Security researchers have detailed the evolving tactics of the Russian-affiliated threat group Gamaredon, particularly its use of the PteroLNK variant within the Pterodo malware family, GBHackers reports.
Known for targeting Ukrainian military, government, and infrastructure sectors, the group leverages obfuscated VBScript malware to maintain persistent access and dynamically deploy payloads. The campaign uses a combination of scheduled tasks, Windows Explorer tweaks, and frequent downloader activity to connect with a multi-stage command-and-control infrastructure. Gamaredon relies on Dead Drop Resolvers hosted on platforms like Telegraph, disguising connectivity checks with benign domains and using Cloudflare quick tunnels to obscure C2 communications. Analysts observed ongoing malware activity from late 2024 through March 2025, revealing Gamaredon's operational agility and consistent use of military-themed lures. Attribution to the group is supported by domain reuse, infrastructure overlap, and links to Russia's FSB. Experts warn that while not highly sophisticated, Gamaredon's persistent spearphishing and agile operations present a serious geopolitical cybersecurity threat.
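As an added example, not part of the GBHackers report or the researchers' material: a small correlation routine over constructed Sysmon-style events that flags hosts showing two or more of the behaviours the summary describes, a scheduled-task-launched VBScript host process, DNS lookups to Telegraph (telegra.ph), and DNS lookups to Cloudflare quick-tunnel hosts (*.trycloudflare.com). The event layout, parent-process list, and two-signal threshold are assumptions for illustration.

```python
import re
from collections import defaultdict

# Constructed Sysmon-style events (not from the report): id 1 = process create, id 22 = DNS query.
EVENTS = [
    {"id": 1, "host": "WS01", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\System32\svchost.exe",
     "cmdline": r'wscript.exe //B "C:\Users\u\AppData\Roaming\updt.vbs"'},
    {"id": 22, "host": "WS01", "query": "telegra.ph"},
    {"id": 22, "host": "WS01", "query": "solid-ocean-1234.trycloudflare.com"},
    {"id": 1, "host": "WS02", "image": r"C:\Windows\System32\wscript.exe",
     "parent": r"C:\Windows\explorer.exe",            # user-launched, not a scheduled task
     "cmdline": r'wscript.exe "C:\tools\backup.vbs"'},
    {"id": 22, "host": "WS03", "query": "telegra.ph"},  # single signal only
]

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Assumed parents for task-launched scripts: the Schedule service runs inside svchost.exe.
TASK_PARENTS = {"svchost.exe", "taskeng.exe"}
DDR_RE = re.compile(r"(^|\.)telegra\.ph$", re.I)          # Telegraph dead-drop resolver
TUNNEL_RE = re.compile(r"\.trycloudflare\.com$", re.I)   # Cloudflare quick tunnel hostnames

def basename(path):
    return path.rsplit("\\", 1)[-1].lower()

def score_events(events):
    """Return {host: set(signals)} for hosts that show at least two distinct signals."""
    signals = defaultdict(set)
    for ev in events:
        if ev["id"] == 1:
            if (basename(ev["image"]) in SCRIPT_HOSTS
                    and basename(ev["parent"]) in TASK_PARENTS
                    and ".vbs" in ev["cmdline"].lower()):
                signals[ev["host"]].add("task_vbs")
        elif ev["id"] == 22:
            if DDR_RE.search(ev["query"]):
                signals[ev["host"]].add("ddr_telegraph")
            if TUNNEL_RE.search(ev["query"]):
                signals[ev["host"]].add("cf_quick_tunnel")
    return {h: s for h, s in signals.items() if len(s) >= 2}

if __name__ == "__main__":
    for host, sigs in score_events(EVENTS).items():
        print(host, sorted(sigs))
```

Any one of these signals is common in benign environments; the value is in the combination on a single host, which is why the routine only reports hosts with two or more.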