- The Russian-linked Gamaredon APT group executed 35 spear-phishing campaigns in 2025, primarily targeting Ukrainian government and military entities.
- Their arsenal expanded with six new PowerShell tools and novel exploitation of a WinRAR vulnerability to achieve persistent access.
- The attackers increasingly relied on legitimate cloud services, tunnel platforms, and “dead drops” to conceal their command-and-control infrastructure.
The Russian advanced persistent threat group Gamaredon intensified its cyber campaign against Ukraine throughout 2025, launching dozens of sophisticated spear-phishing attacks primarily aimed at government and military institutions, according to ESET. The group's objective remains the theft of sensitive information in support of Russian military interests in the ongoing conflict.
These attacks often employed malicious archive attachments or XHTML files using HTML smuggling to deliver downloaders. Some campaigns even weaponized a patched WinRAR flaw, allowing malware to be placed directly in the Windows Startup folder for automatic execution.
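The delivery trick described above depends on an archive member name that resolves outside the extraction directory and into a Startup folder, where Windows runs it at the next logon. A defender can catch that before extraction by auditing member names. The script below is an added illustration, not code from the article or from ESET; it uses a ZIP built in memory as a stand-in for the WinRAR case (the check is on the member name, not the container format), and the constructed sample archive, the `Finding` type and the function names are all assumptions of this example.

```python
"""Pre-extraction audit of archive member names.

Added example (not from the article or ESET): flags archive entries that
would escape the extraction directory or land in a Windows Startup folder,
the auto-execution location the article describes. A ZIP built in memory
stands in for the WinRAR archive, since the check is on member names only.
"""
import io
import zipfile
from dataclasses import dataclass

# Case-insensitive marker shared by the per-user and all-users Startup folders.
STARTUP_MARKER = "start menu/programs/startup"


@dataclass
class Finding:
    entry: str
    reasons: list


def normalise(name: str) -> str:
    """Treat backslashes as separators; Windows archive tools accept both."""
    return name.replace("\\", "/")


def escapes_extraction_root(name: str) -> bool:
    """True if the member is absolute, carries a drive letter, or climbs
    above the extraction directory through '..' segments."""
    n = normalise(name)
    if n.startswith("/") or (len(n) > 1 and n[1] == ":"):
        return True
    depth = 0
    for part in n.split("/"):
        if part == "..":
            depth -= 1
            if depth < 0:          # climbed above the extraction root
                return True
        elif part not in ("", "."):
            depth += 1
    return False


def targets_startup_folder(name: str) -> bool:
    return STARTUP_MARKER in normalise(name).lower()


def scan_archive_names(names):
    """Return one Finding per suspicious member, with every reason attached."""
    findings = []
    for name in names:
        reasons = []
        if escapes_extraction_root(name):
            reasons.append("path traversal outside extraction directory")
        if targets_startup_folder(name):
            reasons.append("writes into a Startup folder (auto-executed at logon)")
        if reasons:
            findings.append(Finding(name, reasons))
    return findings


def scan_zip_bytes(data: bytes):
    """Audit a ZIP held in memory without extracting anything."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return scan_archive_names(zf.namelist())


def build_sample_archive() -> bytes:
    """Constructed sample: one benign document plus one member whose name
    climbs out of the extraction directory into the user's Startup folder."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.pdf", b"%PDF-1.4 placeholder")
        zf.writestr(
            "../../Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.lnk",
            b"placeholder bytes, not a real shortcut",
        )
    return buf.getvalue()


if __name__ == "__main__":
    for f in scan_zip_bytes(build_sample_archive()):
        print(f"{f.entry}: {'; '.join(f.reasons)}")
```

Run it as-is to see the constructed traversal member flagged with both reasons while the benign document passes. In a mail gateway or sandbox, the same `scan_archive_names` check can run over the listing produced by whatever unpacker handles RAR, and a hit on either reason is enough to quarantine the attachment rather than extract it.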
At the same time, the group's toolkit saw significant expansion with the introduction of six new custom PowerShell tools. These include PteroDee, PteroCache, and PteroOdd, which fetch and execute payloads from hidden channels.
Meanwhile, Gamaredon also revived older weaponizers like PteroSetup to infect USB and network drives. Their operations relied heavily on lateral movement through malicious LNK files to spread the infection across compromised networks.
However, a defining trend in 2025 was the group’s growing dependence on third-party services to hide their activities. They extensively used tunnel services, serverless workers, and a wide array of legitimate platforms as dead drop resolvers and data exfiltration channels.
These services included cloud storage like Dropbox and GoFile, blogging platforms such as Telegra.ph and DEV Community, and even social networks like Mastodon. This approach made their infrastructure more flexible and significantly harder for defenders to track and disrupt.
ESET researcher Zoltán Rusnák noted, “While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools.” The timing of updates around Russian holidays further suggested the operators are likely government-affiliated employees.
