A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025.
Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these efforts include Ukrainian governmental and military institutions.
“Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine,” ESET said. “The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine.”
The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand. Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim’s Windows Startup folder.
This, in turn, causes the downloader to be automatically executed on the next login, thereby adding a persistence mechanism to the compromise chain. Gamaredon’s attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.
Also used is PteroSetup, an older Visual Basic Script (VBScript) weaponizer first detected in January 2021 and likely assumed to be discontinued. The tool scans USB and mapped network drives for legitimate installer files, and if found, replaces them with 7z self-extracting (SFX) archives containing the original installer and a malicious VBScript downloader.
“In 2025, the group’s reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure,” ESET said.
The attacks are also characterized by the introduction of six new malicious PowerShell tools, broadening its custom malware arsenal –
- PteroDee and PteroCache for fetching and executing PowerShell payloads in memory
- PteroDum for fetching and executing VBScript payloads in memory
- PteroOdd for fetching a single PowerShell payload using the Telegra.ph API and likely used in campaigns in which the Gamaredon actors collaborated with Turla
- PteroEffigy for fetching the command-and-control (C2) server using the GoFile cloud storage service
- PteroPaste, for weaponizing USB drives and downloading additional PowerShell payloads via an encrypted channel
“While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the…
Source link
Disclaimer
We strive to uphold the highest ethical standards in all of our reporting and coverage. We blogs.grocliq.com want to be transparent with our readers about any potential conflicts of interest that may arise in our work. It’s possible that some of the investors we feature may have connections to other businesses, including competitors or companies we write about. However, we want to assure our readers that this will not have any impact on the integrity or impartiality of our reporting. We are committed to delivering accurate, unbiased news and information to our audience, and we will continue to uphold our ethics and principles in all of our work. Thank you for your trust and support.
Website Upgradation is going on for any glitch kindly connect at [email protected]
