Gamaredon 2025: New Tools, Turla Alliance, Cloud Exfiltration
- Exclusive Target: Throughout 2025, Gamaredon focused solely on Ukrainian governmental and military institutions, a new report says.
- New Tools: ESET Research documented six new PowerShell tools and 35 distinct spearphishing campaigns.
- New Alliance: Gamaredon collaborated with fellow FSB-linked group Turla in early 2025.
ESET Research has published a detailed analysis of Gamaredon's 2025 cyberespionage operations. The report tracks the Russia-aligned APT group, attributed by the Security Service of Ukraine to the 18th Center of Information Security of Russia's FSB, as it maintained a high operational tempo against Ukraine.
Expanded Toolset and Spearphishing Campaigns
Gamaredon deployed six new PowerShell tools in 2025, most of which are delivery-focused downloaders. The standout, PteroPaste, combines a downloader, USB weaponizer, and persistence orchestrator.
ESET has identified 35 distinct spearphishing campaigns, with the larger, more frequent operations concentrated in the second half of the year.
From September 26, 2025, the group began abusing CVE-2025-8088, a WinRAR vulnerability, to drop malicious HTA downloaders into the victim's Startup folder for persistence.
The report also outlines new alliances among Russia-aligned actors. In early 2025, Gamaredon collaborated with Turla, another FSB-linked threat actor. The cooperation echoes Gamaredon's past work with InvisiMole.
ESET also observed UAC-0099 conducting initial access operations before transferring validated targets to Sandworm.
Hidden Infrastructure and Cloud Exfiltration
Gamaredon increasingly concealed its command-and-control (C2) servers behind legitimate services, including Cloudflare tunnels and workers, dynamic DNS, and platform-as-a-service providers. The group leaned heavily on services such as Telegram and Dropbox to resolve C2 servers or distribute payloads.
For exfiltration, the file stealers PteroVDoor and PteroPSDoor were upgraded to upload stolen data to S3-compatible cloud storage, with configurations shifting from Wasabi to Tebi and finally Intercolo, which became the primary destination by December.
A February Google report said the Iranian state-backed group APT42 used Gemini AI to research exploits for the WinRAR flaw CVE-2025-8088, among others. In early 2025, the Sandworm APT targeted Ukraine with trojanized Microsoft activators and fake updates.