Russian APT 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses
Dark Reading
The FSB state-sponsored operation has gotten a lot better at loading its malware and hiding its servers.
Nate Nelson,Contributing Writer
June 25, 2026
4 Min Read
SOURCE: GWENGOAT VIA ALAMY STOCK PHOTO
A Russian cyber espionage group has improved a variety of its tactics, techniques, and procedures (TTPs), making it a more effective belligerent in the Ukraine war and beyond. The upgrade has already paid off in larger and more successful cyberattacks, and enterprises need fresh strategies to counter this adversary.
Organizations often grow stale and outmoded over time, but the Gamaredon group (aka Aqua Blizzard, Armageddon, BlueAlpha) is fighting back against old age. It's been around since at least 2013 — a lifetime in hacker years — and it's still one of the Russian government's most active and evolving threat actors.
In a report this week, ESET tracks 35 separate Gamaredon spear-phishing campaigns against Ukraine carried out last year. In that time, the APT developed a half dozen new downloaders, and adopted a variety of tactics aimed at concealing its command-and-control (C2) infrastructure.
Gamaredon's Custom Malware Tooling
Conceptually, ESET split Gamaredon's 2025 into two halves. The first half of the year was its preparatory stage. It took January 2025 off, probably because its hackers are government employees: the Security Service of Ukraine identifies Gamaredon as the 18th Center for Information Security within Russia's Federal Security Service (FSB), and January carries a large concentration of Russian federal holidays.
It resumed its malicious activity in February, but for most of the first half of 2025 it focused on building tools and techniques that would pay off later in the year. It invented five new PowerShell programs in the first quarter of the year, then one more a little later in the summer. Most of its new tools are simple downloaders, but one of them, "PteroPaste," bundles a few more significant features.
Most notably, PteroPaste repeatedly checks for USB drives connected to compromised systems, and if it finds one, it attempts to smuggle a malicious downloader script onto it. Cleverly, it takes the name of a randomly selected Word document on the infected system, appends a .lnk extension, and gives the smuggled loader that filename, so that any human passerby might take it for an ordinary document.
Gamaredon has long used USBs as a vector for carrying its malware farther and wider than it otherwise might go, both geographically and particularly within compromised organizations, where some more sensitive systems might otherwise be air-gapped and shielded from the open Internet. Organizations can mitigate the risk of USB-borne malware by at least scanning USB files, sanitizing them at dedicated stations, or outright banning unvetted drives.
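The naming trick described above leaves a simple artifact on the drive: a shortcut whose name imitates a document, either by carrying a document extension before `.lnk` or by borrowing the name of a real document in the same folder. The following scanner is an added example for this article, not code from ESET or from the report; it walks a mounted drive (here a constructed temporary directory tree) and reports shortcut files that fit either pattern. The document-extension list and the sample file names are assumptions chosen for illustration.

```python
"""Scan a mounted removable drive for shortcut files disguised as documents."""
import os
import tempfile
from pathlib import Path

# Document extensions a lure might imitate. Constructed list for this example,
# not taken from the ESET report.
DOC_EXTENSIONS = {".doc", ".docx", ".rtf", ".pdf", ".xls", ".xlsx", ".ppt", ".pptx"}


def classify_lnk(name, siblings):
    """Return a reason string if a .lnk file name looks like a disguised document,
    otherwise None. `siblings` is the set of file names in the same directory."""
    path = Path(name)
    if path.suffix.lower() != ".lnk":
        return None
    inner = Path(path.stem)  # 'report.docx.lnk' -> 'report.docx'
    if inner.suffix.lower() in DOC_EXTENSIONS:
        return "document extension hidden before .lnk"
    # 'report.lnk' next to 'report.docx': a shortcut borrowing a real document's name
    for ext in sorted(DOC_EXTENSIONS):
        if inner.name + ext in siblings:
            return f"shortcut shares its name with {inner.name + ext}"
    return None


def scan_drive(root):
    """Walk `root` and return a sorted list of (relative_path, reason) findings."""
    root = Path(root)
    findings = []
    for dirpath, _dirs, files in os.walk(root):
        siblings = set(files)
        for name in files:
            reason = classify_lnk(name, siblings)
            if reason:
                rel = str(Path(dirpath, name).relative_to(root)).replace(os.sep, "/")
                findings.append((rel, reason))
    return sorted(findings)


def demo():
    """Build a constructed USB-like directory tree and scan it."""
    with tempfile.TemporaryDirectory() as tmp:
        root = Path(tmp)
        (root / "reports").mkdir()
        for rel in [
            "reports/budget_2025.docx",
            "reports/budget_2025.docx.lnk",  # double extension
            "reports/memo.docx",
            "reports/memo.lnk",              # name borrowed from memo.docx
            "Tools.lnk",                     # ordinary shortcut, not flagged
            "notes.txt",
        ]:
            (root / rel).write_text("constructed sample content")
        return scan_drive(root)


if __name__ == "__main__":
    for path, reason in demo():
        print(f"{path}: {reason}")
```

Run it against the mount point of a drive arriving at a sanitization station (`scan_drive("/mnt/usb")` or `scan_drive("E:\\")`); a non-empty result is a reason to quarantine the drive rather than let it reach an endpoint. The check is intentionally name-based so it works without parsing shortcut internals, which means a shortcut with an innocuous name still needs the usual content scanning.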
Jean-Ian Boutin, ESET's director of threat research, suggests strategies that can help protect against Gamaredon's PowerShell malware, be it the complex PteroPaste or its simpler cousins. "Depending on business needs and user roles, organizations may restrict or remove PowerShell access for non-administrative users, or disable or limit unnecessary scripting capabilities, such as Windows Management Instrumentation (WMI)," he says.
Gamaredon's New Cyber Espionage Infrastructure
Besides creating custom initial access malware, Gamaredon seems to be equally obsessed with hiding its C2 infrastructure.
The group, for instance, began using Microsoft and Cloudflare tunneling services, and Cloudflare serverless workers, to hide its malicious activity behind legitimate domains. It also uses dead drops: its malware fetches the hidden C2 addresses from legitimate websites, which complicates analysis and blocklisting. Most recently, Gamaredon has begun to combine the two tactics, hosting its tunneling domains at those dead drop sites.
Gamaredon has also updated two of its primary stealer tools to upload stolen files to legitimate cloud storage services like Amazon Simple Storage Service (S3) buckets. Its best new tool, the aforementioned PteroPaste, uploads to Dropbox.
"Defenders can no longer assume that traffic to a trusted platform is inherently safe," Louis Eichenbaum, federal CTO at ColorTokens, tells Dark Reading. "Instead, they must determine whether that communication is expected, authorized, and consistent with normal application and user behavior."
He explains that "organizations need a deep understanding of application workflows and communication patterns across their environments. With that knowledge, organizations can implement granular, identity-aware microsegmentation policies that break attack paths and contain compromises before they spread."
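The two points above, tunnel and serverless platforms used as C2 fronts and cloud storage used as exfiltration targets, both come down to the same detection question: is this process expected to talk to this host? The script below is an added example for this article, not code from ESET, ColorTokens or the report. It parses constructed proxy log lines, compares each connection against a small expected-traffic baseline (an assumption standing in for a real inventory of application workflows), and flags tunnel-platform hosts with no baseline entry and bulk uploads to storage endpoints from processes that have no business making them. The hostname suffixes are the publicly documented ones for Cloudflare quick tunnels, Microsoft Dev Tunnels, Cloudflare Workers, Dropbox and S3; the specific subdomains, users and byte counts are constructed.

```python
"""Flag proxy-log traffic to trusted platforms that does not match an expected baseline."""
import fnmatch
import re
from collections import namedtuple

Event = namedtuple("Event", "ts user process host method bytes_out")

# Hostname patterns for tunnel/serverless platforms (publicly documented suffixes).
TUNNEL_PATTERNS = ["*.trycloudflare.com", "*.devtunnels.ms", "*.workers.dev"]
# Cloud storage endpoints a stealer might upload to.
STORAGE_PATTERNS = ["*.dropboxapi.com", "*.s3.amazonaws.com"]

# Expected (process, host pattern) pairs for this environment. Constructed baseline;
# a real one comes from inventorying application workflows.
BASELINE = {
    ("backup-agent.exe", "*.s3.amazonaws.com"),
    ("Dropbox.exe", "*.dropboxapi.com"),
}
UPLOAD_THRESHOLD = 1_000_000  # bytes out per request treated as a bulk upload

# Constructed log format: one request per line, key=value fields.
LINE_RE = re.compile(
    r"^(?P<ts>\S+) user=(?P<user>\S+) proc=(?P<process>\S+) host=(?P<host>\S+) "
    r"method=(?P<method>\S+) bytes_out=(?P<bytes_out>\d+)$"
)


def parse_line(line):
    """Parse one log line into an Event, or None if it does not match the format."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    d = m.groupdict()
    d["bytes_out"] = int(d["bytes_out"])
    return Event(**d)


def matches_any(host, patterns):
    return any(fnmatch.fnmatch(host.lower(), p) for p in patterns)


def in_baseline(ev):
    """True if this process is expected to talk to this host."""
    return any(ev.process == proc and fnmatch.fnmatch(ev.host.lower(), pat)
               for proc, pat in BASELINE)


def assess(ev):
    """Return a finding string for an event, or None if it is expected or uninteresting."""
    if matches_any(ev.host, TUNNEL_PATTERNS) and not in_baseline(ev):
        return f"{ev.process} -> {ev.host}: tunnel/serverless host with no baseline entry"
    if (matches_any(ev.host, STORAGE_PATTERNS)
            and ev.bytes_out >= UPLOAD_THRESHOLD and not in_baseline(ev)):
        return f"{ev.process} -> {ev.host}: bulk upload ({ev.bytes_out} bytes) outside baseline"
    return None


def hunt(lines):
    """Return a list of (timestamp, finding) for the lines that warrant a look."""
    findings = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue  # unparseable lines are skipped, not treated as findings
        finding = assess(ev)
        if finding:
            findings.append((ev.ts, finding))
    return findings


# Constructed sample log: one expected backup, ordinary browsing, a script reaching a
# quick tunnel, a script uploading to Dropbox, the real Dropbox client, and a junk line.
SAMPLE_LOG = """\
2025-09-02T08:14:05Z user=jdoe proc=backup-agent.exe host=corp-backups.s3.amazonaws.com method=PUT bytes_out=4194304
2025-09-02T08:15:11Z user=jdoe proc=chrome.exe host=www.example.com method=GET bytes_out=512
2025-09-02T08:16:40Z user=jdoe proc=powershell.exe host=quiet-river-1234.trycloudflare.com method=GET bytes_out=301
2025-09-02T08:17:02Z user=jdoe proc=powershell.exe host=content.dropboxapi.com method=POST bytes_out=2621440
2025-09-02T08:18:30Z user=jdoe proc=Dropbox.exe host=content.dropboxapi.com method=POST bytes_out=3145728
garbage line that does not parse
""".splitlines()


if __name__ == "__main__":
    for ts, finding in hunt(SAMPLE_LOG):
        print(ts, finding)
```

The baseline is the part that does the work: the same Dropbox endpoint is benign for the Dropbox client and suspicious for a PowerShell process, which is exactly the distinction the quoted advice asks defenders to make. Feeding real proxy or EDR network events in requires only adapting `LINE_RE` to the local log format.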
With its tooling revamped and its infrastructure concealed, Gamaredon used the second half of 2025 to carry out significantly more cyberattacks than it did in the first, and larger ones as well. Notably, some of these attacks were part of an ongoing collaboration with another Russian state advanced persistent threat (APT), Turla (aka Snake, Venomous Bear, Waterbug, or Uroburos). Gamaredon used its library of loaders to provide initial access for Turla's heftier exploitation framework, Kazuar.
As throughout its history, Gamaredon's 2025 spear-phishing campaigns exclusively targeted Ukraine's government and military. The point of its attacks is always to steal sensitive data that might in one way or another advance Russia's interests in the war there.