Gamaredon (also known as Armageddon, ACTINIUM, Primitive Bear, and UAC-0010), the Russian FSB-linked advanced persistent threat group, has significantly expanded its operations against Ukraine throughout 2025. New research from Slovak cybersecurity firm ESET documents 35 distinct spear-phishing campaigns and an evolved malware toolkit that increasingly abuses legitimate cloud services to evade detection.
Background: Gamaredon and Ukraine
Gamaredon is one of the most persistent and prolific APT groups targeting Ukraine. Attributed to Russia's Federal Security Service (FSB), the group has been conducting cyber operations against Ukrainian government, military, and critical infrastructure since at least 2013. Unlike more sophisticated APT groups that prioritize stealth and dwell time, Gamaredon is characterized by high operational tempo and volume — launching frequent, broad campaigns rather than a small number of precision operations.
35 Campaigns in 2025
ESET's research identifies 35 distinct spear-phishing campaigns conducted by Gamaredon throughout 2025. Key observations:
- New targets: The campaigns show Gamaredon expanding beyond traditional government and military targets to include new organizational categories
- Consistent lure themes: Campaigns continue to leverage Ukrainian language lures with themes related to the ongoing war, government documents, and military communications
- Rapid iteration: The group continues to quickly modify tooling and infrastructure in response to detection
Expanded Malware Arsenal
New and Updated Implants
ESET's analysis reveals Gamaredon has significantly expanded its malware toolkit. The group is known for developing custom tooling rather than relying on commodity malware, and 2025 has seen continued development of new capabilities.
Gamaredon's toolkit historically includes:
| Malware | Type | Function |
|---|---|---|
| Pterodo | Backdoor | Primary Windows backdoor with modular capabilities |
| GammaLoad | Downloader | Initial access downloader used to deploy additional payloads |
| GammaSteel | Infostealer | File exfiltration focused on documents and media |
| LitterDrifter | USB worm | Self-spreading worm targeting USB drives for air-gap crossing |
| PteroPSLoad | Loader | PowerShell-based loader |
New variants and previously undocumented components identified in the 2025 campaigns reflect continued active development of the group's capabilities.
Cloud Service Abuse for C2
A significant evolution in Gamaredon's tradecraft is the increased abuse of legitimate cloud services for command-and-control (C2) communication. Rather than communicating directly with attacker-controlled servers (which are more easily blocked), the group is routing C2 traffic through:
- Telegram — Using Telegram bot APIs for C2 communication; traffic blends with legitimate messaging app usage
- OneDrive and other cloud storage — Staging payloads and receiving commands via legitimate file-sharing services
- GitHub — Using public repositories for dead-drop resolvers and payload staging
This technique — sometimes called living off trusted sites (LOTS) — makes detection significantly harder because:
- Security tools rarely block legitimate cloud services entirely
- Traffic to these services is encrypted (HTTPS) and appears normal
- IP reputation and domain blocklists cannot block Microsoft, Telegram, or GitHub infrastructure
Operational Evolution
Why Gamaredon Remains Effective
Despite extensive public documentation of Gamaredon's techniques and consistent attribution, the group remains highly active. This persistence is explained by several factors:
- State backing: As an FSB-sponsored operation, Gamaredon has resources and protection that purely financially motivated groups lack
- Operational tempo: Volume-based approach means even low success rates yield meaningful intelligence and access
- Evolving tradecraft: Continuous adaptation in response to detection
- Targeting advantage: Operating against a nation under active military attack means a large, sustained pool of stressed targets susceptible to social engineering
Spear-Phishing Effectiveness
Gamaredon's campaigns succeed because:
- Linguistically and culturally targeted — Ukrainian-language lures that reference real, current events
- Contextually relevant — Themes directly related to the ongoing conflict lower recipients' guard
- Leverages trust — Spoofed sender addresses impersonating government agencies and known contacts
- High volume — Large numbers of campaigns mean some will evade filtering
Detection and Mitigation
For Ukrainian and NATO-Adjacent Organizations
Organizations targeted by Gamaredon should implement:
Email Security
- Advanced phishing filtering with sandboxing for Office documents and archives
- DMARC, DKIM, and SPF enforcement to catch spoofed senders
- User training focused on Gamaredon's common lure themes
Endpoint Detection
- Behavioral detection for PowerShell execution patterns associated with GammaLoad and PteroPSLoad
- USB monitoring to detect LitterDrifter self-spreading behavior
- File access monitoring for GammaSteel-style mass document exfiltration
Network Monitoring
- Monitor for abnormal Telegram bot API traffic patterns
- Alert on cloud storage APIs accessed by unexpected processes
- Track outbound connections to newly registered or recently seen domains
Indicators of Compromise
ESET's full report contains detailed IOCs including file hashes, C2 domains, and behavioral patterns. Organizations should subscribe to ESET Threat Intelligence or equivalent feeds for up-to-date Gamaredon IOCs.
Geopolitical Context
Gamaredon's operations exist within the broader context of Russian hybrid warfare against Ukraine. While kinetic operations continue, cyber operations serve complementary objectives:
- Intelligence collection on military operations, troop movements, and government communications
- Disruption of Ukrainian government and defense coordination
- Psychological effect — Creating uncertainty and resource drain
- Preparation for potential critical infrastructure attacks
The group's continued activity despite extensive public documentation reflects Russia's calculation that the operational benefits outweigh the reputational costs of attribution.
Key Takeaways
- Gamaredon conducted 35 spear-phishing campaigns against Ukrainian targets in 2025
- The group has expanded its malware toolkit with new implants and updated variants
- Cloud service abuse (Telegram, OneDrive, GitHub) for C2 makes detection harder
- The FSB-linked group shows no signs of slowing — high operational tempo will continue
- Organizations in Ukraine and NATO partner nations should maintain heightened vigilance against Gamaredon TTPs