{
	"id": "54816dd2-e4dd-4fe1-a5a6-831525e601a6",
	"created_at": "2026-04-06T00:11:55.432529Z",
	"updated_at": "2026-04-10T13:11:22.97566Z",
	"deleted_at": null,
	"sha1_hash": "3fe8f7a06c34c9171fe13352fdc807d04bff7775",
	"title": "Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 478964,
	"plain_text": "Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting\r\nUkraine\r\nBy Unit 42\r\nPublished: 2022-02-03 · Archived: 2026-04-05 14:49:54 UTC\r\nExecutive Summary\r\nSince November, geopolitical tensions between Russia and Ukraine have escalated dramatically. It is estimated that Russia\r\nhas now amassed over 100,000 troops on Ukraine's eastern border, leading some to speculate that an invasion may come\r\nnext. On Jan. 14, 2022, this conflict spilled over into the cyber domain as the Ukrainian government was targeted with\r\ndestructive malware (WhisperGate) and a separate vulnerability in OctoberCMS was exploited to deface several Ukrainian\r\ngovernment websites. While attribution of those events is ongoing and there is no known link to Gamaredon (aka Primitive\r\nBear), one of the most active existing advanced persistent threats targeting Ukraine, we anticipate we will see additional\r\nmalicious cyber activities over the coming weeks as the conflict evolves. We have also observed recent activity from\r\nGamaredon. In light of this, this blog provides an update on the Gamaredon group.\r\nSince 2013, just prior to Russia’s annexation of the Crimean peninsula, the Gamaredon group has primarily focused its cyber\r\ncampaigns against Ukrainian government officials and organizations. In 2017, Unit 42 published its first research\r\ndocumenting Gamaredon’s evolving toolkit and naming the group, and over the years, several researchers have noted that\r\nthe operations and targeting activities of this group align with Russian interests. This link was recently substantiated on Nov.\r\n4, 2021, when the Security Service of Ukraine (SSU) publicly attributed the leadership of the group to five Russian Federal\r\nSecurity Service (FSB) officers assigned to posts in Crimea. 
Concurrently, the SSU also released an updated technical report\r\ndocumenting the tools and tradecraft employed by this group.\r\nGiven the current geopolitical situation and the specific target focus of this APT group, Unit 42 continues to actively\r\nmonitor for indicators of their operations. In doing so, we have mapped out three large clusters of their infrastructure used to\r\nsupport different phishing and malware purposes. These clusters link to over 700 malicious domains, 215 IP addresses and\r\nover 100 samples of malware.\r\nMonitoring these clusters, we observed an attempt to compromise a Western government entity in Ukraine on Jan. 19, 2022.\r\nThe sections below offer an overview of our findings in order to aid targeted entities in Ukraine as well as cybersecurity\r\norganizations in defending against this threat group.\r\nUpdate Feb. 16: When we originally published this report, we noted, “While we have mapped out three large clusters of\r\ncurrently active Gamaredon infrastructure, we believe there is more that remains undiscovered.” We have since discovered\r\nhundreds more Gamaredon-related domains, including known related-clusters, and also new clusters. 
We have updated our\r\nIndicators of Compromise (IoCs) to include these additional domains and cluster observations.\r\nUpdate June 22: As noted in February, Unit 42 continues to monitor and research Gamaredon infrastructure and malware.\r\nToday we are sharing another update to our Gamaredon IoCs, listing infrastructure that we have observed since the previous\r\nupdate.\r\nFull visualization of the techniques observed, relevant courses of action and IoCs related to this Gamaredon report can be\r\nfound in the Unit 42 ATOM viewer.\r\nPalo Alto Networks customers receive protections against the types of threats discussed in this blog by products including\r\nCortex XDR and the WildFire, AutoFocus, Advanced URL Filtering and DNS Security subscription services for the Next-Generation Firewall.\r\nGamaredon Downloader Infrastructure (Cluster 1)\r\nhttps://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021\r\nPage 1 of 14\n\nGamaredon actors pursue an interesting approach when it comes to building and maintaining their infrastructure. Most\r\nactors choose to discard domains after their use in a cyber campaign in order to distance themselves from any possible\r\nattribution. However, Gamaredon’s approach is unique in that they appear to recycle their domains by consistently rotating\r\nthem across new infrastructure. A prime example can be seen in the domain libre4[.]space. Evidence of its use in a\r\nGamaredon campaign was flagged by a researcher as far back as 2019. Since then, Cisco Talos and Threatbook have also\r\nfirmly attributed the domain to Gamaredon. Yet despite public attribution, the domain continues to resolve to new internet\r\nprotocol (IP) addresses daily.\r\nFigure 1. libre4[.]space recent IP resolutions as of Jan. 
27, 2022.\r\nPivoting to the first IP on the list (194.58.100[.]17) reveals a cluster of domains rotated and parked on the IP on the exact same day.\r\nFigure 2. Domains associated with 194.58.100[.]17 on Jan. 27, 2022.\r\nThorough pivoting through all of the domains and IP addresses results in the identification of almost 700 domains. These are\r\ndomains that are already publicly attributed to Gamaredon due to use in previous cyber campaigns, mixed with new domains\r\nthat have not yet been used. Drawing a delineation between the two then becomes an exercise in tracking the most recent\r\ninfrastructure.\r\nFocusing on the IP addresses linked to these domains over the last 60 days results in the identification of 136 unique IP\r\naddresses; interestingly, 131 of these IP addresses are hosted within the autonomous system (AS) 197695 physically located\r\nin Russia and operated by the same entity used as the registrar for these domains, reg[.]ru. The total number of IPs translates\r\nto the introduction of roughly two new IP addresses every day into Gamaredon’s malicious infrastructure pool. Monitoring\r\nthis pool, it appears that the actors are activating new domains, using them for a few days, and then adding the domains to a\r\npool of domains that are rotated across various IP infrastructure. This shell game approach affords a degree of obfuscation to\r\nattempt to hide from cybersecurity researchers.\r\nFor researchers, it becomes difficult to correlate specific payloads to domains and to the IP address that the domain resolved\r\nto on the precise day of a phishing campaign. Furthermore, Gamaredon’s technique provides the actors with a degree of\r\ncontrol over who can access malicious files hosted on their infrastructure, as a web page’s uniform resource locator (URL)\r\nfile path embedded in a downloader only works for a finite period of time. 
Once the domains are rotated to a new IP address,\r\nrequests for the URL file paths will result in a “404” file not found error for anyone attempting to study the malware.\r\nCluster 1 History\r\nWhile focusing on current downloader infrastructure, we were able to trace the longevity of this cluster back to an origin in\r\n2018. Certain “marker” domains, such as the aforementioned libre4[.]space, are still active today and also traced back to\r\nMarch 2019 with apparently consistent ownership. On the same date range in March 2019, a cluster of domains was\r\nobserved on 185.158.114[.]107 with thematically linked naming – several of which are still active in this cluster today.\r\nFigure 3. Domain cluster on 185.158.114[.]107 in March 2019.\r\nFurther pivoting back in time and across domains finds an apparent initial domain for this cluster of infrastructure,\r\nbitsadmin[.]space on 195.88.209[.]136, in December 2018.\r\nFigure 4. Initial domain bitsadmin[.]space, December 2018.\r\nWe see it clustered here with some dynamic domain name system (DNS) domains. Dynamic DNS domains were observed in\r\nthis cluster on later IP addresses as well, though this technique appears to have fallen out of favor, at least in this context,\r\nsince there are none in this cluster currently active.\r\nInitial Downloaders\r\nSearching for samples connecting to Gamaredon infrastructure across public and private malware repositories resulted in the\r\nidentification of 17 samples over the past three months. 
The majority of these files were either shared by entities in Ukraine\r\nor contained Ukrainian filenames.\r\nFilename Translation\r\nМаксим.docx Maksim.docx\r\nПІДОЗРА РЯЗАНЦЕВА.docx RAZANTSEV IS SUSPICIOUS.docx\r\nпротокол допиту.docx interrogation protocol.docx\r\nТЕЛЕГРАММА.docx TELEGRAM.docx\r\n2_Пам’ятка_про_процесуальні_права_та_обов’язки_потерпілого.docx\r\n2_Memorial_about_processal_rights_and_obligations_o\r\nVictim.docx\r\n2_Porjadok_do_nakazu_111_vid_13.04.2017.docx 2_Procedure_to_order_111_from_13.04.2017.docx\r\nвисновок тимошечкин.docx conclusion Timoshechkin.docx\r\nЗвіт на ДМС за червень 2021 (Автосохраненный).doc Report on the LCA for June 2021 (Autosaved) .doc\r\nвисновок Кличко.docx Klitschko's conclusion.docx\r\nОбвинувальний акт ГЕРМАН та ін.docx Indictment GERMAN et al.docx\r\nсупровід 1-СЛ 10 місяців.doc support 1-SL 10 months.doc\r\nTable 1. Recently observed downloader filenames.\r\nAn analysis of these files found that they all leveraged a remote template injection technique that allows the documents to\r\npull down the malicious code once they are opened. This allows the attacker to have control over what content is sent back\r\nto the victim in an otherwise benign document. Recent examples of the remote template “dot” file URLs these documents\r\nuse include the following:\r\nhttp://bigger96.allow.endanger.hokoldar[.]ru/[Redacted]/globe/endanger/lovers.cam\r\nhttp://classroom14.nay.sour.reapart[.]ru/[Redacted]/bid/sour/glitter.kdp\r\nhttp://priest.elitoras[.]ru/[Redacted]/pretend/pretend/principal.dot\r\nhttp://although.coferto[.]ru/[Redacted]/amazing.dot\r\nhttp://source68.alternate.vadilops[.]ru/[Redacted]/clamp/interdependent.cbl\r\nMany of the files hosted on the Gamaredon infrastructure are labeled with abstract extensions such as .cam, .cdl, .kdp and\r\nothers. 
We believe this is an intentional effort by the actor to reduce exposure and detection of these files by antivirus and\r\nURL scanning services.\r\nTaking a deeper look at the top two, hokoldar[.]ru and reapart[.]ru, provides unique insights into two recent phishing\r\ncampaigns. Beginning with the first domain, passive DNS data shows that the domain first resolved to an IP address that\r\nwas shared with other Gamaredon domains on Jan. 4. Figure 2 above shows that hokoldar[.]ru continued to share an IP\r\naddress with libre4[.]space on Jan. 27, once again associating it with the Gamaredon infrastructure pool. In that short\r\nwindow, on Jan. 19, we observed a targeted phishing attempt against a Western government entity operating in Ukraine. \r\nIn this attempt, rather than emailing the downloader directly to their target, the actors instead leveraged a job search and\r\nemployment service within Ukraine. In doing so, the actors searched for an active job posting, uploaded their downloader as\r\na resume and submitted it through the job search platform to a Western government entity. Given the steps and precision\r\ndelivery involved in this campaign, it appears this may have been a specific, deliberate attempt by Gamaredon to\r\ncompromise this Western government organization.\r\nExpanding beyond this recent case, we also discovered public evidence of a Gamaredon campaign targeting the State\r\nMigration Service of Ukraine. On Dec. 1, an email was sent from yana_gurina@ukr[.]net to 6524@dmsu[.]gov.ua. The\r\nsubject of the email was “NOVEMBER REPORT” and attached to the email was a file called “Report on the LCA for June\r\n2021(Autosaved).doc.” When opened, this Word document calls out to reapart[.]ru. From there, it downloads and then\r\nexecutes a malicious remote Word Document Template file named glitter.kdp.\r\nFigure 5. 
Email sent to 6524@dmsu[.]gov.ua.\r\nCERT Estonia (CERT-EE), a department within the Cyber Security Branch of the Estonian Information System Authority,\r\nrecently published an article on Gamaredon which covers the content returned from these remote template files. To summarize their findings on this\r\naspect, the remote template retrieves a VBS script to execute which establishes a persistent command and control (C2)\r\ncheck-in and will retrieve the next payload once the Gamaredon group is ready for the next phase. In CERT-EE’s case, after\r\nsix hours the infrastructure came back to life again and downloaded a SelF-eXtracting (SFX) archive.\r\nSSL Pivot to Additional Infrastructure and Samples\r\nWhile conducting historical research on the infrastructure in cluster 1, we discovered a self-signed certificate associated with\r\ncluster 1 IP address 92.242.62[.]96:\r\nSerial: 373890427866944398020500009522040110750114845760\r\nSHA1: 62478d7653e3f5ce79effaf7e69c9cf3c28edf0c\r\nIssued: 2021-01-27\r\nExpires: 2031-01-25\r\nCommon name: ip45-159-200-109.crelcom[.]ru\r\nAlthough the IP Address WHOIS record for Crelcom LLC is registered to an address in Moscow, the technical admin listed\r\nfor the netblock containing the IP address is registered to an address in Simferopol, Crimea. 
We further trace the apparent\r\norigins of Crelcom back to Simferopol, Crimea, as well.\r\nThis certificate relates to 79 IP addresses:\r\nThe common-name IP address - no Gamaredon domains\r\nOne IP address links to cluster 1 above (92.242.62[.]96)\r\n76 IP addresses link to another distinct collection of domains – “cluster 2”\r\n1 IP address led us to another distinct cluster, “cluster 3” (194.67.116[.]67)\r\nWe find almost no overlap of IP addresses between these separate clusters.\r\nFile Stealer (Cluster 2)\r\nOf the 76 IP addresses we associate with cluster 2, 70 of them have confirmed links to C2 domains associated with a variant\r\nof Gamaredon’s file stealer tool. Within the last three months, we have identified 23 samples of this malware, twelve of\r\nwhich appear to have been shared by entities in Ukraine. The C2 domains in those samples include:\r\nDomain First Seen\r\njolotras[.]ru 12/16/2021\r\nmoolin[.]ru 10/11/2021\r\nnaniga[.]ru 9/2/2021\r\nnonimak[.]ru 9/2/2021\r\nbokuwai[.]ru 9/2/2021\r\nkrashand[.]ru 6/17/2021\r\ngorigan[.]ru 5/25/2021\r\nTable 3. Recent file stealer C2 domains.\r\nAs you can see, some of these domains were established months ago, yet despite their age, they continue to enjoy benign\r\nreputations. For example, only five out of 93 vendors consider the domain krashand[.]ru to be malicious on VirusTotal.\r\nFigure 7. VirusTotal results for krashand[.]ru from Jan. 27, 2022.\r\nReviewing passive DNS (pDNS) logs for these domains quickly reveals a long list of subdomains associated with each.\r\nSome of the subdomains follow a standardized pattern. For example, several of the domains use the first few letters of the\r\nalphabet (a, b, c) in a repeating combination. Conversely, jolotras[.]ru and moolin[.]ru use randomized alphanumeric characters. 
We believe that these subdomains are dynamically generated by the file stealer\r\nwhen it first establishes a connection with its C2 server. As such, counting the number of subdomains associated with a\r\nparticular C2 domain provides a rough gauge of the number of entities that have attempted to connect to the server.\r\nHowever, it is important to also note that the number of pDNS entries can also be skewed by researchers and cybersecurity\r\nproducts that may be evaluating the malicious samples associated with a particular C2 domain.\r\nSubdomains\r\n637753576301692900[.]jolotras.ru\r\n637753623005957947[.]jolotras[.]ru\r\n637755024217842817.jolotras[.]ru\r\na.nonimak[.]ru\r\naaaa.nonimak[.]ru\r\naaaaa.nonimak[.]ru\r\naaaaaa.nonimak[.]ru\r\n0enhzs.moolin[.]ru\r\n0ivrlzyk.moolin[.]ru\r\n0nxfri.moolin[.]ru\r\nTable 4. Subdomain naming for file stealer infrastructure.\r\nIn mapping these domains to their corresponding C2 infrastructure, we discovered that the domains overlap in terms of the\r\nIP addresses they point to. This allowed us to identify the following active infrastructure:\r\nIP Address First Seen\r\n194.58.92[.]102 1/14/2022\r\n37.140.199[.]20 1/10/2022\r\n194.67.109[.]164 12/16/2021\r\n89.108.98[.]125 12/26/2021\r\n185.46.10[.]143 12/15/2021\r\n89.108.64[.]88 10/29/2021\r\nTable 5. Recent file stealer IP infrastructure.\r\nOf note, all of the file stealer infrastructure appears to be hosted within AS197695, the same AS highlighted earlier.\r\nHistorically, we have seen the C2 domains point to various autonomous systems (AS) globally. 
However, as of early\r\nNovember, it appears that the actors have consolidated all of their file stealer infrastructure within Russian ASs –\r\npredominantly this single AS.\r\nIn mapping the patterns involved in the use of this infrastructure, we found that the domains are rotated across IP addresses\r\nin a manner similar to the downloader infrastructure discussed previously. A malicious domain may point to one of the C2\r\nserver IP addresses today while pointing to a different address tomorrow. This adds a degree of complexity and obfuscation\r\nthat makes it challenging for network defenders to identify and remove the malware from infected networks. The discovery\r\nof a C2 domain in network logs thus requires defenders to search through their network traffic for the full collection of IP\r\naddresses that the malicious domain has resolved to over time. As an example, moolin[.]ru has pointed to 11 IP addresses\r\nsince early October, rotating to a new IP every few days.\r\nIP Address Country AS First Seen Last Seen\r\n194.67.109[.]164 RU 197695 2021-12-28 2022-01-27\r\n185.46.10[.]143 RU 197695 2021-12-16 2021-12-26\r\n212.109.199[.]204 RU 29182 2021-12-15 2021-12-15\r\n80.78.241[.]253 RU 197695 2021-11-19 2021-12-14\r\n89.108.78[.]82 RU 197695 2021-11-16 2021-11-18\r\n194.180.174[.]46 MD 39798 2021-11-15 2021-11-15\r\n70.34.198[.]226 SE 20473 2021-10-14 2021-10-30\r\n104.238.189[.]186 FR 20473 2021-10-13 2021-10-14\r\n95.179.221[.]147 FR 20473 2021-10-13 2021-10-13\r\n176.118.165[.]76 RU 43830 2021-10-12 2021-10-13\r\nTable 6. Recent file stealer IP infrastructure\r\nShifting focus to the malware itself, file stealer samples connect to their C2 infrastructure in a unique manner. Rather than\r\nconnecting directly to a C2 domain, the malware performs a DNS lookup to convert the domain to an IP address. Once\r\ncomplete, it establishes an HTTPS connection directly to the IP address. 
For example:\r\nC2 Domain: moolin[.]ru\r\nC2 IP Address: 194.67.109[.]164\r\nC2 Comms: https://194.67.109[.]164/zB6OZj6F0zYfSQ\r\nThis technique of creating distance between the domain and the physical C2 infrastructure seems to be an attempt to bypass\r\nURL filtering:\r\n1. The domain itself is only used in an initial DNS request to resolve the C2 server IP address – no actual connection is\r\nattempted using the domain name.\r\n2. Identification and blocking of a domain doesn’t impact existing compromises as the malware will continue to\r\ncommunicate directly with the C2 server using the IP address – even if the domain is subsequently deleted or rotated\r\nto a new IP – as long as the malware continues to run.\r\nOne recent file stealer sample we analyzed (SHA256:\r\nf211e0eb49990edbb5de2bcf2f573ea6a0b6f3549e772fd16bf7cc214d924824) was found to be a .NET binary that had been\r\nobfuscated to make analysis more difficult. The first thing that jumps out when reviewing these files are their sizes. This\r\nparticular file clocks in at over 136 MB in size, but we observed files going all the way up to 200 MB and beyond. It is\r\npossible that this is an attempt to circumvent automated sandbox analysis, which usually avoids scanning such large files. It\r\nmay also simply be a byproduct of the obfuscation tools being used. Whatever the reason for the large file size, it comes at a\r\nprice to the attacker, as executables of this size stick out upon review. Transmitting a file this large to a victim becomes a\r\nmuch more challenging task.\r\nThe obfuscation within this sample is relatively simple and mainly relies upon defining arrays and concatenating strings of\r\nsingle characters in high volume over hundreds of lines to try to hide the construction of the actual string within the noise.\r\nFigure 8. 
Building the string “IconsCache.db” in the “text” variable.\r\nIt begins by checking for the existence of the Mutex Global\\lCHBaUZcohRgQcOfdIFaf, which, if present, implies the\r\nmalware is already running and will cause the file stealer to exit. Next, it will create the folder\r\nC:\\Users\\%USER%\\AppData\\Local\\TEMP\\ModeAuto\\icons, wherein screenshots that are taken every minute will be stored\r\nand then transmitted to the C2 server with the name format YYYY-MM-DD-HH-MM.jpg.\r\nTo identify the IP address of the C2 server, the file stealer will generate a random string of alphanumeric characters between\r\neight and 23 characters long, such as 9lGo990cNmjxzWrDykSJbV.jolotras[.]ru.\r\nAs mentioned previously, once the file stealer retrieves the IP address for this domain, it will no longer use the domain\r\nname. Instead, all communications will be direct with the IP address.\r\nDuring execution, it will search all fixed and network drives attached to the computer for the following extensions:\r\n.doc\r\n.docx\r\n.xls\r\n.rtf\r\n.odt\r\n.txt\r\n.jpg\r\n.pdf\r\n.ps1\r\nWhen it has a list of files on the system, it begins to create a string for each that contains the path of the file, the size of the\r\nfile and the last time the file was written to, similar to the example below:\r\nC:\\cygwin\\usr\\share\\doc\\bzip2\\manual.pdf2569055/21/2011 3:17:02 PM\r\nThe file stealer takes this string and generates an MD5 hash of it, resulting in the following output for this example:\r\nFB-17-F1-34-F4-22-9B-B4-49-0F-6E-3E-45-E3-C9-FA\r\nNext, it removes the hyphens from the hash and converts all uppercase letters to lowercase. These MD5 hashes are then\r\nsaved into the file C:\\Users\\%USER%\\AppData\\Local\\IconsCache.db. The naming of this file is another attempt to hide in\r\nplain sight next to the legitimate IconCache.db.\r\nFigure 9. 
IconsCache.db contents.\r\nThe malware uses this database to track unique files.\r\nThe malware will then generate a URL path with alphanumeric characters for its C2 communication, using the DNS-IP\r\ntechnique illustrated previously with the moolin[.]ru domain example:\r\nhttps://194.67.109[.]164/zB6OZj6F0zYfSQ\r\nBelow is the full list of domains currently resolving to cluster 2 IP addresses:\r\nDomain Registered\r\njolotras[.]ru 12/16/2021\r\nmoolin[.]ru 10/11/2021\r\nbokuwai[.]ru 9/2/2021\r\nnaniga[.]ru 9/2/2021\r\nnonimak[.]ru 9/2/2021\r\nbilargo[.]ru 7/23/2021\r\nkrashand[.]ru 6/17/2021\r\nfirtabo[.]ru 5/28/2021\r\ngorigan[.]ru 5/25/2021\r\nfirasto[.]ru 5/21/2021\r\nmyces[.]ru 2/24/2021\r\nteroba[.]ru 2/24/2021\r\nbacilluse[.]ru 2/15/2021\r\ncirculas[.]ru 2/15/2021\r\nmegatos[.]ru 2/15/2021\r\nphymateus[.]ru 2/15/2021\r\ncerambycidae[.]ru 1/22/2021\r\ncoleopteras[.]ru 1/22/2021\r\ndanainae[.]ru 1/22/2021\r\nTable 7. All cluster 2 domains.\r\nPteranodon (Cluster 3)\r\nThe single remaining IP address related to the SSL certificate was not related to either cluster 1 or cluster 2, and instead led\r\nus to a third, distinct cluster of domains.\r\nThis final cluster appears to serve as the C2 infrastructure for a custom remote administration tool called Pteranodon.\r\nGamaredon has used, maintained and updated development of this code for years. Its code contains anti-detection functions\r\nspecifically designed to identify sandbox environments in order to thwart antivirus detection attempts. It is capable of\r\ndownloading and executing files, capturing screenshots and executing arbitrary commands on compromised systems.\r\nOver the last three months, we have identified 33 samples of Pteranodon. These samples are commonly named\r\n7ZSfxMod_x86.exe. 
Pivoting across this cluster, we identified the following C2 infrastructure:\r\nDomain Registered\r\ntakak[.]ru 9/18/2021\r\nrimien[.]ru 9/18/2021\r\nmaizuko[.]ru 9/2/2021\r\niruto[.]ru 9/2/2021\r\ngloritapa[.]ru 8/5/2021\r\ngortisir[.]ru 8/5/2021\r\ngortomalo[.]ru 8/5/2021\r\nlangosta[.]ru 6/25/2021\r\nmalgaloda[.]ru 6/8/2021\r\nTable 8. Cluster 3 domains.\r\nWe again observe domain reputation aging, as seen in cluster 2.\r\nAn interesting naming pattern is seen in cluster 3 – also seen in some cluster 1 host and subdomain names. We see these\r\nactors using English words, seemingly grouped by the first two or three letters. For example:\r\ndeep-rooted.gloritapa[.]ru\r\ndeep-sinking.gloritapa[.]ru\r\ndeepwaterman.gloritapa[.]ru\r\ndeepnesses.gloritapa[.]ru\r\ndeep-lunged.gloritapa[.]ru\r\ndeerfood.gortomalo[.]ru\r\ndeerbrook.gortomalo[.]ru\r\ndespite.gortisir[.]ru\r\ndes.gortisir[.]ru\r\ndesire.gortisir[.]ru\r\nThis pattern differs from those of cluster 2, but has been observed on some cluster 1 (dropper) domains, for example:\r\nalley81.salts.kolorato[.]ru\r\nallied.striman[.]ru\r\nallowance.hazari[.]ru\r\nallowance.telefar[.]ru\r\nally.midiatr[.]ru\r\nallocate54.previously.bilorotka[.]ru\r\nalluded6.perfect.bilorotka[.]ru\r\nalready67.perfection.zanulor[.]ru\r\nalready8.perfection.zanulor[.]ru\r\nThis pattern is even carried into HTTP POSTs, files and directories created by associated samples:\r\nExample 1:\r\nSHA256: 74cb6c1c644972298471bff286c310e48f6b35c88b5908dbddfa163c85debdee\r\ndeerflys.gortomalo[.]ru\r\nC:\\Windows\\System32\\schtasks.exe /CREATE /sc minute /mo 11 /tn \"deepmost\" /tr \"wscript.exe \"C:\\Users\\Public\\\\deep-naked\\deepmost.fly\" counteract /create //b /criminal //e:VBScript /cracker counteract \" /F\r\nPOST /index.eef/deep-water613\r\nExample 2:\r\nSHA256: 
ffb6d57d789d418ff1beb56111cc167276402a0059872236fa4d46bdfe1c0a13\r\ndeer-neck.gortomalo[.]ru\r\n\"C:\\Windows\\System32\\schtasks.exe\" /CREATE /sc minute /mo 13 /tn \"deep-worn\" /tr \"wscript.exe\r\n\"C:\\Users\\Public\\\\deerberry\\deep-worn.tmp\" crumb /cupboard //b /cripple //e:VBScript /curse crumb \" /F\r\nPOST /cache.jar/deerkill523\r\nBecause we only see this with some domains, this may be a technique employed by a small group of actors or teams. It\r\nsuggests a possible link between the cluster 3 samples and those from cluster 1 employing a similar naming system. In\r\ncontrast, we do not observe cluster 2’s large-number or random-string naming technique employed in any cluster 1 domains.\r\nConclusion\r\nGamaredon has been targeting Ukrainian victims for almost a decade. As international tensions surrounding Ukraine remain\r\nunresolved, Gamaredon’s operations are likely to continue to focus on Russian interests in the region. This blog serves to\r\nhighlight the importance of research into adversary infrastructure and malware, as well as community collaboration, in order\r\nto detect and defend against nation-state cyberthreats. While we have mapped out three large clusters of currently active\r\nGamaredon infrastructure, we believe there is more that remains undiscovered. Unit 42 remains vigilant in monitoring the\r\nevolving situation in Ukraine and continues to actively hunt for indicators to put protections in place to defend our\r\ncustomers anywhere in the world. We encourage all organizations to leverage this research to hunt for and defend against\r\nthis threat.\r\nProtections and Mitigations\r\nThe best defense against this evolving threat group is a security posture that favors prevention. 
We recommend that\r\norganizations implement the following:\r\nSearch network and endpoint logs for any evidence of the indicators of compromise associated with this threat group.\r\nEnsure cybersecurity solutions are effectively blocking against the active infrastructure IoCs identified above.\r\nImplement a DNS security solution in order to detect and mitigate DNS requests for known C2 infrastructure.\r\nApply additional scrutiny to all network traffic communicating with AS 197695 (Reg[.]ru).\r\nIf you think you may have been compromised or have an urgent matter, get in touch with the Unit 42 Incident\r\nResponse team or call North America Toll-Free: 866.486.4842 (866.4.UNIT42), EMEA: +31.20.299.3130, APAC:\r\n+65.6983.8730, or Japan: +81.50.1790.0200.\r\nFor Palo Alto Networks customers, our products and services provide the following coverage associated with this campaign:\r\nCortex XDR protects endpoints from the malware techniques described in this blog.\r\nWildFire cloud-based threat analysis service accurately identifies the malware described in this blog as malicious.\r\nAdvanced URL Filtering and DNS Security identify all phishing and malware domains associated with this group as\r\nmalicious.\r\nUsers of AutoFocus contextual threat intelligence service can view malware associated with these attacks using the\r\nGamaredon Group tag.\r\nPalo Alto Networks has shared these findings, including file samples and indicators of compromise, with our fellow Cyber\r\nThreat Alliance members. CTA members use this intelligence to rapidly deploy protections to their customers and to\r\nsystematically disrupt malicious cyber actors. Learn more about the Cyber Threat Alliance.\r\nSource: https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MISPGALAXY",
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021"
	],
	"report_names": [
		"gamaredon-primitive-bear-ukraine-update-2021"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434315,
	"ts_updated_at": 1775826682,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/3fe8f7a06c34c9171fe13352fdc807d04bff7775.pdf",
		"text": "https://archive.orkl.eu/3fe8f7a06c34c9171fe13352fdc807d04bff7775.txt",
		"img": "https://archive.orkl.eu/3fe8f7a06c34c9171fe13352fdc807d04bff7775.jpg"
	}
}