Summary: The Russian hacking group Gamaredon has targeted a military mission in Ukraine using malware delivered through removable drives. The attacks, observed between February and March 2025, deployed an updated version of the GammaSteel malware and routed command and control through legitimate web services so that the traffic blends in with ordinary use. The campaign shows a continued evolution of Gamaredon's tradecraft and raises the threat the group poses to Western military networks.
Affected: Military organizations in Western countries, including a military mission based in Ukraine
Key points:
- Initial access achieved via malicious .LNK files planted on removable drives.
- Shift from VBScript to PowerShell tooling, with heavier obfuscation.
- Reconnaissance scripts capture screenshots and gather system information.
- The GammaSteel malware exfiltrates documents from multiple locations on the infected system.
- Persistence established by modifying Windows Registry keys.
- Legitimate services such as Cloudflare front the command-and-control infrastructure, so the traffic looks like ordinary web traffic and blocking by IP address alone is ineffective.
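A starting point for hunting the two host-side artifacts named above, removable-drive .LNK lures that launch a script host and Registry autorun persistence, as an added example that is not part of the original report. The list of script hosts, the command-line heuristics and the Run keys checked are assumptions drawn from the key points, not indicators published for this campaign; adjust them to your own baseline.

```powershell
# Added example, not code from the report. Hunts for (1) .LNK files on removable
# drives whose target or arguments invoke a script host and (2) Run/RunOnce
# Registry entries that launch a script host. Heuristics are assumptions.

# Assumption: these are the launchers most often abused by LNK lures.
$scriptHosts = 'powershell', 'pwsh', 'mshta', 'wscript', 'cscript', 'cmd', 'rundll32'

function Find-SuspiciousLnk {
    $shell = New-Object -ComObject WScript.Shell

    # DriveType 2 = removable media in Win32_LogicalDisk.
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        Select-Object -ExpandProperty DeviceID

    foreach ($drive in $removable) {
        # -Force includes hidden files; lures often hide the real folder and
        # drop a .LNK with a borrowed folder icon in its place.
        Get-ChildItem -Path "$drive\" -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk       = $shell.CreateShortcut($_.FullName)
                $target    = [string]$lnk.TargetPath
                $arguments = [string]$lnk.Arguments
                $exe       = [System.IO.Path]::GetFileNameWithoutExtension($target).ToLower()

                # Flag if the target is a script host, or the arguments carry
                # typical loader switches (assumed heuristics, tune as needed).
                $hostHit = $scriptHosts -contains $exe
                $argHit  = $arguments -match '(?i)-enc|-e\b|hidden|bypass|iex|downloadstring|frombase64'

                if ($hostHit -or $argHit) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Target    = $target
                        Arguments = $arguments
                        Icon      = [string]$lnk.IconLocation
                    }
                }
            }
    }
}

function Get-ScriptHostRunEntries {
    # Common autorun locations; the report says Gamaredon modifies Registry
    # keys for persistence but does not name them, so these are assumptions.
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'

    foreach ($key in $runKeys) {
        if (-not (Test-Path $key)) { continue }
        $props = Get-ItemProperty -Path $key
        foreach ($p in $props.PSObject.Properties) {
            # Skip the PSPath/PSProvider metadata the provider adds.
            if ($p.Name -like 'PS*') { continue }
            $command = [string]$p.Value
            if ($command -match '(?i)\b(powershell|pwsh|mshta|wscript|cscript)\b') {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $command }
            }
        }
    }
}

Find-SuspiciousLnk      | Format-Table -AutoSize
Get-ScriptHostRunEntries | Format-Table -AutoSize
```

Run it from an elevated prompt so the HKLM keys and every file on the removable drive are readable. Treat a hit as a lead rather than a verdict: a .LNK that points at powershell.exe with an encoded command line on a USB stick deserves a look at the target script, the hidden folder next to it and any outbound connections to content-delivery domains, which is where the Cloudflare-fronted command and control described above would appear.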