GAMYBEAR
GAMYBEAR is a Go-based backdoor used in phishing-led intrusions against Ukrainian organizations, including educational institutions and state authorities; CERT-UA tracks the activity as UAC-0241. Observed delivery chains used ZIP archives containing a Windows LNK file that launched mshta.exe to run an HTA, which in turn ran JavaScript and then PowerShell to download and execute follow-on payloads. In one reported campaign, a password-protected ZIP hosted on Google Drive contained a shortcut that downloaded and executed zvit.hta, which retrieved update.js and then updater.ps1. GAMYBEAR was deployed alongside other payloads, including LaZagne, a .NET-based file or PowerShell stealer, and reverse-shell functionality.
Its core functionality is to receive commands from a command-and-control (C2) server, execute them on the compromised host, and return the results to the server over HTTP with the data Base64-encoded. Reported behavior also includes generating a UUID, collecting system information, storing C2 details in %APPDATA%\updater.json, and establishing persistence via a Windows Run registry key. CERT-UA described it as a listener/executor/sender style implant implemented in Go.
Infrastructure and campaign details reported with high confidence include HTTP C2 communications and the IP address 185.223.93.102 as a GAMYBEAR C2 server in one campaign. Related reporting tied UAC-0241 activity to spear-phishing against Ukrainian educational institutions and government bodies, especially in the Sumy region, using compromised email accounts and social-engineering lures. In the available reporting, the malware is associated with UAC-0241 operations against Ukrainian institutions.
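The delivery chain and host behavior described above map directly onto detection logic. The following Python script is an added example, not code from the page, CERT-UA or Mallory: it replays the LNK → mshta.exe (HTA) → script host → PowerShell ancestry, the Run-key persistence pointing into %APPDATA%, and the Base64-over-JSON C2 encoding against constructed Sysmon-style events. Process ids, the user profile path and the Run value name are invented for illustration; the file names zvit.hta, update.js and updater.ps1 come from the reporting.

```python
"""Detection helper for the GAMYBEAR delivery chain and persistence pattern.

Added example; not code from the page, CERT-UA or Mallory. It replays the
reported LNK -> mshta.exe (HTA) -> script host -> PowerShell chain and the
Run-key persistence against constructed Sysmon-style events. Process ids,
the user profile path and the Run value name are invented for illustration;
the file names zvit.hta, update.js and updater.ps1 come from the reporting.
"""
import base64
import json
import re

# Interpreters that the HTA stage is reported to hand off to.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe"}
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run\\", re.IGNORECASE)
# Persistence data pointing into a user-writable profile directory (%APPDATA%
# resolves under AppData\Roaming) is the condition worth flagging.
USER_WRITABLE_RE = re.compile(r"\\AppData\\(Roaming|Local)\\", re.IGNORECASE)

# Constructed process-creation events (simplified Sysmon event ID 1 fields).
PROCESS_EVENTS = [
    {"pid": 100, "ppid": 1, "image": "explorer.exe", "cmdline": "explorer.exe"},
    {"pid": 200, "ppid": 100, "image": "mshta.exe",
     "cmdline": r'mshta.exe "C:\Users\victim\Downloads\zvit.hta"'},
    {"pid": 300, "ppid": 200, "image": "wscript.exe",
     "cmdline": r"wscript.exe C:\Users\victim\AppData\Local\Temp\update.js"},
    {"pid": 400, "ppid": 300, "image": "powershell.exe",
     "cmdline": r"powershell.exe -File C:\Users\victim\AppData\Local\Temp\updater.ps1"},
    # Benign noise: an administrator running PowerShell from a console.
    {"pid": 500, "ppid": 1, "image": "cmd.exe", "cmdline": "cmd.exe"},
    {"pid": 600, "ppid": 500, "image": "powershell.exe", "cmdline": "powershell.exe Get-Process"},
]

# Constructed registry value-set events (simplified Sysmon event ID 13 fields).
REGISTRY_EVENTS = [
    {"pid": 400, "key": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\Updater",
     "data": r"C:\Users\victim\AppData\Roaming\updater-placeholder.exe"},
    {"pid": 999, "key": r"HKLM\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "data": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe"},
]

# Constructed beacon body: the reported encoding is JSON wrapped in Base64.
SAMPLE_BEACON = base64.b64encode(json.dumps(
    {"id": "00000000-0000-4000-8000-000000000000", "result": "dir output"}
).encode()).decode()


def build_ancestry(events):
    """Map each pid to its image name followed by its ancestors' image names."""
    by_pid = {e["pid"]: e for e in events}
    ancestry = {}
    for e in events:
        chain, pid, seen = [], e["pid"], set()
        while pid in by_pid and pid not in seen:
            seen.add(pid)
            chain.append(by_pid[pid]["image"].lower())
            pid = by_pid[pid]["ppid"]
        ancestry[e["pid"]] = chain
    return ancestry


def find_hta_launches(events):
    """mshta.exe invoked with an .hta file on its command line."""
    return [e["pid"] for e in events
            if e["image"].lower() == "mshta.exe" and ".hta" in e["cmdline"].lower()]


def find_mshta_descendants(events):
    """Script hosts or PowerShell with mshta.exe anywhere in their ancestry."""
    ancestry = build_ancestry(events)
    return [e["pid"] for e in events
            if e["image"].lower() in SCRIPT_HOSTS and "mshta.exe" in ancestry[e["pid"]][1:]]


def find_suspicious_run_values(reg_events):
    """Run-key values whose data lives under a user-writable AppData path."""
    return [r for r in reg_events
            if RUN_KEY_RE.search(r["key"]) and USER_WRITABLE_RE.search(r["data"])]


def looks_like_b64_json(body):
    """Heuristic for the reported C2 encoding: an HTTP body that is Base64 over a JSON object."""
    try:
        obj = json.loads(base64.b64decode(body, validate=True))
    except ValueError:  # covers binascii.Error, UnicodeDecodeError and JSONDecodeError
        return False
    return isinstance(obj, dict)


def triage(process_events, registry_events):
    """Correlate the chain with persistence written by a process inside it."""
    hta = find_hta_launches(process_events)
    descendants = find_mshta_descendants(process_events)
    chain_pids = set(hta) | set(descendants)
    run_keys = [r["key"] for r in find_suspicious_run_values(registry_events)
                if r["pid"] in chain_pids]
    return {"hta_launch_pids": hta, "mshta_descendant_pids": descendants,
            "run_keys_from_chain": run_keys}


if __name__ == "__main__":
    print(json.dumps(triage(PROCESS_EVENTS, REGISTRY_EVENTS), indent=2))
```

The ancestry walk matters more than any single process name: PowerShell launched from a console is routine, whereas PowerShell whose ancestry passes through mshta.exe is the pattern the reporting describes. Correlating the Run-key write with a pid from that chain keeps the persistence alert tied to the intrusion rather than firing on every user-level autostart.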
Groups observed using it
1 distinct threat actor attributed by public researchers.
Cyberattack by UAC-0241 against an educational institution in eastern Ukraine using the GAMYBEAR software tool (CERT-UA#18329)
Recent activity
5 sources tracked across advisories, community write-ups, and news.
Named malware/tool referenced in comparison to another Ukrainian-targeting delivery chain using LNK, HTA, PowerShell, and Go.
Go-based backdoor delivered via spear-phishing chain (LNK→HTA→JS→PowerShell) that executes server-issued commands and returns results base64-encoded over HTTP.
GAMYBEAR is a Go-based backdoor that enables remote command execution and exfiltration of results to a command-and-control server over HTTP. It generates a unique identifier, collects system information, and maintains persistence via registry keys. It communicates with its C2 using JSON and Base64 encoding.