Cranking out spearphishing campaigns against Ukraine with an evolved toolset

07/02/2025


ESET Research analyzes Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout 2024

Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Since Russia’s full-scale invasion of Ukraine in February 2022, cyberespionage has played a crucial role in the broader threatscape. Russia-aligned advanced persistent threat (APT) groups have relentlessly targeted Ukrainian entities, employing cyberattacks alongside disinformation campaigns. ESET Research has closely monitored these activities, regularly documenting cyber-operations carried out by various threat actors, including the highly active Gamaredon group.

Key points of this blogpost:

  • Gamaredon refocused exclusively on targeting Ukrainian governmental institutions in 2024, abandoning prior attempts against NATO countries.
  • The group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods such as malicious hyperlinks and LNK files executing PowerShell from Cloudflare-hosted domains.
  • Gamaredon introduced six new malware tools, leveraging PowerShell and VBScript, designed primarily for stealth, persistence, and lateral movement.
  • Existing tools received major upgrades, including enhanced obfuscation, improved stealth tactics, and sophisticated methods for lateral movement and data exfiltration.
  • Gamaredon operators managed to hide almost their entire C&C infrastructure behind Cloudflare tunnels.
  • Gamaredon increasingly relied on third-party services (Telegram, Telegraph, Cloudflare, Dropbox) and DNS-over-HTTPS (DoH) for protecting its C&C infrastructure.

In our previous blogpost, Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023, we described Gamaredon’s aggressive cyberespionage activities against Ukrainian governmental institutions. As part of our continued investigation, we’ve conducted a thorough technical analysis of Gamaredon’s operations throughout 2024. The detailed results and technical insights are available in our latest white paper.

Our research shows that the group remains highly active, consistently targeting Ukraine, but has notably adapted its tactics and tools.

Targeting Ukraine exclusively

Gamaredon, attributed by the Security Service of Ukraine (SSU) to the 18th Center of Information Security of Russia’s Federal Security Service (FSB), has targeted Ukrainian governmental institutions since at least 2013. While previous years saw occasional attempts against targets in other NATO countries, during 2024 Gamaredon operators returned their focus exclusively to Ukrainian institutions.

This strongly aligns with the group’s historical objective as a cyberespionage actor aligned with Russian geopolitical interests. Given the ongoing war and geopolitical tensions, we expect Gamaredon’s targeting of Ukraine to continue unchanged in the foreseeable future.

Spearphishing campaigns grow larger and more frequent

Gamaredon’s spearphishing activities significantly intensified during the second half of 2024. Campaigns typically lasted one to five consecutive days, with emails containing malicious archives (RAR, ZIP, 7z) or XHTML files employing HTML smuggling techniques. These files delivered malicious HTA or LNK files that executed embedded VBScript downloaders such as PteroSand. Figure 1 depicts the number of unique samples of those HTA and LNK files delivered per month in Gamaredon spearphishing campaigns in 2024.

Figure 1. Unique Gamaredon spearphishing samples seen per month

Surprisingly, in October 2024, we observed a rare case where spearphishing emails included malicious hyperlinks rather than attachments – a deviation from Gamaredon’s usual tactics. Furthermore, Gamaredon introduced another novel technique: using malicious LNK files to execute PowerShell commands directly from Cloudflare-generated domains, bypassing some traditional detection mechanisms.

Toolset evolution: New tools and significant improvements

Gamaredon’s toolset underwent notable updates. While fewer new tools were introduced (six compared to eight in 2022 and nine in 2023), substantial resources went into updating and improving existing tools.

New tools introduced in 2024 include:

  • PteroDespair: A short-lived PowerShell reconnaissance tool discovered in January 2024, developed to collect diagnostic data on previously deployed malware.
  • PteroTickle: A PowerShell weaponizer discovered in March 2024, targeting Python applications converted into executables on fixed and removable drives, facilitating lateral movement. It weaponizes Tcl scripts typically found in Python GUI apps using Tkinter and built with PyInstaller.
  • PteroGraphin: Discovered in August 2024, this PowerShell tool initially used an uncommon persistence method involving Microsoft Excel add-ins. It creates an encrypted communication channel for payload delivery, through the Telegraph API. Later versions simplified persistence by using scheduled tasks instead.
  • PteroStew: A new general-purpose VBScript downloader discovered in October 2024, similar to previously known downloaders (e.g., PteroSand, PteroRisk), but one that notably stores its code in alternate data streams attached to benign files on the victim’s system.
  • PteroQuark: Another VBScript downloader discovered in October 2024, introduced as a new component within the VBScript version of the PteroLNK weaponizer.
  • PteroBox: A PowerShell file stealer discovered in November 2024, closely resembling PteroPSDoor but exfiltrating stolen files to Dropbox. It leverages WMI event subscriptions to detect newly inserted USB drives and exfiltrates selected files using the Dropbox API. The stolen files are meticulously tracked to avoid redundant uploads, highlighting Gamaredon’s increasing attention to stealth and efficiency.
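Because PteroStew keeps its code in NTFS alternate data streams (ADS) attached to otherwise benign files, a useful first hunting step is simply to enumerate every non-default stream under a user profile and flag those whose content looks like script. The following PowerShell snippet is an added example written for this post, not ESET’s tooling or Gamaredon’s code; the scan root and the list of script markers are assumptions chosen for illustration.

```powershell
# Added example (not from ESET's report or Gamaredon's code): hunt for non-default
# NTFS alternate data streams under a directory tree and flag script-like content.
# Assumptions: scan root defaults to the user profile; marker list is illustrative.
param(
    [string]$Root = $env:USERPROFILE,
    [string[]]$ScriptMarkers = @('CreateObject', 'WScript.Shell', 'powershell', 'ExecuteGlobal')
)

# -Force includes hidden files; Gamaredon weaponizers hide files via the registry
$findings = Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        $file = $_
        # -Stream * lists every stream; ':$DATA' is the ordinary file content and
        # Zone.Identifier is the benign mark-of-the-web stream, so both are skipped
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            ForEach-Object {
                $stream  = $_
                $content = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream -Raw -ErrorAction SilentlyContinue
                # -match is case-insensitive; escape markers so '.' in WScript.Shell is literal
                $markers = $ScriptMarkers | Where-Object { $content -and $content -match [regex]::Escape($_) }
                [pscustomobject]@{
                    File    = $file.FullName
                    Stream  = $stream.Stream
                    Length  = $stream.Length
                    Markers = ($markers -join ',')
                }
            }
    }

# Streams that matched a script marker sort to the top
$findings | Sort-Object -Property Markers -Descending | Format-Table -AutoSize
```

Run it as a standard user against a profile directory first; a handful of legitimate streams (for example from backup or sync software) are normal, so the Markers column, not the mere presence of a stream, is what deserves follow-up.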

Major updates to existing tools in 2024

In addition to new tools, Gamaredon operators significantly upgraded existing tools in their arsenal:

  • PteroPSDoor: A major upgrade introduced advanced stealth techniques, such as monitoring file changes via the IO.FileSystemWatcher object rather than continuously scanning directories, significantly reducing its visibility to defenders. It also implemented WMI event subscriptions to detect new USB insertions, making file exfiltration more targeted and stealthier. Additionally, the latest versions store code exclusively in registry keys instead of in files, further complicating detection.
  • PteroLNK (VBScript version): This tool was enhanced in early 2024 to weaponize not only USB drives but also mapped network drives, expanding its lateral movement capabilities. Throughout the second half of 2024, it received multiple incremental updates, including improved obfuscation, more complex methods for LNK file creation, and registry-based techniques to hide files and file extensions from victims. This weaponizer has become one of Gamaredon’s most frequently updated and actively maintained tools.
  • PteroVDoor: This VBScript file stealer continued to be used in two variants (obfuscated and unobfuscated). Throughout 2024, Gamaredon operators repeatedly updated the tool, introducing new external platforms such as Codeberg repositories to dynamically distribute command and control (C&C) server information, complicating defensive measures.
  • PteroPSLoad: Gamaredon notably transitioned back to using Cloudflare tunnels instead of ngrok for its C&C infrastructure. This marked the beginning of Gamaredon hiding almost its entire C&C infrastructure behind Cloudflare-generated domains, significantly enhancing its operational security.
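Both PteroPSDoor and PteroBox rely on WMI event subscriptions to notice USB drive insertions, and a permanent subscription survives reboots in the root/subscription namespace. Hunting for it means joining the filter (the event query), the consumer (what runs) and the binding that ties them together. The script below is an added example for this post, not ESET’s or Gamaredon’s code; the list of volume-related event classes used as a watch-list is an assumption.

```powershell
# Added example (not from ESET's report or Gamaredon's code): enumerate permanent WMI
# event subscriptions and flag those that react to drive/volume changes or run scripts.
# Assumption: the watch-list of event classes below is illustrative, not exhaustive.
$ns = 'root/subscription'

$filters   = Get-CimInstance -Namespace $ns -ClassName __EventFilter -ErrorAction SilentlyContinue
$consumers = @(
    Get-CimInstance -Namespace $ns -ClassName CommandLineEventConsumer  -ErrorAction SilentlyContinue
    Get-CimInstance -Namespace $ns -ClassName ActiveScriptEventConsumer -ErrorAction SilentlyContinue
)
$bindings  = Get-CimInstance -Namespace $ns -ClassName __FilterToConsumerBinding -ErrorAction SilentlyContinue

# Event/instance classes whose creation or change events fire on USB insertion
$driveEventClasses = 'Win32_VolumeChangeEvent', 'Win32_LogicalDisk', 'Win32_DiskDrive'

foreach ($b in $bindings) {
    # With Get-CimInstance the Filter/Consumer references come back as CimInstances
    # carrying only their key property (Name), which is enough to join on
    $filterName   = $b.Filter.Name
    $consumerName = $b.Consumer.Name

    $f = $filters   | Where-Object Name -eq $filterName
    $c = $consumers | Where-Object Name -eq $consumerName

    # A query that subscribes to volume/disk events is what a USB watcher needs
    $watchesDrives = $f -and ($driveEventClasses | Where-Object { $f.Query -match $_ })
    # ActiveScriptEventConsumer executes VBScript/JScript directly from the repository
    $runsScript    = $c -and ($c.CimClass.CimClassName -eq 'ActiveScriptEventConsumer')

    [pscustomobject]@{
        Filter       = $filterName
        Query        = if ($f) { $f.Query } else { '<missing>' }
        Consumer     = $consumerName
        ConsumerType = if ($c) { $c.CimClass.CimClassName } else { '<missing>' }
        Payload      = if ($c.CommandLineTemplate) { $c.CommandLineTemplate }
                       elseif ($c.ScriptText) { $c.ScriptText } else { '' }
        Suspicious   = [bool]($watchesDrives -or $runsScript)
    }
}
```

On a clean workstation the output is usually empty or limited to a vendor entry; any binding marked Suspicious deserves a look at its Payload column, and the same three classes are worth collecting centrally (for example via a scheduled inventory) so a new binding shows up as a diff rather than requiring a manual hunt.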

Unusual payloads: Russian propaganda via malware?

A particularly intriguing finding was the discovery in July 2024 of a unique ad hoc VBScript payload, delivered by Gamaredon downloaders. This payload had no espionage functionality; rather, its sole purpose was to automatically open a Telegram propaganda channel named Guardians of Odessa, which spreads pro-Russian messaging targeting the Odessa region. While unusual for Gamaredon’s typical operations, we attribute this payload to Gamaredon with high confidence.

Network infrastructure and evasion techniques

Throughout 2024, Gamaredon showed persistent dedication to evading network-based defenses:

  • The group continued, albeit at a reduced scale, to leverage fast-flux DNS techniques, frequently rotating IP addresses behind its domains. However, the number of domains that it registered declined notably from over 500 in 2023 to about 200 in 2024.
  • Gamaredon increasingly relied on third-party services such as Telegram, Telegraph, Codeberg, and Cloudflare tunnels to obfuscate and dynamically distribute its C&C infrastructure. Cloudflare-generated subdomains became the group’s primary communication endpoints, with traditional domains relegated mostly to fallback use.
  • Multiple DoH services (Google and Cloudflare) and third-party resolver websites (such as nslookup.io, who.is, dnswatch.info, and check-host.net) were regularly leveraged to bypass domain-based blocking.
  • Gamaredon also introduced new techniques such as dropping embedded HTA and VBScript files into temporary directories and executing them separately to resolve C&C domains, further complicating automated detection efforts.

Despite observable capacity limitations and abandoning older tools, Gamaredon remains a significant threat actor due to its continuous innovation, aggressive spearphishing campaigns, and persistent efforts to evade detections. As long as Russia’s war against Ukraine continues, we anticipate Gamaredon will persistently evolve its tactics and intensify its cyberespionage operations against Ukrainian institutions.

For a detailed technical breakdown of Gamaredon’s 2024 activities, updates, and malware analyses, read our full white paper.

A comprehensive list of indicators of compromise (IoCs) can be found in our GitHub repository and the Gamaredon white paper.

For any inquiries about our research published on WeLiveSecurity, please contact us at threatintel@eset.com. 
ESET Research offers private APT intelligence reports and data feeds. For any inquiries about this service, visit the ESET Threat Intelligence page.
