Menu
Browse

Cyber Threat Actor: Gamaredon

Aliases: 3 aliases
Actor Type Location Known Incidents
 Icon
Nation State
Russia
16 incidents
Profile

Gamaredon, also referred to as the Gamaredon APT, is a Russia‑linked cyberespionage group that has been publicly identified in multiple threat‑intelligence reports. The actor focuses its operations on Ukrainian governmental entities, including diplomats, military personnel and the Ministry of Foreign Affairs, and has been observed affecting more than five thousand Ukrainian entities, including physical military hardware and field artillery systems as part of broader hybrid warfare efforts. Public attributions describe the group’s objectives as strategic infiltration aligned with known Russian state‑sponsored tactics, emphasizing intelligence gathering and the establishment of persistent access within critical Ukrainian infrastructure rather than financial gain.

The group’s typical tactics begin with spear‑phishing emails that deliver weaponized documents employing template injection to retrieve malicious templates from remote servers, thereby bypassing traditional macro‑based defenses. Once opened, the documents execute VBA macros that write a VBScript to the Windows startup folder, which executes upon reboot and contacts dynamic‑DNS domains to fetch an encrypted payload. Persistence and evasion are reinforced through forged certificates, registry manipulation, the use of Nginx forwarders to relay traffic, and dynamic‑DNS infrastructure for command‑and‑control. The malware payloads are often packaged in self‑extracting archives containing obfuscated .NET components and additional macro payloads, reflecting a modular tooling style designed to avoid detection.

Notable publicly reported operations include a November 2019 spear‑phishing campaign that specifically targeted Ukrainian diplomats, military officials and the Ministry of Foreign Affairs, as detailed in a SecurityAffairs analysis. Earlier in 2019, threat‑intelligence outlets such as ThreatPost highlighted the Gamaredon APT toolset used against Ukrainian targets, describing the use of self‑extracting archives and obfuscated .NET modules. Collectively, these campaigns illustrate the group’s sustained focus on espionage‑oriented intrusion against Ukrainian state and military assets, leveraging a combination of social engineering, script‑based infection chains and resilient infrastructure to maintain long‑term presence within victim networks.

Incidents
Attributed incidents available to members
15 incidents
Sources
Sources available to members
0 sources