Matryoshka #3/3: Gamaredon's Gammasteel Infostealer
Gamaredon's GammaSteel is a sophisticated infostealer malware used in espionage operations targeting Ukrainian government, military, and critical infrastructure. It operates primarily in memory, leveraging Windows DPAPI encryption and storing multiple payload functions in the registry. The malware collects data through timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Data exfiltration is conducted via legitimate S3-compatible cloud storage with fallback to attacker-controlled servers. The infection chain uses VBScript for evasion and Dead Drop Resolvers on platforms like Telegram and Mastodon for command and control configuration. It includes bidirectional backdoor capabilities allowing arbitrary remote code execution. The attacker infrastructure is highly automated, rotating servers approximately every 24 hours.
AI Analysis (machine-generated threat intelligence)
Technical Summary
GammaSteel is an advanced infostealer deployed by the FSB-operated Gamaredon group targeting Ukrainian government and critical infrastructure. It runs mostly from memory, using Windows DPAPI encryption and storing 71 payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition methods: scheduled drive scans, USB device monitoring to compromise air-gapped systems, and real-time file surveillance. Exfiltration occurs through legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain heavily relies on VBScript for evasion and uses Dead Drop Resolvers on Telegram and Mastodon for C2 configuration. It also features a bidirectional backdoor enabling arbitrary remote code execution. The attacker infrastructure is highly automated, with server rotation approximately every 24 hours.
Potential Impact
The malware enables extensive espionage capabilities including data theft from targeted systems, persistence, and remote code execution. It targets sensitive Ukrainian government, military, and critical infrastructure entities, potentially compromising confidential information and operational security. The use of memory-resident techniques and legitimate cloud services for exfiltration complicates detection and mitigation.
Mitigation Recommendations
No official patch or remediation is indicated in the provided data, and patch status is not yet confirmed; check the vendor advisory or trusted threat intelligence sources for current remediation guidance. Defenders should focus on detecting the known indicators of compromise, the domain justsstop.ru and the IP address 165.22.170.129, monitor for unusual VBScript execution, and scrutinize registry keys and values under HKCU\Printers for suspicious payloads. Network monitoring for connections to S3-compatible cloud storage services such as Tebi.io and for Dead Drop Resolver lookups on Telegram or Mastodon may also help identify infections. Given the malware's use of USB propagation, controlling removable media use and scanning devices is advisable.
Affected Countries
Ukraine
Indicators of Compromise
- url: https://justsstop.ru/
- domain: justsstop.ru
- ip: 165.22.170.129
Technical Details
- Author: AlienVault
- TLP: white
- References: https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/
- Adversary: Gamaredon
- Pulse Id: 6a21844636a81843ce1af3cc
- Threat Score: null
Indicators of Compromise
| Type | Value | Description |
|---|---|---|
| URL | https://justsstop.ru/ | — |
| Domain | justsstop.ru | — |
| IP | 165.22.170.129 | — |
Threat ID: 6a228d8be29bf47b504f79e4
Added to database: 6/5/2026, 8:49:15 AM
Last enriched: 6/5/2026, 9:03:28 AM
Last updated: 6/5/2026, 1:12:43 PM