Threat Intelligence

Gamaredon group expands malware arsenal in ongoing Ukraine cyberattacks


The Hacker News reports that the Russian advanced persistent threat (APT) group Gamaredon continued to evolve and expand its malware arsenal throughout 2025 as part of its ongoing campaign of cyberattacks against Ukraine.

ESET reported that Gamaredon conducted 35 distinct spear-phishing campaigns against Ukrainian governmental and military institutions in 2025, most of them in the second half of the year. The group's objective remains the exfiltration of sensitive information in support of Russian interests. The campaigns delivered malicious HTA downloaders either as archive attachments or via HTML smuggling inside XHTML files, and the downloaders then fetched additional payloads such as PteroSand. Some campaigns exploited a now-patched WinRAR path-traversal flaw (CVE-2025-8088, fixed in WinRAR 7.13) so that extracting the archive placed the downloader directly in the Windows Startup folder, giving persistence without any further user action. Gamaredon also used PteroLNK and PteroPaste to spread via infected USB and network drives, and PteroSetup to replace legitimate installer files with malicious 7z archives.
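As an added illustration (not code from the ESET report or the SC Media article), the following Python sketch runs three simple detections over constructed Sysmon-style events that correspond to the tradecraft described above: mshta.exe launching an .hta from a user-writable location, an archiver writing into the per-user Startup folder (the post-extraction outcome the WinRAR flaw enabled), and a script interpreter dropping a .lnk at the root of a non-system drive. The pipe-delimited log format, field order, file names, user name and the drive-letter heuristic are all assumptions made for the example.

```python
"""Triage constructed Sysmon-style events for three Gamaredon-like behaviours.

Assumed log format (one event per line, five pipe-separated fields):
    timestamp|EventType|Image|Target|ParentImage
For ProcessCreate events Target is the command line; for FileCreate events
it is the created file path and ParentImage may be empty.
"""
import re
from dataclasses import dataclass

# Constructed sample events (not real telemetry). The first three are
# the suspicious ones; the last two are benign noise.
SAMPLE_LOG = r"""
2025-09-14T10:02:11Z|ProcessCreate|C:\Windows\System32\mshta.exe|"C:\Windows\System32\mshta.exe" C:\Users\olena\Downloads\nakaz_2025.hta|C:\Windows\explorer.exe
2025-09-14T10:02:13Z|FileCreate|C:\Program Files\WinRAR\WinRAR.exe|C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\svc.hta|
2025-09-14T10:05:40Z|FileCreate|C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|E:\Documents.lnk|C:\Windows\explorer.exe
2025-09-14T10:06:02Z|ProcessCreate|C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE|"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" C:\Users\olena\Documents\report.docx|C:\Windows\explorer.exe
2025-09-14T10:07:19Z|FileCreate|C:\Windows\explorer.exe|C:\Users\olena\Documents\notes.txt|
"""

# Per-user Startup folder, where anything written is executed at logon.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Locations an e-mailed archive or smuggled file typically lands in.
USER_WRITABLE_RE = re.compile(r"\\(Downloads|Temp|AppData\\Local\\Temp)\\", re.IGNORECASE)
# Heuristic: a .lnk at the root of any drive other than C: (assumed to be
# removable or a mapped network share in this environment).
NON_SYSTEM_ROOT_LNK_RE = re.compile(r"^[D-Z]:\\[^\\]+\.lnk$", re.IGNORECASE)

ARCHIVERS = {"winrar.exe", "7z.exe", "7zg.exe", "7zfm.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "cmd.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


@dataclass
class Event:
    ts: str
    kind: str
    image: str
    target: str
    parent: str


def parse_log(log: str) -> list[Event]:
    """Parse the assumed pipe-delimited format; malformed lines are skipped."""
    events = []
    for line in log.splitlines():
        if not line.strip():
            continue
        fields = line.split("|", 4)  # the command line may itself contain '|'
        if len(fields) != 5:
            continue
        events.append(Event(*fields))
    return events


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def triage(events: list[Event]) -> list[tuple[str, str, str]]:
    """Return (timestamp, rule_name, evidence) for every event that fires a rule."""
    alerts = []
    for e in events:
        img = basename(e.image)
        if e.kind == "ProcessCreate" and img == "mshta.exe":
            # HTA downloader launched from a user-writable path
            if ".hta" in e.target.lower() and USER_WRITABLE_RE.search(e.target):
                alerts.append((e.ts, "hta_downloader", e.target))
        elif e.kind == "FileCreate" and img in ARCHIVERS and STARTUP_RE.search(e.target):
            # Archive extraction that lands in Startup: persistence via extraction
            alerts.append((e.ts, "archive_write_to_startup", e.target))
        elif e.kind == "FileCreate" and img in SCRIPT_HOSTS and NON_SYSTEM_ROOT_LNK_RE.match(e.target):
            # Script host planting a shortcut on a non-system drive (USB/share spreading)
            alerts.append((e.ts, "lnk_on_non_system_drive", e.target))
    return alerts


if __name__ == "__main__":
    for ts, rule, evidence in triage(parse_log(SAMPLE_LOG)):
        print(f"{ts}  {rule:28s} {evidence}")
```

The rules are deliberately narrow (they key on specific parents, paths and extensions) so that the benign WINWORD and explorer events do not fire; in production each would be tuned against the environment's own baseline, and the Startup-folder rule in particular should cover the machine-wide Startup folder as well as the per-user one shown here.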

The group increasingly relied on third-party tunneling services and serverless worker platforms to hide its back-end infrastructure behind legitimate provider domains, which makes the infrastructure harder to fingerprint and block. Six new PowerShell tools (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy and PteroPaste) broadened the group's custom malware capabilities. Gamaredon also used legitimate services such as Telegra.ph, Dropbox and GoFile for data exfiltration and command-and-control communication, which makes its operations more resilient and harder to disrupt.

Source: The Hacker News
