[{"data":1,"prerenderedAt":-1},["ShallowReactive",2],{"$fX1WUpntibPeeTzNOnTqMzSCyK2ZGzq9ELWGdWWBHHF8":3},{"article":4,"iocs":57},{"id":5,"title":6,"slug":7,"summary":8,"ai_summary":9,"brief":10,"full_text":11,"url":12,"image_url":13,"published_at":14,"ingested_at":15,"relevance_score":16,"entities":17,"category_id":34,"category":35,"article_tags":39},"18ba3fb3-b0e7-4316-94db-bcebb62426b4","Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse","gamaredon-expands-ukraine-attacks-with-new-malware-and-cloud-service-abuse-9eaf1e","A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these","The Russian APT group Gamaredon significantly evolved its malware arsenal and tactics in 2025, launching 35 spear-phishing campaigns against Ukrainian governmental and military institutions. The group leveraged new PowerShell tools, abused cloud services for C2 infrastructure, and exploited a WinRAR vulnerability for persistence, aiming to exfiltrate sensitive data to support Russian interests.","Gamaredon APT group expands Ukraine attacks with new malware and cloud service abuse in 2025.","Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse. Ravie Lakshmanan, Jun 29, 2026 (Cloud Security \u002F Malware). A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. 
Primary targets of these efforts include Ukrainian governmental and military institutions. \"Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine,\" ESET said. \"The group's ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine.\" The spear-phishing campaigns use archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders, which in turn drop additional payloads such as PteroSand. Some of the attacks have also weaponized a now-patched path traversal flaw in WinRAR (CVE-2025-8088) to place the malicious HTA downloader into the victim's Windows Startup folder: extracting the booby-trapped archive with a vulnerable WinRAR build is enough to plant the file, and the downloader then runs automatically at the next login, adding a persistence mechanism to the compromise chain. Gamaredon's attacks are known to rely on weaponizers such as PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware. Also used is PteroSetup, an older Visual Basic Script (VBScript) weaponizer first detected in January 2021 and previously assumed to have been discontinued. The tool scans USB and mapped network drives for legitimate installer files and, where it finds one, replaces it with a 7z self-extracting (SFX) archive containing the original installer and a malicious VBScript downloader, so the original installer still runs when the victim launches it. \"In 2025, the group's reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure,\" ESET said. 
The attacks are also characterized by the introduction of six new malicious PowerShell tools, broadening the group's custom malware arsenal:
- PteroDee and PteroCache, for fetching and executing PowerShell payloads in memory
- PteroDum, for fetching and executing VBScript payloads in memory
- PteroOdd, for fetching a single PowerShell payload using the Telegra.ph API, likely used in campaigns in which the Gamaredon actors collaborated with Turla
- PteroEffigy, for fetching the command-and-control (C2) server address using the GoFile cloud storage service
- PteroPaste, for weaponizing USB drives and downloading additional PowerShell payloads via an encrypted channel
\"While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools,\" ESET researcher Zoltán Rusnák said. \"Many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees.\" Another noteworthy aspect of the campaigns is the use of a wide range of legitimate services as data exfiltration channels and as dead drop resolvers: the malware retrieves a page on one of these services to obtain the details of its C2 server, which points it to infrastructure already hidden behind tunnels or serverless workers. These include Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, DEV Community (dev.to), Mastodon, Lesma, Nopaste.net, Paste.ee, Wasabi, Tebi, and Intercolo. \"As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services,\" ESET said. \"Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt.\" 
Tags: Cloud security, Gamaredon, HTML Smuggling, Malware, PowerShell, Russia, Spear Phishing, Ukraine, WinRAR
","https:\u002F\u002Fthehackernews.com\u002F2026\u002F06\u002Fgamaredon-expands-ukraine-attacks-with.html","https:\u002F\u002Fblogger.googleusercontent.com\u002Fimg\u002Fb\u002FR29vZ2xl\u002FAVvXsEijvTMs5lEwRQ2ndqc7YNsz1eNQK0XuR_q4uSjl8tLZ8Nh8vA4WRKZsQhyphenhyphenUx1O0gR-QJtdvAj8LDEUaGscAEXAlA9_e9c0LNtEeV-6NJzdqEdGt0gb7mDEUBNmlMNI2L05YQ8lPXA6kNBFL4s7BsjiJSPD72fyhQq2fmYJwZBPQhyHI4PN_zvSrnxtRbRtI\u002Fs1600\u002Fuk.jpg","2026-06-29T11:40:24+00:00","2026-06-29T12:00:21.988567+00:00",9,[18,21,23,26,29,32],{"name":19,"type":20},"Gamaredon","threat_actor",{"name":22,"type":20},"Turla",{"name":24,"type":25},"ESET","vendor",{"name":27,"type":28},"WinRAR","product",{"name":30,"type":31},"PowerShell","technology",{"name":33,"type":31},"VBScript","6cbdd207-aaa1-4176-9534-e156b125e917",{"id":34,"icon":36,"name":37,"slug":38},null,"Nation-state","nation-state",[40,45,47,52],{"category":41},{"id":42,"icon":36,"name":43,"slug":44},"26b0b636-0e31-4db1-bffb-61bdf9f20a58","Supply Chain","supply-chain",{"category":46},{"id":34,"icon":36,"name":37,"slug":38},{"category":48},{"id":49,"icon":36,"name":50,"slug":51},"89f78b1c-3503-45a1-9fc7-e23d2ce1c6d5","Malware","malware",{"category":53},{"id":54,"icon":36,"name":55,"slug":56},"e7b231c8-5f79-4465-8d38-1ef13aea5a14","Threat Intelligence","threat-intelligence",[58,62,65,68,71,74,77,79,82,85,88,92,95,97,99,101,103,105],{"type":59,"value":60,"context":61},"cve","CVE-2025-8088","WinRAR vulnerability exploited for persistence",{"type":51,"value":63,"context":64},"PteroSand","Payload dropped by HTA downloaders",{"type":51,"value":66,"context":67},"PteroLNK","Weaponizer used for lateral movement via USB\u002Fnetwork drives",{"type":51,"value":69,"context":70},"PteroPaste","Weaponizer used for USB drives and downloading payloads",{"type":51,"value":72,"context":73},"PteroSetup","VBScript weaponizer replacing legitimate installers",{"type":51,"value":75,"context":76},"PteroDee","New PowerShell tool for fetching\u002Fexecuting payloads",{"type":51,"value":78,"context":76},"PteroCache",{"type":51,"value":80,"context":81},"PteroDum","New PowerShell tool for fetching VBScript payloads",{"type":51,"value":83,"context":84},"PteroOdd","New PowerShell tool using Telegra.ph API",{"type":51,"value":86,"context":87},"PteroEffigy","New PowerShell tool fetching C2 via GoFile",{"type":89,"value":90,"context":91},"domain","telegra.ph","Legitimate service used for data exfiltration and C2 resolution",{"type":89,"value":93,"context":94},"gofile.io","Cloud storage service used for C2 communication",{"type":89,"value":96,"context":91},"dropbox.com",{"type":89,"value":98,"context":91},"dev.to",{"type":89,"value":100,"context":91},"mastodon.social",{"type":89,"value":102,"context":91},"nopaste.net",{"type":89,"value":104,"context":91},"paste.ee",{"type":89,"value":106,"context":91},"wasabisys.com"]
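The HTML smuggling stage the article describes (XHTML attachments that reassemble an HTA downloader inside the browser) can be triaged statically before anything is detonated. The Python script below is an added example written for this page, not code from ESET or The Hacker News: it flags the JavaScript idioms smuggling relies on and decodes any long quoted base64 run to see what the lure actually carries. The lure, the inert HTA inside it, the function names (`triage_html`, `classify_payload`) and the 200-character minimum are all constructed for the example.

```python
import base64
import re

# Magic bytes of archive/executable payloads a lure typically reassembles in the browser.
PAYLOAD_MAGIC = {
    b"PK\x03\x04": "zip",
    b"Rar!\x1a\x07": "rar",
    b"7z\xbc\xaf\x27\x1c": "7z",
    b"MZ": "pe",
}

# JavaScript idioms HTML smuggling uses to turn an embedded string into a file download.
SMUGGLING_APIS = {
    "atob": re.compile(r"\batob\s*\("),
    "Blob": re.compile(r"new\s+Blob\s*\("),
    "createObjectURL": re.compile(r"createObjectURL\s*\("),
    "msSaveOrOpenBlob": re.compile(r"msSaveOrOpenBlob\s*\("),
    "download": re.compile(r"""\.download\s*=|\bdownload\s*=\s*['"]"""),
}

# A quoted base64 run long enough to be a file rather than an icon or a token (arbitrary threshold).
B64_RE = re.compile(r"""['"]([A-Za-z0-9+/]{200,}={0,2})['"]""")


def classify_payload(blob: bytes) -> str:
    """Name the payload type from its leading bytes, falling back to HTA/script markers."""
    for magic, kind in PAYLOAD_MAGIC.items():
        if blob.startswith(magic):
            return kind
    head = blob[:4096].lower()
    if b"<hta:application" in head:
        return "hta"
    if b"<script" in head:
        return "html-script"
    return "unknown"


def triage_html(doc: str) -> dict:
    """Static triage of an HTML/XHTML attachment: which smuggling APIs it uses and what it carries."""
    apis = [name for name, rx in SMUGGLING_APIS.items() if rx.search(doc)]
    payloads = []
    for m in B64_RE.finditer(doc):
        try:
            blob = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError: skip strings that only look like base64
            continue
        payloads.append({"offset": m.start(1), "size": len(blob), "kind": classify_payload(blob)})
    # Flag only when the page both reconstructs a file client-side and that file is recognisable.
    suspicious = bool(apis) and any(p["kind"] != "unknown" for p in payloads)
    return {"smuggling_apis": apis, "payloads": payloads, "suspicious": suspicious}


# Constructed sample lure (not from the article): an inert HTA wrapped in a typical smuggling stub.
SAMPLE_HTA = (
    '<html><head><hta:application id="doc" showintaskbar="no" windowstate="minimize"/>'
    '<script language="VBScript">MsgBox "constructed HTA sample: it does nothing"</script>'
    "</head><body>Padding so the encoded blob clears the detector's minimum length.</body></html>"
)
SAMPLE_LURE = f"""<html><body><script>
var b = atob("{base64.b64encode(SAMPLE_HTA.encode()).decode()}");
var a = new Uint8Array(b.length);
for (var i = 0; i < b.length; i++) a[i] = b.charCodeAt(i);
var link = document.createElement("a");
link.href = URL.createObjectURL(new Blob([a], {{type: "application/octet-stream"}}));
link.download = "Document.hta";
link.click();
</script></body></html>"""

if __name__ == "__main__":
    print(triage_html(SAMPLE_LURE))
```

Run it against mail-gateway quarantines rather than live browsers: the regexes only catch the plain-string form of the trick, so a lure that reverses, XORs or splits the blob before decoding it will show the APIs but no recognisable payload, which is itself worth a sandbox detonation. A `zip` or `rar` result on an attachment that arrived as XHTML is the pairing the article describes, and a `rar` payload is the case to check the WinRAR version on the recipient's host.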
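Two of the persistence and spreading mechanisms in the article leave file-system artifacts a responder can check for directly: an HTA dropped into a Windows Startup folder (the CVE-2025-8088 trick) and, on USB or mapped drives, a legitimate installer swapped for a 7z self-extracting archive (PteroSetup) next to decoy LNK files (PteroLNK, PteroPaste). The Python checker below is an added example, not ESET's or the article's tooling. The sample drive and Startup folder are constructed in a temporary directory; the "LNK named after a sibling folder" rule is a heuristic of mine, not something the article states; and `is_7z_sfx` only says an executable carries an appended 7z archive, which plenty of genuine installers also do.

```python
import os
import tempfile
from pathlib import Path

SEVENZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"  # 7-Zip archive signature
# Script and shortcut types that have no business appearing in a Startup folder on their own.
STARTUP_SCRIPT_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".ps1", ".cmd", ".bat", ".lnk"}


def windows_startup_dirs() -> list:
    """Per-user and all-users Startup folders; a Startup-folder drop via CVE-2025-8088 lands in one of these."""
    return [
        Path(os.environ.get("APPDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "Startup",
        Path(os.environ.get("PROGRAMDATA", "")) / "Microsoft" / "Windows" / "Start Menu" / "Programs" / "StartUp",
    ]


def scan_startup(startup: Path) -> list:
    """Return script-type entries in a Startup folder, sorted by name."""
    if not startup.is_dir():
        return []
    return sorted(p.name for p in startup.iterdir() if p.suffix.lower() in STARTUP_SCRIPT_EXTS)


def is_7z_sfx(path: Path, limit: int = 8 * 1024 * 1024) -> bool:
    """True when a PE file carries an embedded 7z archive, i.e. is shaped like a 7z SFX."""
    with path.open("rb") as fh:
        data = fh.read(limit)
    if not data.startswith(b"MZ"):
        return False
    # The SFX stub comes first and the archive is appended to it, so search past the PE header.
    return data.find(SEVENZIP_MAGIC, 2) != -1


def scan_drive(root: Path) -> dict:
    """Walk a removable or mapped drive and flag the weaponizer artifacts the article describes."""
    found = {"sfx_exe": [], "lnk": [], "lnk_mirroring_folder": []}
    for p in sorted(root.rglob("*")):
        if not p.is_file():
            continue
        rel = p.relative_to(root).as_posix()
        ext = p.suffix.lower()
        if ext == ".lnk":
            found["lnk"].append(rel)
            # Heuristic (mine, not the article's): a shortcut named after a sibling folder is a decoy layout.
            if (p.parent / p.stem).is_dir():
                found["lnk_mirroring_folder"].append(rel)
        elif ext == ".exe" and is_7z_sfx(p):
            found["sfx_exe"].append(rel)
    return found


def build_demo_tree(base: Path) -> None:
    """Constructed sample (no real malware): a fake USB drive and a Startup folder with one HTA."""
    drive = base / "drive"
    (drive / "Docs").mkdir(parents=True)
    (drive / "plain_tool.exe").write_bytes(b"MZ" + b"\x90" * 512)                               # ordinary PE
    (drive / "Setup.exe").write_bytes(b"MZ" + b"\x90" * 512 + SEVENZIP_MAGIC + b"\x00" * 64)  # SFX-shaped
    (drive / "Docs.lnk").write_bytes(b"L\x00\x00\x00" + b"\x00" * 72)                           # 0x4C-byte LNK header
    startup = base / "Startup"
    startup.mkdir()
    (startup / "update.hta").write_text("<hta:application/>")
    (startup / "desktop.ini").write_text("[.ShellClassInfo]")


def run_demo() -> dict:
    """Build the constructed tree in a temp directory and run both scans over it."""
    with tempfile.TemporaryDirectory() as tmp:
        base = Path(tmp)
        build_demo_tree(base)
        return {"drive": scan_drive(base / "drive"), "startup": scan_startup(base / "Startup")}


if __name__ == "__main__":
    print(run_demo())
    for d in windows_startup_dirs():
        print(d, scan_startup(d))
```

On a live Windows host, `scan_startup` over `windows_startup_dirs()` is the quick check for the Startup-folder persistence; an `.hta` there is never normal. A `sfx_exe` hit on a removable drive is only a lead, since vendors ship 7z SFX installers too: compare the file's hash and Authenticode signature with the vendor's download before calling it a PteroSetup swap.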
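The dead-drop pattern in the article is observable even though the real back end sits behind tunnels and serverless workers: before it can talk to C2, the implant fetches a small page from a legitimate service to learn where to go, and exfiltration later rides a cloud-storage host. The Python hunt below over proxy logs is an added example, not tooling from ESET or the article. The log format, the log lines and the thresholds are constructed; the domain list is limited to what the article and its IOC table give (services named only by brand are left out rather than guessed); and the PowerShell user-agent check is a weak signal, since the implant can set any string it likes.

```python
import re
from collections import defaultdict

# Services the article names as dead-drop resolvers or exfiltration channels. Domains come from its
# IOC table plus the two given inline (rentry.co, write.as); Teletype, Lesma, Tebi and Intercolo are
# named only by brand there and are deliberately omitted rather than guessed.
DEAD_DROP_HOSTS = {"telegra.ph", "rentry.co", "write.as", "dev.to", "mastodon.social",
                   "nopaste.net", "paste.ee"}
STORAGE_HOSTS = {"dropbox.com", "gofile.io", "wasabisys.com"}

# Constructed proxy log layout: ts src method host path status bytes "user-agent"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) (\d+) "([^"]*)"$')
SCRIPT_UA_RE = re.compile(r"PowerShell", re.I)  # the default Invoke-WebRequest UA carries this token


def match_host(host: str, suffixes) -> str:
    """Return the matching domain from suffixes (exact or subdomain match), or '' if none."""
    host = host.lower()
    return next((s for s in sorted(suffixes) if host == s or host.endswith("." + s)), "")


def parse_log(lines):
    for line in lines:
        m = LINE_RE.match(line.strip())
        if m:
            ts, src, method, host, path, status, size, ua = m.groups()
            yield {"ts": ts, "src": src, "method": method, "host": host, "path": path,
                   "status": int(status), "bytes": int(size), "ua": ua}


def hunt(lines, min_dead_drops: int = 2, small_fetch_bytes: int = 2048) -> list:
    """Score each source host on combinations of signals; one hit on a popular site is not enough."""
    stats = defaultdict(lambda: {"dead_drops": set(), "storage": set(), "script_ua": set(), "small_fetches": 0})
    for ev in parse_log(lines):
        dd = match_host(ev["host"], DEAD_DROP_HOSTS)
        st = match_host(ev["host"], STORAGE_HOSTS)
        if not (dd or st):
            continue
        s = stats[ev["src"]]
        if dd:
            s["dead_drops"].add(dd)
            # A resolver fetch is a tiny GET: the page body is just a pointer to the real back end.
            if ev["method"] == "GET" and ev["bytes"] < small_fetch_bytes:
                s["small_fetches"] += 1
        if st:
            s["storage"].add(st)
        if SCRIPT_UA_RE.search(ev["ua"]):
            s["script_ua"].add(ev["host"])
    alerts = []
    for src, s in sorted(stats.items()):
        reasons = []
        if len(s["dead_drops"]) >= min_dead_drops:
            reasons.append("contacts %d distinct dead-drop services" % len(s["dead_drops"]))
        if s["script_ua"]:
            reasons.append("PowerShell user agent to " + ", ".join(sorted(s["script_ua"])))
        if s["small_fetches"] and s["storage"]:
            reasons.append("small resolver fetch plus cloud-storage traffic")
        if reasons:
            alerts.append({"src": src, "reasons": reasons})
    return alerts


# Constructed log lines (not from the article): one scripted host and two people browsing normally.
SAMPLE_LOG = [
    '2025-11-03T08:12:01Z 10.0.0.5 GET telegra.ph /Service-Update-11-03 200 612 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-11-03T08:12:04Z 10.0.0.5 GET rentry.co /x9k2q/raw 200 318 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-11-03T08:13:30Z 10.0.0.5 POST store3.gofile.io /upload 200 154 "Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.1"',
    '2025-11-03T08:15:10Z 10.0.0.7 GET dev.to /some-author/a-long-post-3f2a 200 48211 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0"',
    '2025-11-03T08:16:42Z 10.0.0.9 GET www.dropbox.com /home 200 95120 "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Firefox/125.0"',
]

if __name__ == "__main__":
    for alert in hunt(SAMPLE_LOG):
        print(alert)
```

The point of scoring combinations is that every host on the list is something an employee may legitimately open in a browser; what does not happen in normal use is a tiny fetch from two paste-style services followed by an upload to a storage host, all from a non-browser client. Because the article says the dead drop only points at infrastructure hidden behind tunnels or workers, blocking the resolved C2 alone buys little; the resolver fetch is the durable observable, and the process that made it is the thing to pull with EDR.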