>samit_hota
Back to adversary profiles
G0047HighActive

Gamaredon Group: Russia's Persistent Espionage Arm in Ukraine and Beyond

Samit Hota·
Suspected Origin
Russia
Motivation
Espionage, Data Theft, Geopolitical Influence
Aliases
IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard, NastyShrew
Target Sectors
Government, Military, Law Enforcement, Judiciary, Defense, NGOs, Media, Critical Infrastructure, NATO
Associated Malware
Pterodo, QuietSieve, PowerPunch, GammaDrop, GammaLoad, GammaSteel, PteroSand, Giddome, PteroGraphin, PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, PteroEffigy, PteroVDoor, PteroPSDoor, PteroLNK, PteroSetup, Evil Gnome, BoneSpy
#threat-actor#g0047

Overview

The Gamaredon Group, also tracked as Primitive Bear, Shuckworm, and ACTINIUM (MITRE ATT&CK ID: G0047), is a highly active and persistent cyber espionage group with clear and consistent attribution to Russia. Operating since at least 2013, the group is widely believed to be an intelligence arm of Russia’s Federal Security Service (FSB), specifically linked to its 18th Center of Information Security operating out of occupied Crimea. Their primary motivation is military and political cyber espionage, gathering intelligence to support Russia’s geopolitical objectives, particularly in relation to the ongoing conflict with Ukraine.

While Gamaredon’s historical and primary focus has been Ukrainian governmental, military, law enforcement, judiciary, non-profit, and non-governmental organizations, they have shown a growing interest and capability in targeting members and partners of NATO. Reports indicate attempts to compromise entities in NATO countries such as Bulgaria, Latvia, Lithuania, and Poland. Their campaigns are often characterized as opportunistic, fast, and sometimes noisy, but the group has consistently improved its speed, obfuscation, and overall sophistication over time. Gamaredon also engages in collaboration with other Russia-aligned threat actors, notably providing initial access for the Turla APT and having suspected ties with InvisiMole.

Tactics & Techniques

Gamaredon’s operations rely heavily on tried-and-true methods, continuously refined for effectiveness and evasion. Initial access is predominantly achieved through spear-phishing campaigns. These emails often contain malicious attachments, such as weaponized Office documents embedded with macros, or archives (RAR, ZIP, 7z) containing malicious HTA or LNK files. The group has also used HTML smuggling techniques and, on occasion, leveraged unpatched or dated vulnerabilities in public-facing applications. Beyond email, Gamaredon is known to weaponize USB drives and mapped network drives to facilitate lateral movement and further compromises.

For execution and persistence, Gamaredon frequently employs PowerShell and VBScript, often executed in hidden windows, and leverages legitimate Windows binaries like mshta.exe and rundll32 to launch malicious components. They establish persistence through registry entries, scheduled tasks, and custom backdoors. A notable technique involves injecting malicious macros into existing Word and Excel documents found on compromised systems or mapped network drives, essentially weaponizing the victim’s own files to spread further within an organization. Recent activity also indicates abuse of Microsoft Excel add-ins for persistence.

Defense evasion is a core component of Gamaredon’s TTPs. They extensively use obfuscated and encrypted scripts, employ fileless methods, and inject malware into legitimate processes like explorer.exe. To obscure their command-and-control (C2) infrastructure, they utilize fast flux DNS, raw IP C2 with unique URL patterns, and increasingly rely on legitimate third-party services. This includes hiding C2 behind Cloudflare tunnels and using services like Telegram, Dropbox, social media, blogging platforms, and paste sites as “dead drops” to retrieve C2 server information or distribute payloads, making detection and blocking more challenging.

Data collection typically involves gathering sensitive files, especially Office documents, screenshots, and information from email clients, instant messaging applications (like Signal and Telegram), and web browsers. Their file stealers are designed to collect data from both local drives and newly connected logical volumes, including USB drives. Exfiltration initially relied on hardcoded C2 servers but has evolved to frequently use legitimate cloud storage services such as Wasabi, Tebi, and Intercolo to blend in with normal network traffic. The group has also used ad hoc VBScript payloads whose sole purpose was to open pro-Russian propaganda channels on Telegram.

Notable Campaigns

Gamaredon has maintained a consistently high operational tempo since its inception. From 2013 to 2018, the group primarily focused on Ukrainian government institutions with relatively crude spear-phishing campaigns. Between 2019 and 2021, they began employing more sophisticated malware, such as Pterodo, and were responsible for over 5,000 cyberattacks and attempts to infect more than 1,500 Ukrainian government systems by late 2021.

With Russia’s full-scale invasion of Ukraine in 2022, Gamaredon escalated its espionage and phishing activities to directly support the conflict. This period saw their first documented attempts to target government entities outside Ukraine, including a Western government entity located in Ukraine. In 2023, while maintaining a strong focus on Ukraine, Gamaredon also actively targeted NATO member states, deploying campaigns with malware families like GammaLoad and GammaSteel.

Throughout 2024, the group refocused exclusively on Ukrainian governmental institutions, significantly increasing the scale and frequency of their spear-phishing campaigns and introducing new delivery methods. This year also saw the development of six new PowerShell and VBScript tools, alongside the unusual use of a propaganda payload to open a pro-Russian Telegram channel. In 2025, Gamaredon maintained this high tempo, exclusively targeting Ukrainian governmental and military institutions. They continued to refine their toolset, collaborating with Turla to provide initial access and upgrading their file stealers to exfiltrate to cloud storage services. Some campaigns in 2025 also exploited a now-patched WinRAR flaw (CVE-2025-8088).

Associated Malware & Tools

Gamaredon has a dynamic and evolving arsenal of custom-developed malware and tools, moving away from relying heavily on off-the-shelf tools, which indicates improved technical capabilities. Key components of their toolkit include:

  • Pterodo: A constantly evolving custom backdoor used for persistent access and control.
  • QuietSieve: An infostealer designed to exfiltrate sensitive information from compromised systems.
  • PowerPunch: A PowerShell-based beacon used to download and execute additional malware.
  • GammaDrop, GammaLoad, GammaSteel: A family of tools consistently used in their campaigns for various stages of intrusion.
  • Giddome: Malware deployed for long-term access to victim environments.
  • PteroGraphin: A PowerShell persistence tool observed in 2024, which abuses Microsoft Excel add-ins, scheduled tasks, and the Telegraph API for C2.
  • PteroSand: A VBScript downloader utilized in spear-phishing campaigns.
  • BoneSpy: An Android spyware, first observed in 2021, targeting Russian-speaking individuals.
  • Evil Gnome: A Linux malware implicated in their operations as early as 2019.
  • Recent PowerShell tools (2025): The group introduced six new PowerShell-based tools: PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. PteroPaste is particularly noted for its increased complexity and features, including checking for USB drive presence.
  • Upgraded File Stealers (2025): PteroVDoor and PteroPSDoor were enhanced to support exfiltration to cloud storage services.
  • Lateral Movement Tools (2025): PteroLNK and PteroSetup are used for weaponizing USB and network drives, and replacing legitimate installer files with malicious archives.

The consistent development and iteration of these tools highlight Gamaredon’s commitment to maintaining their operational effectiveness and evading detection.

Current Status

The Gamaredon Group remains unequivocally active and is one of the most prolific Russia-aligned APTs. Throughout 2025 and into the current period of 2026, the group has sustained a high operational tempo, demonstrating a continuous evolution in its tactics, techniques, and procedures (TTPs).

Their operations are solidly and consistently aimed at Ukrainian governmental and military organizations, aligning directly with Russia’s geopolitical objectives in the region. While some previous years showed a limited expansion of targeting to NATO members, recent reporting suggests a return to an exclusive focus on Ukrainian institutions for some of their campaigns, although their demonstrated capability against NATO targets remains a concern.

Gamaredon continues to refine its C2 infrastructure protection, heavily utilizing tunnel services, serverless worker platforms, dynamic DNS, and various legitimate online services as dead drops to enhance stealth and resilience against disruption. The group’s consistent development and deployment of new malware variants, coupled with an aggressive spear-phishing methodology and sophisticated evasion techniques, underscore its enduring threat. Security professionals should anticipate Gamaredon to remain a reliable and evolving asset for Russian intelligence operations, continuing its relentless cyber espionage against Ukraine and maintaining potential threats to broader European interests.

Worried this actor targets your sector?

Let's map your exposure before they find it themselves.

Book an advisory call