Group uses updated PowerShell version of its GammaSteel malware in attack.
Analysis Summary
# Threat Actor: Shuckworm (aka Gamaredon, Armageddon)
## Attribution & Identity
* **Attribution:** Russia-linked espionage group.
* **Association:** Believed to operate on behalf of the Russian Federal Security Service (FSB) by Ukrainian security services (SSU).
* **Known Aliases:** Gamaredon, Armageddon.
## Activity Summary
Shuckworm has maintained a relentless focus on Ukraine into 2025. A campaign observed in February–March 2025 targeted the military mission of a Western country based in Ukraine. The group's tradecraft has evolved: where earlier chains relied heavily on VBS scripts, the later stages of this chain are PowerShell-based, likely chosen for obfuscation and for persistence by storing scripts in the registry. The initial infection vector appears to have been an infected removable (USB) drive. The infection proceeds through a multi-stage chain that culminates in deployment of the GammaSteel infostealer. The group also drops shortcut (.lnk) files on infected removable and network drives so that the initial infection mechanism propagates to further hosts.
## Tactics, Techniques & Procedures
* **Initial Access:** Infection via an infected removable drive, with malicious LNK shortcut files observed as the launcher.
* **Execution/Persistence:** Use of `mshta.exe` to execute an obfuscated VBScript stored with a misleading extension (`~.drv`). PowerShell is used for the later stages of the chain, both for obfuscation and for persistence by storing scripts in the registry.
* **Defense Evasion:** Heavy obfuscation at every stage to minimize detection. Modification of Explorer registry values so that hidden and system files are shown (`Hidden`, `ShowSuperHidden`, `HideFileExt`).
* **Command and Control (C2):** The C2 stage only begins after a WMI `Win32_PingStatus` query against `mil.gov.ua` succeeds, acting as a connectivity and targeting check. C2 addresses are resolved dynamically through legitimate web services (e.g., Teletype, Telegraph, Telegram).
* **Exfiltration:** Use of the `GammaSteel` infostealer. Data is exfiltrated via the `write.as` web service, with a fallback method that uses cURL over Tor.
## Targeting
* **Sectors:** Government, law enforcement, and defense organizations.
* **Geography:** Exclusively focused on Ukraine.
* **Victims:** Military mission of a Western country based in Ukraine (in the context of the 2025 campaign).
## Tools & Infrastructure
* **Malware Families Used:**
  * GammaSteel (infostealer)
  * `~.drv` (highly obfuscated VBScript loader)
  * `NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms` (C2 communication and initial checks)
  * `NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms` (registry modification / system file visibility adjustment)
* **Infrastructure (C2):**
  * **Observed IPs:** 107.189.19.218, 3.73.33.225, 107.189.19.137, 165.232.153.27, 172.104.187.254, 64.23.190.235, 85.92.111.12, 45.61.166.43, 159.223.50.199, 139.59.136.192, 104.16.230.132, 104.16.231.132
  * **Cloudflare Tunnels (detected across past/current activity):** des-cinema-democrat-san.trycloudflare[.]com
  * **Dynamic Resolution Domains:** teletype[.]in, telegra[.]ph, t[.]me, crudoes[.]ru, check-host[.]net
## Implications
Shuckworm remains a persistent and highly focused threat aligned with Russian state interests, prioritizing sensitive military and government targets within Ukraine. The group's shift toward PowerShell reflects an ongoing effort to refine its persistence and evasion techniques against modern defenses. Its continued reliance on removable media points to a tactic that exploits physical access or insider vectors, often associated with compromised government facilities or personnel.
## Mitigations
* Implement strict policies regarding the execution of scripts launched via MSHTA or WScript, especially those originating from untrusted sources or executed via LNK files.
* Disable Autorun functionality for removable media or implement strong controls over the execution of files launched from external drives.
* Monitor the UserAssist registry key for unusual execution artifacts (ROT13 encoded paths).
* Monitor for WMI queries against critical infrastructure status indicators like `Win32_PingStatus` targeting key national defense domains (e.g., mil.gov.ua).
* Use application control solutions to prevent the execution of scripts (VBScript, PowerShell) where possible, particularly when invoked by Office components or system utilities like MSHTA.
* Block dynamic resolution infrastructure related to known C2 domains (Telegram, Teletype, etc.) if possible, or establish baseline monitoring for traffic to newly observed domains hosting configuration data.
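The TTPs and mitigations above translate into a handful of concrete hunting checks. The following Python is an added example written for this summary, not code from Symantec or from the actor: it runs four checks (Explorer visibility registry writes, ROT13-encoded UserAssist entries naming script hosts or script-like payloads, `Win32_PingStatus` queries against `mil.gov.ua`, and DNS queries for the listed domains) over constructed telemetry records that mimic Sysmon, WMI-Activity and DNS logs. The `Explorer\Advanced` registry path is the standard location of the `Hidden`/`ShowSuperHidden`/`HideFileExt` values and is an assumption, since the report names only the values; all sample events and SIDs are constructed.

```python
import codecs
import re
from typing import Optional

# Explorer values the report names; the Advanced key path is assumed
# (standard location), the report itself lists only the value names.
EXPLORER_ADVANCED = r"software\microsoft\windows\currentversion\explorer\advanced"
VISIBILITY_VALUES = {"hidden", "showsuperhidden", "hidefileext"}

# Dynamic-resolution and tunnel hosts listed in the report.
WATCHLIST_DOMAINS = {
    "teletype.in", "telegra.ph", "t.me", "crudoes.ru", "check-host.net",
    "des-cinema-democrat-san.trycloudflare.com",
}

# Script hosts / extensions whose appearance in UserAssist deserves a look.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
SCRIPT_EXTENSIONS = {".drv", ".vbs", ".lnk", ".hta"}

# Pulls the Address= operand out of a WQL Win32_PingStatus query.
PING_RE = re.compile(r"win32_pingstatus\b.*?address\s*=\s*['\"]([^'\"]+)['\"]", re.I)


def decode_userassist(value_name: str) -> str:
    """UserAssist value names are ROT13-encoded program paths."""
    return codecs.decode(value_name, "rot_13")


def check_registry_set(target_object: str) -> Optional[str]:
    """Flag writes to the Explorer visibility values (e.g. Sysmon Event ID 13 TargetObject)."""
    path = target_object.replace("/", "\\").lower()
    parent, _, value = path.rpartition("\\")
    if parent.endswith(EXPLORER_ADVANCED) and value in VISIBILITY_VALUES:
        return f"explorer visibility value modified: {value}"
    return None


def check_userassist(value_name: str) -> Optional[str]:
    """Decode a UserAssist entry and flag script hosts or script-like payloads."""
    decoded = decode_userassist(value_name)
    basename = decoded.replace("/", "\\").rsplit("\\", 1)[-1].lower()
    ext = "." + basename.rsplit(".", 1)[-1] if "." in basename else ""
    if basename in SCRIPT_HOSTS or ext in SCRIPT_EXTENSIONS:
        return f"userassist execution artifact: {decoded}"
    return None


def check_wmi_query(query: str) -> Optional[str]:
    """Flag the Win32_PingStatus probe the report describes as the C2 gate."""
    m = PING_RE.search(query)
    if m and m.group(1).lower().rstrip(".") == "mil.gov.ua":
        return f"connectivity gate via Win32_PingStatus: {m.group(1)}"
    return None


def check_dns(query_name: str) -> Optional[str]:
    """Match a DNS query name against the watchlist, including subdomains."""
    name = query_name.lower().rstrip(".")
    for domain in WATCHLIST_DOMAINS:
        if name == domain or name.endswith("." + domain):
            return f"watchlisted domain resolved: {name}"
    return None


CHECKS = {
    "registry_set": lambda e: check_registry_set(e["target"]),
    "userassist": lambda e: check_userassist(e["value_name"]),
    "wmi_query": lambda e: check_wmi_query(e["query"]),
    "dns": lambda e: check_dns(e["name"]),
}


def hunt(events):
    """Run each event through the check for its type; return (index, reason) hits."""
    hits = []
    for i, event in enumerate(events):
        check = CHECKS.get(event["type"])
        reason = check(event) if check else None
        if reason:
            hits.append((i, reason))
    return hits


# Constructed sample telemetry; SIDs, paths and benign entries are invented.
SAMPLE_EVENTS = [
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\ShowSuperHidden"},
    {"type": "registry_set",
     "target": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows\CurrentVersion\Run\OneDrive"},
    {"type": "userassist", "value_name": codecs.encode(r"C:\Windows\System32\mshta.exe", "rot_13")},
    {"type": "userassist", "value_name": codecs.encode(r"C:\Program Files\Notepad++\notepad++.exe", "rot_13")},
    {"type": "wmi_query", "query": "SELECT * FROM Win32_PingStatus WHERE Address='mil.gov.ua'"},
    {"type": "wmi_query", "query": "SELECT * FROM Win32_OperatingSystem"},
    {"type": "dns", "name": "des-cinema-democrat-san.trycloudflare.com"},
    {"type": "dns", "name": "update.microsoft.com"},
]

if __name__ == "__main__":
    for index, reason in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {reason}")
```

Each check returns a reason string or `None`, so the same functions can be dropped into a SIEM enrichment pipeline; the `hunt()` wrapper only dispatches on the record type. Against the constructed sample the four malicious records (indices 0, 2, 4 and 6) fire and the four benign neighbours stay quiet.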