Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

This analysis examines Gamaredon's (UAC-0010, Armageddon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer operating almost entirely from memory using Windows DPAPI encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation, with servers rotated approximately every 24 hours.

Pulse ID: 6a21844636a81843ce1af3cc
Pulse Link: https://otx.alienvault.com/pulse/6a21844636a81843ce1af3cc
Pulse Author: AlienVault
Created: 2026-06-04 13:57:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Encryption #Espionage #Gamaredon #Government #InfoSec #InfoStealer #Malware #Military #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #SMS #Telegram #Troll #UK #USB #Ukr #Ukrainian #VBS #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

Sophos discovers an AI laboratory for testing EDR evasion: this is how ransomware evolves

Sophos has discovered an automated malware laboratory used by an active ransomware group: AI agents including Claude Opus 4.5 and Cursor were testing EDR evasion techniques against Sophos, CrowdStrike and Windows Defender, with 80 modules and 70+ techniques. An unprecedented case of AI applied to offensive development.

https://insicurezzadigitale.com/sophos-scopre-il-laboratorio-ai-per-testare-levasione-degli-edr-cosi-il-ransomware-si-evolve/

Malvertising Campaign Spreads FlutterShell Backdoor to macOS Users

macOS users beware: a sneaky malware called FlutterShell is spreading through malicious ads and infected desktop apps, allowing hackers to take control of your device and steal sensitive data. This stealthy backdoor can execute commands, access files, and even siphon off browser session info - all while masquerading as legitimate software.

https://osintsights.com/malvertising-campaign-spreads-fluttershell-backdoor-to-macos-users?utm_source=mastodon&utm_medium=social

#Macos #Fluttershell #Backdoor #Malware #Malvertising


Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

Pulse ID: 6a2105954034647e83ac7c6c
Pulse Link: https://otx.alienvault.com/pulse/6a2105954034647e83ac7c6c
Pulse Author: Tr1sa111
Created: 2026-06-04 04:56:53

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #Mac #MacOS #Malvertising #OTX #OpenThreatExchange #RAT #bot #Tr1sa111


Gamaredon exploits CVE-2025-8088 in WinRAR to distribute GammaWorm and GammaSteel against Ukraine

Sekoia documents a January 2026 campaign by the Russian APT group Gamaredon: exploiting CVE-2025-8088 in WinRAR, the FSB operators distribute GammaPhish, GammaLoad, GammaWorm and GammaSteel against Ukrainian government and military targets. The chain uses Telegram as a dead drop resolver for C2 and NTFS Alternate Data Streams for evasion, with final exfiltration to AWS S3.

https://insicurezzadigitale.com/gamaredon-sfrutta-cve-2025-8088-in-winrar-per-distribuire-gammaworm-e-gammasteel-contro-lucraina/

Laravel Lang Compromised with RCE Backdoor Across 700+ Versions

Pulse ID: 6a1ff457aeb1fa8d1d2cbaae
Pulse Link: https://otx.alienvault.com/pulse/6a1ff457aeb1fa8d1d2cbaae
Pulse Author: Tr1sa111
Created: 2026-06-03 09:31:03

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #CyberSecurity #InfoSec #OTX #OpenThreatExchange #RCE #bot #Tr1sa111


Operation FlutterBridge: macOS Malvertising Campaign Spreads New FlutterShell Backdoor

A financially-motivated cybercrime cluster designated CL-CRI-1089 has launched Operation FlutterBridge, deploying FlutterShell backdoor malware targeting macOS systems through malvertising. Built with the Flutter framework, FlutterShell masquerades as legitimate applications including podcast players and PDF viewers, delivering adware with full backdoor capabilities such as shell command execution and file system manipulation. The malware uses a WebView-based architecture with JavaScript-to-native bridge, allowing attackers to dynamically modify behavior without recompiling. Distribution occurs through hundreds of Google-verified advertisements controlled by shell companies including AdsParkPro LTD and Advantage Web Marketing LLC. The campaign primarily targets Anglophone and Western European markets. All samples were signed with valid Apple Developer IDs and successfully passed notarization, achieving zero detections on VirusTotal initially. The malware hijacks Google Chrome browsers, redirecting traffic ...

Pulse ID: 6a1ee9cdd897e06c7cac14d9
Pulse Link: https://otx.alienvault.com/pulse/6a1ee9cdd897e06c7cac14d9
Pulse Author: AlienVault
Created: 2026-06-02 14:33:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Browser #Chrome #CyberCrime #CyberSecurity #Europe #Google #InfoSec #Java #JavaScript #Mac #MacOS #Malvertising #Malware #OTX #OpenThreatExchange #PDF #RAT #Rust #Troll #VirusTotal #WesternEurope #bot #AlienVault


Miasma hits Red Hat: 33 poisoned npm packages steal cloud credentials and CI/CD secrets

Thirty-three npm packages in the @redhat-cloud-services namespace were compromised by the Miasma campaign, an evolved variant of the Shai-Hulud worm. The malware uses preinstall hooks, AES-GCM encryption and traffic disguised as api.anthropic.com to steal SSH keys, cloud tokens and GitHub Actions secrets from 309 repositories already hit.

https://insicurezzadigitale.com/miasma-colpisce-red-hat-33-pacchetti-npm-avvelenati-per-rubare-credenziali-cloud-e-segreti-ci-cd/

These supply chain attacks are getting out of hand.

Dozens of Red Hat packages backdoored through its official NPM channel

https://arstechnica.com/security/2026/06/dozens-of-red-hat-packages-backdoored-through-its-offical-npm-channel/

#RedHat #BackDoor #NPM #SupplyChain #Exploits #Tech

FSB’s matryoshka #1/3 – Gamaredon’s gift that keeps unpacking – GammaPhish and GammaWorm

Gamaredon, a cyberespionage group operated by Russia's FSB, conducts long-term intrusion operations targeting Ukrainian government, military, and critical infrastructure. This analysis documents their 2026 infection chain, which uses HTML smuggling with weaponized xHTML files delivering RAR archives that exploit CVE-2025-8088 to extract HTA files into Windows Startup directories. The chain deploys GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation via USB and network drives, and GammaSteal for exfiltration. The architecture is nearly fileless, leveraging NTFS Alternate Data Streams to conceal modules and using Dead Drop Resolvers on legitimate platforms like Telegram and Cloudflare for C2 infrastructure. Every stage functions as an independent backdoor capable of executing arbitrary VBScript, representing a shift from their historical Pteranodon framework to a modular ecosystem designed for persistent espionage.

Pulse ID: 6a1dde0927ce7587f79534ee
Pulse Link: https://otx.alienvault.com/pulse/6a1dde0927ce7587f79534ee
Pulse Author: AlienVault
Created: 2026-06-01 19:31:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Cyberespionage #Espionage #Gamaredon #Government #HTML #InfoSec #Military #OTX #OpenThreatExchange #RAT #Russia #Telegram #UK #USB #Ukr #Ukrainian #VBS #Windows #Worm #bot #AlienVault
