# Full Report
The group known as Gamaredon has been observed using Cloudflare Tunnels — a tool that helps hide the real location of servers or infrastructure — to infect their targets with custom GammaDrop malware and stay undetected.
# Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
**Attribution:** Russian state-sponsored hacker group.
**Aliases and Associations:** BlueAlpha. Believed to operate from the Russian-annexed Crimean peninsula and likely acts on orders from Russia’s Federal Security Service (FSB).
## Activity Summary
Gamaredon has been active since at least 2013. The actor is currently engaged in an ongoing cyber-espionage campaign primarily targeting Ukrainian-speaking victims. In August, the group targeted Ukraine’s military and government agencies during the country's counteroffensive. The latest observed campaign involves high levels of obfuscation and evasion techniques to maintain persistence and steal data.
## Tactics, Techniques & Procedures
- **Defense Evasion:** Utilizing Cloudflare Tunnels to hide the real location of infrastructure.
- **Delivery:** Deploying initial payloads via malicious email attachments.
- **Persistence and Foothold:** Using custom malware (GammaDrop) to establish a foothold and subsequently deploy the custom backdoor, GammaLoad.
- **Evasion:** GammaDrop samples are heavily obfuscated with "extensive amounts" of junk code and random variable names.
- **C2/Reconnaissance:** Malware retrieves domain names for command and control from legitimate services (Cloudflare, Telegram, Telegraph) instead of using real IP addresses.
- **Goals of Compromise:** Exfiltrate data, steal credentials, execute additional payloads, and maintain persistent access.
- **MITRE ATT&CK IDs:** Not explicitly provided, but techniques relate to Defense Evasion (T1218, related to tunneling services) and Command and Control (T1573, related to encrypted communication).
## Targeting
- **Sectors:** Military and government agencies.
- **Geography:** Ukraine (specifically targeting Ukrainian-speaking victims).
- **Victims:** Ukraine’s military and government agencies (specific organizations were not disclosed).
## Tools & Infrastructure
- **Malware Families Used:** GammaDrop (initial payload), GammaLoad (custom backdoor).
- **Infrastructure:** Abusing legitimate services like Cloudflare Tunnels for C2 concealment. Retrieves domain names from Cloudflare, Telegram, and Telegraph to mask operational IPs.
## Implications
Gamaredon remains one of the most engaged Moscow-backed hacker groups targeting Ukraine. Their continued refinement of evasion techniques, especially leveraging legitimate cloud services like Cloudflare Tunnels, demonstrates a proactive effort toward operational security and longevity within compromised networks. Their focus on military and government entities highlights their role in Russia's information/cyber warfare objectives against Ukraine.
## Mitigations
- Monitor network traffic for unusual connections to Cloudflare Tunnel endpoints, including ingress/egress traffic that originates from otherwise trusted channels.
- Implement heightened scrutiny and sandboxing for attachments delivered via email, especially focusing on obfuscated binaries.
- Enhance monitoring for processes that retrieve domains or IP addresses from the Telegram or Telegraph APIs in order to establish external connectivity; such lookups suggest C2 activity designed to bypass traditional IP blacklisting.
- Ensure endpoint detection and response (EDR) solutions are tuned to detect high levels of junk code or structural obfuscation in executable files.
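The following is an added detection example written for this summary; it is not code from the original report or from any vendor. It turns the first and third mitigations into a check over endpoint network-connection logs: it flags processes that contact a Cloudflare Tunnel endpoint or the Telegram/Telegraph APIs, allow-lists processes expected to do so, and raises severity when one process touches both a dead-drop resolver and a tunnel endpoint, which is the C2 chain the report describes. The log format, sample lines and process allow-list are constructed assumptions, and the indicator domains (`trycloudflare.com`, `api.telegram.org`, `telegra.ph`) are the well-known public endpoints of those services rather than indicators taken from the report.

```python
"""
Added detection example (not from the original report). Scans constructed
endpoint connection logs for the tunnel / dead-drop pattern the report
describes. Indicator domains are assumptions: the public endpoints of the
services named in the report, not indicators published with it.
"""
import re
from collections import defaultdict

# Assumed indicator suffixes. Cloudflare quick tunnels are served from
# trycloudflare.com; Telegram's bot API is api.telegram.org; Telegraph pages
# are served from telegra.ph. None of these is malicious on its own, so the
# logic scores process + destination combinations, never a domain alone.
DEAD_DROP_SUFFIXES = {
    "trycloudflare.com": "cloudflare_tunnel",
    "api.telegram.org": "telegram_api",
    "telegra.ph": "telegraph",
}

# Constructed allow-list of process images that legitimately reach these
# services in many environments; tune per environment to cut noise.
EXPECTED_PROCESSES = {
    "telegram.exe", "cloudflared.exe", "chrome.exe", "firefox.exe", "msedge.exe",
}

# Assumed log format (constructed for this example):
#   "<ts> host=<hostname> pid=<n> proc=<image path> dst=<host>:<port>"
LOG_RE = re.compile(
    r"^(?P<ts>\S+) host=(?P<host>\S+) pid=(?P<pid>\d+) proc=(?P<proc>\S+) "
    r"dst=(?P<dst>[^:\s]+):(?P<port>\d+)$"
)


def classify_destination(dst):
    """Return the indicator label for a destination host, or None.
    Matches the suffix on a label boundary so that a look-alike such as
    'evil-trycloudflare.com' does not match."""
    d = dst.lower().rstrip(".")
    for suffix, label in DEAD_DROP_SUFFIXES.items():
        if d == suffix or d.endswith("." + suffix):
            return label
    return None


def parse_line(line):
    """Parse one log line into a dict, or return None for malformed input."""
    m = LOG_RE.match(line.strip())
    return m.groupdict() if m else None


def find_suspicious(lines):
    """Return one alert per (host, pid, proc) that contacts an indicator
    service from a process not on the allow-list. A process that hits a
    Telegram/Telegraph resolver and a Cloudflare tunnel is scored 'high';
    either alone is 'medium'."""
    per_proc = defaultdict(set)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than abort the scan
        label = classify_destination(rec["dst"])
        if label is None:
            continue
        image = re.split(r"[\\/]", rec["proc"].lower())[-1]
        if image in EXPECTED_PROCESSES:
            continue
        per_proc[(rec["host"], rec["pid"], rec["proc"])].add(label)

    alerts = []
    for (host, pid, proc), labels in per_proc.items():
        resolver = bool(labels & {"telegram_api", "telegraph"})
        tunnel = "cloudflare_tunnel" in labels
        alerts.append({
            "host": host, "pid": pid, "proc": proc,
            "labels": sorted(labels),
            "severity": "high" if (resolver and tunnel) else "medium",
        })
    return sorted(alerts, key=lambda a: (a["host"], int(a["pid"])))


# Constructed sample log lines; hostnames, paths and pids are invented.
SAMPLE_LOG = [
    "2024-12-05T10:01:02Z host=WS-07 pid=4412 proc=C:\\Users\\a\\AppData\\Local\\Temp\\doc_viewer.exe dst=telegra.ph:443",
    "2024-12-05T10:01:05Z host=WS-07 pid=4412 proc=C:\\Users\\a\\AppData\\Local\\Temp\\doc_viewer.exe dst=abc-def.trycloudflare.com:443",
    "2024-12-05T10:02:00Z host=WS-07 pid=980 proc=C:\\Users\\a\\AppData\\Local\\Telegram\\telegram.exe dst=api.telegram.org:443",
    "2024-12-05T10:03:11Z host=WS-12 pid=2210 proc=C:\\Users\\b\\AppData\\Roaming\\svc.exe dst=api.telegram.org:443",
    "2024-12-05T10:04:00Z host=WS-12 pid=1502 proc=C:\\Users\\b\\outlook.exe dst=outlook.office365.com:443",
    "garbage line that does not parse",
]

if __name__ == "__main__":
    for alert in find_suspicious(SAMPLE_LOG):
        print(alert)
```

The allow-list is deliberately by image name only so the example stays short; in production, key it on signed path plus hash, because a payload can be named `telegram.exe` as easily as anything else. The severity escalation is the useful part: a single request to Telegraph or Telegram is common noise, but the same unsigned process resolving a dead drop and then opening a Cloudflare quick-tunnel connection is exactly the sequence the report attributes to GammaLoad's C2 lookup.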