Overview
Russia's FSB-sponsored advanced persistent threat (APT) group Gamaredon — also tracked as Trident Ursa and BlueAlpha — has significantly evolved its capabilities, according to fresh research from ESET. The group has upgraded both its malware delivery mechanisms and its command-and-control (C2) infrastructure obfuscation, making traditional indicator-of-compromise (IoC) based defenses increasingly ineffective.
Active throughout 2025 and into 2026, Gamaredon has conducted at least 35 distinct spearphishing campaigns exclusively targeting Ukrainian governmental and military institutions, with a marked surge in activity during H2 2025.
Upgraded Tactics, Techniques, and Procedures (TTPs)
C2 Infrastructure Obfuscation
Gamaredon has dramatically improved its ability to hide its backend infrastructure from defenders. The group now routes C2 traffic through:
- Cloudflare Workers and other serverless platforms as front-end proxies
- Tunnel services that mask the true origin of C2 servers
- Dynamic DNS (DDNS) for rapid IP rotation
- Platform-as-a-Service (PaaS) providers to further obscure backend servers
This layered obfuscation makes it extremely difficult to block C2 infrastructure based on IP addresses or hostnames alone.
Living-off-the-Land with Legitimate Services
Gamaredon extensively abuses legitimate services as "dead drop resolvers" — using them to host encoded C2 addresses that malware retrieves at runtime. Services abused include:
- Telegram channels
- Cloud storage platforms
- Messaging and paste services
- Blogging platforms
This technique makes network-level blocking significantly harder, as the traffic blends with legitimate platform usage.
Malware Fleet Strategy
Rather than investing in a single sophisticated implant, Gamaredon maintains a large fleet of simple, rapidly updated tools. This approach provides resilience against signature-based detection — when one tool is burned by defenders, another variant is quickly deployed.
January 2026 Attack Chain
A notable campaign observed in January 2026 used the following kill chain:
- GammaPhish: A weaponized xHTML file delivered via spearphishing email
- CVE-2025-8088 Exploitation: A RAR archive exploiting this vulnerability to drop a hidden HTA (HTML Application) file
- Persistence: The HTA file is placed in the Windows Startup directory for persistence across reboots
- Payload Delivery: Subsequent malware stages are fetched from dead-drop resolvers via legitimate platform APIs
Targets and Objectives
Gamaredon operates exclusively against Ukrainian government and military targets, in direct support of Russian war objectives. The group's primary goal is intelligence collection — exfiltrating sensitive documents, communications, and operational data from compromised organizations.
Defensive Implications
The group's infrastructure evolution demands a shift in defensive strategy:
| Traditional Defense | Why It Falls Short | Better Approach |
|---|---|---|
| IoC-based IP/domain blocking | Infrastructure rotates rapidly through tunnels and DDNS | Behavioral endpoint detection |
| Blocking known malicious domains | Legit platforms (Telegram, cloud storage) are used | TLS inspection + anomaly detection |
| Signature AV/EDR | Malware fleet is rapidly updated | Heuristic + behavioral detection |
| Email filtering on known IoCs | New campaigns use fresh infrastructure | Sandboxing + content detonation |
Security teams defending against Gamaredon should prioritize:
- Endpoint behavioral detection over signature-based scanning
- Email security with sandboxed detonation of attachments and links
- Network-level monitoring for abuse of tunnel services and worker platforms
- Threat intelligence subscriptions tracking Gamaredon's evolving TTPs
References
- Dark Reading — Russian APT Gamaredon Upgrades Its Arsenal
- ESET Research — Gamaredon Campaign Analysis (2025–2026)