Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies

Sept. 1, 2025, 10:32 a.m.

Description

APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013 that targets Ukrainian government and military entities. The group has upgraded its tradecraft, shifting to dynamic cloud-based C2 infrastructure and targeted delivery of cloud storage tools, and in 2025 it conducted high-density intelligence theft against Ukrainian government agencies. The attack chain combines rapidly changing infrastructure, abuse of Microsoft Dev Tunnels and multi-stage data exfiltration. To evade detection the group relies on whitelisted-domain camouflage, domain shadowing and weaponization of cloud tunnel services. The camouflage is visible in the indicators below: in "wise.com@p9tm15n7-80.euw.devtunnels.ms" everything before the "@" is URL userinfo, so a request to that URL reaches the devtunnels.ms host and not wise.com, even though a casual reading of the string, or a filter that keys on the first hostname-looking token, treats it as traffic to a trusted brand. The data theft process includes registry-based persistence, multi-stage payload delivery via Cloudflare Workers, and exfiltration through legitimate cloud tools such as Dropbox.

Date

  • Created: Sept. 1, 2025, 9:55 a.m.
  • Published: Sept. 1, 2025, 9:55 a.m.
  • Modified: Sept. 1, 2025, 10:32 a.m.

Indicators

  • 31.129.22.156
  • 194.67.71.128
  • http://nandayo.ru/srgssdfsf
  • wise.com@p9tm15n7-80.euw.devtunnels.ms
  • megamarket.ua@p9tm15n7-80.euw.devtunnels.ms
  • euw.devtunnels.ms
  • 80.euw.devtunnels.ms
  • nandayo.ru
  • fulagam.ru
  • bulam.ru
  • litanq.ru
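The following Python script is an added example and is not part of the original report. It applies the indicators listed above to constructed proxy log lines, resolves the "wise.com@..." and "megamarket.ua@..." indicators to the devtunnels.ms host they actually connect to (the part before "@" is URL userinfo), and treats any subdomain of the listed .ru domains as a hit so that shadowed subdomains are caught. The log format and every log line are constructed for the example; only the IPs, domains and tunnel hostnames come from the Indicators section.

```python
"""Hunt for the report's Gamaredon indicators in proxy logs (added example).

The key point is the user@host URL trick: urlsplit() reports the real host
after the "@", so a lookalike like "wise.com@<tunnel>.devtunnels.ms" is
unmasked instead of being matched as trusted wise.com traffic.
"""
from typing import Optional
from urllib.parse import urlsplit

# Indicators copied from the report's Indicators section.
REPORT_IPS = {"31.129.22.156", "194.67.71.128"}
REPORT_DOMAINS = {"nandayo.ru", "fulagam.ru", "bulam.ru", "litanq.ru"}
# Dev Tunnels suffix abused for C2 per the report. Any subdomain is of
# interest, not only the exact tunnel hostnames listed.
TUNNEL_SUFFIX = "devtunnels.ms"


def _with_scheme(url: str) -> str:
    """Bare indicators carry no scheme; urlsplit needs one to find the netloc."""
    return url if "://" in url else "http://" + url


def real_host(url: str) -> Optional[str]:
    """Host the URL really connects to: userinfo and port are stripped."""
    return urlsplit(_with_scheme(url)).hostname


def userinfo(url: str) -> Optional[str]:
    """The user@ part, which is where the whitelisted-domain lookalike lives."""
    return urlsplit(_with_scheme(url)).username


def _under(host: str, parent: str) -> bool:
    return host == parent or host.endswith("." + parent)


def classify(url: str) -> dict:
    """Return a verdict dict with the reasons a URL matches the report."""
    host = real_host(url)
    user = userinfo(url)
    reasons = []
    if host is None:
        return {"host": None, "userinfo": user, "suspicious": False, "reasons": reasons}
    if _under(host, TUNNEL_SUFFIX):
        reasons.append("connects to a devtunnels.ms tunnel host")
    if user and "." in user:
        # A dotted "username" is a domain-shaped decoy in front of the real host.
        reasons.append(f"lookalike userinfo {user!r} masks real host {host!r}")
    if host in REPORT_IPS:
        reasons.append("report C2 IP")
    if any(_under(host, d) for d in REPORT_DOMAINS):
        # Subdomain match covers domain shadowing on the listed .ru domains.
        reasons.append("report domain or shadowed subdomain")
    return {"host": host, "userinfo": user, "suspicious": bool(reasons), "reasons": reasons}


# Constructed sample log: "<timestamp> <client ip> <method> <url> <status>".
# Hosts on lines 1, 2 and 4 come from the report; lines 3 and 5 are benign.
SAMPLE_LOG = """\
2025-09-01T09:55:01Z 10.0.0.5 GET http://nandayo.ru/srgssdfsf 200
2025-09-01T09:55:07Z 10.0.0.5 GET https://wise.com@p9tm15n7-80.euw.devtunnels.ms/ 200
2025-09-01T09:56:12Z 10.0.0.9 GET https://www.wise.com/ 200
2025-09-01T09:57:30Z 10.0.0.5 POST http://cdn.fulagam.ru/upload 200
2025-09-01T09:58:00Z 10.0.0.7 GET https://www.dropbox.com/ 200
"""


def scan_log(log_text: str) -> list:
    """Return one verdict per suspicious log line, tagged with client IP and URL."""
    hits = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or malformed lines
        _ts, src, _method, url = fields[:4]
        verdict = classify(url)
        if verdict["suspicious"]:
            verdict["src"] = src
            verdict["url"] = url
            hits.append(verdict)
    return hits


if __name__ == "__main__":
    for hit in scan_log(SAMPLE_LOG):
        print(hit["src"], hit["url"], "->", hit["host"], "|", "; ".join(hit["reasons"]))
```

The Dropbox line is left alone on purpose: the report names Dropbox as an exfiltration channel, but a domain match on a legitimate cloud service would drown the hunt in noise, so that part of the chain is better attacked with volume or destination-account analytics than with a blocklist.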

Attack Patterns

Additional Information

  • Defense
  • Government
  • Ukraine