Russian APT Gamaredon targets Ukraine with new LNK

Summary: Security researchers have analyzed the tactics of the Russian-affiliated threat group Gamaredon, in particular its use of PteroLNK, an LNK-delivered variant within the Pterodo malware family. The group primarily targets Ukrainian military, government, and infrastructure organizations, relying on obfuscated scripting malware and frequently rotated infrastructure rather than technically novel tooling to maintain persistent access. Its operations remain a significant geopolitical cybersecurity threat because of sustained spearphishing and fast, adaptive operational changes.

Affected: Ukrainian military, government, and infrastructure sectors

Key points:

  • Gamaredon employs obfuscated VBScript malware to sustain access and deploy payloads dynamically.
  • Persists through scheduled tasks and changes to Windows Explorer settings, and uses a downloader component to retrieve additional payloads from command-and-control infrastructure.
  • Relies on dead-drop resolvers (C2 addresses fetched from legitimate third-party services) and hides its infrastructure behind benign-looking domains and Cloudflare tunnels.
  • Ongoing malware activity was noted from late 2024 to March 2025, demonstrating operational agility.
  • Attribution to Gamaredon is supported by domain reuse and links to Russia’s FSB.
  • Despite low sophistication, Gamaredon poses a considerable geopolitical cybersecurity risk.
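The persistence and C2 patterns listed above (script host launched from an LNK double-click, scheduled-task persistence, Explorer settings changes, dead-drop resolvers, Cloudflare tunnels) can be hunted in endpoint telemetry. The following is an added example written for this page, not code from the article or from the researchers it cites. Field names are modelled on Sysmon process-creation (Event ID 1) and network-connection (Event ID 3) records, the sample events are constructed, and the dead-drop host list, the `trycloudflare.com` check and the double-extension pattern are generic heuristics assumed for illustration, not indicators taken from the report.

```python
"""Hunt constructed Sysmon-style telemetry for the LNK -> script host ->
scheduled task -> downloader chain. Heuristics are generic assumptions,
not Gamaredon-specific IOCs."""
import re
from dataclasses import dataclass

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SCRIPT_EXT = re.compile(r"\.(vbs|vbe|js|jse|wsf)\b", re.IGNORECASE)
# Assumed masquerade pattern: document extension followed by a script/LNK extension.
DOUBLE_EXT = re.compile(r"\.(pdf|docx?|xlsx?)\.(lnk|vbs|vbe)\b", re.IGNORECASE)
# Assumed list of legitimate services often abused as dead-drop resolvers.
DEAD_DROP_HOSTS = {"telegra.ph", "t.me", "pastebin.com", "github.com"}
# Real registry path that controls "hide extensions" / "show hidden files" in Explorer.
EXPLORER_ADVANCED = r"explorer\advanced"


@dataclass
class Event:
    event_id: int               # 1 = process create, 3 = network connection
    image: str                  # full path of the process
    command_line: str = ""
    parent_image: str = ""
    dest_host: str = ""         # only meaningful for event_id 3


def basename(path: str) -> str:
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def score_event(ev: Event) -> list:
    """Return a list of human-readable findings for one event (empty if benign)."""
    findings = []
    img, parent, cmd = basename(ev.image), basename(ev.parent_image), ev.command_line.lower()
    if ev.event_id == 1:
        if img in SCRIPT_HOSTS and SCRIPT_EXT.search(cmd):
            findings.append("script host executing script file")
            if parent == "explorer.exe":  # typical parent when a user double-clicks an LNK
                findings.append("launched from Explorer (LNK double-click chain)")
        if DOUBLE_EXT.search(cmd):
            findings.append("double-extension masquerade in command line")
        if img == "schtasks.exe" and "/create" in cmd and (
                any(h in cmd for h in SCRIPT_HOSTS) or SCRIPT_EXT.search(cmd)):
            findings.append("scheduled task persisting a script host")
        if img == "reg.exe" and EXPLORER_ADVANCED in cmd:
            findings.append("Explorer view settings modified via registry")
    elif ev.event_id == 3 and img in SCRIPT_HOSTS:
        host = ev.dest_host.lower()
        if host in DEAD_DROP_HOSTS:
            findings.append("script host contacting possible dead-drop resolver")
        if host.endswith(".trycloudflare.com"):
            findings.append("script host connecting to Cloudflare quick tunnel")
    return findings


def hunt(events) -> list:
    """Return [(index, findings)] for every event that triggered at least one rule."""
    return [(i, f) for i, ev in enumerate(events) if (f := score_event(ev))]


# Constructed sample telemetry (not real logs).
SAMPLE_EVENTS = [
    Event(1, r"C:\Windows\System32\wscript.exe",
          r'wscript.exe "C:\Users\u\Downloads\report.docx.vbs"', r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Windows\System32\schtasks.exe",
          r'schtasks.exe /create /tn "Update" /sc minute /mo 3 /tr "wscript.exe C:\ProgramData\u.vbs"',
          r"C:\Windows\System32\wscript.exe"),
    Event(1, r"C:\Windows\System32\reg.exe",
          r"reg.exe add HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced /v HideFileExt /t REG_DWORD /d 1 /f",
          r"C:\Windows\System32\wscript.exe"),
    Event(3, r"C:\Windows\System32\wscript.exe", dest_host="telegra.ph"),
    Event(3, r"C:\Windows\System32\wscript.exe", dest_host="abc-def.trycloudflare.com"),
    Event(1, r"C:\Windows\System32\notepad.exe", r"notepad.exe C:\notes.txt", r"C:\Windows\explorer.exe"),
    Event(1, r"C:\Windows\System32\cscript.exe", r"cscript.exe //nologo C:\Scripts\inventory.vbs",
          r"C:\Windows\System32\svchost.exe"),
]

if __name__ == "__main__":
    for idx, findings in hunt(SAMPLE_EVENTS):
        print(idx, basename(SAMPLE_EVENTS[idx].image), "->", "; ".join(findings))
```

The last sample event (an admin script run under svchost.exe) fires only the weakest rule, which is the point: a single "script host ran a .vbs" hit is noise on many estates, so alerting should key on the combination of Explorer parentage, masquerade extensions, schtasks persistence and outbound connections from the script host rather than on any one rule.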

Source: https://www.scworld.com/brief/russian-apt-gamaredon-targets-ukraine-with-new-lnk