Researchers have uncovered new technical details on the Gamaredon group’s latest PteroLNK VBScript malware campaign, revealing a sophisticated ecosystem of obfuscated scripts, modular payloads, and resilient command-and-control (C2) infrastructure.
The campaign, active from late 2024 through March 2025, primarily targets Ukrainian government, military, and critical infrastructure entities, leveraging military-themed lures and advanced propagation techniques to maximize operational impact.
Advanced Propagation and Stealth: PteroLNK’s Technical Arsenal
PteroLNK, a heavily obfuscated VBScript malware, dynamically constructs two additional payloads during execution: a downloader and an LNK dropper.
The primary script ensures persistence by deploying itself to multiple locations and modifying Windows Explorer settings to conceal its activities.
Parameters such as file names, paths, persistence mechanisms, and detection logic are easily customizable, enabling rapid adaptation by operators.
Upon execution, the script drops itself to %PUBLIC%\NTUSER.DAT.TMContainer and %APPDATA%\~.drv, while the downloader and LNK dropper are deployed as disguised regtrans-ms files.
The downloader component, scheduled to execute every three minutes, is designed for modular, multi-stage retrieval of additional malware.
It persistently stores and rotates C2 addresses using Windows registry keys, and uniquely identifies infected hosts via custom User-Agent strings containing system-specific data.

The downloader uses a sequence of fallback mechanisms, including hardcoded Dead Drop Resolvers (DDRs) hosted on platforms such as Telegraph and Teletype, to extract updated C2 addresses and maintain communication even under active disruption efforts.
Cloudflare quick tunnels are frequently employed as C2 endpoints, leveraging their anonymity and ability to blend with legitimate traffic.
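The C2 behaviour described above (a downloader firing every three minutes, dead drop resolvers on Telegraph and Teletype, and Cloudflare quick tunnels as endpoints) can be hunted for in outbound web-proxy logs. The following is an added detection example written for this article, not code from the report or from the malware: it takes the network indicators from the IoC table at the end of the page, undoes the defanging, and flags known C2 domains, DDR URLs, any `*.trycloudflare.com` host, and any client whose requests to one host keep a near-constant 180-second cadence. The log layout (ISO timestamp, client IP, method, URL, quoted User-Agent) and the sample lines are constructed for the demonstration; the article says the User-Agent carries host-specific data but does not give its format, so the field is parsed but not matched on.

```python
import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Network indicators copied from the article's IoC table, with the defanging
# ("[.]", "hxxps") undone so they can be matched against real log fields.
C2_DOMAINS = {"tienes.ru", "mahombres.ru", "kimiga.ru", "areyouall.ru", "nandayo.ru"}
DDR_URLS = {
    "https://telegra.ph/Vizit-12-28",
    "https://teletype.in/@din3/VByOMkbbyIt",
}
QUICK_TUNNEL_SUFFIX = ".trycloudflare.com"

# The article states the downloader runs every three minutes, so a near-constant
# 180 s cadence from one client to one host is worth surfacing even when the
# host is not yet a known indicator. Tolerance and minimum count are assumptions.
BEACON_INTERVAL_S = 180
TOLERANCE_S = 20
MIN_BEACONS = 4

# Assumed (constructed) log layout: ISO timestamp, client IP, method, URL, quoted User-Agent.
LOG_RE = re.compile(
    r'^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+"(?P<ua>[^"]*)"$'
)


def parse_line(line):
    """Parse one log line into a dict, or return None if it does not fit the layout."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.fromisoformat(rec["ts"])
    rec["host"] = (urlparse(rec["url"]).hostname or "").lower()
    return rec


def analyse(lines):
    """Return a sorted list of (signal, client, host) tuples for the given log lines."""
    findings = set()
    seen = defaultdict(list)  # (client, host) -> request timestamps
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        src, host = rec["src"], rec["host"]
        if host in C2_DOMAINS:
            findings.add(("known-c2-domain", src, host))
        if host.endswith(QUICK_TUNNEL_SUFFIX):
            findings.add(("cloudflare-quick-tunnel", src, host))
        if rec["url"] in DDR_URLS:
            findings.add(("dead-drop-resolver", src, host))
        seen[(src, host)].append(rec["ts"])
    # Cadence check: every gap between consecutive requests must sit near 180 s.
    for (src, host), stamps in seen.items():
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        if len(stamps) >= MIN_BEACONS and all(
            abs(g - BEACON_INTERVAL_S) <= TOLERANCE_S for g in gaps
        ):
            findings.add(("three-minute-beacon", src, host))
    return sorted(findings)


# Constructed sample: one client (10.20.0.15) fetching a DDR page, beaconing to a
# quick tunnel on a three-minute schedule, then contacting a listed C2 domain;
# a second client (10.20.0.22) only browses a benign site.
UA = '"Mozilla/5.0 (Windows NT 10.0) Firefox/120.0"'
SAMPLE_LOG = [
    f"2025-03-10T09:00:00 10.20.0.15 GET https://www.example.com/news {UA}",
    f"2025-03-10T09:00:05 10.20.0.15 GET https://telegra.ph/Vizit-12-28 {UA}",
    f"2025-03-10T09:00:07 10.20.0.15 GET https://des-cinema-democrat-san.trycloudflare.com/ {UA}",
    f"2025-03-10T09:03:08 10.20.0.15 GET https://des-cinema-democrat-san.trycloudflare.com/ {UA}",
    f"2025-03-10T09:06:06 10.20.0.15 GET https://des-cinema-democrat-san.trycloudflare.com/ {UA}",
    f"2025-03-10T09:09:09 10.20.0.15 GET https://des-cinema-democrat-san.trycloudflare.com/ {UA}",
    f"2025-03-10T09:12:00 10.20.0.15 GET https://tienes.ru/ {UA}",
    f"2025-03-10T09:15:00 10.20.0.22 GET https://www.example.com/ {UA}",
    "this line is malformed and is skipped",
]

if __name__ == "__main__":
    for signal, client, host in analyse(SAMPLE_LOG):
        print(f"{signal:24} {client:12} {host}")
```

The cadence check is deliberately separate from the indicator match: domains and tunnel hostnames in this campaign rotate daily, so the exact values in the table age quickly, whereas the scheduled-task interval is a property of the tooling and survives infrastructure changes.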
Infrastructure Resilience and Attribution to Russian State-Linked Actors
The LNK dropper, executed every nine minutes, systematically replaces files and folders on local and network drives with malicious shortcuts that execute the primary PteroLNK script.
According to the report, the dropper uses military-themed decoy filenames in Ukrainian to make its social engineering more effective.
The malware also ensures the presence of at least two malicious shortcuts per directory, propagating itself across shared storage environments and increasing the likelihood of lateral movement within targeted networks.
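The propagation pattern just described (shortcuts standing in for real files and folders, at least two per directory, spread across local and network drives) leaves a footprint that can be scanned for without parsing the shortcuts themselves. The following is an added hunting example written for this article, not code from the report or the malware: it walks a directory tree and reports every directory in which a `.lnk` file shares its name with a sibling file or folder, rating the directory higher when it also holds two or more shortcuts. The heuristics and thresholds are assumptions drawn from the behaviour the article describes, and the sample tree is constructed in a temporary directory for the demonstration.

```python
import os
import shutil
import tempfile

# The article states the dropper keeps at least two shortcuts per directory;
# a single shadowing shortcut is still suspicious, just weaker evidence.
MIN_SHORTCUTS_PER_DIR = 2


def _stem(name):
    """Filename without its last extension, lower-cased for comparison."""
    return os.path.splitext(name)[0].lower()


def scan_tree(root):
    """Walk `root` and return {relative_dir: details} for every directory that
    contains at least one shortcut shadowing a sibling file or folder.

    details = {"shortcuts": [...], "shadowing": [...], "severity": "high"|"medium"}
    Relative paths use '/' regardless of platform so results are easy to compare."""
    report = {}
    for dirpath, dirnames, filenames in os.walk(root):
        shortcuts = sorted(f for f in filenames if f.lower().endswith(".lnk"))
        if not shortcuts:
            continue
        # Names of everything that is not a shortcut: 'report.docx' contributes
        # 'report', the folder 'Documents' contributes 'documents'. os.walk lists
        # hidden entries too, so originals the malware hid are still seen.
        others = {_stem(f) for f in filenames if not f.lower().endswith(".lnk")}
        others |= {d.lower() for d in dirnames}
        shadowing = [f for f in shortcuts if _stem(f) in others]
        if not shadowing:
            continue
        severity = "high" if len(shortcuts) >= MIN_SHORTCUTS_PER_DIR else "medium"
        rel = os.path.relpath(dirpath, root).replace(os.sep, "/")
        report[rel] = {"shortcuts": shortcuts, "shadowing": shadowing, "severity": severity}
    return report


def build_constructed_sample():
    """Create a throw-away tree (constructed test data, no real shortcuts) and return its root."""
    root = tempfile.mkdtemp(prefix="lnkscan-")
    # A normal directory: one genuine-looking shortcut that shadows nothing.
    desktop = os.path.join(root, "Desktop")
    os.makedirs(desktop)
    open(os.path.join(desktop, "Browser.lnk"), "w").close()
    # A directory shaped like a share the dropper has touched: each real item
    # has a same-named shortcut beside it, and there are two shortcuts in total.
    projects = os.path.join(root, "share", "Projects")
    os.makedirs(os.path.join(projects, "Documents"))
    for name in ("Documents.lnk", "report.docx", "report.lnk"):
        open(os.path.join(projects, name), "w").close()
    return root


def cleanup(root):
    """Remove a tree created by build_constructed_sample()."""
    shutil.rmtree(root, ignore_errors=True)


if __name__ == "__main__":
    sample_root = build_constructed_sample()
    try:
        for rel, details in scan_tree(sample_root).items():
            print(f"[{details['severity']}] {rel}: shadowing {details['shadowing']}")
    finally:
        cleanup(sample_root)
```

Pointing `scan_tree` at the root of a file share gives a quick triage list; confirming a hit still means inspecting the shortcut's target and arguments, since a legitimately created `Documents.lnk` next to a `Documents` folder is possible, but a whole share full of them is not.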
Gamaredon’s infrastructure demonstrates high operational resilience. DDRs are updated daily, and C2 domains are registered via REGRU-RU and hosted on Cloudflare, with some flagged as ‘Suspected Phishing’ to disrupt payload retrieval.
The group’s use of Cloudflare quick tunnels allows for rapid, low-profile C2 channel rotation, complicating detection and mitigation by defenders.
The campaign’s victimology, lure themes, and technical artifacts, including custom User-Agent formats and characteristic filename conventions, strongly attribute the activity to Gamaredon, a group widely linked to Russia’s Federal Security Service (FSB).
The campaign’s technical sophistication lies in its adaptability and redundancy, rather than novel exploitation techniques.
Aggressive spearphishing, rapid deployment of obfuscated scripts, and robust infrastructure enable Gamaredon to maintain persistent access and intelligence collection capabilities against Ukrainian targets.
As the geopolitical conflict evolves, continued analysis of Gamaredon’s tactics, techniques, and procedures (TTPs) is essential for both immediate defense and broader strategic countermeasures.
Indicators of Compromise (IoC)
| Type | Value/Path | Description |
|---|---|---|
| File Hash | 0cec5ca5d2fe9616a275b54ca37f45248e1ed6e15f627d6bffb566ffd6295208 | PteroLNK VBScript, ~.drv |
| File Path | %PUBLIC%\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms | Downloader payload |
| File Path | %PUBLIC%\NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms | LNK dropper payload |
| File Path | %PUBLIC%\NTUSER.DAT.TMContainer | PteroLNK VBScript |
| File Path | %APPDATA%\~.drv | PteroLNK VBScript |
| Scheduled Task | \Windows\DeviceDirectoryClient\RegisterUserDevice | Downloader payload |
| Scheduled Task | \Windows\DeviceDirectoryClient\RegisterDeviceConnectedToNetwork | LNK dropper payload |
| Registry Key | HKEY_CURRENT_USER\Console\WindowsUpdates | C2 registry key |
| Registry Key | HKEY_CURRENT_USER\Console\WindowsResponby | C2 registry key |
| Registry Key | HKEY_CURRENT_USER\Console\WindowsDetect | C2 registry key |
| Domain | tienes[.]ru | Gamaredon C2 |
| Domain | mahombres[.]ru | Gamaredon C2 |
| Domain | kimiga[.]ru | Gamaredon C2 |
| Domain | areyouall[.]ru | Gamaredon C2 |
| Domain | nandayo[.]ru | Gamaredon C2 |
| Hostname | des-cinema-democrat-san.trycloudflare[.]com | Cloudflare quick tunnel |
| URL | hxxps://telegra[.]ph/Vizit-12-28 | Dead drop resolver |
| URL | hxxps://teletype[.]in/@din3/VByOMkbbyIt | Dead drop resolver |