A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025.
Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these efforts include Ukrainian governmental and military institutions.
“Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine,” ESET said. “The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine.”
The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand. Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim’s Windows Startup folder.
This, in turn, causes the downloader to be automatically executed on the next login, thereby adding a persistence mechanism to the compromise chain. Gamaredon’s attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.
Also used is PteroSetup, an older Visual Basic Script (VBScript) weaponizer first detected in January 2021 and likely assumed to be discontinued. The tool scans USB and mapped network drives for legitimate installer files, and if found, replaces them with 7z self-extracting (SFX) archives containing the original installer and a malicious VBScript downloader.
“In 2025, the group’s reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure,” ESET said.
The attacks are also characterized by the introduction of six new malicious PowerShell tools, broadening its custom malware arsenal –
- PteroDee and PteroCache for fetching and executing PowerShell payloads in memory
- PteroDum for fetching and executing VBScript payloads in memory
- PteroOdd for fetching a single PowerShell payload using the Telegra.ph API and likely used in campaigns in which the Gamaredon actors collaborated with Turla
- PteroEffigy for fetching the command-and-control (C2) server using the GoFile cloud storage service
- PteroPaste, for weaponizing USB drives and downloading additional PowerShell payloads via an encrypted channel
“While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools,” ESET researcher Zoltán Rusnák said.
“Many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees.”
Another noteworthy aspect of the threat actor’s campaign revolves around the use of a wide range of legitimate services as data exfiltration channels and dead drop resolvers to obtain details of the C2 server and to point malware to infrastructure already hidden behind tunnels or serverless workers. These include –
- Telegra.ph
- Teletype
- Rentry.co
- Write.as
- Dropbox
- GoFile
- DEV Community (dev.to)
- Mastodon
- Lesma
- Nopaste.net
- Paste.ee
- Wasabi
- Tebi
- Intercolo
- Dropbox
“As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services,” ESET said. “Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt.”
