Full Report
A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these
Analysis Summary
# Threat Actor: Gamaredon (Primitive Bear)
## Attribution & Identity
- **Origin:** Russia (the operators are likely government-affiliated employees).
- **Associated Groups:** Collaborates with **Turla** (Venomous Bear).
- **Identification:** A Russian Advanced Persistent Threat (APT) group active since at least 2013-2014, currently engaged in a sustained campaign against Ukraine.
## Activity Summary
Throughout 2025, Gamaredon launched 35 distinct spear-phishing campaigns primarily concentrated in the second half of the year. The group's activity cycles suggest a government-linked schedule, as operations typically pause during Russian and Crimean holidays. Recent operations focus on the deployment of a new PowerShell-based malware arsenal and the heavy exploitation of cloud-based serverless platforms for infrastructure concealment.
## Tactics, Techniques & Procedures
- **Initial Access:** Spear-phishing via archive attachments or XHTML files.
- **Payload Delivery:** HTML Smuggling to deliver HTA downloaders.
- **Exploitation:** Weaponization of **CVE-2025-8088** (WinRAR vulnerability).
- **Persistence:** Placing malicious HTA downloaders into the Windows Startup folder.
- **Lateral Movement:** Infection of USB and mapped network drives using malicious LNK files.
- **Evasion:**
  - Using "Dead Drop Resolvers" (DDRs) to hide C2 addresses.
  - Cloudflare tunnels and serverless worker platforms to mask back-end infrastructure.
  - Fetching and executing payloads in-memory.
- **Execution:** Heavy reliance on VBScript and PowerShell scripts.
## Targeting
- **Sectors:** Governmental institutions, Military institutions.
- **Geography:** Ukraine (sole focus throughout 2025).
- **Victims:** Ukrainian government and military personnel.
## Tools & Infrastructure
### Malware Families
- **PteroSand:** Payload dropped via HTA downloaders.
- **PteroLNK / PteroPaste:** USB and network drive weaponizers.
- **PteroSetup:** VBScript weaponizer used to replace legitimate installers with malicious SFX archives.
- **New 2025 PowerShell Tools:**
  - **PteroDee / PteroCache:** In-memory execution.
  - **PteroDum:** VBScript execution.
  - **PteroOdd:** Uses the Telegra.ph API (collaboration with Turla).
  - **PteroEffigy:** Uses GoFile for C2 fetching.
### Infrastructure
- **Dead Drop Resolvers & Exfiltration Channels:** legitimate public paste, blogging, social-media and cloud-storage services abused to host C2 addresses and to receive exfiltrated data.
## Implications
Gamaredon's primary objective is the exfiltration of sensitive strategic information to support Russian interests in the ongoing conflict. While their malware is relatively "simple," the group compensates with extreme persistence, massive volume (35 campaigns in a year), and a rapidly evolving ability to abuse legitimate third-party cloud services to bypass traditional network defenses.
## Mitigations
- **Software Patching:** Ensure WinRAR and other archive utilities are updated to mitigate CVE-2025-8088.
- **Email Security:** Implement robust inspection of XHTML and HTA attachments, and block HTML-smuggling payloads (HTML that reassembles a file client-side) at the mail gateway.
- **Network Policy:** Restrict access to public "paste" and "dead drop" services (e.g., Rentry, Paste.ee, Telegra.ph) that are not required for business operations.
- **Endpoint Protection:** Monitor for unauthorized PowerShell execution and VBScript activity originating from the Startup folder or removable media.
- **Removable Media:** Disable AutoRun/AutoPlay and implement strict control over USB device usage.
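As an added example (not from the ESET report or from Gamaredon's tooling), the Persistence, Lateral Movement and Endpoint Protection points above can be expressed as detection logic over process-creation telemetry. The Sysmon field names are real, but the event records, the rule names and the "any drive other than C: is removable or mapped" heuristic are constructed assumptions for this illustration.

```python
import re

# Constructed Sysmon-style process-creation (Event ID 1) records; field names
# follow Sysmon (Image, CommandLine, ParentImage) but the values are made up.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'mshta.exe "C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'wscript.exe //B //E:vbscript "E:\System Volume Information\drive.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -nop -w hidden -enc QUJDREVGR0g=",  # placeholder blob, not a real payload
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"Image": r"C:\Windows\System32\svchost.exe",
     "CommandLine": r"svchost.exe -k netsvcs", "ParentImage": r"C:\Windows\System32\services.exe"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe Get-ChildItem C:\Temp", "ParentImage": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Persistence: a script host launching anything from the per-user Startup folder.
STARTUP_DIR = re.compile(r"\\start menu\\programs\\startup\\", re.I)
# Heuristic (assumption): a script or shortcut on any drive other than C: is
# treated as a removable or mapped drive, the LNK lure vector described above.
NON_SYSTEM_DRIVE = re.compile(r'(?<![A-Za-z])[D-Z]:\\[^"\']*?\.(?:lnk|vbs|hta|ps1)\b', re.I)
# In-memory fetch-and-execute idioms typical of the PowerShell tooling described.
INMEM_FETCH = re.compile(r"(?:-enc(?:odedcommand)?\s|\biex\b|invoke-expression|downloadstring|frombase64string)", re.I)

def classify(event):
    """Return the list of rule names that match one process-creation event."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    hits = []
    if image not in SCRIPT_HOSTS:
        return hits
    if STARTUP_DIR.search(cmd):
        hits.append("startup_folder_script")
    if NON_SYSTEM_DRIVE.search(cmd):
        hits.append("script_from_non_system_drive")
    if image == "powershell.exe" and INMEM_FETCH.search(cmd):
        hits.append("powershell_inmemory_fetch")
    return hits

def scan(events):
    """Return [(record_index, rule_name), ...] for every rule that fired."""
    return [(i, rule) for i, ev in enumerate(events) for rule in classify(ev)]
```

Running `scan(SAMPLE_EVENTS)` flags the first three constructed records (Startup-folder HTA, VBScript from a non-system drive, encoded PowerShell) and leaves the two benign ones alone; in production the drive heuristic should be replaced by the actual drive type from the endpoint agent.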