Russia-linked APT Gamaredon update TTPs in recent attacks against Ukraine

Pierluigi Paganini June 15, 2023

Russia-linked APT group Gamaredon is using a new toolset in attacks aimed at critical organizations in Ukraine.

The Gamaredon APT group (aka Shuckworm, Actinium, Armageddon, Primitive Bear, UAC-0010, and Trident Ursa) continues to carry out attacks against entities in Ukraine, including security services, military, and government organizations.

Symantec researchers reported that in some cases, the cyberespionage group remained undetected in the target networks for three months. The threat actors focuses on stealing sensitive information such as reports about the deaths of Ukrainian military service members, enemy engagements and air strikes, arsenal inventories, military training, and more.

Gamaredon has been active since 2014, its activity focus on Ukraine, the group was observed using the multistage backdoor Pteranodon/Pterodo.

Symantec pointed out that the group has repeatedly refreshed its toolset to avoid detection, the researchers discovered new versions of known tools and observed the group using short-lived infrastructure.

The attack chain commences with spear-phishing emails with malicious attachments (.docx, .rar, .sfx (self-extracting archives), .lnk, .hta (HTML smuggling files)) using armed conflicts, criminal proceedings, combating crime, and protection of children, as a lure.

The group recently used new variants of the Pteranodon implant that are distributed using a new PowerShell script.

“Shuckworm has also been observed using a new PowerShell script in order to spread its custom backdoor malware, Pterodo, via USB. Researchers from Symantec, part of Broadcom, blogged about Backdoor.Pterodo in April 2022, documenting how we had found four variants of the backdoor with similar functionality.” reads the report published by Symantec. “The variants are Visual Basic Script (VBS) droppers that will drop a VBScript file, use Scheduled Tasks (shtasks.exe) to maintain persistence, and download additional code from a command-and-control (C&C) server.”

The PowerShell script is used in recent attacks first copy itself onto the infected systems and create a shortcut file using an rtk.lnk extension. Then the script uses file names such as “porn_video.rtf.lnk”, “do_not_delete.rtf.lnk”” and “evidence.rtf.lnk” in an attempt to trick individuals into oping the files.

A novelty observed in the recent attacks is the use of a USB propagation malware.

The script also enumerates all drives and copies itself to removable disks – USB drives connected to the system. Threat actors use USB drives for lateral movement, and potentially target air-gapped networks.

In this recent attacks, the APT group was using legitimate services as C&C servers, including the Telegram messaging service and the Telegram’s micro-blogging platform, called Telegraph.


Most of the attacks began in February/March 2023 and threat actors remained undetected in the target networks until May. In some attacks threat actors successfully breached the victims’ human resources departments in an attempt to gather intelligence on the personnel at the various organizations.

The report published by Symantec includes indicators of compromise for the recent attacks.

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)

you might also like

leave a comment