Russia's Gamaredon Adapts Tactics to Target Ukraine
Data Breach Today
Eset Documents New Malware Families and Infrastructure Tactics
Tiffany Wang • June 25, 2026
The emblem of the Federal Security Service of Russia in Kazan, Russia, in a photo taken on Sept. 7, 2019. (Image: Shutterstock)
A hacking group linked to Russian domestic intelligence expanded its toolkit, intensified phishing operations and increased its use of legitimate online services to conceal infrastructure and stolen data throughout 2025, new research found.
The group tracked as Gamaredon spent the first half of the year developing six new PowerShell-based downloaders and shifted focus in the second half to launching at least 35 spear-phishing campaigns, security research firm Eset said in a report.
The threat actor also started hiding its back-end infrastructure behind Cloudflare Workers, Microsoft's dev tunnels and the reverse proxy platform Loophole, and began using "dead drops," a traditional espionage trick, to store command-and-control information in a legitimate service such as Telegram for the malware to retrieve later.
The group, which has been operational since 2013 or 2014, consists of regular officers of Russia's Federal Security Service and some former law enforcement officers of Ukraine, the Security Service of Ukraine found in 2021.
Among its six new tools, Eset said PteroPaste is the most complex, combining a downloader, a USB weaponizer and a runner component all in one for persistence and execution of other malicious components. Fellow FSB threat actor Turla also used it last year to deploy a backdoor and maintain a foothold.
Researchers found newer versions of PteroPaste obtain encrypted C2 information from cloud storage platform Dropbox, decrypt it on the infected system, and connect to infrastructure hidden behind tunneling services. An earlier version of the malware relied on Rentry, a markdown paste service that allows users to quickly create formatted text pages, to stage encrypted payloads.
The other five new tools - PteroDee, PteroCache, PteroDum, PteroOdd and PteroEffigy - are all lightweight downloaders that fetch the next payload, C2 information or additional malware.
"Rather than investing in highly sophisticated malware, the group prefers a larger number of simple tools that can be updated quickly and combined flexibly," Eset said.
The group's spear-phishing activity also evolved during the year, accelerating in tempo and growing in scale during the last six months of 2025. Beginning in late September, operators started exploiting CVE-2025-8088, a WinRAR vulnerability that can be abused through specially crafted archive files, to place malicious HTA downloaders in victims' Startup folders so that they execute automatically at the next login.
To protect its network infrastructure, the group relied on tunneling services and serverless worker platforms. These technologies conceal the location of backend servers behind trusted domains and intermediary services, making malicious traffic blend more easily with legitimate internet activity while complicating defenders' efforts to identify and disrupt the group's operations.
While Gamaredon had already used Cloudflare tunnels heavily by 2024, it started hiding C2 servers behind Cloudflare workers in May 2025 and added Microsoft's devtunnels.ms and Loophole a month later, Eset found. It also abused No-IP domains and platform-as-a-service offerings from Clever Cloud and Supabase.
The group placed infrastructure information on legitimate services, including Telegram, Dropbox, GoFile and Mastodon, from which the malware later fetched it. The technique is inspired by an old espionage concept in which one operative leaves information at a public or hidden location and another retrieves it later, so the two never have to meet directly.
"This approach gives attackers several advantages. It makes their operations more flexible because they can switch servers quickly. It also complicates blocking, because defenders may be reluctant to block legitimate and widely used services outright," Eset said.
Stolen files were sent to Amazon S3-compatible cloud storage services, with the primary exfiltration destination shifting from Wasabi to Tebi and then to Intercolo. This method spares the group from maintaining its own file-receiving infrastructure and helps malicious traffic blend into legitimate storage providers' networks, Eset said.
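As an added illustration of the infrastructure-concealment and exfiltration patterns described above (this is not Eset's code or anything from the report): a small hunting script that triages constructed proxy log lines for the tunneling, worker and dynamic-DNS services the report names, and for upload-heavy sessions to S3-compatible storage. Apart from devtunnels.ms, which the article cites, the host suffixes and the log format are assumptions.

```python
import re

# Suffix-to-service table built from the services the Eset report names.
# devtunnels.ms is cited in the article; the other suffixes are assumptions
# about the public hostnames those services hand out, not values from the report.
CONCEAL_SUFFIXES = {
    "workers.dev": "Cloudflare Workers",
    "devtunnels.ms": "Microsoft dev tunnels",
    "loophole.site": "Loophole",
    "ddns.net": "No-IP dynamic DNS",
}
EXFIL_SUFFIXES = {"wasabisys.com": "Wasabi (S3-compatible)", "tebi.io": "Tebi (S3-compatible)"}

# Constructed log shape, not a real proxy format:
# <timestamp> <client> CONNECT <host>:<port> out=<bytes sent> in=<bytes received>
LINE_RE = re.compile(r"^(?P<ts>\S+) (?P<src>\S+) CONNECT (?P<host>[^:\s]+):\d+ out=(?P<out>\d+) in=\d+$")

def _service_for(host, table):
    """Return the service name if host is, or is under, one of the table's suffixes."""
    host = host.lower().rstrip(".")
    return next((svc for sfx, svc in table.items() if host == sfx or host.endswith("." + sfx)), None)

def triage(lines, upload_threshold=1_000_000):
    """Return (ts, src, host, service, reason) tuples. Tunnel, worker and dynamic-DNS
    hosts are flagged on sight; S3-compatible storage only when one connection uploaded
    more than upload_threshold bytes, since a download-heavy session looks like normal
    use while an upload-heavy one matches the exfiltration pattern the report describes."""
    findings = []
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip lines that do not fit the expected shape
        host = m["host"]
        if svc := _service_for(host, CONCEAL_SUFFIXES):
            findings.append((m["ts"], m["src"], host, svc, "tunnel/worker/ddns host"))
        elif (svc := _service_for(host, EXFIL_SUFFIXES)) and int(m["out"]) > upload_threshold:
            findings.append((m["ts"], m["src"], host, svc, f"uploaded {m['out']} bytes"))
    return findings

# Constructed sample lines (not from any real capture); the last one is a normal download.
SAMPLE_LOG = [
    "2025-09-30T10:15:02Z 10.0.0.12 CONNECT update.example-corp.com:443 out=812 in=40960",
    "2025-09-30T10:15:09Z 10.0.0.12 CONNECT quiet-fox-1234.workers.dev:443 out=512 in=2048",
    "2025-09-30T10:16:41Z 10.0.0.12 CONNECT abc123-8080.euw.devtunnels.ms:443 out=1024 in=65536",
    "2025-09-30T10:20:00Z 10.0.0.12 CONNECT s3.wasabisys.com:443 out=3400000 in=900",
    "2025-09-30T11:02:13Z 10.0.0.40 CONNECT s3.wasabisys.com:443 out=900 in=5200000",
]
```

Running `triage(SAMPLE_LOG)` yields three findings: the two tunnel/worker hosts and the single upload-heavy Wasabi session; the benign corporate host and the download-heavy Wasabi session are left alone.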