Ukraine Hackers Claimed Cyberattack on Major Russian Drone Supplier
Last week, Ukraine’s Main Intelligence Directorate (GUR) orchestrated a sophisticated cyberattack against Gaskar Integration, a leading Russian drone manufacturer.
The operation began with reconnaissance of the company’s public-facing infrastructure, where threat actors identified vulnerable remote desktop services and outdated VPN gateways.
Leveraging a zero-day in a third-party web application firewall, the attackers gained an initial foothold within the corporate network. Once inside, they deployed custom malware that abused Windows Management Instrumentation (WMI) for lateral movement and credential harvesting.
Hromadske analysts noted that the malicious payload incorporated a dual-stage loader written in C++ and PowerShell.
The first stage established persistence via a malicious WMI subscription, while the second stage decrypted a reverse-shell implant in memory.
Communications were tunneled over TLS using forged certificates that mimicked the company’s own public key infrastructure.
The malware’s command-and-control (C2) infrastructure was hosted on compromised industrial control system servers, further complicating attribution and takedown efforts.
By the time defenders detected anomalous network traffic, the attackers had exfiltrated more than 47 TB of technical data, including drone design schematics, production logs, and employee records.
All backup copies on the victim’s servers were irreversibly deleted, effectively crippling Gaskar’s manufacturing and accounting operations.
Workers were locked out of production software and physical access systems, with only fire exits remaining functional.
Hromadske researchers identified key modules of the implant by reverse-engineering its unpacker.
Infection Mechanism
The malware’s infection mechanism hinged on a WAF bypass. After gaining access, the attackers uploaded a tiny dropper (less than 15 KB) that executed a Base64-encoded PowerShell one-liner.
This script reached out to a hard-coded C2 domain, downloaded an encrypted payload, and invoked it entirely in memory to evade disk-based detection.
The persistent WMI event filter was crafted as follows (namespace backslashes restored, as they were lost in the article's extraction):
# Create the event filter: a WQL query polling the Win32_LocalTime instance every 60 seconds
$filter = Set-WmiInstance -Namespace root\subscription -Class __EventFilter `
    -Arguments @{
        Name           = "SysUpdateFilter"
        EventNameSpace = "root\cimv2"
        QueryLanguage  = "WQL"
        Query          = "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_LocalTime'"
    }
# Bind the filter to the event consumer; $consumer is the consumer instance created earlier (not shown in the article)
Set-WmiInstance -Namespace root\subscription -Class __FilterToConsumerBinding `
    -Arguments @{
        Filter   = $filter
        Consumer = $consumer
    }
This ensures execution on every system clock tick, granting the implant high survivability even after reboot.
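For defenders, the matching check is to enumerate the permanent subscriptions in root\subscription and flag bindings whose filter polls Win32_LocalTime or whose consumer executes commands or scripts. The PowerShell below is an added example, not code from the article or from the implant; the function names and the match patterns are assumptions, and it needs an elevated Windows PowerShell session to see every instance.

```powershell
# Hypothetical hunting script: list permanent WMI subscriptions and flag timer-polling
# filters bound to command- or script-executing consumers. Not the implant's code.
$ns = 'root\subscription'

# Binding references come back as string paths from Get-WmiObject (Name="..." inside)
# or as instances from CIM cmdlets; return the referenced instance's Name either way.
function Get-RefName {
    param($Ref)
    if ($Ref -is [string]) {
        if ($Ref -match 'Name="([^"]+)"') { return $Matches[1] }
        return $Ref
    }
    return $Ref.Name
}

function Find-SuspiciousWmiSubscriptions {
    $filters   = @{}
    $consumers = @{}
    Get-WmiObject -Namespace $ns -Class __EventFilter   | ForEach-Object { $filters[$_.Name]   = $_ }
    # Querying the base class returns every consumer subtype (CommandLine, ActiveScript, ...)
    Get-WmiObject -Namespace $ns -Class __EventConsumer | ForEach-Object { $consumers[$_.Name] = $_ }

    foreach ($b in Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding) {
        $fName = Get-RefName $b.Filter
        $cName = Get-RefName $b.Consumer
        $f = $filters[$fName]
        $c = $consumers[$cName]
        $reasons = @()
        # Polling Win32_LocalTime via __InstanceModificationEvent is the pattern described above
        if ($f -and $f.Query -match 'Win32_LocalTime|__InstanceModificationEvent\s+WITHIN') {
            $reasons += 'timer-polling filter'
        }
        # Only these consumer classes run arbitrary commands or scripts when the filter fires
        if ($c -and $c.__CLASS -in 'CommandLineEventConsumer', 'ActiveScriptEventConsumer') {
            $reasons += "executing consumer ($($c.__CLASS))"
        }
        # 'SCM Event Log Filter' is present by default on Windows; everything else is reviewed
        if ($reasons.Count -gt 0 -and $fName -ne 'SCM Event Log Filter') {
            [pscustomobject]@{
                Filter   = $fName
                Consumer = $cName
                Query    = if ($f) { $f.Query } else { $null }
                Payload  = if ($c) { if ($c.CommandLineTemplate) { $c.CommandLineTemplate } else { $c.ScriptText } } else { $null }
                Reasons  = $reasons -join ', '
            }
        }
    }
}

Find-SuspiciousWmiSubscriptions | Format-List
```

For continuous coverage rather than a point-in-time sweep, Sysmon event IDs 19, 20 and 21 record filter, consumer and binding creation respectively, and can be forwarded to a SIEM with the same match logic.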