The Russian state-backed hacking group Gamaredon (aka “Shuckworm”) has been focusing on a army mission of a Western nation in Ukraine in assaults possible deployed from detachable drives.
Symantec risk researchers say the marketing campaign began in February 2025 and continued till March, with hackers deploying an up to date model of the GammaSteel info-stealing malware to exfiltrate knowledge.
In response to the report, preliminary entry to the contaminated methods was most likely achieved by way of detachable drives containing malicious .LNK information, a vector that Gamaredon has used previously.
The researchers notice a change within the risk actor’s ways, together with a shift from VBS scripts to PowerShell-based instruments, extra obfuscation for payloads, and elevated use of reliable providers for evasion.
Newest Gamaredon assaults in Ukraine
Through the investigation, the researchers seen within the Home windows Registry of the compromised system a brand new worth underneath the UserAssist key, indicating that the an infection began from an exterior drive from a shortcut file named information.lnk.
Subsequent, a closely obfuscated script creates and runs two information. The primary handles command and management (C2) communications, resolving the server tackle utilizing reliable providers, and connecting to Cloudflare-protected URLs.
The second file handles the spreading mechanism to contaminate different detachable and community drives utilizing LNK information, whereas additionally hiding sure folders and system information to cover the compromise.
Supply: Symantec
Subsequent, Gamaredon used a reconnaissance PowerShell script that may seize and exfiltrate screenshots of the contaminated gadget and collect details about put in antivirus instruments, information, and operating processes.
The ultimate payload used within the noticed assaults is a PowerShell-based model of GammaSteel that’s saved in Home windows Registry.
Supply: Symantec
The malware can steal paperwork (.DOC, .PDF, .XLS, .TXT) from varied areas like Desktop, Paperwork, and Downloads, confirming Gamaredon’s persevering with curiosity in espionage.
Finally, the malware makes use of ‘certutil.exe’ to hash the information and exfiltrates them utilizing PowerShell net requests. If the exfiltration fails, Gamaredon makes use of cURL over Tor to switch the stolen knowledge.
Lastly, a brand new key’s added to ‘HKCUSoftwareMicrosoftWindowsCurrentVersionRun’ to ascertain persistence on the goal laptop.
The current Gamaredon marketing campaign displays an effort to extend operational stealth and effectiveness regardless of the risk group’s restricted sophistication in comparison with different Russian state actors.
Symantec feedback that varied incremental however significant enhancements within the risk group’s TTPs (ways, methods, and procedures) elevate the dangers it poses to Western networks, particularly contemplating Gamaredon’s unwavering tenacity.
Based mostly on an evaluation of 14M malicious actions, uncover the highest 10 MITRE ATT&CK methods behind 93% of assaults and the right way to defend towards them.
