Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

July 4, 2025, 10:53 a.m.

Description

Throughout 2024, Gamaredon focused exclusively on targeting Ukrainian governmental institutions with spearphishing campaigns and weaponized USB drives. The group developed six new tools and significantly updated existing ones, improving stealth and evasion capabilities. Gamaredon increased the scale of its spearphishing campaigns, especially in the second half of the year. The group also made efforts to bypass network-based blocking, hiding most of its command and control infrastructure behind Cloudflare tunnels. Notable updates include enhancements to PteroLNK for weaponizing network drives, improvements in file exfiltration techniques, and the introduction of new downloaders. Despite these advancements, Gamaredon showed signs of operational limitations, occasionally abandoning or infrequently updating certain tools.

External References

https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
https://otx.alienvault.com/pulse/6867ae2d0a53dfda37955c4b
Tags
apt
spearphishing
powershell
cloudflare tunnels
2025-07-04

Date

  • Created: July 4, 2025, 10:34 a.m.
  • Published: July 4, 2025, 10:34 a.m.
  • Modified: July 4, 2025, 10:53 a.m.

Indicators

  • 64.227.139.249
  • 38.54.12.3
  • 213.182.204.71
  • 178.128.215.84
  • 167.172.74.200
  • 167.99.127.118
  • 165.22.120.122
  • 161.35.185.146
  • 164.90.210.128
  • 159.203.21.16
  • 161.35.169.180
  • 157.245.201.196
  • 157.230.94.134
  • 143.198.216.105
  • 157.230.108.94
  • 143.110.168.51
  • 209.38.97.36
  • 64.227.172.243
  • 165.232.136.224
  • 146.190.74.132
  • 159.223.226.57
  • 138.68.161.53
  • 137.184.116.179
  • www.sheepster.ru
  • www.phlovel.ru
  • talent.trycloudflare.com
  • verbal.trycloudflare.com
  • sub-nursery-foo-governing.trycloudflare.com
  • signatures.trycloudflare.com
  • soldier.trycloudflare.com
  • sao-yield-are-domestic.trycloudflare.com
  • niagara-silent-exterior-talent.trycloudflare.com
  • ordering-ratings-motor-soldier.trycloudflare.com
  • kinda-grows-reaches-crimes.trycloudflare.com
  • inside.trycloudflare.com
  • incorporate-two-knowing-inside.trycloudflare.com
  • governing.trycloudflare.com
  • freely.trycloudflare.com
  • drums-hobbies-geological-signatures.trycloudflare.com
  • deny-webshots-hudson-verbal.trycloudflare.com
  • domestic.trycloudflare.com
  • crimes.trycloudflare.com
  • ashley-characters-societies-freely.trycloudflare.com
  • workbookee.ru
  • wasic.ru
  • tienes.ru
  • phlovel.ru
  • noraspdan.ru
  • lucystew.ru
  • loguna.ru
  • litanq.ru
  • iraiz.ru
  • andbien.ru
Download all indicators here!

Attack Patterns

  • PteroWLoad
  • PteroBox
  • PteroStew
  • PteroQuark
  • PteroGraphin
  • PteroTickle
  • PteroDespair
  • PteroSig
  • PteroVDoor
  • PteroPSDoor
  • PteroLNK
  • PteroPSLoad
  • Gamaredon

Additional Informations

  • Government
  • Ukraine