{
	"id": "11570866-4e97-45a8-aa86-81d1879df364",
	"created_at": "2026-04-06T00:09:26.945141Z",
	"updated_at": "2026-04-10T03:37:04.145207Z",
	"deleted_at": null,
	"sha1_hash": "fbfb3a2533ecfbe2a9af8ca6ff46c841f52c3de6",
	"title": "Russia-backed hacker group Gamaredon attacking Ukraine with info-stealing malware",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 78001,
	"plain_text": "Russia-backed hacker group Gamaredon attacking Ukraine with\r\ninfo-stealing malware\r\nBy Daryna Antoniuk\r\nPublished: 2023-02-06 · Archived: 2026-04-05 20:24:07 UTC\r\nThe Russian-sponsored hacker group known as Gamaredon continues to attack Ukrainian organizations and\r\nremains one of the “key cyber threats” for Ukraine’s cyberspace, according to a report the Ukrainian government\r\npublished Wednesday. \r\nUkraine claims that Gamaredon operates from the city of Sevastopol in Russia-occupied Crimea, but acts on\r\norders from the FSB Center for Information Security in Moscow. The group began operations in June 2013, just\r\nmonths before Russia forcibly annexed the Crimean Peninsula from Ukraine.\r\nIn its recent campaigns against Ukraine, Gamaredon used variants of PowerShell info-stealer malware known as\r\nGammaLoad and GammaSteel. \r\nThese are custom-made information stealer implants that can exfiltrate files of specific extensions, steal user\r\ncredentials and take screenshots of the victim’s computer, according to Ukraine’s State Cyber Protection Centre.\r\nThe two malware variants are not new and have been used previously by Gamaredon hackers to target Ukraine’s\r\nsecurity and government services.\r\nTo gain initial access to the victim’s network, hackers use phishing emails. These emails contain malicious LNK\r\nfiles distributed in RAR archives. Only users with Ukrainian IP addresses can open these files.\r\nHackers send the phishing emails from domains associated with legitimate organizations, such as the Security\r\nService of Ukraine, according to the report.\r\nGamaredon's most popular targets include government organizations, critical infrastructure facilities, and\r\nUkraine’s defense, security, and law enforcement agencies. The names of the enclosed malicious files are usually\r\nassociated with the war in Ukraine.\r\nGamaredon's recent activity is characterized by the multi-stage deployment of malware payloads used to maintain\r\npersistence. These payloads represent similar variants of the same malware, each designed to behave in much the\r\nsame way as the others.\r\nAccording to the report, Gamaredon hackers have evolved throughout the war, improving their tactics and\r\nredeveloping used malware variants to stay undetected.\r\nUkraine’s computer emergency response team, CERT-UA, told The Record that Gamaredon is responsible for the\r\nlargest number of cyberattacks on Ukraine. “Not a week goes by that we didn’t detect some new mass phishing\r\nemail campaign with Gamaredon malware,” a CERT-UA spokesperson said.\r\nIn 2022, Ukraine registered more than 70 incidents related to the group, the agency said.\r\nGamaredon also attacks Ukraine’s allies. In late January, Latvia confirmed a phishing attack on its Ministry of\r\nDefense, linking it to the group.\r\nUkrainian cybersecurity officials described their attacks as intrusive and audacious, and said the group’s main\r\npurpose was “to conduct targeted cyberintelligence operations.”\r\nDaryna Antoniuk\r\nis a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in\r\nEastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for\r\nForbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.\r\nSource: https://therecord.media/russia-backed-hacker-group-gamaredon-attacking-ukraine-with-info-stealing-malware/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"ETDA"
	],
	"references": [
		"https://therecord.media/russia-backed-hacker-group-gamaredon-attacking-ukraine-with-info-stealing-malware/"
	],
	"report_names": [
		"russia-backed-hacker-group-gamaredon-attacking-ukraine-with-info-stealing-malware"
	],
	"threat_actors": [
		{
			"id": "236a8303-bf12-4787-b6d0-549b44271a19",
			"created_at": "2024-06-04T02:03:07.966137Z",
			"updated_at": "2026-04-10T02:00:03.706923Z",
			"deleted_at": null,
			"main_name": "IRON TILDEN",
			"aliases": [
				"ACTINIUM ",
				"Aqua Blizzard ",
				"Armageddon",
				"Blue Otso ",
				"BlueAlpha ",
				"Dancing Salome ",
				"Gamaredon",
				"Gamaredon Group",
				"Hive0051 ",
				"Primitive Bear ",
				"Shuckworm ",
				"Trident Ursa ",
				"UAC-0010 ",
				"UNC530 ",
				"WinterFlounder "
			],
			"source_name": "Secureworks:IRON TILDEN",
			"tools": [
				"Pterodo"
			],
			"source_id": "Secureworks",
			"reports": null
		}
	],
	"ts_created_at": 1775434166,
	"ts_updated_at": 1775792224,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/fbfb3a2533ecfbe2a9af8ca6ff46c841f52c3de6.pdf",
		"text": "https://archive.orkl.eu/fbfb3a2533ecfbe2a9af8ca6ff46c841f52c3de6.txt",
		"img": "https://archive.orkl.eu/fbfb3a2533ecfbe2a9af8ca6ff46c841f52c3de6.jpg"
	}
}