{
	"id": "6beeb9a4-13cd-467a-b6ec-e0f31e9c0aba",
	"created_at": "2026-04-06T00:11:08.880201Z",
	"updated_at": "2026-04-10T03:37:04.339892Z",
	"deleted_at": null,
	"sha1_hash": "a4cfdd5ef6eaee5466755fec8f50a7e8aa22b81b",
	"title": "Russian 'Gamaredon' hackers use 8 new malware payloads in attacks",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 813498,
	"plain_text": "Russian 'Gamaredon' hackers use 8 new malware payloads in attacks\r\nBy Bill Toulas\r\nPublished: 2022-01-31 · Archived: 2026-04-05 13:22:32 UTC\r\nThe Russia-linked hackers known as 'Gamaredon' (aka Armageddon or Shuckworm) were spotted deploying eight custom binaries in cyber-espionage operations against Ukrainian entities.\r\nThis hacking group is believed to be operated directly by the Russian FSB (Federal Security Service) and has been responsible for thousands of attacks in Ukraine since 2013.\r\nResearchers at Symantec's Threat Hunter team, a part of Broadcom Software, have analyzed eight malware samples used by Gamaredon against Ukrainian targets in recent attacks, which could provide essential information for defenders to protect against the ongoing wave of attacks.\r\nhttps://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/\r\nFiles used in recent Gamaredon attacks\r\nAccording to Symantec's report, the monitored attacks began in July with the dissemination of spear-phishing emails that carried macro-laced Word documents.\r\nThese files launched a VBS file that dropped \"Pteranodon,\" a well-documented backdoor that Gamaredon has been developing and improving for almost seven years now.\r\nHowever, while recent attacks are still conducted using phishing emails, these attacks now drop eight different payloads, as described below.\r\nAll eight files sampled by Symantec's analysts from recent Gamaredon attacks are 7-zip self-extracting binaries that minimize user-interaction requirements.\r\ndescend.exe – Executes to drop a VBS file on “%USERPROFILE%\\Downloads\\deerbrook.ppt” and “%PUBLIC%\\Pictures\\deerbrook.ppt”, and creates a scheduled task on the compromised system. The VBS contacts the C2 and fetches the payload.\r\ndeep-sunken.exe – The downloaded payload which executes to drop four more files on the compromised computer: baby.cmd, baby.dat, basement.exe (wget binary), vb_baby.vbs. A new scheduled task is created and the C2 is contacted again for the next payload.\r\nz4z05jn4.egf.exe – Next-stage payload which is similar to the previous one but features a different C2, drops files in different folders, and uses different filenames.\r\ndefiant.exe – Executes to drop VBS files onto “%TEMP%\\\\deep-versed.nls” and “%PUBLIC\\Pictures\\deep-versed.nls”, and then creates a scheduled task for their execution.\r\ndeep-green.exe – UltraVNC remote administration tool that connects to a repeater.\r\ndeep-green.exe – Process Explorer binary for Microsoft Windows.\r\ndeep-green.exe – Same as defiant.exe but with different hard-coded C2 and filenames.\r\ndeep-green.exe – Drops VBS in “%PUBLIC%\\Music\\” and creates a scheduled task that searches for removable drives on the infected system.\r\nOther indicators of compromise include C2 URLs and IPs allocated by the AS9123 TimeWeb Ltd., and they all use a unique URI structure as shown below:\r\nhttp + IP + /.php?=, OR\r\nhttp + IP + /.php?=,-\r\nAlso, the most common directories that host malicious files are:\r\ncsidl_profile\\links\r\ncsidl_profile\\searches\r\nCSIDL_PROFILE\\appdata\\local\\temp\\\r\nCSIDL_PROFILE\\\r\nThe Symantec report also concludes that many of the dropped files have unknown parent process hashes which weren’t analyzed, so parts of the Gamaredon operation remain unclear.\r\nFile hashes for the new malware payloads discovered by Symantec can be found in their report.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://www.bleepingcomputer.com/news/security/russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks/"
	],
	"report_names": [
		"russian-gamaredon-hackers-use-8-new-malware-payloads-in-attacks"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434268,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a4cfdd5ef6eaee5466755fec8f50a7e8aa22b81b.pdf",
		"text": "https://archive.orkl.eu/a4cfdd5ef6eaee5466755fec8f50a7e8aa22b81b.txt",
		"img": "https://archive.orkl.eu/a4cfdd5ef6eaee5466755fec8f50a7e8aa22b81b.jpg"
	}
}