
Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Medium
Published: Fri Jul 04 2025 (07/04/2025, 10:34:21 UTC)
Source: AlienVault OTX General

Description

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scale of its spearphishing campaigns, especially in the second half of the year. The group also made efforts to bypass network-based blocking, hiding most of its command and control infrastructure behind Cloudflare tunnels. Notable updates include enhancements to PteroLNK for weaponizing network drives, improvements in file exfiltration techniques, and the introduction of new downloaders. Despite these advancements, Gamaredon showed signs of operational limitations, occasionally abandoning or infrequently updating certain tools.

AI-Powered Analysis

Last updated: 07/04/2025, 11:09:36 UTC

Technical Analysis

Gamaredon is a persistent advanced threat actor that throughout 2024 has concentrated its cyber operations against Ukrainian governmental institutions. The group employs spearphishing campaigns and weaponized USB drives as primary infection vectors. In 2024, Gamaredon significantly evolved its toolset by developing six new malware tools and enhancing existing ones to improve stealth and evasion capabilities. Key technical advancements include improvements to PteroLNK, a tool used to weaponize network drives, enabling more effective lateral movement and infection spread within targeted networks. The group also refined file exfiltration techniques, making data theft more efficient and harder to detect. Additionally, Gamaredon introduced new downloader malware variants to facilitate payload delivery. To evade network-based detection and blocking, the group increasingly leveraged Cloudflare tunnels to conceal its command and control (C2) infrastructure, complicating attribution and mitigation efforts. Despite these enhancements, Gamaredon exhibited some operational constraints, occasionally abandoning or infrequently updating certain tools, which may indicate resource limitations or shifting priorities. The threat actor’s focus on Ukrainian government entities, combined with its use of sophisticated evasion techniques and multi-vector infection methods, underscores its role as a state-aligned APT group engaged in espionage and disruption activities. No known public exploits have been reported, and the threat remains primarily targeted rather than opportunistic.

Potential Impact

For European organizations, especially those with close ties or operational overlap with Ukrainian institutions or interests, the Gamaredon threat presents a significant risk. The spearphishing campaigns and USB-based infection vectors could be adapted to target diplomatic, governmental, or critical infrastructure entities within Europe, potentially leading to unauthorized data exfiltration, espionage, and disruption of operations. The use of Cloudflare tunnels to mask C2 infrastructure complicates detection and response efforts, increasing dwell time and the likelihood of successful data theft or network compromise. While the current focus is on Ukraine, the geopolitical context and the group’s evolving capabilities suggest a potential spillover risk to European allies and partners. The threat to confidentiality is high due to advanced exfiltration techniques, while integrity and availability impacts could arise from lateral movement and potential deployment of destructive payloads. The medium severity rating reflects targeted scope but sophisticated capabilities that could be leveraged against European targets under certain conditions.

Mitigation Recommendations

European organizations should implement targeted defenses against spearphishing and USB-based attacks by enforcing strict email filtering policies, including advanced threat protection with sandboxing and attachment analysis. Endpoint security solutions must be configured to detect and block known Gamaredon tool signatures and behaviors, including monitoring for suspicious PowerShell activity and network drive manipulations indicative of PteroLNK usage. Network defenses should incorporate anomaly detection to identify unusual outbound connections, especially those leveraging Cloudflare tunnels or other proxy services for C2 communications. Organizations should enforce strict USB device control policies, including disabling autorun features and restricting usage to authorized devices only. Regular threat intelligence sharing with national CERTs and European cybersecurity agencies can improve detection of emerging Gamaredon variants. Incident response teams should be trained to recognize the group’s tactics, techniques, and procedures (TTPs), and conduct regular phishing simulation exercises to raise user awareness. Finally, network segmentation and least privilege access controls can limit lateral movement if initial compromise occurs.
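The outbound-connection monitoring recommended above can be prototyped as a simple indicator match. The following script is an added example, not code from the OTX pulse or from ESET's report: it takes a subset of the domain and IP indicators listed on this page, scans a few constructed DNS-query and connection log lines in a made-up "key=value" format, and returns a verdict for each hit. Because quick-tunnel hostnames under trycloudflare.com are ephemeral, any lookup under that suffix is flagged as a triage signal even when the exact hostname is not on the list; the function names, log format and sample lines are all assumptions for illustration.

```python
"""Added example (not from the pulse or ESET's paper): match constructed log
lines against the pulse's domain/IP indicators and flag Cloudflare quick-tunnel
lookups for triage."""
import ipaddress
import re
from typing import Dict, List, Optional

# Subset of the indicators listed on this page (the full set is in the pulse).
IOC_DOMAINS = {
    "andbien.ru", "iraiz.ru", "litanq.ru", "loguna.ru", "lucystew.ru",
    "noraspdan.ru", "phlovel.ru", "tienes.ru", "wasic.ru", "workbookee.ru",
    "www.phlovel.ru", "www.sheepster.ru",
    "crimes.trycloudflare.com", "domestic.trycloudflare.com",
    "ashley-characters-societies-freely.trycloudflare.com",
}
IOC_IPS = {
    "137.184.116.179", "138.68.161.53", "146.190.74.132", "159.223.226.57",
    "165.232.136.224", "209.38.97.36", "64.227.172.243", "38.54.12.3",
}
# Quick-tunnel names rotate, so an exact-match list goes stale quickly; any
# lookup under this suffix is worth a look even if it is not in IOC_DOMAINS.
TUNNEL_SUFFIX = ".trycloudflare.com"

# Constructed log format (assumption): "<timestamp> src=<ip> query=<name>"
# for DNS lookups and "<timestamp> src=<ip> dst=<ip>" for connections.
LINE_RE = re.compile(
    r"^(?P<ts>\S+)\s+src=(?P<src>\S+)\s+(?:query=(?P<q>\S+)|dst=(?P<dst>\S+))"
)


def normalize(name: str) -> str:
    """Lower-case and strip a trailing dot so 'Phlovel.RU.' matches."""
    return name.strip().rstrip(".").lower()


def classify_domain(name: str) -> Optional[str]:
    """Return 'ioc-domain' if the name or any parent label is an indicator,
    'cloudflare-tunnel' if it is a quick-tunnel hostname, else None."""
    name = normalize(name)
    labels = name.split(".")
    # Check the name and each parent, but never the bare TLD.
    for i in range(len(labels) - 1):
        if ".".join(labels[i:]) in IOC_DOMAINS:
            return "ioc-domain"
    if name.endswith(TUNNEL_SUFFIX):
        return "cloudflare-tunnel"
    return None


def classify_ip(addr: str) -> Optional[str]:
    """Return 'ioc-ip' when the address is a listed indicator, else None."""
    try:
        ip = ipaddress.ip_address(addr.strip())
    except ValueError:
        return None
    return "ioc-ip" if str(ip) in IOC_IPS else None


def scan(lines: List[str]) -> List[Dict[str, str]]:
    """Walk log lines and collect one finding per matching query/connection."""
    findings: List[Dict[str, str]] = []
    for line in lines:
        m = LINE_RE.match(line)
        if not m:
            continue  # unparseable line; a real pipeline would count these
        if m["q"]:
            verdict = classify_domain(m["q"])
            value = m["q"]
        else:
            verdict = classify_ip(m["dst"])
            value = m["dst"]
        if verdict:
            findings.append({"ts": m["ts"], "src": m["src"],
                             "value": value, "verdict": verdict})
    return findings


# Constructed sample lines; the hosts and times are made up.
SAMPLE_LOG = [
    "2025-07-04T10:00:01Z src=10.0.0.5 query=www.phlovel.ru",
    "2025-07-04T10:00:02Z src=10.0.0.5 dst=138.68.161.53",
    "2025-07-04T10:00:03Z src=10.0.0.7 query=freely.trycloudflare.com",
    "2025-07-04T10:00:04Z src=10.0.0.8 query=www.example.com",
    "2025-07-04T10:00:05Z src=10.0.0.8 dst=10.0.0.1",
    "malformed line",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"{f['ts']} {f['src']} -> {f['value']}: {f['verdict']}")
```

The "cloudflare-tunnel" verdict is deliberately separate from "ioc-domain": trycloudflare.com also carries legitimate traffic, so it should feed a triage queue or an allow-list review rather than an automatic block, while exact indicator hits can be escalated directly.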


Technical Details

Author
AlienVault
TLP
white
References
https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
Adversary
Gamaredon
Pulse Id
6867ae2d0a53dfda37955c4b
Threat Score
null

Indicators of Compromise

IP

137.184.116.179
138.68.161.53
146.190.74.132
159.223.226.57
165.232.136.224
209.38.97.36
64.227.172.243
143.110.168.51
143.198.216.105
157.230.108.94
157.230.94.134
157.245.201.196
159.203.21.16
161.35.169.180
161.35.185.146
164.90.210.128
165.22.120.122
167.172.74.200
167.99.127.118
178.128.215.84
213.182.204.71
38.54.12.3
64.227.139.249

Domain

andbien.ru
iraiz.ru
litanq.ru
loguna.ru
lucystew.ru
noraspdan.ru
phlovel.ru
tienes.ru
wasic.ru
workbookee.ru
ashley-characters-societies-freely.trycloudflare.com
crimes.trycloudflare.com
deny-webshots-hudson-verbal.trycloudflare.com
domestic.trycloudflare.com
drums-hobbies-geological-signatures.trycloudflare.com
freely.trycloudflare.com
governing.trycloudflare.com
incorporate-two-knowing-inside.trycloudflare.com
inside.trycloudflare.com
kinda-grows-reaches-crimes.trycloudflare.com
niagara-silent-exterior-talent.trycloudflare.com
ordering-ratings-motor-soldier.trycloudflare.com
sao-yield-are-domestic.trycloudflare.com
signatures.trycloudflare.com
soldier.trycloudflare.com
sub-nursery-foo-governing.trycloudflare.com
talent.trycloudflare.com
verbal.trycloudflare.com
www.phlovel.ru
www.sheepster.ru

Threat ID: 6867b2e56f40f0eb72a03c7a

Added to database: 7/4/2025, 10:54:29 AM

Last enriched: 7/4/2025, 11:09:36 AM

Last updated: 7/4/2025, 1:54:19 PM
