ESET Research investigates Russian-aligned Gamaredon group – new toolset, alliances, and a reliance on legitimate services

  • Throughout 2025, the Russia-aligned Gamaredon threat group exclusively targeted governmental and military institutions in Ukraine.
  • Gamaredon operators developed and deployed six new malicious PowerShell tools, which we analyze in our white paper.
  • Its file stealers were upgraded to support exfiltration to cloud storage services (Wasabi, Tebi, and Intercolo), which became the primary exfiltration method.
  • ESET also documented abuse of multiple legitimate messaging, social media, blogging, and paste services as dead drops for resolving C&C servers and distributing payloads.

BRATISLAVA, Slovakia, June 25, 2026 (GLOBE NEWSWIRE) -- ESET Research released its latest report on Gamaredon, a Russia-aligned threat actor, and its activity during 2025. The paper analyzes new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine. The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine. Gamaredon’s activities appear to be closely aligned with Russia’s geopolitical objectives, targeting Ukrainian governmental and military institutions to gain an intelligence advantage.

“While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools. ESET observed that many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees,” said ESET researcher Zoltán Rusnák, who investigates Gamaredon. The group is attributed by the Security Service of Ukraine to the 18th Center of Information Security of Russia’s FSB and is believed to operate out of occupied Crimea.

In early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor. This cooperation underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, likely to amplify their operational impact. In the past, Gamaredon also collaborated with a threat actor that ESET discovered and named InvisiMole. More broadly, 2025 also provided another example of cooperation and task sharing among Russia-aligned actors: ESET observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently transferring validated targets to Sandworm for follow-up activity.

In the second half of the year, Gamaredon shifted toward larger and more frequent spear phishing campaigns; the most noticeable change was the tempo, with campaigns growing in both frequency and scale. Beyond spear phishing, Gamaredon also continued using custom weaponizers for lateral movement. These tools weaponize USB drives, mapped network drives, and even software installers, helping the group spread within or across organizations after the initial compromise.

Gamaredon introduced six new tools in 2025, all written in PowerShell: PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. The standout among them is PteroPaste, which is considerably more complex than the others: it combines a downloader, a USB weaponizer, and a runner component used for persistence and orchestration. The group also resurrected an old VBScript weaponizer, PteroSetup, which first appeared in 2021.

Gamaredon operators also sought new ways to protect their network infrastructure: their C&C servers are now hidden behind various third-party services such as tunnels, workers, DDNS (dynamic DNS), and PaaS (platform as a service).

One of the most important aspects of Gamaredon’s 2025 operations was its heavy use of so-called dead-drop services. The term comes from traditional espionage: instead of meeting directly, one operative leaves information in a public or hidden location and another retrieves it later. Online, the principle is similar. Rather than embedding the real malicious server directly in the malware, operators place that information on a legitimate website or platform, and the malware retrieves it from there. The malware may first contact a public page on a legitimate service, read a hidden or staged value from it, and only then connect to the actual C&C server. For defenders, this means the first network contact in the chain is a reputable domain rather than a suspicious one, and the real C&C is visible only after the staged value has been decoded. In 2025, Gamaredon abused numerous services in this way: Telegram channels, Dropbox, the DEV Community and Mastodon platforms, and others.
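To make the dead-drop mechanism concrete, here is an added example of how an implant might resolve its C&C from a public page. It is not code from the ESET paper and does not reproduce Gamaredon's actual encoding; it assumes a hypothetical scheme in which the page's og:description carries a base64 token after a `ref:` marker that decodes to `v1 host:port`. The page contents, the marker, the decoy page and the documentation-range address are all constructed for the example.

```python
import base64
import binascii
import re
from typing import Iterable, Optional

# A constructed stand-in for a public page on a legitimate service acting as a
# dead drop (a channel or profile preview, for instance). The operator puts an
# innocuous-looking description on the page; a token after the marker "ref:"
# carries the real C&C address. The marker, the "v1 host:port" layout and the
# base64 wrapping are hypothetical choices for this example, not Gamaredon's
# scheme. 203.0.113.0/24 is a documentation range.
HIDDEN_CNC = "v1 203.0.113.10:443"
TOKEN = base64.b64encode(HIDDEN_CNC.encode()).decode()

SAMPLE_PAGE = f"""<html><head>
<meta property="og:title" content="weather_updates_daily">
<meta property="og:description" content="Daily forecasts and travel tips. ref:{TOKEN} stay safe">
</head><body><p>Daily forecasts and travel tips.</p></body></html>"""

# A page that was cleaned up or never carried a token: resolution must fail
# safely here instead of connecting to garbage.
DECOY_PAGE = """<html><head>
<meta property="og:description" content="Nothing to see here. ref:notbase64!!!">
</head></html>"""

DESC_RE = re.compile(r'<meta property="og:description" content="([^"]*)"')
TOKEN_RE = re.compile(r"ref:([A-Za-z0-9+/]+=*)")


def extract_description(html: str) -> Optional[str]:
    """Return the og:description value, the only part of the page the implant reads."""
    m = DESC_RE.search(html)
    return m.group(1) if m else None


def decode_token(token: str) -> Optional[tuple[str, int]]:
    """Decode one candidate token into (host, port); None if it is not a valid drop."""
    try:
        raw = base64.b64decode(token, validate=True).decode("ascii")
    except (binascii.Error, UnicodeDecodeError):
        return None
    version, _, hostport = raw.partition(" ")
    host, _, port = hostport.rpartition(":")
    if version != "v1" or not host or not port.isdigit():
        return None
    return host, int(port)


def resolve_dead_drop(html: str) -> Optional[tuple[str, int]]:
    """Scan the description for marker tokens and return the first one that decodes."""
    desc = extract_description(html)
    if desc is None:
        return None
    for token in TOKEN_RE.findall(desc):
        decoded = decode_token(token)
        if decoded:
            return decoded
    return None


def resolve_from_pages(pages: Iterable[str]) -> Optional[tuple[str, int]]:
    """Try several dead drops in order, so that the loss of one page does not
    orphan the implant (a resilience choice made for this example)."""
    for html in pages:
        result = resolve_dead_drop(html)
        if result:
            return result
    return None


if __name__ == "__main__":
    print(resolve_from_pages([DECOY_PAGE, SAMPLE_PAGE]))
```

The structure is the point for defenders: the first request goes to a reputable domain that a proxy will allow, and only the decoded result names the real server, so the detection opportunity is the second connection, not the first. The decoy page shows why a resolver has to validate what it decodes rather than trust any string after the marker.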

The other major infrastructure shift ESET observed was on the data-exfiltration side. Gamaredon upgraded two of its flagship file stealers, PteroPSDoor and PteroVDoor, to upload stolen files to S3-compatible cloud storage services, that is, providers that support the Amazon S3 API (Wasabi, Tebi, and Intercolo). Because the API is the same, the same tools and code work across different storage vendors. At the same time, PteroBox continued to upload files to Dropbox.

Uploading stolen files to cloud storage reduces the need for Gamaredon to maintain its own infrastructure for receiving large amounts of stolen data. It also helps malicious traffic blend in with access to legitimate storage providers. Essentially, Gamaredon increasingly uses third-party services not only to hide where instructions come from, but also to hide where stolen data goes.
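As an added detection example (not from the ESET paper), the following Python runs two rules over constructed proxy log lines: it flags any S3-API-signed request to a storage endpoint the organization has not sanctioned, and then totals PUT bytes per client and endpoint. The provider hostnames, the approved-endpoint list, the bucket name, the threshold and the log format are all assumptions for the example.

```python
from collections import defaultdict
from dataclasses import dataclass

# Constructed proxy log lines, not real telemetry. Fields:
# timestamp client method host path bytes_out authorization_scheme
# The provider hostnames are assumed for illustration; take the real endpoints
# from the vendors' documentation. The bucket "q7xk2" and the 10.20.1.0/24
# clients are made up.
SAMPLE_LOG = """\
2025-05-12T09:01:10Z 10.20.1.15 GET intranet.example.local /index.html 2048 -
2025-05-12T09:02:31Z 10.20.1.15 PUT s3.wasabisys.com /q7xk2/2025-05-12/plan.docx 4194304 AWS4-HMAC-SHA256
2025-05-12T09:02:44Z 10.20.1.15 PUT s3.wasabisys.com /q7xk2/2025-05-12/budget.xlsx 6291456 AWS4-HMAC-SHA256
2025-05-12T09:03:05Z 10.20.1.15 PUT s3.tebi.io /q7xk2/2025-05-12/notes.txt 4096 AWS4-HMAC-SHA256
2025-05-12T09:10:00Z 10.20.1.33 PUT s3.amazonaws.com /corp-backups/host33.tar 104857600 AWS4-HMAC-SHA256
2025-05-12T09:11:00Z 10.20.1.40 GET s3.wasabisys.com /public-dataset/readme.txt 512 -
"""

# Storage endpoints the (hypothetical) organization has sanctioned. Anything
# else that speaks the S3 API deserves a look, whoever hosts it.
APPROVED_S3_ENDPOINTS = {"s3.amazonaws.com"}
BULK_THRESHOLD = 1 * 1024 * 1024  # bytes uploaded per client/endpoint before alerting
S3_SIGV4 = "AWS4-HMAC-SHA256"      # signature scheme every S3-compatible client uses


@dataclass
class Record:
    ts: str
    client: str
    method: str
    host: str
    path: str
    bytes_out: int
    auth: str


def parse_log(text: str) -> list[Record]:
    """Parse the whitespace-separated constructed format into records."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        ts, client, method, host, path, size, auth = line.split()
        records.append(Record(ts, client, method, host, path, int(size), auth))
    return records


def detect(records, approved=APPROVED_S3_ENDPOINTS, threshold=BULK_THRESHOLD) -> list[dict]:
    findings = []
    uploaded = defaultdict(int)
    for r in records:
        # Rule 1: key on the protocol, not the brand. S3-compatible clients sign
        # with SigV4 regardless of vendor, so this matches a stealer pointed at
        # Wasabi, Tebi, Intercolo or any provider that appears next month.
        # An unsigned GET of a public object is deliberately left alone.
        if r.auth.startswith(S3_SIGV4) and r.host not in approved:
            findings.append({"rule": "s3_api_unapproved_endpoint", "client": r.client,
                             "host": r.host, "ts": r.ts, "path": r.path})
            if r.method == "PUT":
                uploaded[(r.client, r.host)] += r.bytes_out
    # Rule 2: volume. A few KB to an unknown bucket is noise; many MB looks like a stealer.
    for (client, host), total in sorted(uploaded.items()):
        if total >= threshold:
            findings.append({"rule": "bulk_upload", "client": client,
                             "host": host, "bytes": total})
    return findings


if __name__ == "__main__":
    for finding in detect(parse_log(SAMPLE_LOG)):
        print(finding)
```

Matching on the signature scheme rather than on a list of provider domains is what keeps the rule aligned with the attacker's design choice: the stealers work across vendors precisely because the S3 API is the same everywhere, so the detection should be vendor-agnostic for the same reason. The approved-endpoint list is where the organization's own sanctioned buckets go, so that legitimate backups are not flagged.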

For more details about Gamaredon and its activity in 2025, check out the ESET Research blogpost and white paper “Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

About ESET
ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown – securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts and blogs.


Media contact:
Jessica Beffa
jessica.beffa@eset.com
720-413-4938
