{
	"id": "c5aad5a0-ddfd-4b49-8912-c643cbce8563",
	"created_at": "2026-04-06T00:17:22.344235Z",
	"updated_at": "2026-04-10T03:37:04.352015Z",
	"deleted_at": null,
	"sha1_hash": "f359aec53f9387c45e5f9ec93a803e4b2199f39c",
	"title": "An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 45169,
	"plain_text": "An Inside Look at the Infrastructure Behind the Russian APT Gamaredon Group\r\nArchived: 2026-04-05 15:41:41 UTC\r\nUpdate May 24, 2022: Read our new blog post about Gamaredon group infrastructure, malware variants and infection tactics.\r\nRecently, fellow researcher Vitali Kremez took a look at some new binaries from the Gamaredon Group, a Russian state-sponsored group that has been active since about 2013. The malware in question is the Pteranodon implant, which provides functions such as remote command execution, downloading and executing other files, and collecting system data. It was the subject of a recent CERT-UA blog post (note: that site is in Ukrainian).\r\nOf interest from Vitali’s research was the callout to torrent-stel[.]space. This marks a change from the group’s historical pattern of using dynamic DNS host names to registering its own domains, so it was worth examining how far their current infrastructure can be mapped. As of this writing, all the domains and IP addresses in this post still resolve (though the specific URL returns permission denied if you try to interact with it).\r\ntorrent-stel[.]space resolves to 185[.]248[.]100[.]121, an address it shares with splin-body[.]site and splin-body1[.]site. All three have been observed in similar infection chains and request spr_update.php in their outbound web traffic. The domains were registered in December 2018 and January 2019.\r\nOf particular note, one malware sample (SHA-256: cbd0b2cb5c35a0c88494f10304213d494f3c220b6d5efb6c7cb8fb66f3267632) calls not only splin-body[.]site but also splin-upd[.]site, which resolves to 195[.]88[.]208[.]196. That address, in turn, gives us a few more domains of similar nomenclature (with similar malware infection chains), including one pivot from the point at which they switched from dynamic DNS to their own domains in junk TLDs:\r\ntorent-updates[.]ddns[.]net // this one is down, probably because it was a typo; spies make mistakes too\r\ntorrent-updates[.]ddns[.]net\r\nsplin-upd[.]site\r\nsplin-upd1[.]site\r\ntorrent-supd[.]space\r\nwww[.]torrent-supd[.]space\r\nAll except the typo domain are still up. Enough artifacts have now been accumulated to recognise the pattern of their domain registrations, so new domains can be found as they are registered, assuming the group makes no wholesale changes.\r\nAs an aside, we have been experimenting with a machine learning classifier for domain names. Most such efforts try to decide whether a domain was produced by a domain generation algorithm; this model instead uses a domain’s resolution features to predict whether it is malicious (as opposed to benign or compromised). The model predicted these domains were malicious with a confidence of 88%.\r\nhttps://blog.threatstop.com/russian-apt-gamaredon-group\r\nThreatSTOP Customers are automatically protected against the threat described in this blog.\r\nSource: https://blog.threatstop.com/russian-apt-gamaredon-group",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA",
		"Malpedia"
	],
	"references": [
		"https://blog.threatstop.com/russian-apt-gamaredon-group"
	],
	"report_names": [
		"russian-apt-gamaredon-group"
	],
	"threat_actors": [
		{
			"id": "81bd7107-6b2d-45c9-9eea-1843d4b9b308",
			"created_at": "2022-10-25T15:50:23.320841Z",
			"updated_at": "2026-04-10T02:00:05.356444Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Gamaredon Group",
				"IRON TILDEN",
				"Primitive Bear",
				"ACTINIUM",
				"Armageddon",
				"Shuckworm",
				"DEV-0157",
				"Aqua Blizzard"
			],
			"source_name": "MITRE:Gamaredon Group",
			"tools": [
				"QuietSieve",
				"Pteranodon",
				"Remcos",
				"PowerPunch"
			],
			"source_id": "MITRE",
			"reports": null
		},
		{
			"id": "d5156b55-5d7d-4fb2-836f-861d2e868147",
			"created_at": "2023-01-06T13:46:38.557326Z",
			"updated_at": "2026-04-10T02:00:03.023048Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"ACTINIUM",
				"DEV-0157",
				"Blue Otso",
				"G0047",
				"IRON TILDEN",
				"PRIMITIVE BEAR",
				"Shuckworm",
				"UAC-0010",
				"BlueAlpha",
				"Trident Ursa",
				"Winterflounder",
				"Aqua Blizzard",
				"Actinium"
			],
			"source_name": "MISPGALAXY:Gamaredon Group",
			"tools": [],
			"source_id": "MISPGALAXY",
			"reports": null
		},
		{
			"id": "61940e18-8f90-4ecc-bc06-416c54bc60f9",
			"created_at": "2022-10-25T16:07:23.659529Z",
			"updated_at": "2026-04-10T02:00:04.703976Z",
			"deleted_at": null,
			"main_name": "Gamaredon Group",
			"aliases": [
				"Actinium",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Callisto",
				"DEV-0157",
				"G0047",
				"Iron Tilden",
				"Operation STEADY#URSA",
				"Primitive Bear",
				"SectorC08",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"Winterflounder"
			],
			"source_name": "ETDA:Gamaredon Group",
			"tools": [
				"Aversome infector",
				"BoneSpy",
				"DessertDown",
				"DilongTrash",
				"DinoTrain",
				"EvilGnome",
				"FRAUDROP",
				"Gamaredon",
				"GammaDrop",
				"GammaLoad",
				"GammaSteel",
				"Gussdoor",
				"ObfuBerry",
				"ObfuMerry",
				"PlainGnome",
				"PowerPunch",
				"Pteranodon",
				"Pterodo",
				"QuietSieve",
				"Remcos",
				"RemcosRAT",
				"Remote Manipulator System",
				"Remvio",
				"Resetter",
				"RuRAT",
				"SUBTLE-PAWS",
				"Socmer",
				"UltraVNC"
			],
			"source_id": "ETDA",
			"reports": null
		},
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM",
				"Aqua Blizzard",
				"Armageddon",
				"Blue Otso",
				"BlueAlpha",
				"Dancing Salome",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051",
				"Primitive Bear",
				"Shuckworm",
				"Trident Ursa",
				"UAC-0010",
				"UNC530",
				"WinterFlounder"
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434642,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/f359aec53f9387c45e5f9ec93a803e4b2199f39c.pdf",
		"text": "https://archive.orkl.eu/f359aec53f9387c45e5f9ec93a803e4b2199f39c.txt",
		"img": "https://archive.orkl.eu/f359aec53f9387c45e5f9ec93a803e4b2199f39c.jpg"
	}
}
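The pivoting the record's plain_text describes (seed domain to its IP, the IP to its co-hosted domains, a single sample tying the first IP's domains to the second IP's, and the naming convention that lets new registrations be recognised) as an added example. This is not ThreatSTOP's code. Only the defanged indicators and the sample hash come from the post; the passive-DNS records, the sample-to-domain links, the proxy log lines, the `*.example` hosts and the `NAMING_RE` regex are constructed here. The log scan deliberately refuses to flag `spr_update.php` on its own, since a generic filename is too weak a signal without a known host or the naming pattern beside it.

```python
"""Infrastructure pivot over the Gamaredon indicators named in the ThreatSTOP post.

Added example, not ThreatSTOP's code. Passive-DNS records, sample links, proxy
log lines and all *.example hosts are constructed; only the defanged indicators
and the SHA-256 hash come from the post.
"""
import re
from collections import defaultdict
from urllib.parse import urlsplit

# Indicators exactly as the post prints them (including the double-defanged typo domain).
DEFANGED_IOCS = [
    "torrent-stel[.]space", "splin-body[.]site", "splin-body1[.]site",
    "splin-upd[.]site", "splin-upd1[.]site", "torrent-updates[.]ddns[.]net",
    "torent-updates[.]ddns[[.]]net", "torrent-supd[.]space", "www[.]torrent-supd.space",
    "185[.]248[.]100[.]121", "195[.]88[.]208[.]196",
]

IP_RE = re.compile(r"^\d{1,3}(?:\.\d{1,3}){3}$")
# Assumed naming convention generalised from the page: (torrent|torent|splin)-<word><digit?>.<junk TLD|ddns.net>
NAMING_RE = re.compile(
    r"^(?:www\.)?(?:tor+ent|splin)-(?:stel|body|upd|supd|updates)\d*\.(?:site|space|ddns\.net)$")


def refang(indicator: str) -> str:
    """Undo [.] / [[.]] / (.) / hxxp defanging so the value can be matched against logs."""
    s = indicator.strip().lower()
    s = re.sub(r"\[+\.\]+", ".", s)
    return s.replace("(.)", ".").replace("hxxp", "http")


KNOWN = {refang(i) for i in DEFANGED_IOCS}

# Constructed passive-DNS view (host, ip): the resolutions the post describes plus
# noise, including a co-tenant that merely shares the second IP (shared hosting risk).
PDNS = [
    ("torrent-stel.space", "185.248.100.121"),
    ("splin-body.site", "185.248.100.121"),
    ("splin-body1.site", "185.248.100.121"),
    ("splin-upd.site", "195.88.208.196"),
    ("splin-upd1.site", "195.88.208.196"),
    ("torrent-updates.ddns.net", "195.88.208.196"),
    ("torrent-supd.space", "195.88.208.196"),
    ("www.torrent-supd.space", "195.88.208.196"),
    ("unrelated-shop.example", "195.88.208.196"),  # constructed co-tenant
    ("cdn.example.net", "185.248.100.200"),        # constructed, same /24 but no shared IP
]

# The post's sample calls both splin-body[.]site and splin-upd[.]site; that
# co-occurrence is the only bridge between the two IPs.
SAMPLE_CALLBACKS = {
    "cbd0b2cb5c35a0c88494f10304213d494f3c220b6d5efb6c7cb8fb66f3267632":
        ["splin-body.site", "splin-upd.site"],
}


def build_graph(pdns, samples):
    """Undirected graph: host<->ip edges from passive DNS, host<->host edges from shared samples."""
    adj = defaultdict(set)
    for host, ip in pdns:
        adj[host].add(ip)
        adj[ip].add(host)
    for hosts in samples.values():
        for a in hosts:
            adj[a].update(h for h in hosts if h != a)
    return adj


def pivot(seed, adj, max_hops=6):
    """Breadth-first expansion from a seed indicator; returns {node: hops_from_seed}."""
    hops = {seed: 0}
    frontier = [seed]
    while frontier:
        nxt = []
        for node in frontier:
            if hops[node] >= max_hops:
                continue
            for peer in adj.get(node, ()):
                if peer not in hops:
                    hops[peer] = hops[node] + 1
                    nxt.append(peer)
        frontier = nxt
    return hops


def classify(reached):
    """Split pivot output into IPs, hosts matching the naming pattern, and hosts needing analyst review."""
    ips = sorted(n for n in reached if IP_RE.match(n))
    hosts = [n for n in reached if not IP_RE.match(n)]
    matched = sorted(h for h in hosts if NAMING_RE.match(h))
    review = sorted(h for h in hosts if not NAMING_RE.match(h))
    return ips, matched, review


# Constructed proxy log: "<epoch> <client> <method> <url> <status>".
PROXY_LOG = [
    "1548000001 10.0.0.5 GET http://torrent-stel.space/spr_update.php 403",
    "1548000002 10.0.0.5 GET http://www.example.com/index.html 200",
    "1548000003 10.0.0.9 GET http://splin-upd2.site/spr_update.php 403",
    "1548000004 10.0.0.9 GET http://updates.example.net/spr_update.php 200",
]


def scan_proxy_log(lines, known=KNOWN):
    """Flag requests to known indicators, or to naming-pattern hosts fetching spr_update.php.
    The path alone is never flagged: a generic filename is too weak a signal by itself."""
    hits = []
    for line in lines:
        fields = line.split()
        if len(fields) < 5:
            continue
        url = urlsplit(fields[3])
        host = (url.hostname or "").lower()
        if host in known:
            hits.append((host, "known indicator"))
        elif NAMING_RE.match(host) and url.path == "/spr_update.php":
            hits.append((host, "naming pattern + spr_update.php"))
    return hits


if __name__ == "__main__":
    graph = build_graph(PDNS, SAMPLE_CALLBACKS)
    ips, matched, review = classify(pivot("torrent-stel.space", graph))
    print("IPs:", ips)
    print("pattern hosts:", matched)
    print("needs review:", review)
    print("log hits:", scan_proxy_log(PROXY_LOG))
```

Run as a script it walks from torrent-stel.space across both IPs, lists the constructed co-tenant separately for review instead of treating it as actor infrastructure, and flags the unseen splin-upd2.site only because the name fits the convention and the request path matches. The `max_hops` cap and the review bucket are the two controls that keep an IP pivot on shared hosting from ballooning into every domain a provider hosts.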