{
	"id": "c906b180-1085-4895-b867-79dd60719c10",
	"created_at": "2026-04-06T00:07:02.315675Z",
	"updated_at": "2026-04-10T03:37:04.480326Z",
	"deleted_at": null,
	"sha1_hash": "bb2cd110332f062bed06b69fb33ea945c2deb30e",
	"title": "Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 3745122,
	"plain_text": "Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine\r\nBy Anomali Threat Research\r\nPublished: 2025-12-31 · Archived: 2026-04-05 20:04:02 UTC\r\nSource: https://www.anomali.com/blog/malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine#When:15:00:00Z\r\n\r\nOverview\r\nThe Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear). Some of the documents have been discussed by other researchers.[1] This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019. Based on lure documents observed by ATR, we believe that at least the following Ukrainian entities and individuals may be targeted:\r\nDiplomats\r\nGovernment officials and employees\r\nJournalists\r\nLaw enforcement\r\nMilitary officials and personnel\r\nNon-Governmental Organizations (NGOs)\r\nThe Ministry of Foreign Affairs of Ukraine\r\nATR analysts have found Tactics, Techniques, and Procedures (TTPs) that align with known Gamaredon tactics, in addition to a new template-injection technique that has not previously been observed in use by the group. The objective of this report is to highlight a new Gamaredon TTP and share IOCs with the security community for awareness and further analysis. Several lure documents are also examined, along with a technical analysis section that showcases the functionality of the template injection.\r\nGet the full report on Gamaredon (Primitive Bear) and read through our key findings here.\r\n\r\nEndnotes\r\n[1] Evgeny Ananin and Artem Semenchenko, “The Gamaredon Group: A TTP Profile Analysis,” Fortinet Blog, published August 21, 2019, accessed November 25, 2019, https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html; ZLAB-YOROI, “The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign,” YOROI Blog, published April 24, 2019, accessed November 25, 2019, https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/; ZLAB-YOROI, “The Russian Shadow in Eastern Europe: A Month Later,” YOROI Blog, published June 4, 2019, accessed November 25, 2019, https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/.",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://www.anomali.com/blog/malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine#When:15:00:00Z"
	],
	"report_names": [
		"malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine#When:15:00:00Z"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434022,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/bb2cd110332f062bed06b69fb33ea945c2deb30e.pdf",
		"text": "https://archive.orkl.eu/bb2cd110332f062bed06b69fb33ea945c2deb30e.txt",
		"img": "https://archive.orkl.eu/bb2cd110332f062bed06b69fb33ea945c2deb30e.jpg"
	}
}