ESET Gamaredon 2025 — annual actor retrospective
From CTI Weekly Summary — 2026-W26 (Jun 22 – Jun 28, 2026) · published 2026-06-29
Background. Gamaredon (FSB-linked, Russia-nexus) has been ESET's most-tracked Ukraine-focused operator for years; its prior annual papers documented a high-tempo, PowerShell-heavy toolset and aggressive infrastructure churn.
ESET's 2025 Gamaredon paper (covered 06-26) documents six new PowerShell tools and the wholesale migration of exfiltration and C2 onto trusted cloud services, tunnels and "workers". The horizon implication for European public-sector defenders is detection-oriented: Gamaredon-class C2 increasingly hides inside legitimate cloud-service traffic (Cloudflare workers, Telegram, dead-drop resolvers). Because those destinations are shared, high-reputation infrastructure that is cheap for the actor to rotate and costly for the defender to block outright, network-indicator blocking degrades, and behavioural detection on the endpoint and on anomalous cloud-service egress becomes the durable control.
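As an added illustration of the behavioural-egress control this item points to (example code written for this summary, not code from ESET's paper or from the tooling it describes), the following Python pairs two signals that survive infrastructure churn: a non-browser process reaching a cloud "carrier" service, and regular beaconing to the same destination. It assumes a constructed egress log format, a short list of example carrier domains (Cloudflare Workers on workers.dev, Cloudflare quick tunnels on trycloudflare.com, the Telegram Bot API on api.telegram.org), and an assumed allow-list of browser-like processes; the host names, process names and the workers.dev subdomain in the sample are constructed and are not indicators from the report.

```python
"""Flag anomalous egress to legitimate cloud services.

Added example for this brief; not ESET's code or Gamaredon tooling.
Two behavioural signals, each independent of any specific indicator:
  1. a non-browser process talking directly to a cloud carrier service;
  2. low-jitter periodic connections (beaconing) to one carrier destination.
"""
from collections import defaultdict
from datetime import datetime
from statistics import mean, pstdev

# Assumption: example carrier services named in the brief, matched by suffix.
CLOUD_C2_CARRIERS = ("workers.dev", "trycloudflare.com", "api.telegram.org")
# Assumption: processes expected to reach these services directly.
BROWSER_LIKE = {"chrome.exe", "msedge.exe", "firefox.exe", "telegram.exe"}


def parse_line(line):
    """Constructed format: '<ISO timestamp> host=<h> proc=<p> dst=<domain>'."""
    ts, *kv = line.split()
    rec = dict(item.split("=", 1) for item in kv)
    rec["ts"] = datetime.fromisoformat(ts)
    return rec


def is_carrier(domain):
    """True when the destination is a carrier domain or a subdomain of one."""
    domain = domain.lower()
    return any(domain == c or domain.endswith("." + c) for c in CLOUD_C2_CARRIERS)


def beacon_score(timestamps):
    """Coefficient of variation of inter-arrival gaps; low means regular.

    Returns None with fewer than four samples (three gaps) to avoid
    scoring on too little data.
    """
    if len(timestamps) < 4:
        return None
    gaps = [(b - a).total_seconds() for a, b in zip(timestamps, timestamps[1:])]
    m = mean(gaps)
    return pstdev(gaps) / m if m > 0 else None


def detect(lines, max_cv=0.2):
    """Return (rule, host, proc, dst) alerts over the given log lines."""
    recs = sorted((parse_line(l) for l in lines), key=lambda r: r["ts"])
    by_key = defaultdict(list)
    alerts = []
    for r in recs:
        if not is_carrier(r["dst"]):
            continue
        key = (r["host"], r["proc"], r["dst"])
        by_key[key].append(r["ts"])
        # Rule 1: first sighting of a non-browser process reaching a carrier.
        if r["proc"].lower() not in BROWSER_LIKE and len(by_key[key]) == 1:
            alerts.append(("non_browser_cloud_egress",) + key)
    # Rule 2: regular cadence to the same carrier destination.
    for key, tss in by_key.items():
        cv = beacon_score(tss)
        if cv is not None and cv <= max_cv:
            alerts.append(("periodic_beacon",) + key)
    return alerts


# Constructed sample: one scripted beacon to a workers.dev subdomain at a
# ~5 minute cadence, plus ordinary browser traffic to Telegram.
SAMPLE_LOG = [
    "2026-06-24T09:00:00 host=WS01 proc=msedge.exe dst=api.telegram.org",
    "2026-06-24T09:00:05 host=WS01 proc=powershell.exe dst=abc-example.workers.dev",
    "2026-06-24T09:05:07 host=WS01 proc=powershell.exe dst=abc-example.workers.dev",
    "2026-06-24T09:10:04 host=WS01 proc=powershell.exe dst=abc-example.workers.dev",
    "2026-06-24T09:15:06 host=WS01 proc=powershell.exe dst=abc-example.workers.dev",
    "2026-06-24T09:16:00 host=WS02 proc=msedge.exe dst=api.telegram.org",
    "2026-06-24T10:42:00 host=WS02 proc=msedge.exe dst=api.telegram.org",
    "2026-06-24T11:03:00 host=WS02 proc=msedge.exe dst=api.telegram.org",
    "2026-06-24T11:04:00 host=WS02 proc=msedge.exe dst=api.telegram.org",
    "2026-06-24T11:05:00 host=WS01 proc=msedge.exe dst=update.example.com",
]

if __name__ == "__main__":
    for alert in detect(SAMPLE_LOG):
        print(alert)
```

The two rules deliberately ignore which subdomain or bot token is in use: rotating a worker name or Telegram bot leaves both the process-to-service relationship and the cadence intact, which is why these signals hold up when domain and IP blocklists do not. In production the browser allow-list would come from the organisation's own baseline rather than a fixed set, and the cadence threshold should be tuned against observed benign polling.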