{
	"id": "cc114bcf-abe0-4aed-8e68-d2ed57e70a23",
	"created_at": "2026-04-06T00:17:31.099189Z",
	"updated_at": "2026-04-10T03:37:04.396763Z",
	"deleted_at": null,
	"sha1_hash": "45323baad3160ea7dd8ccaee5af53476906f1574",
	"title": "Gamaredon APT Improves Toolset to Target Ukraine Government, Military",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44143,
	"plain_text": "Gamaredon APT Improves Toolset to Target Ukraine Government,\r\nMilitary\r\nBy Tara Seals\r\nPublished: 2020-02-05 · Archived: 2026-04-05 23:37:35 UTC\r\nResearchers have been tracking an uptick in Gamaredon cyberattacks on Ukrainian military and security institutions\r\nthat started in December.\r\nThe Gamaredon advanced persistent threat (APT) group has been supercharging its operations lately, improving\r\nits toolset and ramping up attacks on Ukrainian national security targets.\r\nVitali Kremez, head of SentinelLabs, said in research released on Wednesday that he has been tracking an uptick\r\nin Gamaredon cyberattacks on Ukrainian military and security institutions that started in December. He said that\r\nthese include digital attacks on physical infrastructure and field hardware, including artillery – along with more\r\nexpected cyber-espionage activity. One of the latter campaigns was a series of reconnaissance actions against the\r\nHetman Petro Sahaidachnyi National Ground Forces Academy in Ukraine, and spyware implants were\r\nspotted in a range of Ukrainian governmental targets.\r\n“Based on SentinelLabs visibility into some of the affected victims, APT Gamaredon affected a large disposition\r\nof victim across Ukrainian separatist line with more than five thousand unique Ukrainian entities affected for the\r\npast months,” Kremez wrote.\r\nIn examining the campaign, SentinelLabs found that Gamaredon has improved its toolset. The latest malware\r\nimplant appears to be a modified version of the group’s proprietary Pterodo malware, discovered on computers of\r\nstate authorities of Ukraine performing system reconnaissance.\r\n“This virus collects system data, regularly sends it to command-control servers and expects further commands,”\r\nKremez wrote. “Packaged as self-extracting zip-archive (.SFX), the Gamaredon malware implant components\r\ncontain a batch script, a binary processor .NET component and macro payloads.”\r\nNotably, the implant boasts the addition of a .NET framework interop integrator known as Microsoft.Vbe.Interop.\r\n“The newer tool [carries out] updated execution via an obfuscated .NET application of Excel and Word macros,”\r\nwrote Kremez. He added that the macro payload execution approach uses a specific processor that leverages\r\nscripting persistence. “The macro execution security registry [allows] macro execution and disabling Visual Basic\r\nfor Applications (VBA) warnings,” he said. “[This] malware Interop component [also] uses fake Microsoft digital\r\ncertificates belonging to Microsoft Time-Stamp Service.”\r\nhttps://threatpost.com/gamaredon-apt-toolset-ukraine/152568/\r\nPage 1 of 2\r\nIn addition, the group is also now using a system of Nginx forwarders to process traffic from compromised victim\r\nmachines, oftentimes relying on dynamic DNS providers, according to the analysis.\r\nGamaredon, which Kremez said is linked to the Russian military, has ramped up its malware capabilities while\r\nexclusively targeting Ukrainian national security institutions.\r\n“Gamaredon has introduced new tools into its arsenal that significantly up its offensive capabilities,” he noted.\r\n“Their operations have impacted more than five thousand unique Ukrainian entities in the past few months.” He\r\nadded, “This ability to efficiently integrate cyber-offense measures into the actual battlefield of a traditional or\r\nasymmetric warfare model has been for years tested in the long-term military conflict unfolding in Eastern\r\nUkraine since 2014.”\r\nSource: https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://threatpost.com/gamaredon-apt-toolset-ukraine/152568/"
	],
	"report_names": [
		"152568"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434651,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/45323baad3160ea7dd8ccaee5af53476906f1574.pdf",
		"text": "https://archive.orkl.eu/45323baad3160ea7dd8ccaee5af53476906f1574.txt",
		"img": "https://archive.orkl.eu/45323baad3160ea7dd8ccaee5af53476906f1574.jpg"
	}
}