Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

June 5, 2026, 9:12 a.m.

Description

This analysis examines Gamaredon's (UAC-0010, Armageddon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer that operates almost entirely from memory, protects its on-disk components with Windows DPAPI encryption, and stores 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring aimed at air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io), with fallback to operator-controlled servers. The infection chain relies extensively on VBScript for evasion, uses Dead Drop Resolvers on platforms such as Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities that enable arbitrary remote code execution. The infrastructure is highly automated, with servers rotated approximately every 24 hours.

Date

  • Created: June 4, 2026, 1:57 p.m.
  • Published: June 4, 2026, 1:57 p.m.
  • Modified: June 5, 2026, 9:12 a.m.

Indicators

  • 165.22.170.129
  • https://justsstop.ru/

Attack Patterns

  • GammaSteel
  • GammaLoad
  • GammaWorm
  • GammaPhish
  • GammaWipe
  • Gamaredon

Additional Information

  • Defense
  • Government
  • justsstop.ru
  • Ukraine