ctipilot.ch

Gamaredon

actor · actor:gamaredon single-source

Russia-nexus (FSB-linked) APT focused on Ukrainian government targets; pipeline coverage documents the GammaPhish/GammaWorm NTFS-ADS USB+network worm (Sekoia) and ESET's 2025 annual paper on its tunnel/Workers/dead-drop infrastructure and collaboration with Turla.

Coverage timeline
7
first 2026-06-01 → last 2026-06-29
Peak priority
high
2 high · 5 notable
Sources cited
11
10 hosts
Sections touched
6
research, updates, weekly-annual-reports
Co-occurring entities
8
see Related entities below
2026-06-017 appearances2026-06-29

Story timeline

  1. 2026-06-29Threat-actor developments: Russia-nexus espionage broadens; new China-nexus and DPRK clusters
    weekly-research
  2. 2026-06-29ESET Gamaredon 2025 — annual actor retrospective
    weekly-annual-reports
  3. 2026-06-26ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT)
    research
  4. 2026-06-03Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer
    updates
  5. 2026-06-02Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm
    research
  6. 2026-06-01Gamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosure
    weekly-multi-day
  7. 2026-06-01Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one)
    weekly-long-running

Where this entity is cited

  • research2
  • weekly-long-running1
  • weekly-multi-day1
  • updates1
  • weekly-annual-reports1
  • weekly-research1

Source distribution

  • thehackernews.com2 (18%)
  • blog.sekoia.io1 (9%)
  • cloud.google.com1 (9%)
  • ic3.gov1 (9%)
  • infosecurity-magazine.com1 (9%)
  • securelist.com1 (9%)
  • sekoia.com1 (9%)
  • sentinelone.com1 (9%)
  • other2 (18%)

Related entities

All cited sources (11)

Entries about Gamaredon (7)

2026-06-29 · view entry permalink →

NOTABLE

ESET Gamaredon 2025 — annual actor retrospective

Background. Gamaredon (FSB-linked, Russia-nexus) has been ESET's most-tracked Ukraine-focused operator for years; its prior annual papers documented a high-tempo, PowerShell-heavy toolset and aggressive infrastructure churn.

ESET's 2025 Gamaredon paper (covered 06-26) documents six new PowerShell tools and the wholesale migration of exfiltration and C2 onto trusted cloud services, tunnels and "workers" — the horizon implication for European public-sector defenders is detection-oriented: Gamaredon-class C2 increasingly hides inside legitimate cloud-service traffic (Cloudflare workers, Telegram, dead-drop resolvers), so network-indicator blocking degrades and behavioural detection on the endpoint and on anomalous cloud-service egress becomes the durable control.

annual-report29 Jun 00:21Zmulti-sourceOpen finding ↗

2026-06-29 · view entry permalink →

HIGH

Threat-actor developments: Russia-nexus espionage broadens; new China-nexus and DPRK clusters

The most significant new actor finding the dailies did not carry is Turla's STOCKSTAY — Google GTIG characterised a multi-component .NET/Windows Forms backdoor that communicates C2 over secure WebSocket and shares significant code overlap with Kazuar (Turla's staple implant since 2017). Delivery used malicious RDP files by phishing and, as recently as November 2025, RAR archives exploiting WinRAR's CVE-2025-8088 (a flaw also abused by Sandworm, Gamaredon and RomCom). Current targeting is Ukrainian government and military, but earlier victims had Italian, Dutch, Polish and German foreign-policy interest — a direct read-across for Swiss federal and European governmental entities with Ukraine-adjacent policy work (The Hacker News). This sits alongside the week's other Russia-nexus signal: FBI/CISA escalated their warning that Russian intelligence (tracked as UNC5792) is now phishing Signal Backup Recovery Keys for persistent account takeover, and ESET's Gamaredon retrospective (§ 7) shows the FSB-linked group moving exfil and C2 wholesale onto trusted cloud services.

Two non-Russian clusters round out the picture. Unit 42 documented CL-STA-1062, a Chinese-speaking cluster (overlapping Talos's UAT-7237) deploying the new TinyRCT .NET backdoor via AppDomainManager injection against Southeast-Asian government and state-owned energy targets (Unit 42); Kaspersky GReAT analysed the StrikeShark cluster's SharkLoader deploying Cobalt Strike via "Perfect DLL Hijacking" against government targets (Securelist). And SentinelLABS' macOS.Gaslight, a DPRK-aligned Rust backdoor, notably turns prompt injection on the LLM-assisted analyst rather than the sandbox (SentinelLABS) — an early instance of tradecraft built specifically to poison AI-assisted triage. Attribute the claim to the research outfit, not the state, where the source itself hedges.

research29 Jun 00:21Zmulti-sourceOpen finding ↗

2026-06-26 · view entry permalink →

HIGH

ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT)

ESET's annual Gamaredon paper documents the FSB-linked group's 2025 toolset — six new PowerShell tools (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroPaste) plus a resurrected PteroSetup VBScript weaponizer — and, more usefully for defenders elsewhere, a wholesale shift of infrastructure onto trusted services (ESET, 2026-06-25). C2 now rides Cloudflare tunnels (trycloudflare.com), Cloudflare Workers (workers.dev), Microsoft DevTunnels (devtunnels.ms), Loophole, No-IP DDNS, Clever Cloud and Supabase; data is exfiltrated via rclone to S3-compatible object storage (Wasabi, Tebi, and Intercolo — which became the primary destination by December), and hostnames are brokered through dead-drop resolvers spread across Telegram, Telegra.ph, Dropbox, GoFile, Mastodon and a dozen paste services so no fixed IP or domain appears in the implant. ESET also confirms an early-2025 collaboration with Turla. Sekoia independently documented the same 2025 shift toward tunnel-service C2 and S3-compatible cloud-storage exfiltration in its parallel "FSB's Matryoshka" Gamaredon series (Sekoia, 2026-06-04). Targeting stayed exclusively Ukrainian government and military — the report names no EU targets — so the relevance here is the tradecraft, not the victimology.

Why it matters to us: the tunnel-and-cloud-storage model defeats domain/IP blocklists and blends with legitimate egress, and it is exactly the pattern any espionage operator can adopt. Detection concepts: alert on tunnel-service egress (trycloudflare.com / workers.dev / devtunnels.ms) initiated by Office or scripting processes; flag rclone or S3-API PUT/POST from hosts with no backup role; hunt PowerShell that reads paste-site domains and decodes base64 blobs.

annual-report26 Jun 04:54Zmulti-sourceOpen finding ↗

Earlier coverage (4)

2026-06-03NOTABLEexploitedupdateGamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealerUPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to …2026-06-02NOTABLESekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network wormSekoia's Threat Detection & Research team published part one of a Gamaredon (UAC-0010 / ACTINIUM, attributed to Russia's FSB) series describing a January 2026 campaign against Ukrainian government and military targets, introducing unified naming for two capability clusters: GammaPhish (the funnel from …2026-06-01NOTABLEGamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one)Sekoia's first part of the Gamaredon series disclosed a January 2026 campaign arc (Sekoia TDR, 2026-06-01; daily 2026-06-02; update daily 2026-06-03). Initial access via CVE-2025-8088 (WinRAR path-traversal, widely unpatched) drops HTA payloads from xHTML attachments.2026-06-01NOTABLEGamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosureMonday 2 June brought Sekoia's part-one Gamaredon series (Sekoia TDR, 2026-06-01), consolidating three capability clusters under unified naming: GammaPhish (the spearphishing-through-GammaLoad funnel), GammaWorm (the USB-and-network-propagation layer), and GammaSteel (the S3-exfiltration stealer confirmed …