The Russian state-backed hacking group Gamaredon (aka “Shuckworm”) has been focusing on a army mission of a Western nation in Ukraine in assaults seemingly deployed from detachable drives.
Symantec risk researchers say the marketing campaign began in February 2025 and continued till March, with hackers deploying an up to date model of the GammaSteel info-stealing malware to exfiltrate information.
In accordance with the report, preliminary entry to the contaminated techniques was most likely achieved by way of detachable drives containing malicious .LNK information, a vector that Gamaredon has used previously.
The researchers word a change within the risk actor’s techniques, together with a shift from VBS scripts to PowerShell-based instruments, extra obfuscation for payloads, and elevated use of authentic companies for evasion.
Newest Gamaredon assaults in Ukraine
Throughout the investigation, the researchers observed within the Home windows Registry of the compromised system a brand new worth underneath the UserAssist key, indicating that the an infection began from an exterior drive from a shortcut file named information.lnk.
Subsequent, a closely obfuscated script creates and runs two information. The primary handles command and management (C2) communications, resolving the server deal with utilizing authentic companies, and connecting to Cloudflare-protected URLs.
The second file handles the spreading mechanism to contaminate different detachable and community drives utilizing LNK information, whereas additionally hiding sure folders and system information to cover the compromise.
Supply: Symantec
Subsequent, Gamaredon used a reconnaissance PowerShell script that may seize and exfiltrate screenshots of the contaminated system and collect details about put in antivirus instruments, information, and operating processes.
The ultimate payload used within the noticed assaults is a PowerShell-based model of GammaSteel that’s saved in Home windows Registry.
Supply: Symantec
The malware can steal paperwork (.DOC, .PDF, .XLS, .TXT) from numerous areas like Desktop, Paperwork, and Downloads, confirming Gamaredon’s persevering with curiosity in espionage.
Finally, the malware makes use of ‘certutil.exe’ to hash the information and exfiltrates them utilizing PowerShell net requests. If the exfiltration fails, Gamaredon makes use of cURL over Tor to switch the stolen information.
Lastly, a brand new key’s added to ‘HKCUSoftwareMicrosoftWindowsCurrentVersionRun’ to ascertain persistence on the goal pc.
The latest Gamaredon marketing campaign displays an effort to extend operational stealth and effectiveness regardless of the risk group’s restricted sophistication in comparison with different Russian state actors.
Symantec feedback that numerous incremental however significant enhancements within the risk group’s TTPs (techniques, strategies, and procedures) elevate the dangers it poses to Western networks, particularly contemplating Gamaredon’s unwavering tenacity.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK strategies behind 93% of assaults and how one can defend in opposition to them.
