Skip to main content
COSMICBYTEZLABS
NewsSecurityHOWTOsToolsTraining
StudyProjectsNewsletterHire MeAbout
Subscribe

Press Enter to search or Esc to close

News
Security
HOWTOs
Tools
Training
Study
Projects
Newsletter
Hire Me
About
RSS Feed
Reading List
Subscribe

Stay in the Loop

Get the latest security alerts, tutorials, and tech insights delivered to your inbox.

Subscribe NowFree forever. No spam.
COSMICBYTEZLABS

Your trusted source for IT intelligence, cybersecurity insights, and hands-on technical guides.

1794+ Articles
149+ Guides

CONTENT

  • Latest News
  • Security Alerts
  • HOWTOs
  • Checklists
  • Projects
  • Exam Prep

RESOURCES

  • Search
  • Browse Tags
  • Newsletter Archive
  • Reading List
  • RSS Feed

COMPANY

  • About Us
  • Contact
  • Privacy Policy
  • Terms of Service

© 2026 CosmicBytez Labs. All rights reserved.

System Status: Operational
  1. Home
  2. News
  3. Gamaredon Expands Ukraine Attacks with New Malware and Cloud Abuse
Gamaredon Expands Ukraine Attacks with New Malware and Cloud Abuse
NEWS

Gamaredon Expands Ukraine Attacks with New Malware and Cloud Abuse

Russian FSB-linked APT group Gamaredon has mounted 35 distinct spear-phishing campaigns against Ukrainian targets in 2025, deploying an expanded malware...

Dylan H.

News Desk

June 29, 2026
5 min read

Gamaredon (also known as Armageddon, ACTINIUM, Primitive Bear, and UAC-0010), the Russian FSB-linked advanced persistent threat group, has significantly expanded its operations against Ukraine throughout 2025. New research from Slovak cybersecurity firm ESET documents 35 distinct spear-phishing campaigns and an evolved malware toolkit that increasingly abuses legitimate cloud services to evade detection.

Background: Gamaredon and Ukraine

Gamaredon is one of the most persistent and prolific APT groups targeting Ukraine. Attributed to Russia's Federal Security Service (FSB), the group has been conducting cyber operations against Ukrainian government, military, and critical infrastructure since at least 2013. Unlike more sophisticated APT groups that prioritize stealth and dwell time, Gamaredon is characterized by high operational tempo and volume — launching frequent, broad campaigns rather than a small number of precision operations.

35 Campaigns in 2025

ESET's research identifies 35 distinct spear-phishing campaigns conducted by Gamaredon throughout 2025. Key observations:

  • New targets: The campaigns show Gamaredon expanding beyond traditional government and military targets to include new organizational categories
  • Consistent lure themes: Campaigns continue to leverage Ukrainian language lures with themes related to the ongoing war, government documents, and military communications
  • Rapid iteration: The group continues to quickly modify tooling and infrastructure in response to detection

Expanded Malware Arsenal

New and Updated Implants

ESET's analysis reveals Gamaredon has significantly expanded its malware toolkit. The group is known for developing custom tooling rather than relying on commodity malware, and 2025 has seen continued development of new capabilities.

Gamaredon's toolkit historically includes:

MalwareTypeFunction
PterodoBackdoorPrimary Windows backdoor with modular capabilities
GammaLoadDownloaderInitial access downloader used to deploy additional payloads
GammaSteelInfostealerFile exfiltration focused on documents and media
LitterDrifterUSB wormSelf-spreading worm targeting USB drives for air-gap crossing
PteroPSLoadLoaderPowerShell-based loader

New variants and previously undocumented components identified in the 2025 campaigns reflect continued active development of the group's capabilities.

Cloud Service Abuse for C2

A significant evolution in Gamaredon's tradecraft is the increased abuse of legitimate cloud services for command-and-control (C2) communication. Rather than communicating directly with attacker-controlled servers (which are more easily blocked), the group is routing C2 traffic through:

  • Telegram — Using Telegram bot APIs for C2 communication; traffic blends with legitimate messaging app usage
  • OneDrive and other cloud storage — Staging payloads and receiving commands via legitimate file-sharing services
  • GitHub — Using public repositories for dead-drop resolvers and payload staging

This technique — sometimes called living off trusted sites (LOTS) — makes detection significantly harder because:

  1. Security tools rarely block legitimate cloud services entirely
  2. Traffic to these services is encrypted (HTTPS) and appears normal
  3. IP reputation and domain blocklists cannot block Microsoft, Telegram, or GitHub infrastructure

Operational Evolution

Why Gamaredon Remains Effective

Despite extensive public documentation of Gamaredon's techniques and consistent attribution, the group remains highly active. This persistence is explained by several factors:

  • State backing: As an FSB-sponsored operation, Gamaredon has resources and protection that purely financially motivated groups lack
  • Operational tempo: Volume-based approach means even low success rates yield meaningful intelligence and access
  • Evolving tradecraft: Continuous adaptation in response to detection
  • Targeting advantage: Operating against a nation under active military attack means a large, sustained pool of stressed targets susceptible to social engineering

Spear-Phishing Effectiveness

Gamaredon's campaigns succeed because:

  1. Linguistically and culturally targeted — Ukrainian-language lures that reference real, current events
  2. Contextually relevant — Themes directly related to the ongoing conflict lower recipients' guard
  3. Leverages trust — Spoofed sender addresses impersonating government agencies and known contacts
  4. High volume — Large numbers of campaigns mean some will evade filtering

Detection and Mitigation

For Ukrainian and NATO-Adjacent Organizations

Organizations targeted by Gamaredon should implement:

Email Security

  • Advanced phishing filtering with sandboxing for Office documents and archives
  • DMARC, DKIM, and SPF enforcement to catch spoofed senders
  • User training focused on Gamaredon's common lure themes

Endpoint Detection

  • Behavioral detection for PowerShell execution patterns associated with GammaLoad and PteroPSLoad
  • USB monitoring to detect LitterDrifter self-spreading behavior
  • File access monitoring for GammaSteel-style mass document exfiltration

Network Monitoring

  • Monitor for abnormal Telegram bot API traffic patterns
  • Alert on cloud storage APIs accessed by unexpected processes
  • Track outbound connections to newly registered or recently seen domains

Indicators of Compromise

ESET's full report contains detailed IOCs including file hashes, C2 domains, and behavioral patterns. Organizations should subscribe to ESET Threat Intelligence or equivalent feeds for up-to-date Gamaredon IOCs.

Geopolitical Context

Gamaredon's operations exist within the broader context of Russian hybrid warfare against Ukraine. While kinetic operations continue, cyber operations serve complementary objectives:

  • Intelligence collection on military operations, troop movements, and government communications
  • Disruption of Ukrainian government and defense coordination
  • Psychological effect — Creating uncertainty and resource drain
  • Preparation for potential critical infrastructure attacks

The group's continued activity despite extensive public documentation reflects Russia's calculation that the operational benefits outweigh the reputational costs of attribution.

Key Takeaways

  • Gamaredon conducted 35 spear-phishing campaigns against Ukrainian targets in 2025
  • The group has expanded its malware toolkit with new implants and updated variants
  • Cloud service abuse (Telegram, OneDrive, GitHub) for C2 makes detection harder
  • The FSB-linked group shows no signs of slowing — high operational tempo will continue
  • Organizations in Ukraine and NATO partner nations should maintain heightened vigilance against Gamaredon TTPs

References

  • The Hacker News — Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse
  • ESET Research — Gamaredon Analysis
  • MITRE ATT&CK — Gamaredon Group (G0047)
  • Ukraine CERT-UA — Gamaredon Advisories
#Malware#Phishing#APT#Russia#Cloud Security#The Hacker News#Gamaredon#Ukraine

Related Articles

Russian APT Gamaredon Upgrades Its Arsenal, Requiring New Defenses

ESET research reveals FSB-sponsored Gamaredon has significantly upgraded its C2 infrastructure obfuscation and malware delivery capabilities, running 35...

3 min read

Ghostwriter Targets Ukraine Government Entities with Prometheus Phishing Malware

The Belarus-aligned Ghostwriter APT (UAC-0057/UNC1151) has launched a new phishing campaign impersonating Prometheus, a Ukrainian e-learning platform, to...

3 min read

''FrostyNeighbor'' APT Carefully Targets Govt Orgs in Poland, Ukraine

A Belarusian nation-state threat group dubbed FrostyNeighbor is conducting a precise espionage campaign against government organizations in Poland and...

5 min read
Back to all News