Full Report
ESET Research analyzes Gamaredon’s new toolset and the group’s growing reliance on legitimate online services to hide its C&C infrastructure and exfiltrate stolen data
Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
* **Identification:** Attributed by the Security Service of Ukraine (SSU) to the **18th Center of Information Security of Russia’s FSB**.
* **Origin:** Believed to operate out of occupied **Crimea**.
* **Aliases/Associations:** Known to be Russia-aligned. In early 2025, evidence showed collaboration with **Turla** (another Russia-aligned APT).
* **Actor Type:** Advanced Persistent Threat (APT) / Cyberespionage group.
## Activity Summary
Throughout 2025, Gamaredon maintained a high operational tempo focused on the ongoing conflict in Ukraine. After a brief hiatus in January 2025, the group launched 35 distinct spearphishing campaigns, with the majority occurring in the second half of the year. The 2025 campaigns were notably larger than previous years and featured a shift toward abusing legitimate third-party services to mask Command & Control (C2) and data exfiltration.
## Tactics, Techniques & Procedures
* **Spearphishing:** Primary initial access vector using malicious attachments to deliver payloads.
* **Weaponization:** Use of custom weaponizers for lateral movement and broad infection.
* **Dead Drop Resolvers:** Abuses messaging, social media, blogging, and paste services to host encrypted C2 IP addresses.
* **Living off the Cloud:** Growing reliance on "Tunnels" (e.g., Cloudflare Tunnels), "Workers," and PaaS to hide backend infrastructure.
* **Data Exfiltration:** Shifted from self-hosted servers to S3-compatible cloud storage.
* **Infrastructure Obfuscation:** Frequent use of Dynamic DNS (DDNS) and legitimate third-party services to blend with normal traffic.
* **MITRE ATT&CK Techniques:**
  * **T1566:** Phishing
  * **T1102:** Web Service (Dead Drop Resolvers)
  * **T1071.004:** Application Layer Protocol: DNS (Dynamic DNS)
  * **T1567.002:** Exfiltration to Cloud Storage
  * **T1059.001/.003:** Command and Scripting Interpreter (PowerShell/VBScript)
## Targeting
* **Sectors:** Governmental and military institutions.
* **Geography:** Ukraine (exclusive focus).
* **Victims:** Ukrainian state bodies and defense organizations.
## Tools & Infrastructure
* **Malware Families:**
  * **PteroVDoor / PteroPSDoor:** Flagship file stealers, updated in 2025 to support S3 cloud exfiltration.
  * **PteroSetup:** A resurrected VBScript weaponizer.
  * **PteroBox:** Tool used for uploading files to Dropbox.
  * **New 2025 Tools:** Six new PowerShell-based delivery tools/downloaders.
  * **Rclone:** Legitimate utility abused for data exfiltration.
* **Infrastructure:**
  * **Cloud Storage Providers:** Wasabi (wasabisys[.]com), Tebi (tebi[.]io), and Intercolo (de-fra[.]i3storage[.]com).
  * **C2 Hiding:** Cloudflare Workers, Tunnels, and various PaaS providers.
## Implications
Gamaredon's strategy prioritizes persistence and volume over technical complexity. Its transition to legitimate cloud services (S3-compatible storage and Tunnels) makes detection significantly harder for defenders, because the traffic blends with legitimate enterprise cloud usage. The collaboration with Turla suggests a potential consolidation of Russian cyber operations, or shared access and intelligence between FSB-aligned units and other elite threat actors.
## Mitigations
* **Network Monitoring:** Implement strict egress filtering and monitor for unauthorized connections to S3-compatible storage providers (Wasabi, Tebi, Intercolo) and Cloudflare Workers/Tunnels.
* **Email Security:** Heighten scrutiny of macro-enabled documents and suspicious attachments, particularly those mimicking Ukrainian government communications.
* **PowerShell Security:** Enforce Constrained Language Mode and enable comprehensive logging (Script Block Logging) to detect Gamaredon’s heavy use of PowerShell scripts.
* **Endpoint Defense:** Deploy EDR solutions to identify the execution of known "Ptero" malware families and unauthorized use of `rclone.exe`.
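The egress-monitoring mitigation above can be turned into a concrete detection. The following is an added example (not code from the ESET report or from any Gamaredon tooling) that scans constructed proxy log lines for outbound connections to the three S3-compatible storage domains named in this summary, plus Cloudflare Workers and Tunnel hostnames, and totals the bytes sent per internal source. The storage domains come from the page; the Cloudflare suffixes (`workers.dev`, `trycloudflare.com`), the log format, the allowlist entry and all log lines are assumptions constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, Iterable, List, Optional

# Indicators taken from the summary (defanged brackets removed).
STORAGE_DOMAINS = ("wasabisys.com", "tebi.io", "de-fra.i3storage.com")

# Assumed Cloudflare Workers / Tunnel hostname suffixes; not listed on the page.
CLOUDFLARE_DOMAINS = ("workers.dev", "trycloudflare.com")

# Hypothetical allowlist: storage hosts the organisation sanctions (e.g. backups).
ALLOWLIST = {"s3.us-east-1.wasabisys.com"}

# Constructed proxy log format: "<timestamp> <src_ip> <user> <method> <host> <bytes_out>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+) (\S+) (\d+)$")


@dataclass
class Alert:
    timestamp: str
    src_ip: str
    user: str
    host: str
    category: str
    bytes_out: int


def classify_host(host: str) -> Optional[str]:
    """Return the indicator category for a host, or None if it is not of interest.

    Matching is on the exact domain or any subdomain, so 'notwasabisys.com'
    does not match while 's3.eu-central-1.wasabisys.com' does.
    """
    h = host.lower().rstrip(".")  # normalise case and a trailing FQDN dot
    for d in STORAGE_DOMAINS:
        if h == d or h.endswith("." + d):
            return "s3-compatible-storage"
    for d in CLOUDFLARE_DOMAINS:
        if h == d or h.endswith("." + d):
            return "cloudflare-edge"
    return None


def scan(lines: Iterable[str], allowlist=ALLOWLIST) -> List[Alert]:
    """Parse proxy log lines and return one Alert per hit on a watched domain."""
    alerts: List[Alert] = []
    for line in lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue  # malformed line: skip rather than crash the scan
        ts, src, user, _method, host, bytes_out = m.groups()
        if host.lower().rstrip(".") in allowlist:
            continue  # sanctioned destination
        category = classify_host(host)
        if category:
            alerts.append(Alert(ts, src, user, host, category, int(bytes_out)))
    return alerts


def bytes_by_source(alerts: Iterable[Alert]) -> Dict[str, int]:
    """Total outbound bytes per internal source IP; large totals hint at exfiltration."""
    totals: Dict[str, int] = {}
    for a in alerts:
        totals[a.src_ip] = totals.get(a.src_ip, 0) + a.bytes_out
    return totals


# Constructed sample log lines (not real traffic).
SAMPLE_LOG = [
    "2025-09-12T08:01:13Z 10.20.1.15 jdoe PUT s3.eu-central-1.wasabisys.com 5242880",
    "2025-09-12T08:01:20Z 10.20.1.15 jdoe GET www.example-news.ua 1820",
    "2025-09-12T08:02:05Z 10.20.1.22 asmith PUT s3.tebi.io 734003200",
    "2025-09-12T08:02:40Z 10.20.1.30 svc-backup PUT s3.us-east-1.wasabisys.com 104857600",
    "2025-09-12T08:03:11Z 10.20.1.22 asmith CONNECT quiet-river-1234.trycloudflare.com 2048",
    "2025-09-12T08:03:50Z 10.20.1.41 mkoval PUT de-fra.i3storage.com 52428800",
    "this line is malformed and must be skipped",
]

if __name__ == "__main__":
    hits = scan(SAMPLE_LOG)
    for a in hits:
        print(f"{a.timestamp} {a.src_ip} ({a.user}) -> {a.host} [{a.category}] {a.bytes_out} bytes")
    for src, total in sorted(bytes_by_source(hits).items()):
        print(f"{src}: {total} bytes to watched destinations")
```

The allowlist is what keeps this usable: the report notes that the value of these providers to the attacker is exactly that the traffic resembles normal enterprise cloud usage, so the rule only becomes actionable once sanctioned storage endpoints are excluded and the remaining hits are ranked by volume and by which user or host generated them.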