PteroPaste
PteroPaste is a custom Gamaredon malware family and one of six new PowerShell-based tools documented by ESET in relation to the Russia-linked threat group’s 2025 operations. It is described as the most complex of the newly identified tools, combining downloader, USB weaponization, and runner functionality to provide persistence and execute additional malicious components. Newer variants retrieve encrypted command-and-control information from Dropbox, decrypt it on the infected host, and then connect to backend infrastructure concealed behind tunneling services; an earlier version used Rentry to stage encrypted payloads. The broader Gamaredon ecosystem also used legitimate services such as Telegram, Dropbox, GoFile, and Mastodon for dead-drop retrieval of infrastructure information, and hid backend servers behind Cloudflare Workers, Microsoft devtunnels.ms, Loophole, and previously Cloudflare Tunnels.
ESET reported PteroPaste being used in attacks against Ukrainian targets during 2025, including high-value systems. In April and June 2025, Gamaredon tools PteroOdd and PteroPaste were used to deploy Turla’s Kazuar v2 implant on compromised Ukrainian machines, and ESET assessed with high confidence that Gamaredon was providing initial access to Turla. On June 5–6, 2025, ESET observed a PowerShell downloader referred to as PteroPaste dropping and installing Kazuar v2 from 91.231.182[.]187 on two machines in Ukraine; the installed script was named ekrn.ps1, which ESET assessed may have been intended to masquerade as the legitimate ESET component ekrn.exe. Reported likely infection vectors for related Gamaredon activity include spear-phishing and malicious .lnk files on removable drives, and later in 2025 Gamaredon also exploited CVE-2025-8088 in WinRAR via crafted archives that placed malicious HTA downloaders in Startup folders for persistence. The activity is associated with Gamaredon, a threat group long linked to Russia’s FSB and known for targeting Ukrainian military, judiciary, law enforcement, non-profit, governmental, and defense-sector entities.
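As an added defender-side example (not code from this page, from ESET, or from Mallory), the Python below correlates constructed endpoint network telemetry to flag the retrieval sequence described above: a PowerShell process reaching one of the named dead-drop services and then, within a short window, a host on one of the named tunneling services. The log line format, the hostnames used for Dropbox, Telegram, GoFile, Rentry, Cloudflare Workers, Cloudflare Tunnel and Loophole, and the 30-minute window are assumptions; of the domains, only devtunnels.ms appears on the page.

```python
"""
Correlation check for the dead-drop -> tunnel C2 pattern attributed to
PteroPaste. Example code added to this page; not ESET's or Mallory's logic.
"""
import re
from collections import defaultdict
from datetime import datetime

# Services the page names as dead drops. The domain suffixes are assumptions
# (the page names services, not domains). Mastodon is federated and has no
# single domain, so it is not matched here.
DEAD_DROP_SUFFIXES = (
    "dropbox.com", "dropboxusercontent.com",   # Dropbox
    "t.me", "telegram.org",                    # Telegram
    "gofile.io",                               # GoFile
    "rentry.co", "rentry.org",                 # Rentry (earlier variant)
)
# Tunneling / reverse-proxy services the page names. devtunnels.ms is on the
# page; the other suffixes are assumptions about those services.
TUNNEL_SUFFIXES = (
    "devtunnels.ms",        # Microsoft dev tunnels
    "workers.dev",          # Cloudflare Workers
    "trycloudflare.com",    # Cloudflare Tunnel (quick tunnels)
    "loophole.site",        # Loophole
)
SCRIPT_HOSTS = ("powershell.exe", "pwsh.exe")

# Assumed telemetry format: "<iso-timestamp> host=<name> proc=<image> dst=<fqdn>"
LINE_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) proc=(?P<proc>\S+) dst=(?P<dst>\S+)$"
)


def _matches(hostname: str, suffixes) -> bool:
    """True if hostname equals or is a subdomain of any suffix."""
    h = hostname.lower().rstrip(".")
    return any(h == s or h.endswith("." + s) for s in suffixes)


def parse(line: str):
    """Parse one telemetry line into a dict, or None if it does not match."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ev = m.groupdict()
    ev["ts"] = datetime.fromisoformat(ev["ts"])
    return ev


def find_dead_drop_then_tunnel(lines, window_minutes: int = 30):
    """Return (host, dead_drop_dst, tunnel_dst) for each host on which a
    PowerShell process contacted a dead-drop service and then, within the
    window, a tunneling service. One hit per dead-drop contact at most."""
    by_host = defaultdict(list)
    for line in lines:
        ev = parse(line)
        if ev and ev["proc"].lower() in SCRIPT_HOSTS:
            by_host[ev["host"]].append(ev)

    hits = []
    for host, events in by_host.items():
        events.sort(key=lambda e: e["ts"])
        for i, dd in enumerate(events):
            if not _matches(dd["dst"], DEAD_DROP_SUFFIXES):
                continue
            for later in events[i + 1:]:
                delta_min = (later["ts"] - dd["ts"]).total_seconds() / 60
                if delta_min > window_minutes:
                    break
                if _matches(later["dst"], TUNNEL_SUFFIXES):
                    hits.append((host, dd["dst"], later["dst"]))
                    break
    return hits


# Constructed sample telemetry (not real captures): WS-01 shows the full
# sequence, WS-02 reaches the tunnel only after the window, WS-03 is a browser.
SAMPLE_LOG = """
2025-06-05T10:00:00 host=WS-01 proc=powershell.exe dst=dl.dropboxusercontent.com
2025-06-05T10:00:04 host=WS-01 proc=powershell.exe dst=abc123-8080.euw.devtunnels.ms
2025-06-05T10:01:00 host=WS-02 proc=powershell.exe dst=dl.dropboxusercontent.com
2025-06-05T10:02:00 host=WS-03 proc=chrome.exe dst=example.workers.dev
2025-06-05T11:30:00 host=WS-02 proc=powershell.exe dst=example.workers.dev
""".strip().splitlines()

if __name__ == "__main__":
    for host, dd, tun in find_dead_drop_then_tunnel(SAMPLE_LOG):
        print(f"ALERT {host}: PowerShell fetched {dd} then reached {tun}")
```

The sequence, not either hostname alone, is what carries signal: Dropbox and Cloudflare Workers traffic is common on its own, so the check keys on a scripting host doing both in order. Widening `window_minutes` trades false positives for coverage of slower beacons, as the second assertion in testing shows.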
Groups observed using it
2 distinct threat actors attributed by public researchers.
Among its six new tools, Eset said PteroPaste is the most complex, combining a downloader, a USB weaponizer and a runner component all in one for persistence and execution of other malicious components.
Techniques & procedures
8 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access: 2 techniques
Execution: 2 techniques
Lateral Movement: 1 technique
Command and Control: 4 techniques
The threat actor also started hiding its back-end infrastructure behind Cloudflare workers, Microsoft's dev tunnels and reverse proxy platform Loophole...
...using 'dead drops,' a traditional espionage trick, to store command and control information in a legitimate service like Telegram for the malware to retrieve later... The group placed infrastructure information on legitimate services, including Telegram, Dropbox, GoFile and Mastodon, for the malware to fetch it from there.
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
5 sources tracked across advisories, community write-ups, and news.
A multi-component Gamaredon tool that combines downloader, USB propagation/weaponization, and runner functionality to maintain persistence and execute additional malicious components. Newer versions retrieve encrypted C2 information from Dropbox and connect to infrastructure hidden behind tunneling services; earlier versions used Rentry to stage encrypted payloads.
Custom malware family attributed (in the cited reporting) to Gamaredon; described here as being used to deploy another malware payload (Kazuar).
A Gamaredon PowerShell downloader used to fetch and install Kazuar v2 from attacker-controlled infrastructure; observed in June 2025 activity in Ukraine.
A Gamaredon malware tool used to deploy Kazuar v2 on compromised systems in Ukraine.