ctipilot.ch


ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT)

From CTI Daily Brief — 2026-06-26 · published 2026-06-26

ESET's annual Gamaredon paper documents the FSB-linked group's 2025 toolset — six new PowerShell tools (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroPaste) plus a resurrected PteroSetup VBScript weaponizer — and, more usefully for defenders elsewhere, a wholesale shift of infrastructure onto trusted services (ESET, 2026-06-25). C2 now rides Cloudflare tunnels (trycloudflare.com), Cloudflare Workers (workers.dev), Microsoft DevTunnels (devtunnels.ms), Loophole, No-IP DDNS, Clever Cloud and Supabase; data is exfiltrated via rclone to S3-compatible object storage (Wasabi, Tebi, and Intercolo — which became the primary destination by December), and hostnames are brokered through dead-drop resolvers spread across Telegram, Telegra.ph, Dropbox, GoFile, Mastodon and a dozen paste services so no fixed IP or domain appears in the implant. ESET also confirms an early-2025 collaboration with Turla. Sekoia independently documented the same 2025 shift toward tunnel-service C2 and S3-compatible cloud-storage exfiltration in its parallel "FSB's Matryoshka" Gamaredon series (Sekoia, 2026-06-04). Targeting stayed exclusively Ukrainian government and military — the report names no EU targets — so the relevance here is the tradecraft, not the victimology.

Why it matters to us: the tunnel-and-cloud-storage model defeats domain/IP blocklists and blends with legitimate egress, and it is exactly the pattern any espionage operator can adopt. Detection concepts: alert on tunnel-service egress (trycloudflare.com / workers.dev / devtunnels.ms) initiated by Office or scripting processes, since the same domains are legitimate on developer hosts running cloudflared or the DevTunnels client and the initiating process is what carries the signal; flag rclone, or S3-API PUT/POST carrying AWS Signature Version 4 authorization, from hosts with no backup role, which also catches S3-compatible providers that are on no blocklist; hunt PowerShell that fetches a paste or dead-drop site (Telegra.ph, GoFile, Dropbox, Telegram) and decodes a base64 blob in the same command, since either half on its own is routine.
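The three detection concepts above as rules run over constructed telemetry. This is an added example written for this brief, not code from ESET, Sekoia or the Gamaredon toolset; the event field names, the Office/script process lists, the host names and the two extra dead-drop hosts (t.me, pastebin.com) are assumptions, and the sample events are synthetic. The S3 rule generalizes beyond the named providers by keying on the SigV4 Authorization scheme ("AWS4-HMAC-SHA256") rather than on Wasabi/Tebi/Intercolo endpoints.

```python
"""Hunting rules for tunnel C2, S3-style exfil and paste-site dead drops.

All events below are constructed; field names and process lists are
assumptions, not any vendor's schema. Hosts not named in the ESET report
are marked as assumptions.
"""
import re

# Tunnel services named in the report. Loophole and No-IP use many apex
# domains and would need their own lists (assumption: not covered here).
TUNNEL_DOMAINS = ("trycloudflare.com", "workers.dev", "devtunnels.ms")

# Processes that should never be the first to open a tunnel (assumed list).
OFFICE_PROCS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_PROCS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Dead-drop hosts named in the report plus two assumed ones.
DEAD_DROP_DOMAINS = ("telegra.ph", "gofile.io", "dropbox.com",
                     "t.me",          # assumption: Telegram web links
                     "pastebin.com")  # assumption: one of the unnamed paste services

URL_HOST = re.compile(r"https?://([^/\s\"')]+)", re.I)
B64_DECODE = re.compile(r"FromBase64String", re.I)


def _host_matches(host, domains):
    """True if host equals one of the domains or is a subdomain of it."""
    host = host.lower().split(":")[0].rstrip(".")
    return any(host == d or host.endswith("." + d) for d in domains)


def tunnel_egress(ev):
    """Rule 1: tunnel-service destination opened by an Office or script process.
    cloudflared.exe on a developer box is deliberately not in the process set."""
    proc = ev["process"].lower()
    return proc in OFFICE_PROCS | SCRIPT_PROCS and _host_matches(ev["dest_host"], TUNNEL_DOMAINS)


def s3_upload_off_role(ev):
    """Rule 2: rclone, or a PUT/POST signed with AWS SigV4, from a host whose
    role is not backup. Every S3-compatible store accepts SigV4, so matching the
    Authorization scheme catches providers that are on no blocklist."""
    if ev.get("role") == "backup":
        return False
    is_rclone = "rclone" in ev["process"].lower()
    sigv4_upload = (ev.get("method") in ("PUT", "POST")
                    and ev.get("authorization", "").startswith("AWS4-HMAC-SHA256"))
    return is_rclone or sigv4_upload


def paste_site_decode(ev):
    """Rule 3: PowerShell whose command line fetches a dead-drop host and
    base64-decodes in the same command. Either half alone is routine."""
    if ev["process"].lower() not in ("powershell.exe", "pwsh.exe"):
        return False
    cmd = ev.get("cmdline", "")
    hits_site = any(_host_matches(h, DEAD_DROP_DOMAINS) for h in URL_HOST.findall(cmd))
    return hits_site and bool(B64_DECODE.search(cmd))


RULES = (("tunnel_egress", tunnel_egress),
         ("s3_upload_off_role", s3_upload_off_role),
         ("paste_site_decode", paste_site_decode))


def triage(events):
    """Return (rule_name, host) for every event that trips a rule."""
    return [(name, ev["host"]) for ev in events for name, rule in RULES if rule(ev)]


# Constructed sample telemetry: process-creation and network fields flattened.
SAMPLE_EVENTS = [
    {"host": "WS-017", "role": "user", "process": "winword.exe",
     "dest_host": "quiet-river-1234.trycloudflare.com"},
    {"host": "WS-017", "role": "user", "process": "powershell.exe",
     "dest_host": "telegra.ph",
     "cmdline": "powershell -w hidden -c \"$p=(iwr https://telegra.ph/x-01-01).Content;"
                "[Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($p))\""},
    {"host": "WS-017", "role": "user", "process": "rclone.exe",
     "dest_host": "s3.example-store.net", "method": "PUT",
     "authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLE/s3/aws4_request"},
    # Legitimate: the backup server doing its job.
    {"host": "BKP-02", "role": "backup", "process": "rclone.exe",
     "dest_host": "s3.example-store.net", "method": "PUT",
     "authorization": "AWS4-HMAC-SHA256 Credential=EXAMPLE/s3/aws4_request"},
    # Legitimate: a developer running cloudflared directly.
    {"host": "DEV-05", "role": "developer", "process": "cloudflared.exe",
     "dest_host": "api.trycloudflare.com"},
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_EVENTS):
        print(hit)
```

Only the three WS-017 events fire; the backup server and the developer box pass, which is the point of conditioning on role and initiating process rather than on the destination alone.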