Since Russia’s full-scale invasion of Ukraine in February 2022, cyberespionage has become a defining element of the conflict, with Russia-aligned APT groups relentlessly pursuing Ukrainian targets.
ESET Research reports that the Gamaredon group, attributed to Russia’s FSB 18th Center of Information Security, refocused its entire operational capacity throughout 2024 on Ukrainian governmental institutions, abandoning earlier attempts to compromise NATO-related entities.
The group’s persistent campaigns, driven by a blend of spearphishing and evolving malware, underscore the critical role of cyber operations in the ongoing war.
New Delivery Mechanisms Surface
In the second half of 2024, Gamaredon substantially increased both the frequency and scope of its spearphishing operations.
Campaign duration typically spanned between one and five days, leveraging malicious RAR, ZIP, 7z, and HTML files using HTML smuggling techniques as vectors.
Notably, the group began delivering malicious hyperlinks directly in emails, a departure from its reliance on infected attachments.
The group also began deploying LNK files that executed PowerShell from Cloudflare-hosted domains, demonstrating their drive to bypass traditional perimeter defenses.
Enhanced Obfuscation
Gamaredon introduced six new malware tools in 2024, focusing on stealth, persistence, and lateral movement.
Among the newly discovered components: PteroDespair, a PowerShell-based reconnaissance tool; PteroTickle, targeting Python GUI applications for lateral movement; PteroGraphin, which initially used Excel add-ins for persistence and encrypted payload delivery via the Telegraph API; PteroStew and PteroQuark, both VBScript downloaders with an emphasis on alternate data streams and improved obfuscation; and PteroBox, a PowerShell file stealer that utilizes WMI event subscriptions to monitor USB activity and exfiltrate data to Dropbox, reflecting the group’s growing sophistication and operational stealth.
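The WMI event-subscription persistence described for PteroBox leaves a permanent filter/consumer binding in the root\subscription namespace that defenders can enumerate. The hunting script below is an added example, not code from ESET or the article; the keyword lists it uses to flag drive-monitoring filters and script-launching consumers are assumptions, and it expects Windows PowerShell 5.1 with rights to read that namespace.

```powershell
# Added hunting script: list permanent WMI event subscriptions and flag bindings
# whose filter watches volume/USB events and whose consumer launches a script
# interpreter, the pattern attributed to the PteroBox file stealer.
$ns = 'root\subscription'

# Assumed indicators: WQL classes/terms used to watch drive arrival, and the
# interpreters a script-based stealer would typically hand off to.
$usbTerms    = @('Win32_Volume', 'Win32_LogicalDisk', 'Win32_USBControllerDevice', 'Win32_DiskDrive', 'DriveType')
$interpTerms = @('powershell', 'wscript', 'cscript', 'mshta', 'cmd\.exe')

function Get-SuspiciousWmiSubscription {
    $filters   = @(Get-WmiObject -Namespace $ns -Class __EventFilter -ErrorAction SilentlyContinue)
    $consumers = @(Get-WmiObject -Namespace $ns -Class CommandLineEventConsumer -ErrorAction SilentlyContinue) +
                 @(Get-WmiObject -Namespace $ns -Class ActiveScriptEventConsumer -ErrorAction SilentlyContinue)
    $bindings  = @(Get-WmiObject -Namespace $ns -Class __FilterToConsumerBinding -ErrorAction SilentlyContinue)

    foreach ($b in $bindings) {
        # Get-WmiObject returns references as strings such as
        # \\.\root\subscription:__EventFilter.Name="example"; extract the Name.
        $filterName   = $b.Filter   -replace '.*Name="([^"]+)".*', '$1'
        $consumerName = $b.Consumer -replace '.*Name="([^"]+)".*', '$1'
        $f = $filters   | Where-Object { $_.Name -eq $filterName }
        $c = $consumers | Where-Object { $_.Name -eq $consumerName }

        # CommandLineEventConsumer exposes CommandLineTemplate; ActiveScriptEventConsumer
        # exposes ScriptText. Concatenate so both consumer types are inspected.
        $query = [string]$f.Query
        $cmd   = ([string]$c.CommandLineTemplate + ' ' + [string]$c.ScriptText).Trim()

        $watchesUsb = @($usbTerms    | Where-Object { $query -match $_ }).Count -gt 0
        $runsScript = @($interpTerms | Where-Object { $cmd   -match $_ }).Count -gt 0

        [pscustomobject]@{
            Filter     = $filterName
            Consumer   = $consumerName
            Query      = $query
            Command    = $cmd
            WatchesUsb = $watchesUsb
            RunsScript = $runsScript
            Suspicious = ($watchesUsb -and $runsScript)
        }
    }
}

# Show only the bindings matching both conditions; drop the filter to audit all of them.
Get-SuspiciousWmiSubscription | Where-Object { $_.Suspicious } | Format-List
```

Legitimate management agents also register permanent subscriptions, so treat a hit as a lead to review the consumer's command line and the binding's creation time rather than as a verdict on its own.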
Existing malware tools were not neglected, with major updates observed across the arsenal.
The upgraded PteroPSDoor adopted stealthier operation by using the IO.FileSystemWatcher object instead of frequent directory scans and moved its code storage exclusively to registry keys.
PteroLNK now weaponizes both USB and mapped network drives, while significantly improving obfuscation, LNK file creation complexity, and victim evasion.
PteroVDoor received updates to facilitate more dynamic C&C server distribution, leveraging external platforms like Codeberg, and PteroPSLoad transitioned its infrastructure from ngrok to Cloudflare tunnels, hiding nearly all C&C traffic behind Cloudflare-generated subdomains.
Network defense evasion remains a central focus for Gamaredon. The group reduced its own domain registrations, instead pivoting towards third-party services such as Telegram, Telegraph, Codeberg, and Cloudflare tunnels to obscure its C&C infrastructure.
Fast-flux DNS techniques continue at a diminished scale, complemented by the frequent use of DNS-over-HTTPS services provided by Google and Cloudflare, as well as independent resolver platforms to bypass blocks and further complicate tracking efforts.
The adoption of embedded HTA and VBScript files dropped into temporary directories for initial C&C resolution highlights creative efforts to thwart automated detection.
In July 2024, researchers traced a unique Gamaredon-delivered VBScript payload that automatically opened a Telegram propaganda channel targeting the Odessa region, marking a rare foray into overt information operations by the group.
Despite observable limitations and the abandonment of older tools, Gamaredon’s operational tempo and toolset innovation remain formidable.
As the war in Ukraine persists, so does the likelihood that Gamaredon’s aggressive spearphishing and cyberespionage campaigns, shielded by sophisticated evasion techniques and modular malware, will continue to evolve, solidifying the group’s status as a significant and persistent threat to Ukrainian national security.