Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

This analysis examines Gamaredon's (UAC-0010, Armageddon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer operating almost entirely from memory using Windows DPAPI encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation, with servers rotated approximately every 24 hours.

Pulse ID: 6a21844636a81843ce1af3cc
Pulse Link: https://otx.alienvault.com/pulse/6a21844636a81843ce1af3cc
Pulse Author: AlienVault
Created: 2026-06-04 13:57:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Encryption #Espionage #Gamaredon #Government #InfoSec #InfoStealer #Malware #Military #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #SMS #Telegram #Troll #UK #USB #Ukr #Ukrainian #VBS #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets

Gamaredon exploits a WinRAR flaw to drop modular, nearly fileless malware on Ukrainian targets, hiding payloads in Windows streams.

Security Affairs

FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps unpacking – GammaLoad

Gamaredon, an FSB-operated cyberespionage group, continues targeting Ukrainian government, military, and critical infrastructure through sophisticated multi-stage infection chains. This analysis examines GammaLoad, a collection of VBScript loaders that establish continuous access through three distinct stages. The malware leverages Dead Drop Resolvers on legitimate platforms including Telegram, Telegraph, and Check-Host to maintain persistent C2 communications while storing configurations in Windows registry keys. Each stage employs different techniques: the first fingerprints hosts and uses failover mechanisms, the second writes payloads to Alternate Data Streams and establishes persistence via scheduled tasks, and the third executes obfuscated PowerShell to deliver the final GammaSteel payload. This matryoshka architecture enables operators to deploy arbitrary payloads while remaining largely invisible by abusing trusted Windows features and cloud platforms.

Pulse ID: 6a2029a0dfb4183bb573e8b2
Pulse Link: https://otx.alienvault.com/pulse/6a2029a0dfb4183bb573e8b2
Pulse Author: AlienVault
Created: 2026-06-03 13:18:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Cyberespionage #Espionage #Gamaredon #Government #InfoSec #Malware #Military #OTX #OpenThreatExchange #PowerShell #RAT #Rust #SMS #Telegram #UK #Ukr #Ukrainian #VBS #Windows #bot #AlienVault


Gamaredon exploits CVE-2025-8088 in WinRAR to distribute GammaWorm and GammaSteel against Ukraine

Sekoia documents a January 2026 campaign by the Russian APT group Gamaredon: exploiting CVE-2025-8088 in WinRAR, the FSB operators distribute GammaPhish, GammaLoad, GammaWorm and GammaSteel against Ukrainian government and military targets. The chain uses Telegram as a dead drop resolver for C2 and NTFS Alternate Data Streams for evasion, with final exfiltration to AWS S3.

https://insicurezzadigitale.com/gamaredon-sfrutta-cve-2025-8088-in-winrar-per-distribuire-gammaworm-e-gammasteel-contro-lucraina/

FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

Pulse ID: 6a1ff4d9c6d389c233aad8b8
Pulse Link: https://otx.alienvault.com/pulse/6a1ff4d9c6d389c233aad8b8
Pulse Author: Tr1sa111
Created: 2026-06-03 09:33:13

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Gamaredon #InfoSec #OTX #OpenThreatExchange #Worm #bot #Tr1sa111


FSB’s matryoshka #1/3: Inside Gamaredon Cyber Operations

Pulse ID: 6a1fdbcfb454b8bc5e637698
Pulse Link: https://otx.alienvault.com/pulse/6a1fdbcfb454b8bc5e637698
Pulse Author: Tr1sa111
Created: 2026-06-03 07:46:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Gamaredon #InfoSec #OTX #OpenThreatExchange #RAT #bot #Tr1sa111


Gamaredon Exploits WinRAR Flaw to Deliver GammaWorm, GammaSteel Malware

Cyber attackers have cleverly exploited a WinRAR flaw to unleash a potent malware duo, GammaWorm and GammaSteel, with the goal of taking control of infected systems and executing malicious scripts. This sneaky tactic, spotted by French cybersecurity firm Sekoia, allows hackers to fingerprint host systems, manipulate network settings, and…

https://osintsights.com/gamaredon-exploits-winrar-flaw-to-deliver-gammaworm-gammasteel-malware?utm_source=mastodon&utm_medium=social

#Gamaredon #Winrar #Cve20258088 #Gammaworm #Gammasteel

Gamaredon Exploits WinRAR Flaw to Deliver GammaWorm, GammaSteel Malware

Learn how Gamaredon exploits WinRAR flaw CVE-2025-8088 to deliver GammaWorm malware and protect your system now with expert security tips and advice.

OSINTSights
FSB’s matryoshka #1/3 - Gamaredon’s gifts that keeps unpacking - GammaPhish and GammaWorm

Part 1 of our FSB Matryoshka series. Discover the context behind Gamaredon's cyberespionage campaigns, introducing GammaPhish and GammaWorm operations.

Sekoia.io Blog

FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

Gamaredon, a cyberespionage group operated by Russia's FSB, conducts long-term intrusion operations targeting Ukrainian government, military, and critical infrastructure. This analysis documents their 2026 infection chain, which uses HTML smuggling with weaponized xHTML files delivering RAR archives that exploit CVE-2025-8088 to extract HTA files into Windows Startup directories. The chain deploys GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation via USB and network drives, and GammaSteel for exfiltration. The architecture is nearly fileless, leveraging NTFS Alternate Data Streams to conceal modules and using Dead Drop Resolvers on legitimate platforms like Telegram and Cloudflare for C2 infrastructure. Every stage functions as an independent backdoor capable of executing arbitrary VBScript, representing a shift from their historical Pteranodon framework to a modular ecosystem designed for persistent espionage.

Pulse ID: 6a1dde0927ce7587f79534ee
Pulse Link: https://otx.alienvault.com/pulse/6a1dde0927ce7587f79534ee
Pulse Author: AlienVault
Created: 2026-06-01 19:31:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Cyberespionage #Espionage #Gamaredon #Government #HTML #InfoSec #Military #OTX #OpenThreatExchange #RAT #Russia #Telegram #UK #USB #Ukr #Ukrainian #VBS #Windows #Worm #bot #AlienVault


FSB’s matryoshka #1/3: Inside Gamaredon Cyber Operations

Pulse ID: 6a1e65e0dbbeb5ee8804848e
Pulse Link: https://otx.alienvault.com/pulse/6a1e65e0dbbeb5ee8804848e
Pulse Author: Tr1sa111
Created: 2026-06-02 05:10:56

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #Gamaredon #InfoSec #OTX #OpenThreatExchange #RAT #bot #Tr1sa111
