FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad
Gamaredon, an FSB-linked cyberespionage group, employs a sophisticated multi-stage malware called GammaLoad targeting Ukrainian government, military, and critical infrastructure. GammaLoad uses VBScript loaders in three stages to maintain persistent access, leveraging legitimate platforms like Telegram and Telegraph for command and control. It abuses Windows features such as Alternate Data Streams and scheduled tasks to evade detection and establish persistence. The final payload, GammaSteel, is delivered via obfuscated PowerShell scripts. This layered 'matryoshka' approach allows flexible deployment of arbitrary payloads while minimizing visibility.
AI Analysis
Technical Summary
GammaLoad is a multi-stage malware framework used by the FSB-operated Gamaredon group to conduct cyberespionage against Ukrainian targets. The infection chain involves three distinct stages: the first stage fingerprints hosts and implements failover mechanisms; the second stage writes payloads to Alternate Data Streams and creates scheduled tasks for persistence; the third stage executes obfuscated PowerShell scripts to deploy the final GammaSteel payload. Command and control communications are maintained through Dead Drop Resolvers hosted on legitimate platforms such as Telegram, Telegraph, and Check-Host, with configuration data stored in Windows registry keys. This architecture abuses trusted Windows features and cloud platforms to maintain stealth and continuous access.
Potential Impact
The malware enables persistent unauthorized access to targeted systems within Ukrainian government, military, and critical infrastructure sectors. It facilitates espionage activities by allowing operators to deploy arbitrary payloads covertly. The use of legitimate platforms for C2 and Windows native features for persistence complicates detection and mitigation efforts. Although no known exploits in the wild are reported, the threat poses a medium severity risk due to its targeted nature and sophisticated evasion techniques.
Mitigation Recommendations
No official patch or vendor advisory is available for this malware. Mitigation should focus on detecting and disrupting the multi-stage infection chain by monitoring for suspicious use of Alternate Data Streams, scheduled tasks, and obfuscated PowerShell execution. Network monitoring for unusual communications to platforms like Telegram, Telegraph, and Check-Host may help identify C2 activity. Incident response teams should apply threat intelligence to identify indicators of compromise related to GammaLoad and GammaSteel. Since this is a targeted espionage campaign, tailored detection and response strategies are recommended.
Indicators of Compromise
- hash: a2c6e01001c62f6198e31a9d603977c6
- hash: bf94f4056627907d86ce1cae8b44c67a
- hash: d2a6009587b3cb73355c2d1e53d5cdfa
- url: https://insight-sweet-drainage-appreciated.trycloudflare.com/log
- domain: insight-sweet-drainage-appreciated.trycloudflare.com
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.sekoia.io/fsbs-matryoshka-2-3-gamaredons-gifts-that-keeps-unpacking-gammaload/
- Adversary: Gamaredon
- Pulse Id: 6a2029a0dfb4183bb573e8b2
- Threat Score: null
Threat ID: 6a213bede29bf47b50851cfd
Added to database: 6/4/2026, 8:48:45 AM
Last enriched: 6/4/2026, 9:04:05 AM
Last updated: 6/4/2026, 10:14:39 AM