In 2025, #Gamaredon exclusively targeted Ukrainian governmental and military institutions. We observed 35 distinct #spearphishing campaigns, with activity significantly increasing in the second half of the year, as shown in the graph.
Gamaredon developed six new PowerShell tools in 2025: #PteroDee, #PteroDum, #PteroPaste, #PteroOdd, #PteroEffigy, and #PteroCache. It also resurrected the old #PteroSetup weaponizer. Most of the tools are simple downloaders built for fast deployment and flexible chaining.
#PteroPaste stands out; it combines a downloader, a USB weaponizer, and (for persistence) a runner. Early versions used rentry.co as a dead drop for encrypted payloads; later ones retrieved an encrypted C&C hostname from Dropbox and connected via tunnel services.
In 2025, #Gamaredon significantly expanded how it hides its network infrastructure. Besides #Cloudflare tunnels, it started using Cloudflare workers, Microsoft devtunnels, and Loophole, often combining several of these services as primary and fallback communication paths.
Gamaredon also heavily abused legitimate online services as dead drops for resolving C&C servers and distributing payloads, including t.me, telegra.ph, teletype.in, rentry.co, write.as, gofile.io, dev.to, mastodon.social, lesma.eu, nopaste.net, and pastee.dev. It also returned to No-IP #DDNS and abused PaaS services such as Clever Cloud and Supabase.
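The dead-drop and tunnel pattern described in this thread (fetch a payload or encrypted C&C hostname from a legitimate paste or blog service, then connect out through a tunnel provider) is something a SOC can hunt for in proxy logs. The script below is an added defender-side example, not ESET's code and not taken from the white paper: it scans constructed proxy log lines for the dead-drop services named above and for tunnel-provider domains, and flags hosts where a tunnel connection follows a dead-drop fetch within a short window. The log format, hostnames, source names and the 10-minute window are all constructed assumptions; the tunnel domains are assumed watchlist entries (the thread names the providers, not their domains) and should be confirmed against each provider's documentation before use.

```python
"""Triage constructed proxy logs for the dead-drop -> tunnel chaining pattern.

Added example for this thread; not ESET's code or the white paper's content.
All log lines, hostnames and thresholds below are constructed for illustration.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta
from urllib.parse import urlsplit

# Dead-drop services named in the thread, plus dropbox.com (named as the
# source of an encrypted C&C hostname). Match the domain or any subdomain.
DEAD_DROP_DOMAINS = {
    "t.me", "telegra.ph", "teletype.in", "rentry.co", "write.as", "gofile.io",
    "dev.to", "mastodon.social", "lesma.eu", "nopaste.net", "pastee.dev",
    "dropbox.com",
}

# ASSUMED tunnel-provider base domains: the thread names the providers only.
# Verify against current provider documentation before deploying.
TUNNEL_DOMAINS = {
    "trycloudflare.com",  # Cloudflare tunnels (assumed)
    "workers.dev",        # Cloudflare Workers (assumed)
    "devtunnels.ms",      # Microsoft dev tunnels (assumed)
    "loophole.site",      # Loophole (assumed)
}

# Constructed log format: "<UTC ISO timestamp> <source host> <method> <url>"
LOG_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")

# Constructed sample proxy log (not real traffic, not IoCs).
SAMPLE_LOG = """\
2025-09-03T08:12:01Z ws-017 GET https://rentry.co/abcd1234/raw
2025-09-03T08:12:07Z ws-017 GET https://example-placeholder.trycloudflare.com/get
2025-09-03T08:15:30Z ws-022 GET https://www.microsoft.com/
2025-09-03T09:40:12Z ws-022 GET https://dev.to/someuser/post
2025-09-03T10:55:00Z ws-022 GET https://placeholder.devtunnels.ms/
2025-09-03T11:02:44Z ws-031 GET https://telegra.ph/Note-09-03
this line is malformed and is skipped
""".splitlines()


def classify_host(hostname):
    """Return 'dead_drop', 'tunnel' or None for a hostname (case-insensitive,
    matching the watchlist domain itself or any subdomain of it)."""
    hostname = hostname.lower().rstrip(".")
    for label, domains in (("dead_drop", DEAD_DROP_DOMAINS), ("tunnel", TUNNEL_DOMAINS)):
        for domain in domains:
            if hostname == domain or hostname.endswith("." + domain):
                return label
    return None


def parse_line(line):
    """Parse one constructed log line into a record, or None if malformed."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    ts, src, method, url = m.groups()
    try:
        when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ")
    except ValueError:
        return None
    host = urlsplit(url).hostname  # strips scheme, port and path
    if not host:
        return None
    return {"when": when, "src": src, "method": method, "host": host}


def scan(lines, window=timedelta(minutes=10)):
    """Return (hits, chained, skipped).

    hits:    watchlist records in log order
    chained: {source: [(dead_drop_host, tunnel_host), ...]} where a tunnel
             contact follows a dead-drop fetch from the same source within window
    skipped: number of unparseable lines
    """
    hits, skipped = [], 0
    by_src = defaultdict(list)
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            skipped += 1
            continue
        label = classify_host(rec["host"])
        if label:
            rec["label"] = label
            hits.append(rec)
            by_src[rec["src"]].append(rec)

    chained = {}
    for src, recs in by_src.items():
        recs.sort(key=lambda r: r["when"])
        pairs = []
        for i, first in enumerate(recs):
            if first["label"] != "dead_drop":
                continue
            for later in recs[i + 1:]:
                if later["label"] == "tunnel" and later["when"] - first["when"] <= window:
                    pairs.append((first["host"], later["host"]))
        if pairs:
            chained[src] = pairs
    return hits, chained, skipped


if __name__ == "__main__":
    hits, chained, skipped = scan(SAMPLE_LOG)
    for rec in hits:
        print(f"{rec['when'].isoformat()} {rec['src']} {rec['label']:9} {rec['host']}")
    print("chained:", chained, "| skipped lines:", skipped)
```

In the constructed sample, ws-017 fetches from rentry.co and reaches a tunnel hostname six seconds later, so it is reported as chained; ws-022 touches both a dead-drop site and a tunnel domain but more than an hour apart, so it appears only as individual hits; ws-031 is a single dead-drop hit. Services like dropbox.com and dev.to are common in normal traffic, so the single-hit list is a hunting lead rather than an alert, while the chained pairing is the signal worth escalating.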
Our full technical analysis of #Gamaredon’s 2025 tools, infrastructure, and TTPs is available in the white paper: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2025.pdf
IoCs are included in the white paper and also in our GitHub repo: https://github.com/eset/malware-ioc/tree/master/gamaredon