So because the dimwits at #VBS can't get their shit under control, we are now financing criminal structures with tax money.
And when it says:
"advised by US legal experts": how do we know that the attack itself did not come from the Americans?
https://www.srf.ch/news/schweiz/nach-erpressung-in-den-usa-bundeskonzern-ruag-zahlt-loesegeld-an-hackergruppe
#ransomware #ruag #ruaginternational #hobby #imbecil #idiots #taxmoney #rightwing
Despite warning: federal company Ruag pays ransom to hacker group

The federal government strongly advises against paying ransom to hackers. The armaments group Ruag did it anyway.

Schweizer Radio und Fernsehen (SRF)
Ah, yet another pigsty that has to do with the #VBS. #GSOA
https://social.pmj.rocks/@srfnewsrss/116701402524183882

Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

This analysis examines Gamaredon's (UAC-0010, Armagedon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The FSB-operated group deploys GammaSteel, a sophisticated stealer operating almost entirely from memory using Windows DPAPI encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses VBScript for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation with servers rotated approximately every 24 hours.

Pulse ID: 6a21844636a81843ce1af3cc
Pulse Link: https://otx.alienvault.com/pulse/6a21844636a81843ce1af3cc
Pulse Author: AlienVault
Created: 2026-06-04 13:57:26

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Encryption #Espionage #Gamaredon #Government #InfoSec #InfoStealer #Malware #Military #OTX #OpenThreatExchange #RAT #RemoteCodeExecution #SMS #Telegram #Troll #UK #USB #Ukr #Ukrainian #VBS #Windows #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange

The Demon Arrives Later: A Havoc Stager Hides Behind Microsoft Defender DLP

Cybercriminals in Brazil are exploiting the country's electronic invoice system (Nota Fiscal eletrônica) to deliver Havoc framework implants. The campaign surfaced during May 2026, coinciding with tax season when accountants routinely process invoice-related emails. Attackers distribute malicious ZIP files disguised as legitimate invoices, containing VBScript droppers that download MSI installers from Google Cloud Storage. These installers deploy a fake Microsoft Defender DLP module (endpointdlp.dll) alongside a legitimate signed executable. The stager DLL downloads Havoc demon shellcode from command-and-control infrastructure at runtime, never writing the final payload to disk. Analysis reveals nine stager variants originating from a single builder, distributed through multiple channels including Brazilian NF-e-themed lures and Malaysia-registered domains. The implant establishes persistence through the rarely-monitored UserInitMprLogonScript registry key and employs advanced anti-forensic techniques incl...

Pulse ID: 6a20a73fc005e1fc15255876
Pulse Link: https://otx.alienvault.com/pulse/6a20a73fc005e1fc15255876
Pulse Author: AlienVault
Created: 2026-06-03 22:14:23

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Brazil #Cloud #CyberSecurity #Email #Endpoint #Google #InfoSec #Microsoft #MicrosoftDefender #OTX #OpenThreatExchange #ShellCode #VBS #ZIP #bot #AlienVault


FSB’s matryoshka #2/3 – Gamaredon’s gifts that keep unpacking – GammaLoad

Gamaredon, an FSB-operated cyberespionage group, continues targeting Ukrainian government, military, and critical infrastructure through sophisticated multi-stage infection chains. This analysis examines GammaLoad, a collection of VBScript loaders that establish continuous access through three distinct stages. The malware leverages Dead Drop Resolvers on legitimate platforms including Telegram, Telegraph, and Check-Host to maintain persistent C2 communications while storing configurations in Windows registry keys. Each stage employs different techniques: the first fingerprints hosts and uses failover mechanisms, the second writes payloads to Alternate Data Streams and establishes persistence via scheduled tasks, and the third executes obfuscated PowerShell to deliver the final GammaSteel payload. This matryoshka architecture enables operators to deploy arbitrary payloads while remaining largely invisible by abusing trusted Windows features and cloud platforms.

Pulse ID: 6a2029a0dfb4183bb573e8b2
Pulse Link: https://otx.alienvault.com/pulse/6a2029a0dfb4183bb573e8b2
Pulse Author: AlienVault
Created: 2026-06-03 13:18:24

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#Cloud #CyberSecurity #Cyberespionage #Espionage #Gamaredon #Government #InfoSec #Malware #Military #OTX #OpenThreatExchange #PowerShell #RAT #Rust #SMS #Telegram #UK #Ukr #Ukrainian #VBS #Windows #bot #AlienVault


FSB’s matryoshka #1/3 – Gamaredon’s gifts that keep unpacking – GammaPhish and GammaWorm

Gamaredon, a cyberespionage group operated by Russia's FSB, conducts long-term intrusion operations targeting Ukrainian government, military, and critical infrastructure. This analysis documents their 2026 infection chain, which uses HTML smuggling with weaponized xHTML files delivering RAR archives that exploit CVE-2025-8088 to extract HTA files into Windows Startup directories. The chain deploys GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation via USB and network drives, and GammaSteal for exfiltration. The architecture is nearly fileless, leveraging NTFS Alternate Data Streams to conceal modules and using Dead Drop Resolvers on legitimate platforms like Telegram and Cloudflare for C2 infrastructure. Every stage functions as an independent backdoor capable of executing arbitrary VBScript, representing a shift from their historical Pteranodon framework to a modular ecosystem designed for persistent espionage.

Pulse ID: 6a1dde0927ce7587f79534ee
Pulse Link: https://otx.alienvault.com/pulse/6a1dde0927ce7587f79534ee
Pulse Author: AlienVault
Created: 2026-06-01 19:31:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Cyberespionage #Espionage #Gamaredon #Government #HTML #InfoSec #Military #OTX #OpenThreatExchange #RAT #Russia #Telegram #UK #USB #Ukr #Ukrainian #VBS #Windows #Worm #bot #AlienVault

Aviation weather for Brescia airport in Montichiari area (Italy) is “METAR LIPO 010920Z AUTO 11004KT 050V170 9999 FEW130/// 24/17 Q1014” : See what it means on https://www.bigorre.org/aero/meteo/lipo/en #bresciaairport #airport #montichiari #italy #lipo #vbs #metar #aviation #aviationweather #avgeek vl
Brescia airport in Montichiari (Italy) aviation weather and information LIPO VBS

Aviation weather with TAF and METAR, Maps, hotels and aeronautical information for Brescia airport in Montichiari (Italy)

Bigorre.org

Reloaded in a modern Remcos RAT Infection

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.

Pulse ID: 6a1a2dd905d9f8c4474cb45e
Pulse Link: https://otx.alienvault.com/pulse/6a1a2dd905d9f8c4474cb45e
Pulse Author: AlienVault
Created: 2026-05-30 00:22:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #Autoit #Cloud #CredentialHarvesting #CyberSecurity #Email #InfoSec #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #Remcos #RemcosRAT #ShellCode #VBS #Windows #Word #ZIP #bot #AlienVault


Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure

A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.

Pulse ID: 6a0db1f45208b8cf1b2b1571
Pulse Link: https://otx.alienvault.com/pulse/6a0db1f45208b8cf1b2b1571
Pulse Author: AlienVault
Created: 2026-05-20 13:07:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault


Analyzing TAX#TRIDENT: Fake Indian Tax Lures Pivot Across ZIP, VBS, Stego and PHP-Wrapped VBS Delivery

Pulse ID: 6a0f1990ade1c88361439eb5
Pulse Link: https://otx.alienvault.com/pulse/6a0f1990ade1c88361439eb5
Pulse Author: CyberHunter_NL
Created: 2026-05-21 14:41:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #India #InfoSec #OTX #OpenThreatExchange #PHP #VBS #ZIP #bot #CyberHunter_NL
