Inside Gamaredon’s PteroLNK: Dead Drop Resolvers and evasive Infrastructure

This report covers the ongoing threat posed by the Russia-nexus Gamaredon group, specifically its use of the Pterodo malware family delivered through PteroLNK VBScript files. It describes the malware's techniques, its victimology, and the infrastructure Gamaredon relies on, including Dead Drop Resolvers (DDRs): content hosted on legitimate third-party services that implants fetch to learn the address of their current C2 server. The findings show active operations against Ukrainian entities, predominantly in the government and military sectors, and give insight into the group's malware deployment strategy.

Affected: Ukraine, military, government, critical infrastructure

Key points:

  • Proactive hunting for threats linked to Russia revealed Pterodo malware associated with Gamaredon.
  • Pterodo samples were uploaded between late 2024 and mid-March 2025, with daily updates to related DDRs.
  • The PteroLNK VBScript is heavily obfuscated and builds its payloads dynamically at runtime.
  • The malware comprises a downloader and an LNK dropper, used to maintain persistent access to infected systems.
  • Victimology indicates targeting of Ukrainian government and military sectors, leveraging military-themed lures.
  • Gamaredon is believed to be linked to Russia’s Federal Security Service (FSB).
  • Command and Control (C2) infrastructure includes Cloudflare quick tunnels, which give the operators disposable, rotating C2 endpoints on a reputable domain.
  • Detection signatures and indicators of compromise are available for further analysis by the security community.

MITRE Techniques:

  • T1071.001 – Application Layer Protocol: Web Protocols: Uses HTTP(S) for C2 communication.
  • T1204.002 – User Execution: Malicious File: Relies on the victim opening the LNK/VBScript lure; no software vulnerability is exploited.
  • T1027 – Obfuscated Files or Information: The VBScript is heavily obfuscated to conceal its logic and payloads.
  • T1059.005 – Command and Scripting Interpreter: Visual Basic: Executes payloads via VBScript.
  • T1112 – Modify Registry: Modifies the Windows registry to establish persistence and to control which C2 method is in use.
  • T1102.001 – Web Service: Dead Drop Resolver: Retrieves the current C2 address from content hosted on legitimate web services.

Indicators of Compromise:

  • [MD5] 98CF1A959F11AF59BD5AC2C2D746541F
  • [MD5] A38399ECB70B504573CE708C7A26C306
  • [MD5] 09958DEBBD3336D374892D92C8939D75
  • [URL] hxxps://telegra[.]ph/Vizit-12-28
  • [Domain] nandayo[.]ru
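The indicators above are defanged and the report's infrastructure findings (a DDR hosted on telegra.ph, C2 over Cloudflare quick tunnels) suggest a simple hunt. The following is an added example, not code from the HarfangLab report: it refangs the listed IOCs, matches file hashes, and scans a constructed proxy log for IOC hits and for the DDR-then-tunnel sequence. It assumes Cloudflare quick tunnels are served from `*.trycloudflare.com`, that the listed telegra.ph URL is one of Gamaredon's DDR pages, and a three-field proxy log format (timestamp, source host, URL); the log lines are constructed for the example.

```python
"""Added example (not from the report): refang the page's IOCs and run a
DDR / quick-tunnel hunt over constructed proxy log lines."""
import re
from typing import Dict, Iterable, List, Set, Tuple

# IOCs exactly as listed on the page, still defanged.
DEFANGED_IOCS = [
    "hxxps://telegra[.]ph/Vizit-12-28",   # assumed to be a DDR page
    "nandayo[.]ru",
]
MD5_IOCS = {
    "98CF1A959F11AF59BD5AC2C2D746541F",
    "A38399ECB70B504573CE708C7A26C306",
    "09958DEBBD3336D374892D92C8939D75",
}

# Assumption: Cloudflare quick tunnels live under *.trycloudflare.com.
QUICK_TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)
DDR_HOST = "telegra.ph"

# Constructed sample log (timestamp, source host, URL); not real telemetry.
SAMPLE_PROXY_LOG = """
2025-03-10T09:00:01Z ws-0142 https://telegra.ph/Vizit-12-28
2025-03-10T09:00:07Z ws-0142 https://random-words-here.trycloudflare.com/path
2025-03-10T09:01:00Z ws-0077 https://www.example.com/
2025-03-10T09:02:13Z ws-0077 https://docs.example.org/
2025-03-10T09:03:40Z ws-0209 https://nandayo.ru/update
""".strip()
LOG_RE = re.compile(r"^(\S+)\s+(\S+)\s+(\S+)$")


def refang(ioc: str) -> str:
    """Turn a defanged indicator (hxxp, [.]) back into a matchable form."""
    ioc = re.sub(r"^hxxp(s?)://", r"http\1://", ioc, flags=re.IGNORECASE)
    return ioc.replace("[.]", ".").replace("(.)", ".")


def host_of(url: str) -> str:
    """Extract the lowercase hostname from a URL; bare hostnames pass through."""
    m = re.match(r"^[a-z]+://([^/:]+)", url, flags=re.IGNORECASE)
    return (m.group(1) if m else url).lower()


def match_hashes(observed: Iterable[str]) -> Set[str]:
    """Return the known-bad MD5s present in a list of observed hashes."""
    return {h.upper() for h in observed if h.upper() in MD5_IOCS}


def hunt(log_lines: Iterable[str]) -> Dict[str, List[Tuple[str, str, str]]]:
    """Per source host, list (finding, timestamp, url) for IOC matches and
    quick-tunnel traffic; a tunnel seen after a DDR fetch is flagged separately."""
    ioc_urls = {refang(i).lower() for i in DEFANGED_IOCS if "://" in i}
    ioc_hosts = {host_of(refang(i)) for i in DEFANGED_IOCS}
    findings: Dict[str, List[Tuple[str, str, str]]] = {}
    seen_ddr: Set[str] = set()
    for line in log_lines:
        m = LOG_RE.match(line.strip())
        if not m:
            continue
        ts, src, url = m.groups()
        host = host_of(url)
        hits = findings.setdefault(src, [])
        if url.lower() in ioc_urls or host in ioc_hosts:
            hits.append(("ioc_match", ts, url))
            if host == DDR_HOST:
                seen_ddr.add(src)
        if QUICK_TUNNEL_RE.search(host):
            kind = "ddr_then_quick_tunnel" if src in seen_ddr else "quick_tunnel"
            hits.append((kind, ts, url))
    return {src: hits for src, hits in findings.items() if hits}


if __name__ == "__main__":
    for src, hits in hunt(SAMPLE_PROXY_LOG.splitlines()).items():
        for kind, ts, url in hits:
            print(f"{src}\t{kind}\t{ts}\t{url}")
```

The hunt keys on the specific URL and domain from the IOC list, but the `ddr_then_quick_tunnel` finding is the more durable signal: DDR pages and tunnel subdomains rotate daily, while the pattern of a telegra.ph fetch shortly followed by a first connection to a `trycloudflare.com` host on a workstation rarely has a benign explanation.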

Full Story: https://harfanglab.io/insidethelab/gamaredons-pterolnk-analysis/