{
	"id": "77cf1328-ed49-4e8d-9ccf-2cfbf14640e1",
	"created_at": "2026-04-06T00:14:55.80511Z",
	"updated_at": "2026-04-10T03:37:04.102525Z",
	"deleted_at": null,
	"sha1_hash": "8b5fbe9ab67505ab5e8f81aaf49c57442d70b0b6",
	"title": "From Russia with a 71: Uncovering Gamaredon's fast flux infrastructure. New Apex domains and ASN/IP diversity patterns discovered",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1291335,
	"plain_text": "From Russia with a 71: Uncovering Gamaredon's fast flux\r\ninfrastructure. New Apex domains and ASN/IP diversity patterns\r\ndiscovered\r\nBy Silent Push Threat Team\r\nPublished: 2023-09-07 · Archived: 2026-04-05 19:47:30 UTC\r\nUpdate May 1, 2025:\r\nA recent Joint Cybersecurity Advisory from the NSA, FBI, CISA, along with law enforcement in Australia,\r\nCanada, and New Zealand, warns that many enterprise organizations have defensive gaps when it comes to\r\ndetecting and mitigating Fast Flux techniques, such as those utilized by the Gamaredon Group. These gaps expose\r\nvulnerabilities that cybercriminals and nation-state actors can exploit to maintain stealthy, persistent access to\r\nsystems.\r\nGamaredon’s Fast Flux evasion techniques involve rapidly rotating IP addresses associated with domain names,\r\nmaking it difficult for law enforcement and security systems to block or trace the group’s malicious activity and\r\nultimately avoid detection. Silent Push’s proprietary infrastructure variance metrics are the perfect counter-measure, being purpose-built for tracking, mapping, and blocking Fast Flux networks as they are spun up. \r\nInterested to learn more? 
Our team has recently published a new technical report on Gamaredon, available exclusively to our enterprise subscribers, which provides live examples of how to utilize our platform’s advanced capabilities to track and proactively block Gamaredon’s malicious infrastructure.\r\nKey Findings\r\nSilent Push explored the extent of the Gamaredon Group’s fast flux operation.\r\nWe discovered 300+ new Apex domain indicators of compromise (IOCs) from a single Gamaredon domain.\r\nOur proprietary fingerprinting techniques exposed the deployment of new attacker infrastructure using wildcard A records.\r\nBackground\r\nGamaredon—also known as Primitive Bear, Actinium, or Shuckworm—is a Russian Advanced Persistent Threat (APT) group that has been active since at least 2013, more recently in Ukraine, with reported attacks on Western government entities:\r\nhttps://www.silentpush.com/blog/from-russia-with-a-71/\r\nPage 1 of 10\n\nSource: Talos, 2021\r\nGamaredon is a highly belligerent threat group that deviates from the standard hit-and-run tactics used by other APT groups by mounting sustained attacks that are both heavily obfuscated and uniquely aggressive.\r\nGamaredon TTPs\r\nThe group uses spear phishing and social engineering to deliver malware hidden within MS Word documents, as referenced below:\r\nMalwareBazaar directory of Gamaredon MS Word malware\r\nUsing MS Word in this way defeats static analysis: the payload is hosted on a remote template that is downloaded from an attacker-controlled server once the document is opened, and is delivered only after the victim has met one or more conditions, such as geographic location, device type, or system specification.\r\nA large number of Gamaredon subdomains used in spear phishing attacks were linked to the top-level domain (TLD) “.ru,” registered via REGRU-RU, and contained the number “71.”\r\nGamaredon subdomains using the number 
71\r\nUse of fast fluxing\r\nGamaredon operates with a vast number of IP addresses and uses wildcard A records in place of enumerable subdomains to evade detection, a technique known as fast fluxing.\r\nA large group of IPs was associated with a single Fully Qualified Domain Name (FQDN) and rotated through an attack at an extremely high frequency via automated DNS resource record (RR) amendments in the zone file.\r\nAPT groups employ fast fluxing to circumvent traditional threat detection methods that rely on threat feeds containing full domain names, including subdomains.\r\nRather than relying on lists of isolated IOCs, organizations need to deploy countermeasures that track the underlying infrastructure that accommodates an attack—Apex domains, ASNs, registrars, and authoritative nameservers—and extrapolate correlative datasets that allow security teams to identify patterns in attacker behavior—such as ASN and IP diversity data or naming conventions.\r\nTo defend against fast-flux TTPs, organizations must identify and block Apex domains, regardless of the subdomain. Let’s take a look at how we used Silent Push to do just that…\r\nDeep Dive: samiseto[.]ru\r\nEvery investigation begins with a series of observables. Several online sources reported recent attempts by Gamaredon to inject malware, using an MS Word template, from the following domains:\r\nhttp://encyclopedia83.samiseto[.]ru/HOME-PC/registry/amiable/prick/sorry[.]83glf\r\nhttp://relation46.samiseto[.]ru/DESKTOP-UVHG99D/percy[.]46rra\r\nTwitter post announcing malware hosted on samiseto[.]ru\r\nChecking VirusTotal confirmed that the domains had been flagged as malicious. 
This was mainly due to the domains being reported on Twitter as post-breach intelligence:\r\nWe took one of the above domains, encyclopedia83.samiseto[.]ru (hosted on REGRU-RU), and analyzed it by cross-referencing WHOIS information, IP diversity data, and reverse lookups that laid bare a fresh list of domain IOCs:\r\nEnriching encyclopedia83.samiseto[.]ru\r\nWe discovered 98 A records associated with *samiseto[.]ru that were used in constant rotation:\r\nAn A record lookup for samiseto[.]ru\r\nFurther analysis revealed that IP addresses were used for no more than four days before being replaced with a fresh IP (along with new subdomains). This helped the threat actors evade detection and rendered most isolated IOCs obsolete upon discovery.\r\nHigh IP diversity score\r\nTo extract actionable IOCs, we created a list of all IP addresses that a subdomain of samiseto[.]ru had ever pointed to. We then applied a reverse lookup to identify all domains associated with those IP addresses, before matching the domains to threat activity using a series of key indicators.\r\nThe results returned a list of 375 Apex domains, which we used to populate our Gamaredon early detection feed (available to Silent Push Enterprise customers).\r\nUse of wildcard records\r\nWe noticed that any string combination added before .samiseto[.]ru pointed to 5.44.42[.]154. 
After running a dig command, we were able to ascertain that attackers were using a wildcard A record to point every subdomain of the domain to 5.44.42[.]154:\r\nWe ran a dig command\r\nDig command proving the use of wildcard A record\r\nIP diversity and ASN analysis\r\nUsing IP diversity data, we established that samiseto[.]ru had pointed to 15 IP addresses within a 30-day period, all of them bar one being hosted on the Russian ASN GIR-AS, RU (207713), with the remainder hosted via Kazakhstan on IT-GRAD, KZ (212819):\r\nIP/ASN diversity data for samiseto[.]ru\r\nWhile the majority of IPs over a 90-day period were traced back to GIR-AS RU, we discovered that DIGITALOCEAN US, the New York-based cloud services organization, was also used:\r\nHistorical ASN data for samiseto[.]ru\r\nUsing Silent Push to Combat Gamaredon’s Fast Flux Techniques\r\nOur threat analysts utilized IP/ASN diversity data and advanced DNS fingerprinting techniques to reveal the extent of Gamaredon’s fast flux infrastructure and populate an early detection feed with hundreds of unique malicious Apex domains, using a single reported subdomain as the target IOC.\r\nSilent Push Enterprise users can ingest curated threat feeds containing IOCs related to the Gamaredon group’s fast flux infrastructure using the tags #russo, #gamaredon, and #apt.\r\nThe free Silent Push Community Edition also includes many of the lookups used in our research. 
Sign up here for your complimentary account.\r\nEmail info@silentpush.com for further guidance on any of the countermeasures we’ve talked about in this blog article.\r\nExplore our Knowledge Base for in-depth articles on how to use Silent Push to defend against attacks.\r\nSample Indicators of Compromise List\r\nA sample list of IOCs associated with this threat for a public-facing blog. (A full list of IOCs is available with a Silent Push Enterprise subscription).\r\nSource: https://www.silentpush.com/blog/from-russia-with-a-71/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://www.silentpush.com/blog/from-russia-with-a-71/"
	],
	"report_names": [
		"from-russia-with-a-71"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434495,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/8b5fbe9ab67505ab5e8f81aaf49c57442d70b0b6.pdf",
		"text": "https://archive.orkl.eu/8b5fbe9ab67505ab5e8f81aaf49c57442d70b0b6.txt",
		"img": "https://archive.orkl.eu/8b5fbe9ab67505ab5e8f81aaf49c57442d70b0b6.jpg"
	}
}