Mallory
Malware (used by 1 actor)

PteroBox

PteroBox is a PowerShell file stealer attributed to Gamaredon, the Russia-aligned threat actor also tracked as Primitive Bear, UNC530 and Aqua Blizzard. It was discovered in November 2024 and reported as a new tool introduced during the group's cyberespionage operations against Ukraine, chiefly governmental and military institutions. It closely resembles the group's PteroPSDoor file stealer but differs in where it sends its loot: PteroBox exfiltrates stolen files to Dropbox through the Dropbox API, and at least one newer variant uses the rclone utility for the upload instead. ESET reported that PteroBox uses WMI event subscriptions to detect newly inserted USB drives, so removable media is harvested as soon as it appears, and that it keeps track of files it has already stolen so the same file is not uploaded twice. PteroBox is linked with high confidence to Gamaredon's broader espionage activity in support of Russian interests in the war against Ukraine.


THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers.

Gamaredon Group

"At the same time, PteroBox continued to upload files to Dropbox, and one newer variant used the rclone utility to do so."

Source: ESET, WeLiveSecurity blog (welivesecurity.com)
MITRE ATT&CK

Techniques & procedures

3 distinct techniques documented for this family, organized by ATT&CK tactic.

Execution

1 technique
T1059.001 PowerShell (evidence: 1)

Evidence: "using malicious LNK files to execute PowerShell commands directly from Cloudflare-generated domains"

Persistence

1 technique
T1546.003 Windows Management Instrumentation Event Subscription (evidence: 1)

Evidence: "It leverages WMI event subscriptions to detect newly inserted USB drives ... PteroPSDoor ... also implemented WMI event subscriptions to detect new USB insertions"

Privilege Escalation

1 technique
T1546.003 Windows Management Instrumentation Event Subscription (evidence: 1)

Evidence: "It leverages WMI event subscriptions to detect newly inserted USB drives ... PteroPSDoor ... also implemented WMI event subscriptions to detect new USB insertions"

The same entry is listed under Privilege Escalation only because ATT&CK files T1546.003 under both the Persistence and Privilege Escalation tactics. The cited evidence describes the subscription as a trigger that fires on USB insertion, not as a step that gains higher privileges.
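The ESET evidence says PteroBox (and PteroPSDoor before it) reacts to USB insertion through a WMI event subscription, but the page does not publish the WQL it uses or say whether the subscription is permanent (stored in root/subscription) or temporary (registered inside the running PowerShell process with Register-WmiEvent or Register-CimIndicationEvent and gone when that process exits). The hunt below is an added example, not PteroBox code and not from ESET or Mallory. It enumerates permanent subscriptions and flags any whose filter fires on volume or device arrival and whose consumer hands control to a script engine. The trigger and consumer regexes are this example's heuristics, not published indicators; run it elevated.

```powershell
# Added hunt example, not PteroBox code and not from ESET or Mallory.
# Lists permanent WMI event subscriptions and flags those whose filter watches
# for a new volume / removable drive and whose consumer launches a script engine.
# The two regexes are assumptions for this example; the page gives no PteroBox WQL.

function Get-SuspiciousWmiSubscription {
    $ns = 'root/subscription'
    $filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter
    $consumers = Get-CimInstance -Namespace $ns -ClassName __EventConsumer   # returns concrete subclasses
    $bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding

    # WQL shapes that fire on volume arrival or on a new disk / PnP / USB instance (heuristic).
    $usbTrigger = 'Win32_VolumeChangeEvent|Win32_DeviceChangeEvent|__InstanceCreationEvent.*Win32_(LogicalDisk|DiskDrive|PnPEntity|USB\w*)'
    # Consumer payloads that run a script or a living-off-the-land binary (heuristic).
    $scriptRun  = 'powershell|pwsh|cmd\.exe|wscript|cscript|mshta|rundll32|regsvr32'

    foreach ($b in $bindings) {
        # Filter/Consumer are object references whose key is Name; fall back to parsing
        # the string form ('Name="x"' for WMI paths, 'Name = "x"' for CIM rendering).
        $fName = $b.Filter.Name
        if (-not $fName) { $fName = [regex]::Match("$($b.Filter)",   'Name\s*=\s*"([^"]*)"').Groups[1].Value }
        $cName = $b.Consumer.Name
        if (-not $cName) { $cName = [regex]::Match("$($b.Consumer)", 'Name\s*=\s*"([^"]*)"').Groups[1].Value }

        $f = $filters   | Where-Object Name -eq $fName | Select-Object -First 1
        $c = $consumers | Where-Object Name -eq $cName | Select-Object -First 1

        # The action lives in a class-specific property of the consumer.
        $action = switch ($c.CimClass.CimClassName) {
            'CommandLineEventConsumer'  { $c.CommandLineTemplate }
            'ActiveScriptEventConsumer' { $c.ScriptText }
            default                     { '' }
        }

        $isUsb    = [bool]($f.Query -match $usbTrigger)
        $isScript = [bool]($action  -match $scriptRun)

        [pscustomobject]@{
            Filter        = $fName
            Consumer      = $cName
            ConsumerClass = $c.CimClass.CimClassName
            Query         = $f.Query
            Action        = $action
            UsbTrigger    = $isUsb
            RunsScript    = $isScript
            Suspicious    = ($isUsb -and $isScript)
        }
    }
}

# Show only the bindings that match both heuristics; drop the Where-Object to review everything.
Get-SuspiciousWmiSubscription | Where-Object Suspicious | Format-List
```

Two caveats for the analyst. First, a subscription registered in-process by a running PowerShell stealer never appears in root/subscription; that case shows up instead as a long-lived powershell.exe whose parent is explorer.exe (the LNK path in the Execution evidence) and can be caught at creation time by Sysmon's WMI events (IDs 19, 20 and 21 cover filter, consumer and binding creation). Second, legitimate management software also installs permanent subscriptions, so a hit is a lead to read, not a verdict; a confirmed malicious binding is removed with Remove-CimInstance on the binding, then the filter and the consumer.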

Exfiltration

1 technique
T1567.002 Exfiltration to Cloud Storage (evidence: 2)

Evidence: "The file stealers PteroVDoor and PteroPSDoor were upgraded to support exfiltration to cloud storage services (Wasabi, Tebi, and Intercolo), which became the primary exfiltration method... PteroBox continued to upload files to Dropbox, and one newer variant used the rclone utility to do so."
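The exfiltration evidence above gives a defender three observables: a PowerShell process talking to the Dropbox API, an rclone process doing the same job in the newer variant, and (from the Execution evidence) PowerShell launched from an LNK with a Cloudflare-generated domain on its command line. The script below is an added example, not PteroBox code and not from ESET or Mallory. It reads Sysmon process-creation (ID 1), network-connection (ID 3) and DNS-query (ID 22) events and reports those three patterns. The Dropbox host names are the public API endpoints; the assumption that "Cloudflare-generated domains" means quick-tunnel hosts under trycloudflare.com, the process-name list and the rclone command-line pattern are this example's own choices, not published PteroBox indicators.

```powershell
# Added hunt example, not PteroBox code and not from ESET or Mallory.
# Reads Sysmon IDs 1, 3 and 22 and reports PowerShell/rclone activity that touches
# Dropbox, plus PowerShell started with a Cloudflare quick-tunnel URL on its command line.
# The regexes and the trycloudflare.com assumption are this example's, not published IOCs.

function Find-PteroBoxStyleActivity {
    param([datetime]$Since = (Get-Date).AddDays(-7))

    $log = 'Microsoft-Windows-Sysmon/Operational'
    # Public Dropbox API hosts (api./content./notify.dropboxapi.com) and dropbox.com itself.
    $dropboxHosts     = '(^|\.)dropboxapi\.com$|(^|\.)dropbox\.com$'
    # Images a PowerShell stealer or an rclone helper would run as (heuristic).
    $suspectImages    = '\\(powershell|pwsh|rclone|wscript|cscript)\.exe$'
    # Assumption: "Cloudflare-generated domains" = Cloudflare quick-tunnel hosts.
    $cloudflareTunnel = 'trycloudflare\.com'

    $filter = @{ LogName = $log; Id = 1, 3, 22; StartTime = $Since }
    $events = Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue

    foreach ($e in $events) {
        # Flatten the <Data Name="..."> nodes of the event into a hashtable.
        $x = [xml]$e.ToXml()
        $d = @{}
        foreach ($n in $x.Event.EventData.Data) { $d[$n.Name] = $n.'#text' }

        $hit = $null
        switch ($e.Id) {
            1 {
                # rclone may be renamed, so match the command line as well as the image.
                if ($d.Image -match 'rclone' -or $d.CommandLine -match '(^|\s)rclone(\.exe)?\s+(copy|move|sync)\b') {
                    $hit = 'rclone run: ' + $d.CommandLine
                } elseif ($d.Image -match $suspectImages -and $d.CommandLine -match $cloudflareTunnel) {
                    $hit = 'PowerShell with Cloudflare tunnel URL: ' + $d.CommandLine
                } elseif ($d.Image -match $suspectImages -and $d.CommandLine -match 'dropboxapi\.com|dropbox\.com') {
                    $hit = 'Dropbox reference on command line: ' + $d.CommandLine
                }
            }
            3 {
                # DestinationHostname is only filled when Sysmon's reverse lookup succeeds.
                if ($d.Image -match $suspectImages -and $d.DestinationHostname -match $dropboxHosts) {
                    $hit = 'Connection to ' + $d.DestinationHostname + ':' + $d.DestinationPort
                }
            }
            22 {
                # DNS query events name the host the process asked for, so this is the reliable signal.
                if ($d.Image -match $suspectImages -and $d.QueryName -match $dropboxHosts) {
                    $hit = 'DNS query for ' + $d.QueryName
                }
            }
        }

        if ($hit) {
            [pscustomobject]@{
                Time      = $e.TimeCreated
                EventId   = $e.Id
                Image     = $d.Image
                ProcessId = $d.ProcessId
                Parent    = $d.ParentImage   # only present on ID 1
                Finding   = $hit
            }
        }
    }
}

Find-PteroBoxStyleActivity | Sort-Object Time | Format-Table -AutoSize -Wrap
```

Dropbox is common in enterprises, so treat a hit as a lead and pivot on the ID 1 record: a powershell.exe whose parent is explorer.exe, started from an LNK, that then resolves dropboxapi.com is the chain the evidence describes; a sync client or a browser doing the same is not. The two file stealers named in the evidence (PteroVDoor, PteroPSDoor) moved to Wasabi, Tebi and Intercolo, so the same hunt applied to those providers' API hosts covers the rest of the family.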
