Cyberespionage has remained a constant feature of Russia’s war against Ukraine. ESET Research has long tracked Gamaredon, one of the most active Russia-aligned advanced persistent threat (APT) groups targeting Ukraine. The group, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s FSB, maintained a high operational tempo throughout 2025.
In our latest research, we analyze Gamaredon’s activity during 2025, including new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. The full technical details are available in our latest white paper.
Key points of this blogpost:
- Throughout 2025, Gamaredon exclusively targeted governmental and military institutions in Ukraine.
- We observed 35 distinct spearphishing campaigns against new targets. The majority of the campaigns were conducted in the second half of the year, and they were significantly larger than earlier ones.
- Additional targets were compromised via several custom weaponizers designed for lateral movement.
- Gamaredon operators developed and deployed six new malicious PowerShell tools, which we analyze in our white paper, and resurrected an old VBScript weaponizer – PteroSetup.
- The file stealers PteroVDoor and PteroPSDoor were upgraded to support exfiltration to cloud storage services (Wasabi, Tebi, and Intercolo), which became the primary exfiltration method.
- Gamaredon operators sought new ways to protect their network infrastructure, with their C&C servers now hidden behind various third-party services such as tunnels, workers, DDNS (dynamic DNS), and PaaS (platform as a service).
- They also abused several legitimate messaging, social media, blogging, and paste services as dead drops for resolving C&C servers and distributing payloads.
The white paper is our third in-depth installment describing the tactics, techniques, and procedures (TTPs) of this group, which is believed to operate out of occupied Crimea. In September 2024, we published a white paper covering Gamaredon activities from 2022 and 2023 – Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023 – and in July 2025, we published a white paper covering Gamaredon activities from 2024 – Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset.
Continued data exfiltration and a new alliance
Throughout 2025, Gamaredon stayed highly active and remained focused exclusively on Ukraine. The group’s ultimate goal continues to be the exfiltration of sensitive information and other valuable data that could be exploited to support Russian interests in the ongoing war in Ukraine. Gamaredon’s activities appear to be closely aligned with Russia’s geopolitical objectives, targeting Ukrainian governmental and military institutions to gain an intelligence advantage.
New tooling and cooperation in the first half of the year
While the group took a brief operational break in January 2025, Gamaredon spent much of its effort in the first half of the year developing and deploying new tools. We describe them in the Six new tools, mostly delivery-focused section of this blogpost. While we don’t provide the exact timestamps for all changes introduced to the group’s tooling, we observed that many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are likely government-affiliated employees.
Notably, we uncovered that in early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor also linked to the FSB; we documented our findings in our blogpost Gamaredon X Turla collab. This cooperation underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, likely to amplify their operational impact. In the past, Gamaredon also collaborated with a threat actor that we discovered and named InvisiMole.
More broadly, 2025 also provided another example of cooperation and task sharing among Russia-aligned actors: we observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently handing over validated targets to Sandworm for follow-up activity. We documented our findings in ESET APT Activity Report Q2 2025–Q3 2025.
Larger and more frequent spearphishing campaigns in the second half
In the second half of the year, the group shifted more toward larger and more frequent spearphishing campaigns; during 2025, we identified 35 of these. As in previous years, most campaigns used archive attachments or XHTML files employing HTML smuggling to deliver malicious HTA downloaders, which in turn fetched the VBScript downloader PteroSand and additional payloads. We also observed campaigns that likely used malicious links instead of attachments.
Figure 1 shows a chart of unique samples of HTA downloaders delivered per month in Gamaredon spearphishing campaigns. Note that these figures represent minimums for spearphishing attempts, as one HTA downloader may target multiple individuals, and individuals may be targeted in multiple campaigns during the same month.

What changed most noticeably was the tempo. Gamaredon was far more active in the second half of the year, when campaigns became both more frequent and larger in scale. Late in the year, the group also introduced a new technique – from September 26th, 2025 onward, it began abusing CVE-2025-8088, a WinRAR vulnerability, to place its usual malicious HTA downloader into the victim’s Startup folder. That allowed the downloader to execute on the next login, adding persistence to a compromise chain that had previously relied more heavily on user interaction.
Weaponizers for movement beyond the compromised system
Beyond spearphishing, Gamaredon also continued using custom weaponizers for lateral movement. These tools weaponize USB drives, mapped network drives, and even software installers, helping the group spread within or across organizations after the initial compromise.
Six new tools, mostly delivery-focused
Gamaredon introduced six new tools in 2025, all written in PowerShell. Five of them appeared in the first quarter of the year, suggesting that the group spent the early months of 2025 building new delivery chains before shifting more attention to large-scale spearphishing in the second half.
Most of these new tools are relatively simple:
- PteroDee and PteroCache are straightforward PowerShell downloaders for fetching and executing PowerShell payloads in memory.
- PteroDum serves the same purpose, but for VBScript payloads, writing them temporarily to disk, executing them, and then deleting them.
- PteroOdd is a tiny downloader used to retrieve a single PowerShell payload via the Telegra.ph API, and based on what we observed, it appears to have been used primarily in cases linked to Gamaredon’s collaboration with Turla.
- PteroEffigy is another lightweight downloader, notable mainly for using the GoFile cloud storage service to obtain the next C&C server.
The standout among the new tools is PteroPaste, which is considerably more complex than the others. It combines a downloader, a USB weaponizer, and a runner component used for persistence and orchestration. Early versions of PteroPaste used Rentry as an intermediary staging point for encrypted payloads. Later versions moved away from that approach and instead retrieve an encrypted C&C hostname from Dropbox, decrypt it locally, and then connect to infrastructure hidden behind tunnel services. PteroPaste is also one of the tools involved in the Gamaredon X Turla collaboration that we documented in 2025.
Gamaredon also brought back PteroSetup, an older VBScript weaponizer that had likely been discontinued years earlier. The resurrected version scans fixed, removable, and network drives for installer-like executable files and replaces them with malicious self-extracting archives containing both the original installer and a malicious VBScript downloader. To the victim, the file still appears legitimate, but running it launches both the expected installer and the malicious code.
Overall, the new additions to Gamaredon’s arsenal fit a pattern that we have seen before – rather than investing in highly sophisticated malware, the group prefers a larger number of simple tools that can be updated quickly and combined flexibly.
Important updates to previously known tools such as PteroLNK, PteroPSLoad, PteroPSDoor, PteroVDoor, and PteroBox can be found in the white paper.
Advanced network infrastructure
Gamaredon continued to refine its methods for protecting its network infrastructure and hiding its C&C servers. In 2025, the group’s reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure.
Tunnel services are legitimate tools that allow a system or application to be exposed to the internet through a provider-controlled domain, without revealing the real server directly. Workers serve a similar purpose, but go a step further: instead of simply forwarding traffic, they are serverless platforms that can run code and process requests before passing them on. In practice, both help obscure the underlying infrastructure and make disruption more difficult.
Tunnels, workers, and a return to DDNS
By the end of 2024, Gamaredon was already relying heavily on Cloudflare tunnels (trycloudflare.com) to conceal its infrastructure, and in 2025 it expanded that approach further. In May, we began seeing the group hide C&C servers behind Cloudflare workers (workers.dev), and in June it added Microsoft’s devtunnels.ms and Loophole (loophole.site). These services were often used together, with one acting as the primary communication path and others serving as fallbacks.
In a few isolated cases, we also observed experiments with other tunnel services, such as loca.lt and bore.pub, but these did not appear to become part of the group’s regular toolkit.
Gamaredon also returned to a technique that had once been a hallmark of its operations: dynamic DNS (DDNS). After several years of relying more heavily on registered domains, the group again began using No-IP domains across several tools, especially in HTA downloaders delivered in spearphishing campaigns. In parallel, we observed Gamaredon abuse platform-as-a-service offerings from Clever Cloud (cleverapps.io) and Supabase (supabase.co) in several campaigns, suggesting that the group is still actively looking for low-cost, disposable infrastructure that blends in with legitimate traffic.
Leveraging an old espionage concept: Dead drops
One of the most significant aspects of Gamaredon’s 2025 operations was its heavy use of so-called dead-drop services. The term comes from traditional espionage – instead of meeting directly, one operative leaves information in a public or hidden location and another retrieves it later. Online, the principle is similar. Rather than embedding the real malicious server directly in malware, operators place that information on a legitimate website or platform, and the malware retrieves it from there. This means that the malware may first contact a public page on a legitimate service, read a hidden or staged value from it, and only then connect to the actual C&C server.
This approach gives attackers several advantages. It makes their operations more flexible, because they can switch servers quickly. It also complicates blocking, because defenders may be reluctant to block legitimate and widely used services outright.
In 2025, Gamaredon abused numerous services in this way: Telegram channels (via t.me; Telegram’s official URL shortener service), posts on the Telegra.ph (telegra.ph) and Teletype (teletype.in) platforms, rentry.co, write.as, Dropbox, GoFile, the social networks DEV Community (dev.to) and Mastodon (mastodon.social), lesma (lesma.eu), nopaste.net, and Paste.ee (pastee.dev). In some cases, these services were used to publish updated C&C information. In others, they were used to deliver payloads or cloud-storage configuration data.
Compared to 2024, we also observed a shift in how Gamaredon used these dead drops. Rather than simply publishing raw C&C IP addresses, operators increasingly used them to point malware to infrastructure already hidden behind tunnels or workers. In other words, the dead drop often no longer revealed the real server directly; instead, it pointed to another intermediate layer.
Cloud storage became the preferred exfiltration channel
The other major infrastructure shift we observed was on the data-exfiltration side. Gamaredon upgraded two of its flagship file stealers, PteroPSDoor and PteroVDoor, to upload stolen files to S3-compatible cloud storage services – providers that support the Amazon S3 API, allowing the same tools and code to work across different storage vendors. Over the course of the year, configurations moved from Wasabi (wasabisys.com) to Tebi (tebi.io) and then to Intercolo (de-fra.i3storage.com), which by December had become the primary exfiltration destination.
At the same time, PteroBox continued to upload files to Dropbox, and one newer variant used the rclone utility to do so.
Uploading stolen files to cloud storage reduces the need for Gamaredon to maintain its own infrastructure for receiving large amounts of stolen data. It also helps malicious traffic blend in with access to legitimate storage providers. Essentially, Gamaredon increasingly uses third-party services not only to hide where instructions come from, but also to hide where stolen data goes.
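The two infrastructure patterns described in the dead-drop and cloud-storage sections above both leave a recognizable sequence in egress telemetry: a script host that reads a paste, blogging or messaging page and then, within minutes, contacts a host behind a tunnel, worker, PaaS or DDNS provider; and large uploads from an endpoint to an S3-compatible storage provider. The following hunting script is an added example written for this post, not ESET’s or the group’s code. It assumes a simplified, constructed proxy-log format (timestamp|host|process|dest|method|bytes_out); the proxy log lines are constructed; the dropbox.com and gofile.io hostnames and the No-IP suffixes (ddns.net, hopto.org) are assumptions, since the text names only the services.

```python
"""Hunt for Gamaredon-style dead-drop chains and S3-compatible uploads in proxy logs.

Added example, not ESET's code. It flags (1) a script host that reads a
dead-drop service and shortly afterwards contacts a host behind a tunnel,
worker, PaaS or DDNS provider, and (2) large PUT uploads to the S3-compatible
providers named in the report. Log format and log lines are constructed.
"""
from collections import defaultdict
from dataclasses import dataclass
from datetime import datetime

# Dead-drop services named in the report (dropbox.com / gofile.io are assumed hostnames).
DEAD_DROP_SUFFIXES = (
    "t.me", "telegra.ph", "teletype.in", "rentry.co", "write.as", "dropbox.com",
    "gofile.io", "dev.to", "mastodon.social", "lesma.eu", "nopaste.net", "pastee.dev",
)
# Tunnel, worker, PaaS and DDNS providers named in the report; the No-IP
# suffixes ddns.net and hopto.org are an assumption (the report says only "No-IP").
HIDDEN_C2_SUFFIXES = (
    "trycloudflare.com", "workers.dev", "devtunnels.ms", "loophole.site",
    "loca.lt", "bore.pub", "cleverapps.io", "supabase.co", "ddns.net", "hopto.org",
)
# S3-compatible storage providers used for exfiltration, per the report.
EXFIL_SUFFIXES = ("wasabisys.com", "tebi.io", "i3storage.com")
# Processes that have no business reading paste or blogging sites on a workstation.
SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe")


@dataclass
class Event:
    ts: datetime
    host: str
    process: str
    dest: str
    method: str
    bytes_out: int


def parse_log(lines):
    """Parse constructed 'timestamp|host|process|dest|method|bytes_out' lines."""
    events = []
    for line in lines:
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        ts, host, process, dest, method, bytes_out = line.split("|")
        events.append(Event(datetime.fromisoformat(ts), host, process.lower(),
                            dest.lower(), method.upper(), int(bytes_out)))
    return events


def matches(dest, suffixes):
    """True if dest is one of the suffix domains or a subdomain of one."""
    return any(dest == s or dest.endswith("." + s) for s in suffixes)


def hunt(events, window_minutes=30, exfil_bytes=1_000_000):
    """Return findings for dead-drop-then-hidden-C&C chains and large S3-style uploads."""
    findings = []
    by_actor = defaultdict(list)
    for e in events:
        by_actor[(e.host, e.process)].append(e)
    for (host, process), evs in by_actor.items():
        evs.sort(key=lambda e: e.ts)
        for i, drop in enumerate(evs):
            if process not in SCRIPT_HOSTS or not matches(drop.dest, DEAD_DROP_SUFFIXES):
                continue
            # Look for the intermediate layer the dead drop points to, inside the window.
            for nxt in evs[i + 1:]:
                if (nxt.ts - drop.ts).total_seconds() > window_minutes * 60:
                    break
                if matches(nxt.dest, HIDDEN_C2_SUFFIXES):
                    findings.append({"type": "dead_drop_then_hidden_c2", "host": host,
                                     "process": process, "dead_drop": drop.dest,
                                     "c2": nxt.dest})
                    break
    for e in events:
        if e.method == "PUT" and e.bytes_out >= exfil_bytes and matches(e.dest, EXFIL_SUFFIXES):
            findings.append({"type": "s3_compatible_upload", "host": e.host,
                             "process": e.process, "dest": e.dest,
                             "bytes_out": e.bytes_out})
    return findings


# Constructed sample telemetry: one infected workstation plus benign noise.
SAMPLE_LOG = """\
# constructed proxy log: timestamp|host|process|dest|method|bytes_out
2025-10-02T08:14:05|WS-017|mshta.exe|telegra.ph|GET|512
2025-10-02T08:14:09|WS-017|mshta.exe|abc-def.trycloudflare.com|GET|2048
2025-10-02T08:20:00|WS-017|powershell.exe|de-fra.i3storage.com|PUT|5242880
2025-10-02T09:00:00|WS-017|chrome.exe|t.me|GET|8192
2025-10-02T09:00:30|WS-017|chrome.exe|mail.example.com|GET|4096
2025-10-02T10:00:00|WS-042|outlook.exe|dropbox.com|PUT|120000
"""

if __name__ == "__main__":
    for finding in hunt(parse_log(SAMPLE_LOG.splitlines())):
        print(finding)
```

The chain rule deliberately requires a script host: browsers legitimately read Telegram or dev.to pages all day, so the process name is what separates a dead-drop read from normal traffic. The upload rule keys on the S3 providers alone, since endpoints in most organizations have no reason to PUT megabytes to Wasabi, Tebi or Intercolo; Dropbox (used by PteroBox) is left out of the upload list because it is common in legitimate use and needs per-organization baselining.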
Conclusion
Gamaredon continued to focus its cyberespionage activity exclusively on Ukraine throughout 2025, and nothing in ESET telemetry suggests that this will change in the near future.
While the six new tools introduced in 2025 were, for the most part, simple downloaders, the more significant development was the continued evolution of the infrastructure supporting the group’s operations. Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt.
As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services. As long as Russia’s war against Ukraine continues, we expect Gamaredon to remain a significant cyberespionage threat to Ukrainian institutions.
IoCs
A comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository and the Gamaredon white paper.