users and businesses from similar threats by detecting malicious files and spammed messages as well as blocking all related malicious URLs. Trend Micro Deep Discovery™ has an email inspection layer that can protect enterprises by detecting malicious attachments and URLs.\r\nTrend Micro™ Hosted Email Security is a no-maintenance cloud solution that delivers continuously updated protection to stop spam, malware, spear phishing, ransomware, and advanced targeted attacks before they reach the network. It protects Microsoft Exchange, Microsoft Office 365, Google Apps, and other hosted and on-premises email solutions.\r\nTrend Micro™ OfficeScan™ with XGen™ endpoint security infuses high-fidelity machine learning with other detection technologies and global threat intelligence for comprehensive protection against advanced malware.\r\nThe Trend Micro™ XDR solution effectively protects connected emails, endpoints, servers, cloud workloads, and networks. Trend Micro XDR uses powerful AI and expert security analytics to correlate data, as well as deliver fewer yet higher-fidelity alerts for early threat detection. In a single console, it provides a broader perspective of enterprise systems while at the same time giving a more focused and optimized set of alerts.\r\nIndicators of Compromise (IoCs)\r\nMitre ATT\u0026CK Framework\r\nSource: https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"MITRE"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/"
	],
	"report_names": [
		"gamaredon-apt-group-use-covid-19-lure-in-campaigns"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434560,
	"ts_updated_at": 1775826733,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/11457a6b5c67a73785fab13ccf226f329629c958.pdf",
		"text": "https://archive.orkl.eu/11457a6b5c67a73785fab13ccf226f329629c958.txt",
		"img": "https://archive.orkl.eu/11457a6b5c67a73785fab13ccf226f329629c958.jpg"
	}
}