Gamaredon, an APT group attributed by Ukraine's Security Service (SSU) to the 18th Center for Information Security of Russia's FSB, intensified its cyber-espionage operations against Ukrainian government and military institutions in 2025. According to ESET, which tracked the activity in a dedicated white paper, the group mounted 35 distinct spear-phishing campaigns, introduced six new PowerShell tools, and built an increasingly resilient C2 infrastructure through the abuse of tunnels, serverless workers, and cloud storage. A seemingly marginal detail — the timing of the group's own tool updates, which aligns with the Russian and Crimean holiday calendar — constitutes the most solid forensic proof of state-employed operators behind the operations.
- Gamaredon conducted 35 distinct spear-phishing campaigns in 2025, concentrated predominantly in the second half of the year, targeting exclusively Ukrainian government and military institutions.
- The group introduced six new PowerShell tools: PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, and PteroPaste, the most complex of which combines a downloader, USB weaponizer, and runner component.
- C2 infrastructure evolved to abuse tunnels, serverless workers, DDNS, PaaS, and legitimate services such as Dropbox, Telega.ph, GoFile, and pastebins, rendering blocks based on known domains ineffective.
- The temporal distribution of updates — suspended during Russian and Crimean holidays — suggests operators on a government office schedule, reinforcing the state-sponsored attribution.
Second-Half Surge: From January Development to 35 Campaigns
After a brief operational pause in January 2025, Gamaredon dedicated the first half of the year to tool development. ESET researcher Zoltán Rusnák stated: "While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools." The five PowerShell tools that emerged in that period — PteroDee, PteroCache, PteroDum, PteroOdd, and PteroEffigy — were followed by PteroPaste, an evolution toward greater integrated complexity.
The tempo shifted in the second half. The 35 campaigns identified by ESET became "both more frequent and larger in scale," per the white paper's phrasing. The objective remained constant: exfiltration of sensitive information to support Russian interests in the ongoing war. ESET stated the claim explicitly: "The group's ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine."
PteroPaste and the Dead-Drop Architecture: From Rentry to Dropbox via Tunnel
PteroPaste represents the convergence point of Gamaredon's evolutionary strategy. Initial versions used Rentry as a dead-drop resolver; later versions shifted resolution to Dropbox, with the encrypted C2 hostname downloaded from the platform and decrypted locally before connecting to infrastructure hidden behind tunneling services. This pattern — public cloud storage as intermediary, tunnels as an obfuscation layer — eliminates the need to contact attacker-controlled C2 servers directly in the initial phase.
Abuse of legitimate services extends beyond Dropbox. ESET documents the use of tunnels, serverless workers, dynamic DNS, PaaS platforms, messaging services, social media, blogging platforms, and pastebins for dead drops. The file stealers PteroVDoor and PteroPSDoor were updated to exfiltrate to Wasabi, Tebi, and Intercolo. The model is consistent: "low sophistication, high adaptability," where the simplicity of the core malware is compensated by update frequency and creativity in abusing others' infrastructure.
"As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services" — ESET
Hardened Persistence: CVE-2025-8088 and the Return of PteroSetup
Starting September 26, 2025, Gamaredon integrated the WinRAR vulnerability CVE-2025-8088 into its compromise chain, rated CVSS 8.8 HIGH by the National Vulnerability Database. The exploit enables placement of an HTA downloader in victims' Startup folders, adding a persistence layer that survives system reboots. The source describes the vulnerability as "now-patched," without specifying whether the patch was distributed before or during the documented abuse.
In parallel, the group resurrected PteroSetup, a VBScript weaponizer originally detected in January 2021 and presumably abandoned in subsequent years. The mechanism is technically specific: it replaces legitimate installers with 7z self-extracting (SFX) archives containing the original installer alongside a malicious VBScript downloader. The technique exploits the user's trust relationship with legitimate software to conceal the secondary payload.
Collaboration with Turla and the FSB Ecosystem
In Q1 2025, ESET documented collaboration between Gamaredon and Turla, another APT group also linked to the FSB. PteroOdd, one of the six new PowerShell tools, was employed primarily in this context. The ESET white paper dedicates a separate article to the episode, titled "Gamaredon X Turla collab." The source does not specify the duration, exact scope, or division of tasks between the two groups; the collaboration is documented only for the "first months of 2025" and is not confirmed as ongoing at the time of publication.
This convergence, combined with historical parallels to UAC-0099 (a group often associated with Sandworm/GRU but with tooling overlapping Gamaredon in the past, per CERT-UA), indicates a Russian cyber-operations ecosystem with increasing coordination among different units. The brief does not document direct contacts between Gamaredon and Sandworm in 2025.
The Calendar as Digital Fingerprint: Holidays and Office Hours
The most unusual — and perhaps most revealing — data point concerns the temporal distribution of tool updates. ESET observed that "many updates were made in the lead-up to major holidays in Russia and Crimea," with a systematic absence of updates during and immediately after those holidays. Rusnák commented: "Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees."
This pattern transforms an attribution hypothesis into measurable behavioral evidence. Operators do not act on continuous rotation or a traditional criminal model; they follow a rhythm compatible with Russian public holidays and a state-employee work structure. For APT threat analysts, the calendar becomes an indicator of equal standing to technical indicators of compromise.
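The calendar test described above, as an added example that is not part of ESET's analysis: it labels each tool-update timestamp by its position relative to a holiday window and checks whether it falls in Moscow office hours. The holiday list, the five-day lead-up and two-day lag windows, the UTC+3 operator time zone and the sample timestamps are all constructed assumptions.

```python
from datetime import date, datetime, timedelta, timezone
MSK = timezone(timedelta(hours=3))  # assumed operator time zone (Moscow)
# Constructed 2025 calendar: Russian federal holidays plus the Crimean regional
# holiday on 18 March, as inclusive (start, end) ranges. Illustrative, not ESET's data.
HOLIDAYS_2025 = [
    (date(2025, 1, 1), date(2025, 1, 8)),    # New Year holidays
    (date(2025, 2, 23), date(2025, 2, 23)),  # Defender of the Fatherland Day
    (date(2025, 3, 8), date(2025, 3, 8)),    # International Women's Day
    (date(2025, 3, 18), date(2025, 3, 18)),  # Crimea "reunification" day (regional)
    (date(2025, 5, 1), date(2025, 5, 1)),    # Spring and Labour Day
    (date(2025, 5, 9), date(2025, 5, 9)),    # Victory Day
    (date(2025, 6, 12), date(2025, 6, 12)),  # Russia Day
    (date(2025, 11, 4), date(2025, 11, 4)),  # Unity Day
]

def classify_day(day, holidays=HOLIDAYS_2025, lead=5, lag=2):
    """'holiday', 'lead-up' (lead days before), 'post-holiday' (lag days after) or 'ordinary'."""
    for start, end in holidays:
        if start <= day <= end:
            return "holiday"
        if start - timedelta(days=lead) <= day < start:
            return "lead-up"
        if end < day <= end + timedelta(days=lag):
            return "post-holiday"
    return "ordinary"

def is_office_hours(ts):
    """True if a UTC timestamp falls Mon-Fri, 09:00-17:59 MSK."""
    local = ts.astimezone(MSK)
    return local.weekday() < 5 and 9 <= local.hour < 18

def profile_updates(timestamps, **kw):
    """Count UTC update timestamps by holiday phase and by office-hours fit."""
    counts = {"holiday": 0, "lead-up": 0, "post-holiday": 0, "ordinary": 0}
    office = 0
    for ts in timestamps:
        counts[classify_day(ts.astimezone(MSK).date(), **kw)] += 1
        office += is_office_hours(ts)
    return {"phases": counts, "office_hours": office, "total": len(timestamps)}

# Constructed sample of tool-update timestamps (UTC); not ESET's observations.
SAMPLE_UPDATES = [
    datetime(2025, 2, 19, 7, 30, tzinfo=timezone.utc),    # Wed 10:30 MSK, before 23 Feb
    datetime(2025, 3, 13, 12, 5, tzinfo=timezone.utc),    # Thu 15:05 MSK, before 18 Mar
    datetime(2025, 5, 6, 6, 45, tzinfo=timezone.utc),     # Tue 09:45 MSK, before 9 May
    datetime(2025, 6, 9, 11, 20, tzinfo=timezone.utc),    # Mon 14:20 MSK, before 12 Jun
    datetime(2025, 9, 26, 13, 40, tzinfo=timezone.utc),   # Fri 16:40 MSK, ordinary day
    datetime(2025, 10, 30, 20, 15, tzinfo=timezone.utc),  # Thu 23:15 MSK, before 4 Nov
]
```

Run against a real series of observed build or deployment times, a high lead-up share with an empty holiday bucket is the signal the ESET finding describes; a flat distribution argues against an office-schedule operator.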
Immediate Priorities
For organizations with operations in Ukraine or supporting Ukrainian defenses, the ESET dossier imposes four priorities:
- Abandon C2 domain blocklists as a sole defense: Gamaredon resolves C2 through Dropbox, tunnels, and legitimate cloud services; controls must shift to behavioral traffic analysis and restriction of unauthorized services.
- Review execution policies for SFX archives and VBScript in the software installation chain, given the resurrection of PteroSetup and its installer-swapping technique.
- Monitor for HTA files in the Startup folder in combination with WinRAR archives, considering the documented abuse of CVE-2025-8088 starting September 26, 2025.
- Assess segmentation of access to third-party cloud services (storage, pastebins, serverless workers) that Gamaredon uses as dead drops and C2 channels.
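A detection rule for the third priority above (script files, HTA in particular, landing in a Startup folder with an archiver as the writing process), added here as an example over constructed file-creation telemetry; it is not ESET's or any vendor's rule, and the event field names, the risky extension set and the archiver process list are assumptions.

```python
from pathlib import PureWindowsPath

# Any file created directly inside a Startup folder (per-user under AppData\Roaming
# or all-users under ProgramData) has this marker in its path. Hypothetical rule.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
RISKY_EXT = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk", ".cmd", ".bat", ".ps1"}
# Archiver process names (assumption): a risky file written by one of these is
# consistent with extraction-time placement rather than a deliberate user action.
ARCHIVER_PROCS = {"winrar.exe", "unrar.exe", "7z.exe", "7zfm.exe", "7zg.exe"}

def _exe(path):
    return PureWindowsPath(path).name.lower()

def in_startup(path):
    return STARTUP_MARKER in path.lower().replace("/", "\\")

def detect_startup_drops(events):
    """Score file-create events (fields assumed: ts, process, parent, target).
    Returns alerts for risky file types landing in a Startup folder; severity is
    'high' when the writer or its parent is an archiver, else 'medium'."""
    alerts = []
    for ev in events:
        target = ev["target"]
        if not in_startup(target):
            continue
        if PureWindowsPath(target).suffix.lower() not in RISKY_EXT:
            continue
        actors = {_exe(ev["process"]), _exe(ev.get("parent", ""))}
        severity = "high" if actors & ARCHIVER_PROCS else "medium"
        alerts.append({"ts": ev["ts"], "target": target,
                       "process": _exe(ev["process"]), "severity": severity})
    return alerts

# Constructed telemetry (not real events): one archiver-written HTA, one script
# written by PowerShell, and two benign writes for contrast.
SAMPLE_EVENTS = [
    {"ts": "2025-09-26T09:14:03Z",
     "process": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.hta"},
    {"ts": "2025-09-26T09:15:40Z",
     "process": r"C:\Windows\explorer.exe", "parent": r"C:\Windows\System32\userinit.exe",
     "target": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.txt"},
    {"ts": "2025-09-26T10:02:11Z",
     "process": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "parent": r"C:\Windows\explorer.exe",
     "target": r"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup\sync.vbs"},
    {"ts": "2025-09-26T10:05:00Z",
     "process": r"C:\Program Files\WinRAR\WinRAR.exe", "parent": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\olena\Documents\report.docx"},
]
```

The same shape maps directly onto Sysmon Event ID 11 (FileCreate) or EDR file-write telemetry; the 'medium' tier catches the PteroSetup-style VBScript path, the 'high' tier the archiver-driven one.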
Reading the Enemy's Clock: When the Schedule Is the Proof
Gamaredon demonstrates that the line between "insufficient sophistication" and "effective adaptability" is thin. Its PowerShell tools do not compete on complexity with frameworks from groups like Turla or APT28; resilience operates by accretion, not architecture. Yet the frequency of updates, speed of reaction to defensive blocks, and integration of legitimate services create an inertia that traditional defenses struggle to counter.
The holiday detail adds a human dimension to an often abstract domain. APTs are not algorithmic entities; in this case, they leave traces on the calendar like any public employee. The challenge for defenders remains technical — redesigning controls for an adversary that no longer has a single domain to block — but the confirmation of state-sponsored attribution arrives from an unexpected observatory: the work schedule.
Information verified against cited sources and current as of publication.
Sources
- https://thehackernews.com/2026/06/gamaredon-expands-ukraine-attacks-with.html
- https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/
- https://therecord.media/russia-turla-espionage-ukraine-stockstay-malware
- https://thehackernews.com/2025/08/cert-ua-warns-of-hta-delivered-c.html