Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

The Hacker News, July 3, 2026 (Cybersecurity)

Ravie Lakshmanan, Jun 29, 2026. Cloud Security / Malware

A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025.

Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these efforts include Ukrainian governmental and military institutions.

“Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine,” ESET said. “The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine.”

The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand. Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim’s Windows Startup folder.

This, in turn, causes the downloader to be automatically executed on the next login, thereby adding a persistence mechanism to the compromise chain. Gamaredon’s attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.

Also used is PteroSetup, an older Visual Basic Script (VBScript) weaponizer first detected in January 2021 and previously assumed to have been discontinued. The tool scans USB and mapped network drives for legitimate installer files and, if found, replaces them with 7z self-extracting (SFX) archives containing the original installer and a malicious VBScript downloader.
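The three on-disk patterns described above (a script downloader dropped into the Windows Startup folder, LNK files planted at the root of a USB or mapped network drive, and installers swapped for 7z SFX archives) are the kind of thing a responder can triage with a short script. The following is an added example, not ESET's or The Hacker News' code; the extension list and the "shortcut named after a sibling folder" heuristic are assumptions, and the only facts taken from the write-up are HTA/VBScript downloaders, LNK files on drives, and 7z SFX replacement.

```python
"""Triage helper for the on-disk artifacts named in the ESET write-up.
Added example; the heuristics here are assumptions, not ESET's tooling."""
import os
from pathlib import Path

# Script/shortcut types a dropped downloader would plausibly use (assumption;
# the article itself names only HTA and VBScript downloaders and LNK files).
STARTUP_SCRIPT_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                       ".lnk", ".cmd", ".bat", ".ps1"}
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # signature at the start of a 7z archive
# Per-user Startup folder; anything here runs at next logon.
STARTUP_DIR = os.path.join(os.environ.get("APPDATA", ""), "Microsoft", "Windows",
                           "Start Menu", "Programs", "Startup")


def suspicious_startup_entries(names):
    """Return Startup-folder entries whose extension is a script or shortcut."""
    return sorted(n for n in names if Path(n).suffix.lower() in STARTUP_SCRIPT_EXTS)


def suspicious_drive_root_entries(entries):
    """entries: iterable of (name, is_dir) found at a drive root.
    Flags every LNK, and notes when its stem matches a sibling folder name
    (a decoy-shortcut pattern; assumption, not stated in the article)."""
    dirs = {name.lower() for name, is_dir in entries if is_dir}
    findings = []
    for name, is_dir in entries:
        if not is_dir and name.lower().endswith(".lnk"):
            decoy = Path(name).stem.lower() in dirs
            findings.append((name, "lnk mimics sibling folder" if decoy
                             else "lnk at drive root"))
    return findings


def looks_like_7z_sfx(data):
    """True for a PE image with a 7z archive appended after the SFX stub."""
    return data[:2] == b"MZ" and data.find(SEVEN_ZIP_MAGIC, 2) != -1


def audit_drive_root(root):
    """Walk the top level of a mounted drive and combine the LNK and SFX checks."""
    entries = [(e.name, e.is_dir()) for e in os.scandir(root)]
    report = {"lnk": suspicious_drive_root_entries(entries), "sfx": []}
    for name, is_dir in entries:
        if not is_dir and name.lower().endswith(".exe"):
            with open(os.path.join(root, name), "rb") as fh:
                if looks_like_7z_sfx(fh.read()):
                    report["sfx"].append(name)
    return report


if __name__ == "__main__":
    if os.path.isdir(STARTUP_DIR):
        print("Startup:", suspicious_startup_entries(os.listdir(STARTUP_DIR)))
```

A hit on an SFX is only a lead: legitimate installers are also shipped as 7z SFX, so compare the file against the vendor's published hash before acting on it.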

“In 2025, the group’s reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure,” ESET said.

The attacks are also characterized by the introduction of six new malicious PowerShell tools, broadening its custom malware arsenal –

  • PteroDee and PteroCache for fetching and executing PowerShell payloads in memory
  • PteroDum for fetching and executing VBScript payloads in memory
  • PteroOdd for fetching a single PowerShell payload using the Telegra.ph API and likely used in campaigns in which the Gamaredon actors collaborated with Turla
  • PteroEffigy for fetching the command-and-control (C2) server using the GoFile cloud storage service
  • PteroPaste for weaponizing USB drives and downloading additional PowerShell payloads via an encrypted channel

“While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools,” ESET researcher Zoltán Rusnák said.

“Many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees.”

Another noteworthy aspect of the threat actor’s campaign revolves around the use of a wide range of legitimate services as data exfiltration channels and dead drop resolvers to obtain details of the C2 server and to point malware to infrastructure already hidden behind tunnels or serverless workers. These include –

  • Telegra.ph
  • Teletype
  • Rentry.co
  • Write.as
  • Dropbox
  • GoFile
  • DEV Community (dev.to)
  • Mastodon
  • Lesma
  • Nopaste.net
  • Paste.ee
  • Wasabi
  • Tebi
  • Intercolo

“As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services,” ESET said. “Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt.”
