Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances

ESET reports that Gamaredon remained highly active throughout 2025, focusing exclusively on Ukrainian government and military targets while expanding its toolset and abusing legitimate services to conceal command and control and exfiltration infrastructure. The group also collaborated with Turla, increased spearphishing volume, and shifted stolen data to cloud storage providers such as Wasabi, Tebi, and Intercolo. #Gamaredon #Turla #Ukraine #Wasabi #Tebi #Intercolo

Keypoints

  • Gamaredon targeted only Ukrainian governmental and military institutions throughout 2025.
  • ESET identified 35 spearphishing campaigns in 2025, with the largest and most frequent activity occurring in the second half of the year.
  • The group used archive attachments, XHTML files with HTML smuggling, and sometimes malicious hyperlinks to deliver HTA downloaders and follow-on payloads.
  • Gamaredon introduced six new PowerShell tools in 2025 and revived the older VBScript weaponizer PteroSetup.
  • The group collaborated with Turla in early 2025, and earlier cooperation with InvisiMole was also noted.
  • Gamaredon increasingly hid C&C infrastructure behind tunnels, workers, DDNS, and PaaS services, while using dead-drop services for server resolution and payload delivery.
  • PteroPSDoor and PteroVDoor were upgraded to exfiltrate stolen files to cloud storage services, with Intercolo becoming the primary destination by December.

MITRE Techniques

  • [T1566.001 ] Phishing: Spearphishing Attachment – Archive attachments and XHTML files carried the HTA downloaders to targets (‘most campaigns used archive attachments or XHTML files employing HTML smuggling to deliver malicious HTA downloaders’).
  • [T1566.002 ] Phishing: Spearphishing Link – Some campaigns used malicious hyperlinks instead of attachments to reach the same HTA downloaders.
  • [T1027.006 ] Obfuscated Files or Information: HTML Smuggling – The XHTML attachments assembled the HTA payload client-side in the browser, so the mail gateway never saw the HTA as an attachment (‘employing HTML smuggling to deliver malicious HTA downloaders’).
  • [T1204.002 ] User Execution: Malicious File – The chain started with the user opening the attachment or extracting the archive; the copy placed in the Startup folder then ran without further interaction (‘allowed the downloader to execute on the next login’).
  • [T1203 ] Exploitation for Client Execution – CVE-2025-8088, a WinRAR vulnerability, was triggered during archive extraction and used to drop the HTA downloader; no privilege escalation is involved, so T1068 does not apply (‘began abusing CVE-2025-8088, a WinRAR vulnerability’).
  • [T1547.001 ] Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder – The HTA downloader written to the Startup folder re-executes at the next logon; this is Startup-folder persistence, not a scheduled task (‘place its usual malicious HTA downloader into the victim’s Startup folder’).
  • [T1218.005 ] System Binary Proxy Execution: Mshta – The HTA downloaders run through mshta.exe and are the first stage of every spearphishing chain (‘deliver malicious HTA downloaders’).
  • [T1059.001 ] Command and Scripting Interpreter: PowerShell – Six new PowerShell tools were introduced, several of which fetch and run further PowerShell payloads in memory rather than writing them to disk (‘Gamaredon operators developed and deployed six new malicious PowerShell tools’; ‘fetching and executing PowerShell payloads in memory’).
  • [T1059.005 ] Command and Scripting Interpreter: Visual Basic – VBScript was used by PteroDum, PteroSetup, and other weaponizers (‘resurrected an old VBScript weaponizer – PteroSetup’).
  • [T1105 ] Ingress Tool Transfer – Downloaders retrieved payloads and additional content from legitimate services such as Telegra.ph, GoFile, and Dropbox (‘used to retrieve a single PowerShell payload via the Telegra.ph API’).
  • [T1102.001 ] Web Service: Dead Drop Resolver – Implants resolved their real C&C by reading attacker-controlled content on public services and decrypting it locally (‘retrieve an encrypted C&C hostname from Dropbox, decrypt it locally’).
  • [T1102.003 ] Web Service: One-Way Communication – Payloads and updated C&C details were published on content-sharing services such as Telegram, Telegra.ph, teletype.in, and rentry.co for implants to fetch (‘publish updated C&C information’).
  • [T1140 ] Deobfuscate/Decode Files or Information – Encrypted C&C hostnames and payloads pulled from dead drops were decrypted on the host before use (‘retrieve an encrypted C&C hostname from Dropbox, decrypt it locally’).
  • [T1583.006 ] Acquire Infrastructure: Web Services – C&C servers were fronted by tunnels (trycloudflare.com, devtunnels.ms, loophole.site), workers (workers.dev), and PaaS platforms (Clever Cloud, Supabase), so the observed hostname belongs to a shared provider rather than to the operators (‘hide C&C servers behind various third-party services such as tunnels, workers’).
  • [T1568 ] Dynamic Resolution – DDNS hostnames were used alongside the tunnels and workers, letting the real server address change without updating the implant.
  • [T1090.003 ] Proxy: Multi-hop Proxy – Dead drops, tunnels, workers, and DDNS were chained so that each layer reveals only the next one, never the final C&C server (‘point to another intermediate layer’).
  • [T1071.001 ] Application Layer Protocol: Web Protocols – C&C and exfiltration traffic went over web requests to well-known services (Telegram, Telegra.ph, Dropbox, GoFile, S3-compatible storage), blending with legitimate traffic (‘abuse numerous services in this way’).
  • [T1567.002 ] Exfiltration Over Web Service: Exfiltration to Cloud Storage – PteroPSDoor and PteroVDoor uploaded stolen files to S3-compatible storage (Wasabi, Tebi, and, by December, mainly Intercolo) instead of attacker-owned servers (‘upload stolen files to S3-compatible cloud storage services’).
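The persistence chain above (archive extraction writes an .hta into the Startup folder, mshta.exe runs it at the next logon) leaves two host artifacts that can be correlated. The script below is an added hunting example, not code from ESET or from the report: it runs over constructed Sysmon-style event records (FileCreate, Event ID 11; ProcessCreate, Event ID 1) using Sysmon's field names, and the list of archive extractors it watches is an assumption.

```python
"""Hunt for the archive-extractor -> Startup-folder .hta -> mshta.exe chain.

Added example; not ESET's tooling. The SAMPLE_EVENTS below are constructed,
not real telemetry; the field names follow Sysmon Event ID 11 and Event ID 1.
"""
import re

# A Startup-folder .hta path (per-user or all-users), inside a path or a command line.
STARTUP_HTA_RE = re.compile(
    r"[A-Za-z]:\\[^\"]*\\Start Menu\\Programs\\Startup\\[^\\\"]+\.hta\b",
    re.IGNORECASE,
)
# Assumption: archive extractors that have no business writing into a Startup folder.
ARCHIVERS = {"winrar.exe", "7zfm.exe", "7zg.exe", "bandizip.exe"}


def _basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_startup_hta_drops(events):
    """FileCreate events where an archive extractor wrote an .hta into a Startup folder
    (the on-disk artifact of the CVE-2025-8088 abuse summarized above)."""
    return [
        ev for ev in events
        if ev.get("EventID") == 11
        and _basename(ev.get("Image", "")) in ARCHIVERS
        and STARTUP_HTA_RE.search(ev.get("TargetFilename", ""))
    ]


def find_mshta_startup_launches(events):
    """ProcessCreate events where mshta.exe runs a Startup-folder .hta (the logon-time execution)."""
    return [
        ev for ev in events
        if ev.get("EventID") == 1
        and _basename(ev.get("Image", "")) == "mshta.exe"
        and STARTUP_HTA_RE.search(ev.get("CommandLine", ""))
    ]


def correlate_chains(events):
    """Pair each Startup .hta drop with a later mshta launch of the same file on the same host."""
    drops = {
        (ev["Computer"], ev["TargetFilename"].lower()): ev
        for ev in find_startup_hta_drops(events)
    }
    chains = []
    for run in find_mshta_startup_launches(events):
        path = STARTUP_HTA_RE.search(run["CommandLine"]).group(0).lower()
        drop = drops.get((run["Computer"], path))
        if drop and drop["UtcTime"] <= run["UtcTime"]:
            chains.append({
                "host": run["Computer"],
                "file": path,
                "dropped_by": drop["Image"],
                "dropped_at": drop["UtcTime"],
                "executed_at": run["UtcTime"],
                "parent": run.get("ParentImage", ""),
            })
    return chains


# Constructed sample telemetry (not real events): one full chain on WS01,
# a benign extraction on WS01, and an unrelated mshta.exe run on WS02.
SAMPLE_EVENTS = [
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2025-09-01 08:00:00",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r'"C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\user\Downloads\order.rar"'},
    {"EventID": 11, "Computer": "WS01", "UtcTime": "2025-09-01 08:00:02",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\user\Downloads\order\order.pdf"},
    {"EventID": 11, "Computer": "WS01", "UtcTime": "2025-09-01 08:00:02",
     "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.hta"},
    {"EventID": 1, "Computer": "WS01", "UtcTime": "2025-09-02 07:30:11",
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.hta"'},
    {"EventID": 1, "Computer": "WS02", "UtcTime": "2025-09-02 09:00:00",
     "Image": r"C:\Windows\System32\mshta.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Tools\inventory.hta"'},
]

if __name__ == "__main__":
    for chain in correlate_chains(SAMPLE_EVENTS):
        print(chain)
```

The drop alone is a strong signal (an archiver should never write to a Startup folder), so `find_startup_hta_drops` is worth alerting on by itself; the correlation mainly tells you whether the logon already happened and the downloader has run.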

Indicators of Compromise

  • [Domains/URLs ] Infrastructure and dead-drop services used for C&C, staging, or exfiltration – trycloudflare.com, workers.dev, devtunnels.ms, loophole.site, and 2 more items
  • [Domains/URLs ] Dead-drop and content-sharing services abused for payload delivery or C&C updates – t.me, telegra.ph, teletype.in, rentry.co, and 6 more items
  • [Cloud storage services ] Exfiltration destinations and staging services – wasabisys.com, tebi.io, de-fra.i3storage.com, and Dropbox
  • [Platform/services ] Legitimate services used for payload retrieval or infrastructure hiding – GoFile, Clever Cloud (cleverapps.io), Supabase (supabase.co), and rclone
  • [File names/tool names ] Malicious tools and loaders referenced in the article – PteroPaste, PteroSetup, PteroPSDoor, and PteroVDoor
  • [Vulnerability ] Exploited vulnerability used for persistence – CVE-2025-8088 in WinRAR
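The domains in the list above are shared services, so a single connection to any of them is not an indicator by itself; what stands out is the combination the report describes (a dead-drop lookup, then contact with a tunnel or worker hostname, then a large upload to S3-compatible storage). The script below is an added triage example, not ESET's tooling: it groups constructed proxy log lines by source address and flags that combination. The log format (space-separated timestamp, source IP, destination host, bytes out, bytes in), the upload threshold, and the gofile.io and dropbox.com hostnames for the GoFile and Dropbox services are assumptions; the remaining suffixes come from the IoC list.

```python
"""Triage outbound proxy logs against the service categories from the IoC list.

Added example; not ESET's tooling. SAMPLE_LOG is constructed. Log format is an
assumption (adapt parse_line to your proxy); gofile.io and dropbox.com are assumed
hostnames for GoFile and Dropbox; the other suffixes are from the IoC list above.
"""
from collections import defaultdict

CATEGORIES = {
    "tunnel_or_worker": ("trycloudflare.com", "workers.dev", "devtunnels.ms", "loophole.site"),
    "dead_drop": ("t.me", "telegra.ph", "teletype.in", "rentry.co", "gofile.io", "dropbox.com"),
    "cloud_storage": ("wasabisys.com", "tebi.io", "i3storage.com"),
    "paas": ("cleverapps.io", "supabase.co"),
}
UPLOAD_THRESHOLD = 5 * 1024 * 1024  # assumption: 5 MiB out to object storage per source


def categorize(host):
    """Return the IoC category for a hostname, matching the exact domain or any subdomain."""
    host = host.lower().rstrip(".")
    for cat, suffixes in CATEGORIES.items():
        for suffix in suffixes:
            if host == suffix or host.endswith("." + suffix):
                return cat
    return None


def parse_line(line):
    ts, src, host, out_b, in_b = line.split()
    return {"ts": ts, "src": src, "host": host, "out": int(out_b), "in": int(in_b)}


def triage(lines):
    """Per source IP: categories seen, hosts, bytes uploaded to cloud storage, and a verdict."""
    per_src = defaultdict(lambda: {"cats": set(), "hosts": set(), "storage_out": 0})
    for line in lines:
        if not line.strip():
            continue
        rec = parse_line(line)
        cat = categorize(rec["host"])
        if cat is None:
            continue  # not one of the abused services; ignore
        state = per_src[rec["src"]]
        state["cats"].add(cat)
        state["hosts"].add(rec["host"].lower())
        if cat == "cloud_storage":
            state["storage_out"] += rec["out"]

    results = {}
    for src, state in per_src.items():
        reasons = []
        # The resolver-then-C&C pattern: a dead drop read followed by a tunnel/worker contact.
        if "dead_drop" in state["cats"] and "tunnel_or_worker" in state["cats"]:
            reasons.append("dead-drop lookup plus tunnel/worker contact")
        # The exfiltration pattern: bulk upload to S3-compatible storage.
        if state["storage_out"] >= UPLOAD_THRESHOLD:
            reasons.append(f"{state['storage_out']} bytes uploaded to S3-compatible storage")
        results[src] = {
            "categories": sorted(state["cats"]),
            "hosts": sorted(state["hosts"]),
            "storage_bytes_out": state["storage_out"],
            "flag": bool(reasons),
            "reasons": reasons,
        }
    return results


# Constructed sample log (not real traffic). The trycloudflare.com subdomain is made up.
SAMPLE_LOG = """\
2025-12-03T09:12:01Z 10.20.1.15 telegra.ph 412 2310
2025-12-03T09:12:04Z 10.20.1.15 example-tunnel-name.trycloudflare.com 1024 9870
2025-12-03T09:40:17Z 10.20.1.15 de-fra.i3storage.com 7340032 512
2025-12-03T10:01:00Z 10.20.1.22 t.me 300 8000
2025-12-03T10:05:00Z 10.20.1.22 www.example.org 600 20000
2025-12-03T11:00:00Z 10.20.1.31 s3.wasabisys.com 120000 400
"""

if __name__ == "__main__":
    for src, verdict in triage(SAMPLE_LOG.splitlines()).items():
        print(src, verdict)
```

Only 10.20.1.15 is flagged: it touched a dead drop, a tunnel hostname, and pushed about 7 MiB to an S3-compatible endpoint. The Telegram-only source and the small Wasabi upload are reported with their categories but not flagged, which is the behaviour you want given how much legitimate use these services have.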


Read more: https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/