Pierluigi Paganini April 11, 2025

Gamaredon targeted a foreign military mission in Ukraine with updated GammaSteel malware on Feb 26, 2025, per Symantec.

Symantec Threat Hunter researchers reported that the Russia-linked APT group Gamaredon (a.k.a. Shuckworm, Armageddon, Primitive Bear, ACTINIUM, Callisto) targeted a foreign military mission based in Ukraine with an updated version of the GamaSteel infostealer.

Shuckworm is known for targeting government, law enforcement, and defense organizations in Ukraine since 2013.

“Shuckworm’s relentless focus on Ukraine has continued into 2025, with the group targeting the military mission of a Western country based in the Eastern European nation.” reads the report published by Symantec Threat Hunter. “This first activity in this campaign occurred in February 2025, and it continued into March. The initial infection vector used by the attackers appears to have been an infected removable drive.”

Gamaredon’s campaign began in February 2025, using infected removable drives as the initial attack vector, and continued into March.

The updated version of the GammaSteel used by the APT group supports multiple exfiltration methods, including write.as, cURL, and Tor.

Shuckworm’s campaign shifted from VBS to PowerShell-based tools for obfuscation, using registry scripts. The experts observed that APT group was deploying GammaSteel after a multi-stage, obfuscated attack.

The attack chain starts with creating a Windows Registry value under UserAssist, using “mshta.exe” via “explorer.exe” to launch a multi-stage infection. The first file (“NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms”) connects to a C2 server via URLs like Teletype, Telegram, and Telegraph. The second file (“NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms,”) infects removable and network drives, creating shortcuts to execute “mshta.exe” and hide it.

On March 1, the experts noticed malicious occurred on the targeted network. A script contacted a C2 server, exfiltrated system metadata, and received a Base64-encoded payload that triggered a PowerShell command. This command downloaded a new obfuscated script, which then fetched two PowerShell scripts: one for reconnaissance (capturing screenshots, system info, and files) and another, an upgraded version of the GammaSteel infostealer, exfiltrating specific files.

This version of GammaSteel attempts to exfiltrate files via a PowerShell web request, and if it fails, it uses cURL with a Tor network proxy as a fallback to obfuscate the origin IP.

“This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine. While the group does not appear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be trying to compensate for this by continually making minor modifications to the code it uses, adding obfuscation, and leveraging legitimate web services, all to try lower the risk of detection.” concludes the report. “This campaign also demonstrates that the group remains laser-focused on targeting entities within Ukraine for espionage purposes.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon

Pierluigi Paganini

(SecurityAffairs – hacking, Gamaredon)