{
	"id": "36945d17-d081-4992-ab80-76a4edc32260",
	"created_at": "2026-04-06T00:10:58.56842Z",
	"updated_at": "2026-04-10T03:37:04.468928Z",
	"deleted_at": null,
	"sha1_hash": "a93b1f07a78f22d5ccc9da92dc8db6d3c03e4334",
	"title": "Inside Gamaredon 2025: Zero-Click Espionage at Scale - Synaptic Security Blog",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 1074795,
	"plain_text": "Inside Gamaredon 2025: Zero-Click Espionage at Scale - Synaptic\r\nSecurity Blog\r\nBy robin\r\nPublished: 2025-11-22 · Archived: 2026-04-05 16:46:58 UTC\r\nby Robin Dost\r\nUPDATE 22.12.2025: Gamaredon updated its payload delivery infrastructure. You can find more information\r\nhere.\r\nUPDATE 08.01.2026: If you want to know how to defend against Gamaredon and similar actors, check out this\r\narticle.\r\nI also started writing YARA rules for Gamaredon’s current samples; if you are a legitimate security researcher and you\r\nneed them, send me an email.\r\nIf you are doing legitimate malware research and are interested in (deobfuscated) samples from Gamaredon, you can write\r\nme an email as well.\r\nhttps://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/\r\nPage 1 of 20\n\nIf you’re interested in how I efficiently track threat actors such as Gamaredon, feel free to check out my article on\r\na CTI platform I developed: https://blog.synapticsystems.de/following-gamaredons-infrastructure-rotations-using-kraken/\r\nCampaign Summary\r\nTimeframe: February – November 2025\r\n37 analyzed samples\r\nNew zero-click infection vector -\u003e CVE-2025-6218 (WinRAR path traversal on extraction)\r\nNew C2 architecture: DynDNS + Fast-Flux + Telegram + graph.org\r\nTwo-stage geo-fencing + header firewall (source IP check, then header check)\r\nPteranodon as the central Stage-2 loader\r\nServer-side registration required for deeper payload access\r\nAs the year slowly crawls toward its inevitable end (like certain Russian infrastructure), it’s a good moment to\r\ntake another detailed look at Gamaredon’s ongoing phishing campaign targeting Ukraine.\r\nI’ve previously published a high-level overview of this campaign; check that article out if you want the\r\n“lite” version.\r\nToday, however, we’re digging deeper: how to untangle the FSB’s infrastructure for this operation and how we\r\nmanaged to extract additional payloads directly from their servers, with varying degrees of cooperation from\r\nWinRAR’s archive 
parser.\r\nA quick thank-you goes out to my brother Ramon, who assisted especially in retrieving additional payloads from\r\nGamaredon’s backend. Family bonding through state-sponsored malware analysis, truly heartwarming.\r\nDataset Overview\r\nFor this analysis, I organized all samples into a structured table divided into Stage-1 and Stage-2 to Stage-X\r\nartifacts.\r\nStage-1 samples are the actual phishing attachments delivered to victims (HTA, LNK, RAR archives).\r\nStage-2 to Stage-X samples represent everything the Gamaredon infrastructure subsequently downloads\r\nonce the initial loader executes or the vulnerability is triggered.\r\nEach entry contains:\r\nFilename: original name taken from the email attachment or payload\r\nHash: SHA-256 fingerprint for verification\r\nDropped Files: anything extracted or written by the sample (HTA/PS1 loaders, Pteranodon modules,\r\npersistence scripts, etc.)\r\nThis allows us to map the infection chain fully, from the very first email to the deeper payload ecosystem sitting\r\nbehind Gamaredon’s firewall-like C2 logic.\r\nIn total, we analyzed 37 samples for this write-up.\r\nStage 1 Samples\r\nStage 2-X Samples\r\nOperational Objective of the Campaign\r\nThe analyzed artifacts make the intention behind this operation painfully clear:\r\nthe campaign is aimed squarely at Ukrainian military, governmental, political, and administrative entities.\r\nBased on filenames, document themes, and sender infrastructure, Gamaredon’s operational goals can be\r\nsummarized as follows:\r\nMilitary intelligence collection (documents, internal communication, location data, organization charts)\r\nRapid exfiltration (Pteranodon immediately sends host-, user-, and system-metadata to the C2)\r\nLong-term espionage (stealers, wipers, tasking modules, USB spreaders)\r\nDisruption \u0026 anti-forensics (registry cleaning, 
MRU deletion, startup folder cleanup)\r\nTargeted propagation inside internal networks (USB/NAS/network spread)\r\nThis is not an opportunistic campaign. It is a structured, military-oriented espionage and sabotage operation,\r\nconsistent with, and likely coordinated by, Russian state intelligence.\r\nCampaign Timeline\r\nCampaign Description\r\nGamaredon continues to bombard Ukrainian organizations with phishing emails, using a rotating set of\r\nattachments and themes.\r\nThe filenames of the analyzed samples strongly indicate military and political targeting, and the underlying\r\ninfrastructure is built on large DynDNS farms and Fast-Flux C2 nodes, an architecture that screams “FSB budget\r\noptimization,” if you will.\r\nUntil early November 2025, the group primarily distributed HTA and LNK attachments.\r\nThen they shifted strategy, adopting CVE-2025-6218, a path-traversal vulnerability in WinRAR’s extraction logic\r\n(fixed in WinRAR 7.12) that lets an archive write files outside the chosen extraction directory without\r\nthe victim consciously executing anything.\r\nTheir new favorite delivery vector?\r\nRAR archives containing seemingly harmless documents.\r\nWhat happens?\r\nWhen a victim extracts the RAR archive with a vulnerable WinRAR build:\r\nthe traversal triggers during extraction, with no further interaction\r\na hidden HTA is written straight into the Windows Startup folder\r\nnext logon/reboot -\u003e automatic execution -\u003e connection to Gamaredon’s C2\r\nfurther payloads are downloaded and initial reconnaissance begins\r\nA classic case of an archive extractor trusting the path stored inside the archive.\r\nInfection Chain (CVE-2025-6218 \u0026 CVE-2025-8088)\r\nThe multi-stage infection chain used in this campaign is simple, elegant, and annoyingly effective.\r\nA key component is the server-side access control logic, which tightly restricts 
who is allowed to receive further\r\npayloads, ensuring that analysts outside the target region receive nothing but empty responses and existential\r\nfrustration.\r\n1. Initial Access: Web-based Loaders\r\nEntry points include:\r\nHTA attachments\r\nLNK droppers\r\nRAR archives containing HTA or LNK files\r\nAnd increasingly:\r\nRAR archives exploiting CVE-2025-6218 and CVE-2025-8088\r\nCVE-2025-6218\r\nPath traversal during extraction: archive entry names carrying ../ sequences are written outside the chosen destination folder\r\nHTA placed into the user’s Startup folder without user execution\r\nCVE-2025-8088\r\nA second WinRAR path traversal, this one smuggling the target path through NTFS alternate data streams in the entry names (fixed in WinRAR 7.13)\r\nAll these delivery formats share one purpose:\r\ndownload and launch Pteranodon, the central stage-2 loader.\r\n2. Pteranodon Loader\r\nOnce the initial dropper executes, it fetches Pteranodon via HTTP(S).\r\nThis is where Gamaredon’s C2 firewall kicks in.\r\nPersistence Mechanisms\r\nPteranodon uses multiple persistence vectors depending on available permissions:\r\nRegistry Run keys ( HKCU and occasionally HKLM )\r\nScheduled tasks (5 – 30 minute intervals)\r\nHTA files in the Startup folder\r\nHidden script copies inside %APPDATA% , %LOCALAPPDATA% , and %PROGRAMDATA%\r\nThese ensure the loader survives multiple reboots and can continuously request new tasks and modules.\r\nCommunication Structure\r\nGamaredon’s C2 traffic is distinctive:\r\nXOR + Base64 layering\r\nPseudo-JSON structures (loose key/value pairs)\r\nRegular tasking requests (download payload, run wiper, USB spread, resend systeminfo)\r\nOperator fingerprints (recurring variable names and patterns)\r\nPteranodon is intentionally simple, lightweight, and extremely flexible, the malware equivalent of a Russian Lada:\r\nit may look primitive, but you’ll be surprised how long it keeps going.\r\n
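Before moving on to the C2 logic, a small triage check for the Stage-1 archives described under Initial Access above. This is an added example written for this page, not code from the original post and not Gamaredon’s tooling: given the entry names stored in an archive (as any archive lister prints them), it flags the traversal, absolute-path and alternate-data-stream names that CVE-2025-6218 and CVE-2025-8088 style archives rely on, and reports whether the write would land in an autostart location. The sample entry names, the directory list and the script extensions are constructed assumptions, not indicators from the campaign.

```python
import ntpath

# Constructed list of directories where an extracted file runs or persists.
# The Startup folder is the one the article describes; the others are
# assumed extra locations a triager would also care about.
SENSITIVE_DIRS = (
    'microsoft/windows/start menu/programs/startup',
    'appdata/roaming',
    'appdata/local',
    'programdata',
)
# Assumed set of extensions that execute when dropped into such a folder.
SCRIPT_EXTS = ('.hta', '.lnk', '.vbs', '.js', '.ps1', '.cmd', '.bat')
BACKSLASH = chr(92)  # the backslash character, spelled out to avoid an escape


def normalize_entry(name):
    '''Lower-case, forward-slash form of an archive entry name with '.'
    and '..' collapsed. Leading '..' segments are kept, so traversal
    beyond the extraction root stays visible instead of being eaten.'''
    drive, rest = ntpath.splitdrive(name.replace(BACKSLASH, '/'))
    absolute = bool(drive) or rest.startswith('/')
    parts = []
    for seg in rest.split('/'):
        if seg in ('', '.'):
            continue
        if seg == '..':
            if parts and parts[-1] != '..':
                parts.pop()          # steps back inside the archive root
            else:
                parts.append('..')   # escapes the root: keep it visible
        else:
            parts.append(seg.lower())
    return ('/' if absolute else '') + '/'.join(parts)


def classify_entry(name):
    '''Return the list of findings for one entry name (empty = looks fine).'''
    findings = []
    norm = normalize_entry(name)
    segments = norm.strip('/').split('/')
    if segments and segments[0] == '..':
        findings.append('traversal')
    if norm.startswith('/'):
        findings.append('absolute-path')
    if ':' in norm:                      # drive letter was already split off
        findings.append('alternate-data-stream')
    target = norm.lstrip('./')
    if any(d in target for d in SENSITIVE_DIRS):
        findings.append('autostart-target')
    if target.endswith(SCRIPT_EXTS):
        findings.append('script-payload')
    return findings


def triage_archive(entries):
    '''Map every suspicious entry name to its findings; clean names are dropped.'''
    return {name: f for name in entries if (f := classify_entry(name))}


# Constructed entry list standing in for what an archive lister would print
# for a traversal archive: a decoy document plus hidden payload entries.
SAMPLE_ENTRIES = [
    'Звіт.pdf',
    '../../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta',
    'doc.pdf:hidden.hta',
    'C:/Users/Public/run.vbs',
    'images/photo.jpeg',
]

if __name__ == '__main__':
    for entry, findings in triage_archive(SAMPLE_ENTRIES).items():
        print(entry, '->', ', '.join(findings))
```

The check deliberately runs on entry names only, so it works on a listing taken from an isolated machine or a mail gateway without extracting anything; a traversal entry is only reachable as a file on disk after a vulnerable extractor has already written it.
3. 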
Access Control Logic (C2 Firewall)\r\nGamaredon uses a multi-layered filtering system that serves as both OPSEC and anti-analysis defense.\r\nPurpose of the Access Control Logic\r\nThe C2:\r\nonly responds fully to Ukrainian IP ranges\r\nverifies browser headers\r\nrequires system registration before delivering deeper payloads\r\nThis effectively locks out researchers, sandboxes, cloud instances, and… pretty much everyone except the\r\nintended victims.\r\nStages\r\nStage 1: IP Validation\r\nNon-Ukrainian IP -\u003e HTTP 200 with empty body\r\nUkrainian IP -\u003e proceed\r\nStage 2: Header Validation\r\nMust supply correct:\r\nIdentifier/Token\r\nUser-Agent\r\nAccept-Language\r\nInvalid -\u003e serve a 0-byte file\r\nValid -\u003e proceed\r\nStage 3: Registration \u0026 Tasking\r\nFull payload access only after system registration:\r\nhostname\r\nusername\r\nlocal IP\r\nenvironment\r\ntoken\r\nThen the C2 provides:\r\nUSB/network spread modules\r\nWipers\r\nPersistence modules\r\nStealers\r\nAdditional droppers\r\nThe basic access control logic looks like this:\r\n
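The three gates above, rendered as a small Python model written for this page (an added example, not Gamaredon’s server code and not from the original post). It shows why a sandbox outside Ukraine, a Ukrainian exit with the wrong headers, and a correctly-headed but unregistered host all get the same empty HTTP 200, and only a registered host gets a module. The allow-listed prefixes (RFC 5737 documentation ranges standing in for Ukrainian ranges), the header names, the token, the XOR key, the field separator and the module contents are all assumptions; the registration blob is layered the way the Communication Structure section describes (pseudo-JSON key/value pairs, XOR, then Base64).

```python
import base64
import ipaddress

# Stand-ins for the Ukrainian prefixes the real C2 allow-lists (assumed).
ALLOWED_NETS = [ipaddress.ip_network('203.0.113.0/24'),
                ipaddress.ip_network('198.51.100.0/24')]
# Assumed per-campaign expectations for the header check.
TOKEN = 'a1b2c3'
UA_PREFIX = 'Mozilla/5.0 (Windows NT 10.0'
LANG_PREFIX = 'uk'
XOR_KEY = b'lada'   # assumed repeating XOR key for the registration blob
REQUIRED_FIELDS = ('hostname', 'username', 'localip', 'env', 'token')
# Placeholder module bodies; the real ones are scripts and binaries.
MODULES = {'usb': 'usb-spreader-placeholder', 'wiper': 'wiper-placeholder'}
EMPTY = (200, '')   # every rejection looks like this, never an error code


def xor_bytes(data, key):
    return bytes(b ^ key[i % len(key)] for i, b in enumerate(data))


def encode_registration(fields):
    '''Client side: pseudo-JSON (k=v;k=v) -> XOR -> Base64.'''
    raw = ';'.join(f'{k}={v}' for k, v in fields.items()).encode()
    return base64.b64encode(xor_bytes(raw, XOR_KEY)).decode()


def decode_registration(blob):
    '''Server side: reverse of encode_registration, tolerant of stray parts.'''
    raw = xor_bytes(base64.b64decode(blob), XOR_KEY).decode()
    return dict(p.split('=', 1) for p in raw.split(';') if '=' in p)


def handle(request, registered):
    '''Return (status, body) for one request. `registered` is the server-side
    set of hostnames that already completed stage 3.'''
    # Stage 1: source IP must fall inside the allow-list.
    ip = ipaddress.ip_address(request['ip'])
    if not any(ip in net for net in ALLOWED_NETS):
        return EMPTY
    # Stage 2: identifier, User-Agent and Accept-Language must all match.
    h = request['headers']
    if (h.get('X-Id') != TOKEN
            or not h.get('User-Agent', '').startswith(UA_PREFIX)
            or not h.get('Accept-Language', '').startswith(LANG_PREFIX)):
        return EMPTY
    # Stage 3: registration first, then tasking only for registered hosts.
    if request['path'] == '/register':
        fields = decode_registration(request.get('body', ''))
        if any(k not in fields for k in REQUIRED_FIELDS) or fields['token'] != TOKEN:
            return EMPTY
        registered.add(fields['hostname'])
        return 200, 'OK'
    if h.get('X-Host') not in registered:
        return EMPTY
    return 200, MODULES.get(request['path'].lstrip('/'), '')


def demo():
    '''Walk one host through the gates; returns [(label, (status, body)), ...].'''
    registered = set()
    good = {'X-Id': TOKEN, 'User-Agent': 'Mozilla/5.0 (Windows NT 10.0; Win64; x64)',
            'Accept-Language': 'uk-UA,uk;q=0.9', 'X-Host': 'DESKTOP-1'}
    reg_blob = encode_registration({'hostname': 'DESKTOP-1', 'username': 'oper',
                                    'localip': '10.0.0.5', 'env': 'Windows 10',
                                    'token': TOKEN})
    steps = [
        ('sandbox outside UA', {'ip': '192.0.2.7', 'headers': good, 'path': '/usb'}),
        ('UA exit, curl headers', {'ip': '203.0.113.10',
                                   'headers': {'User-Agent': 'curl/8.0'}, 'path': '/usb'}),
        ('UA exit, good headers, unregistered', {'ip': '203.0.113.10', 'headers': good,
                                                 'path': '/usb'}),
        ('register', {'ip': '203.0.113.10', 'headers': good, 'path': '/register',
                      'body': reg_blob}),
        ('registered, fetch module', {'ip': '203.0.113.10', 'headers': good, 'path': '/usb'}),
    ]
    return [(label, handle(req, registered)) for label, req in steps]


if __name__ == '__main__':
    for label, (status, body) in demo():
        print(f'{label:40} HTTP {status} {len(body):3d} bytes')
```

The model makes the sandboxing observations in the next section concrete: the first three requests are indistinguishable from the outside (same status, same zero-length body), so a collector has to clear all three gates in order, and registration state lives on the server, which is why a fresh exit IP per request is not enough on its own.
4. 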
Campaign Characteristics\r\nStrict Ukraine-only geo-fencing\r\nStrong anti-analysis (empty responses instead of errors)\r\nHigh variation of initial access files\r\nConsistent use of Pteranodon\r\nIncreased abuse of RAR + CVE-2025-6218\r\nMultiple drops per day\r\nAnalysis\r\nThis article focuses more on mapping the infrastructure than on deep reverse-engineering.\r\nIf you want in-depth Stage-1 payload analysis, check my previous article.\r\nOnce the malicious attachment is executed, it contacts a remote Gamaredon domain and retrieves Pteranodon.\r\nKey observations from sandboxing\r\nMost sandbox environments receive empty responses, as expected given the C2 filtering\r\nSimulating headers alone is insufficient\r\nRegular Ukrainian proxies also fail\r\nRotating Ukrainian residential proxies do work\r\nHowever, deeper stages require successful registration, which makes automated extraction time-consuming\r\nAfter bypassing the filters, we obtained obfuscated HTAs containing Base64-encoded VBS code.\r\nThese loaders then fetch:\r\nPteranodon\r\nwiper modules\r\nauxiliary droppers\r\netc.\r\nAll files are provided in the sample table for further analysis.\r\nTelegram \u0026 graph.org C2 Distribution\r\nGamaredon uses:\r\nTelegram channels for rotating C2 IPs and cryptographic material\r\ngraph.org pages for rotating payload URLs\r\nBoth platforms are:\r\nideal for operations requiring frequent updates\r\nhighly resilient\r\nhard to take down\r\nExample graph.org page: https://graph.org/vryivzphxwc-11-11\r\nIf you are doing legitimate malware research and are interested in tracking, feel free to write me an email.\r\nFast-Flux Infrastructure (194.67.71.0/24)\r\nOne IP stood out: 194.67.71.75, 
belonging to REG.RU, a well-known high-abuse Russian hosting provider.\r\nFindings:\r\n200+ IPs in the subnet engaged in coordinated port-scanning against Ukrainian targets (April 2025)\r\n44,157 PassiveDNS entries for the 256 hosts\r\n39,903 unique domains\r\nTypical Fast-Flux characteristics:\r\nextremely short TTL\r\nrapid IP rotation\r\neach IP hosting dozens of unrelated domains\r\nlow-quality disposable domain patterns\r\nconsistent abusive behavior\r\nThis subnet is:\r\nclearly Russian-controlled\r\nused for offensive operations\r\nstructurally similar to GRU-affiliated infrastructure\r\nhighly likely to be connected directly or indirectly to the FSB\r\nI built a graph on VirusTotal to visualize the malware distribution by the subnet.\r\nChanges in the 2025 Gamaredon Campaign\r\nCompared to 2021 – 2024, the 2025 operation shows significant evolution:\r\n1. Zero-Click via CVE-2025-6218\r\nThe RAR path-traversal exploit drops the loader silently; nothing beyond extracting the archive is required of the victim.\r\n2. RAR-First Delivery\r\nRAR replaced HTA/LNK as the primary attachment format.\r\n3. More complex access control\r\nGeo-fencing, header checks, registration tokens, and multi-stage filtering.\r\n4. Decentralized C2\r\nHeavy reliance on Telegram + graph.org.\r\n5. Expanded Stage-1 variations\r\nHTA, LNK, RAR+LNK, RAR+HTA, RAR exploiting CVE-2025-6218.\r\n6. 
Stronger persistence \u0026 propagation\r\nBetter registry/task persistence and more aggressive lateral movement.\r\nSummary\r\nThe 2025 Gamaredon campaign is no longer just “phishing with extra steps”.\r\nIt has evolved into a modular, highly dynamic, multi-infrastructure malware ecosystem, powered by:\r\nZero-click exploits\r\nGeo-fenced C2 delivery\r\nFast-Flux DNS\r\nTelegram distribution\r\ngraph.org rotation\r\nPersistent Pteranodon loaders\r\n…all wrapped in a design philosophy best described as:\r\n“If it works, ship it; if it breaks, wrap it in Base64 and ship it anyway.”\r\nMITRE ATT\u0026CK Mapping\r\nThe current Gamaredon campaign maps to a wide range of relevant MITRE ATT\u0026CK techniques.\r\nBelow is a consolidated overview of the most important tactics and techniques observed during the various stages\r\nof the operation:\r\nHigh-Level Indicators for Threat Hunters\r\nThis section summarizes the most important behavioral indicators that SOCs, threat hunters, and CERT teams\r\ncan use to detect Gamaredon activity early.\r\nThese are high-level detection patterns rather than sample-specific IOCs.\r\nIOCs\r\nIn our analysis we found the following IOCs used in this campaign:\r\nIOC-Type: DynDNS Payload Delivery Server\r\nacess-pdf.webhop.me\r\ncreates.webhop.me\r\ndigitall.webhop.me\r\ndears.serveirc.com\r\ndilopendos.serveirc.com\r\ndowncraft.serveirc.com\r\nfixer.serveirc.com\r\nfixfactors.serveirc.com\r\nkia-court.serveirc.com\r\npolitical-news.serveirc.com\r\nreaders.serveirc.com\r\nserversftp.serveirc.com\r\nssu-procuror.redirectme.net\r\nyeard.serveirc.com\r\npapilonos.hopto.org\r\ndiskpart.myddns.me\r\nselodovo.myddns.me\r\ndocument-downloads.ddns.net\r\nsystems-debug.ddns.net\r\n
document-prok.freedynamicdns.org\r\ndownloads-document.freedynamicdns.org\r\nwrite-document.freedynamicdns.org\r\nprocurature.freedynamicdns.org\r\nprint-documents.freedynamicdns.net\r\ngoogle-pdf.redirectme.net\r\nhosting-redirect.sytes.net\r\ntillthesunrise.sytes.net\r\nopen-files.systes.net\r\nopen-pdf.serveftp.com\r\npasive-host.gotdns.ch\r\nIOC-Type: Cloudflare\r\napp-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io\r\nlibraries-thus-yale-collaborative.trycloudflare.com\r\nvacations-mic-games-scale.trycloudflare.com\r\nincidence-polished-expires-denver.trycloudflare.com\r\nstreams-metallic-regulatory-armor.trycloudflare.com\r\ndivine-water-36e7.5ekz2z6pjk.workers.dev\r\nlong-king-02b7.5ekz2z6pjk.workers.dev\r\nquietunion.48clhonm1m.workers.dev\r\ndivine-water-5123.svush66274.workers.dev\r\nblackvoice.lydef24298.workers.dev\r\nvaporblue.ddnsking.com\r\nIOC-Type: Domains\r\nrqzbuwewuvnbbaucfhjl.supabase.co\r\nFor.estaca.ru\r\nexorcise.me\r\nandonceagain.online\r\ngihs.andonceagain.ru\r\nandonceagain.ru\r\nantresolle.ru\r\nIOC-Type: IP Addresses\r\n5.181.2.158\r\n5.181.2.161\r\n95.163.236.162\r\n185.168.208.228\r\n194.58.66.5\r\n194.58.66.132\r\n194.58.66.192\r\n194.67.71.75\r\n194.87.240.141\r\n194.87.230.166\r\n194.87.240.215\r\n194.87.240.217\r\n185.39.204.82\r\n45.141.234.234\r\n5.8.18.46\r\n103.224.182.251\r\n144.172.84.70\r\n45.32.220.217\r\n65.38.120.43\r\n64.7.199.177\r\n172.104.206.42\r\n107.189.18.173\r\n107.189.23.61\r\nIOC-Type: Telegram URLs\r\nhttps://www.telegram.me/s/natural_blood\r\nhttps://www.telegram.me/s/oberfarir\r\nhttps://telegram.me/s/teotori\r\nIOC-Type: URLs (paths on the delivery servers)\r\n
/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf\r\n/gpd_07.11.2025r/disputeqG1/concealedn2N.pdf\r\n/moss_10.11.2025/futureHtG/accountc7z.pdf\r\n/SUU_11.11.2025/dicontentedOhr/scoundrelit1.pdf\r\n/SVrr_12.11.2025/crookoxQ/learningB4J.pdf\r\n/mmoUU_13.11.2025/evolutionKPm/armourV2P.pdf\r\n/sss_10.11.2025/dialGsd/horribleNQx.pdf\r\n/ss_07.11.2025/flashlightsK8Q/pondjsQ.pdf\r\n/motherrDJ/ssu/flowerbedD6M/dressmakerpvv.pdf\r\n/sprdvth/tailor.ps1\r\n/regretxso/GP4/investigationer4/exhibtionLD6.pdf\r\n/OD/sensationaSL/AprilcWs.jpeg\r\n/SS/atomN2s/arwardU26.jpeg\r\n/OD/remisshKY/consentedjtP.jpeg\r\n/OD/quitzU2/comparativelyNWU.jpeg\r\n/Gost/pitchedcbY/intenseLKt.jpeg\r\n/GPuUkr/satALU/eventfulpNq.pdf\r\n/prosperousd92/allowingclO\r\nIOC-Type: Documents (lure filenames, English gloss in parentheses)\r\nдодаток.doc (attachment)\r\nдск.doc (ДСК, “for official use only”)\r\nдоповідна запискa.doc (memorandum)\r\nсупровід катування.doc (accompanying note, torture)\r\nлист до.doc (letter to)\r\nубд.doc (УБД, combat veteran status)\r\nнаказ наряд.doc (order, duty roster)\r\nГУР МОУ.doc (HUR MOU, Main Directorate of Intelligence of the Ukrainian Ministry of Defence)\r\nзгвалтування.doc (rape)\r\nсупровод.doc (accompanying note)\r\nобезголовлення військовополоненого.jpeg (beheading of a prisoner of war)\r\nобезголовлення українського військовополоненого.jpeg (beheading of a Ukrainian prisoner of war)\r\nзгвалтування військових.jpeg (rape of soldiers)\r\nфото секс.jpeg (sex photo)\r\nSource: https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"references": [
		"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"
	],
	"report_names": [
		"inside-gamaredon-2025-zero-click-espionage-at-scale"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434258,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/a93b1f07a78f22d5ccc9da92dc8db6d3c03e4334.pdf",
		"text": "https://archive.orkl.eu/a93b1f07a78f22d5ccc9da92dc8db6d3c03e4334.txt",
		"img": "https://archive.orkl.eu/a93b1f07a78f22d5ccc9da92dc8db6d3c03e4334.jpg"
	}
}