{
	"id": "7b2a90f3-2a47-4263-ac88-06a98196d548",
	"created_at": "2026-04-06T00:09:21.479195Z",
	"updated_at": "2026-04-10T03:37:04.276293Z",
	"deleted_at": null,
	"sha1_hash": "9c4ee1ea2884433b93af9407ad691c4f7a98b256",
	"title": "ESET Research: Russia’s Gamaredon APT group unleashed spearphishing campaigns against Ukraine with an evolved toolset",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 52530,
	"plain_text": "ESET Research: Russia’s Gamaredon APT group unleashed\r\nspearphishing campaigns against Ukraine with an evolved toolset\r\nArchived: 2026-04-05 21:57:29 UTC\r\nIn 2024, Gamaredon refocused exclusively on targeting Ukrainian governmental institutions.\r\nThe group significantly increased the scale and frequency of spearphishing campaigns, employing new\r\ndelivery methods.\r\nGamaredon introduced six new malware tools, leveraging PowerShell and VBScript, designed primarily\r\nfor stealth, persistence, and lateral movement.\r\nGamaredon operators managed to hide almost their entire C\u0026C infrastructure behind Cloudflare tunnels.\r\nGamaredon increasingly relied on third-party services (Telegram, Telegraph, Cloudflare, Dropbox) to\r\nprotect its C\u0026C infrastructure.\r\nBRATISLAVA — July 2, 2025 — ESET Research has released a white paper about Gamaredon’s updated\r\ncyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed across\r\nthe previous year. Gamaredon, attributed by the Security Service of Ukraine (SSU) to the 18th Center of\r\nInformation Security of Russia’s Federal Security Service (FSB), has targeted Ukrainian governmental institutions\r\nsince at least 2013. In 2024, Gamaredon exclusively attacked Ukrainian institutions. ESET’s latest research shows\r\nthat the group remains highly active, consistently targeting Ukraine, but has notably adapted its tactics and tools.\r\nThe group’s objective is cyberespionage aligned with Russian geopolitical interests. Last year, the group\r\nsignificantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods, and\r\none attack payload was used solely to spread Russian propaganda.\r\nGamaredon’s spearphishing activities significantly intensified during the second half of 2024. 
Campaigns\r\ntypically lasted one to five consecutive days, with emails containing malicious archives (RAR, ZIP, 7z) or\r\nXHTML files employing HTML smuggling techniques. These files delivered malicious HTA or LNK files that\r\nexecuted embedded VBScript downloaders, such as PteroSand. In October 2024, ESET observed a rare case\r\nwhere spearphishing emails included malicious hyperlinks instead of attachments – a deviation from Gamaredon’s\r\nusual tactics. Furthermore, Gamaredon introduced another novel technique: using malicious LNK files to execute\r\nPowerShell commands directly from Cloudflare-generated domains, bypassing some traditional detection\r\nmechanisms.\r\nGamaredon’s toolset underwent several notable updates. While fewer new tools were introduced, substantial\r\nresources went into updating and improving existing tools. New tools were designed primarily for stealth,\r\npersistence, and lateral movement. Existing tools received major upgrades, including enhanced obfuscation,\r\nimproved stealth tactics, and sophisticated methods for lateral movement and data exfiltration.\r\n“A particularly intriguing finding was the discovery in July 2024 of a unique ad hoc VBScript payload, delivered\r\nby Gamaredon downloaders. This payload had no espionage functionality; rather, its sole purpose was to\r\nautomatically open a Telegram propaganda channel named Guardians of Odessa, which spreads pro-Russian\r\nmessaging targeting the Odessa region,” says ESET researcher Zoltán Rusnák, who tracks Gamaredon’s activities.\r\nhttps://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/\r\nPage 1 of 2\n\nAdditionally, throughout 2024, Gamaredon showed persistent dedication to evading network-based defenses. The\r\ngroup continued, albeit at a reduced scale, to leverage fast-flux DNS techniques, frequently rotating IP addresses\r\nbehind its domains. 
Gamaredon increasingly relied on third-party services such as Telegram, Telegraph, Codeberg,\r\nDropbox, and Cloudflare tunnels to obfuscate and dynamically distribute its C\u0026C infrastructure.\r\n“Despite observable capacity limitations and abandoning older tools, Gamaredon remains a significant threat actor\r\ndue to its continuous innovation, aggressive spearphishing campaigns, and persistent efforts to evade detections.\r\nAs long as Russia's war against Ukraine continues, we anticipate that Gamaredon will persist in evolving its\r\ntactics and intensify its cyberespionage operations against Ukrainian institutions,” concludes Rusnák.\r\nFor a more detailed analysis and technical breakdown of Gamaredon’s toolset, check out the latest ESET Research\r\nwhite paper, “Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved\r\ntoolset,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky,\r\nand Mastodon for the latest news from ESET Research.\r\nFigure: Unique Gamaredon spearphishing samples seen per month\r\nAbout ESET\r\nESET® provides cutting-edge digital security to prevent attacks before they happen. By combining the power of\r\nAI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown —\r\nsecuring businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud or mobile protection, our\r\nAI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes\r\nrobust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense\r\nand strong local support, we keep users safe and businesses running without interruption. The ever-evolving\r\ndigital landscape demands a progressive approach to security: ESET is committed to world-class research and\r\npowerful threat intelligence, backed by R\u0026D centers and a strong global partner network. 
For more information,\r\nvisit www.eset.com or follow our social media, podcasts and blogs.\r\nSource: https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/\r\nPage 2 of 2",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.eset.com/us/about/newsroom/research/eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset/"
	],
	"report_names": [
		"eset-research-russias-gamaredon-apt-group-unleashed-spearphishing-campaigns-against-ukraine-with-an-evolved-toolset"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434161,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/9c4ee1ea2884433b93af9407ad691c4f7a98b256.pdf",
		"text": "https://archive.orkl.eu/9c4ee1ea2884433b93af9407ad691c4f7a98b256.txt",
		"img": "https://archive.orkl.eu/9c4ee1ea2884433b93af9407ad691c4f7a98b256.jpg"
	}
}