Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset
Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scale of its spearphishing campaigns, especially in the second half of the year. The group also made efforts to bypass network-based blocking, hiding most of its command and control infrastructure behind Cloudflare tunnels. Notable updates include enhancements to PteroLNK for weaponizing network drives, improvements in file exfiltration techniques, and the introduction of new downloaders. Despite these advancements, Gamaredon showed signs of operational limitations, occasionally abandoning or infrequently updating certain tools.
AI Analysis
Technical Summary
Gamaredon is a persistent advanced threat actor that throughout 2024 has concentrated its cyber operations against Ukrainian governmental institutions. The group employs spearphishing campaigns and weaponized USB drives as primary infection vectors. In 2024, Gamaredon significantly evolved its toolset by developing six new malware tools and enhancing existing ones to improve stealth and evasion capabilities. Key technical advancements include improvements to PteroLNK, a tool used to weaponize network drives, enabling more effective lateral movement and infection spread within targeted networks. The group also refined file exfiltration techniques, making data theft more efficient and harder to detect. Additionally, Gamaredon introduced new downloader malware variants to facilitate payload delivery. To evade network-based detection and blocking, the group increasingly leveraged Cloudflare tunnels to conceal its command and control (C2) infrastructure, complicating attribution and mitigation efforts. Despite these enhancements, Gamaredon exhibited some operational constraints, occasionally abandoning or infrequently updating certain tools, which may indicate resource limitations or shifting priorities. The threat actor’s focus on Ukrainian government entities, combined with its use of sophisticated evasion techniques and multi-vector infection methods, underscores its role as a state-aligned APT group engaged in espionage and disruption activities. No known public exploits have been reported, and the threat remains primarily targeted rather than opportunistic.
Potential Impact
For European organizations, especially those with close ties or operational overlap with Ukrainian institutions or interests, the Gamaredon threat presents a significant risk. The spearphishing campaigns and USB-based infection vectors could be adapted to target diplomatic, governmental, or critical infrastructure entities within Europe, potentially leading to unauthorized data exfiltration, espionage, and disruption of operations. The use of Cloudflare tunnels to mask C2 infrastructure complicates detection and response efforts, increasing dwell time and the likelihood of successful data theft or network compromise. While the current focus is on Ukraine, the geopolitical context and the group’s evolving capabilities suggest a potential spillover risk to European allies and partners. The threat to confidentiality is high due to advanced exfiltration techniques, while integrity and availability impacts could arise from lateral movement and potential deployment of destructive payloads. The medium severity rating reflects the group's narrowly targeted scope, weighed against sophisticated capabilities that could be turned on European targets under certain conditions.
Mitigation Recommendations
European organizations should implement targeted defenses against spearphishing and USB-based attacks by enforcing strict email filtering policies, including advanced threat protection with sandboxing and attachment analysis. Endpoint security solutions must be configured to detect and block known Gamaredon tool signatures and behaviors, including monitoring for suspicious PowerShell activity and network drive manipulations indicative of PteroLNK usage. Network defenses should incorporate anomaly detection to identify unusual outbound connections, especially those leveraging Cloudflare tunnels or other proxy services for C2 communications. Organizations should enforce strict USB device control policies, including disabling autorun features and restricting usage to authorized devices only. Regular threat intelligence sharing with national CERTs and European cybersecurity agencies can improve detection of emerging Gamaredon variants. Incident response teams should be trained to recognize the group’s tactics, techniques, and procedures (TTPs), and conduct regular phishing simulation exercises to raise user awareness. Finally, network segmentation and least privilege access controls can limit lateral movement if initial compromise occurs.
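As an added illustration of the network-side monitoring recommended above (not code from the page, nor from ESET or AlienVault), the following Python scans constructed DNS resolver log lines for queries to Cloudflare quick-tunnel hostnames and to a watchlist of feed domains, then flags clients that repeatedly resolve the same tunnel host. The log format, the sample hostnames and the placeholder watchlist entry are assumptions; in practice the watchlist would be populated from the pulse's own indicators.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the page): "<epoch> <client> <qname> <qtype>".
SAMPLE_DNS_LOG = """\
1720000000 10.1.2.15 login.microsoftonline.com A
1720000010 10.1.2.15 update.example-vendor.test A
1720000060 10.1.2.15 quiet-river-example.trycloudflare.com A
1720000120 10.1.2.15 quiet-river-example.trycloudflare.com A
1720000180 10.1.2.15 quiet-river-example.trycloudflare.com A
1720000200 10.1.2.31 cdn.example-static.test A
1720000220 10.1.2.31 placeholder-c2.example A
"""
# Constructed placeholder watchlist; load the pulse's domain indicators from your TI platform instead.
WATCHLIST = {"placeholder-c2.example"}
# Cloudflare quick tunnels are served from subdomains of this suffix.
TUNNEL_SUFFIX = ".trycloudflare.com"
LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+(\S+)\s+(\S+)$")


def parse_line(line):
    """Return (ts, client, qname) for a well-formed line, else None."""
    m = LINE_RE.match(line.strip())
    return (int(m[1]), m[2], m[3].rstrip(".").lower()) if m else None


def classify(qname, watchlist=WATCHLIST):
    """'watchlist' for an exact or subdomain feed hit, 'tunnel' for a quick-tunnel host, else None."""
    if qname in watchlist or any(qname.endswith("." + d) for d in watchlist):
        return "watchlist"
    if qname.endswith(TUNNEL_SUFFIX):
        return "tunnel"
    return None


def scan(log_text, watchlist=WATCHLIST):
    """Return (ts, client, qname, tag) for every flagged query in the log."""
    hits = []
    for line in log_text.splitlines():
        rec = parse_line(line)
        tag = classify(rec[2], watchlist) if rec else None
        if tag:
            hits.append((*rec, tag))
    return hits


def beaconing_clients(hits, min_queries=3):
    """Clients that resolved the same tunnel hostname at least min_queries times."""
    counts = defaultdict(int)
    for _ts, client, qname, tag in hits:
        if tag == "tunnel":
            counts[(client, qname)] += 1
    return sorted({c for (c, _q), n in counts.items() if n >= min_queries})
```

Legitimate developer use of trycloudflare.com exists, so treat tunnel hits as hunting leads to correlate with process and proxy telemetry rather than as automatic blocks.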
Affected Countries
Ukraine, Poland, Germany, France, United Kingdom, Estonia, Lithuania, Latvia
Indicators of Compromise
Technical Details
- Author: AlienVault
- TLP: white
- References: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
- Adversary: Gamaredon
- Pulse Id: 6867ae2d0a53dfda37955c4b
- Threat Score: null
Threat ID: 6867b2e56f40f0eb72a03c7a
Added to database: 7/4/2025, 10:54:29 AM
Last enriched: 7/4/2025, 11:09:36 AM
Last updated: 7/4/2025, 1:54:19 PM