Gamaredon Group

Gamaredon is a Russia-linked, state-sponsored cyberespionage threat actor officially linked in the provided reporting to Russia’s Federal Security Service (FSB). The group has been active since at least 2013/2014 and is consistently described as focusing primarily on Ukraine. Reported targets include Ukrainian government, military, critical infrastructure, law enforcement, journalists, NGOs, and other national security-related organizations. Known aliases in the provided content include Actinium, APT-C-53, Aqua Blizzard, Armageddon, DEV-0157, Gamaredon, Iron Tilden, Primitive Bear, SectorC08, Shuckworm, Trident Ursa, UNC530, UAC-0010, BlueAlpha, and ACTINUM. The content also notes that SBU publicly associated Callisto/Calisto with Gamaredon, but that this link is not supported by other security companies or researchers. The group is described as specializing in long-term, persistent intrusion and espionage operations against Ukraine, with heavy use of spear-phishing and malicious attachments, including booby-trapped RAR archives. Recent reporting in the provided content describes exploitation of the WinRAR path traversal vulnerability CVE-2025-8088 to deliver a modular malware chain. Sekoia grouped this tooling under a "Gamma" taxonomy including GammaPhish, GammaLoad, GammaWorm, GammaSteel, and GammaWipe/GamaWiper. In that chain, weaponized XHTML lures and HTML smuggling delivered malicious RAR archives that placed an HTA file in the Windows Startup folder, leading to execution via mshta.exe. GammaLoad was described as a VBScript staging component used to fingerprint hosts, update registry-based network configuration through dead-drop resolvers, and fetch arbitrary VBScript payloads from command-and-control servers. GammaWorm was described as a heavily obfuscated VBScript worm that stores modules in NTFS Alternate Data Streams, persists via RunOnce registry keys and scheduled tasks, and propagates through USB drives and network shares by hiding legitimate folders and replacing them with malicious LNK shortcuts. The group’s infrastructure resolution and C2 concealment techniques include use of Telegram channels, Telegra.ph, graph.org, Teletype, Cloudflare Workers, public third-party websites, ngrok, TXT records, and cloud storage. GammaSteel was described as a modular information stealer that collects targeted files and exfiltrates them to AWS S3 or other actor-controlled servers. Additional behaviors directly mentioned in the content include use of obfuscated PowerShell scripts for staging, batch scripts for C2 establishment and payload download, registry Run keys for persistence, process enumeration including Process Explorer, file collection and upload to C2, removable-drive scanning, and deletion of files used during operations. The content also states that ESET presented technical evidence in 2025 that Gamaredon facilitated Turla access to high-value Ukrainian targets. In incidents observed between February and June 2025, Gamaredon tooling including PteroGraphin and PteroOdd was used to deploy Turla’s Kazuar backdoor, and in at least one case Gamaredon restored Turla’s access after Turla appeared to lose its foothold. The reporting characterizes this as direct operational collaboration and a division of labor in which Gamaredon establishes or maintains access while Turla deploys a more advanced espionage platform.