In early 2025, cybersecurity researchers uncovered a new wave of cyber espionage attacks orchestrated by Gamaredon, a Russian state-linked hacking group also known as Shuckworm. These attacks targeted a Western military mission in Ukraine, highlighting the group’s ongoing cyber activities in the region. The operation, active between February and March 2025, demonstrated not only persistence but also evolution in their tactics, raising serious concerns within the cybersecurity community.
Initial Access: Malicious Use of Removable Drives
One of the most notable aspects of this campaign was the attack vector used by Gamaredon—removable drives. The group leveraged malicious .LNK shortcut files stored on USB drives to initiate infections. Once inserted into a target system, these LNK files executed a series of hidden commands, granting attackers initial access.
This approach isn’t new for Gamaredon; they have a documented history of exploiting removable drives for propagation. However, what makes this campaign noteworthy is the improved stealth and complexity in how these files delivered the payload, avoiding detection by conventional antivirus solutions.
Deployment of GammaSteel: A Potent Info-Stealing Malware
Upon successful infiltration, Gamaredon deployed a refined version of their custom info-stealing malware, GammaSteel. This malware is designed to exfiltrate sensitive data, including files, screenshots, running processes, and information about installed security tools.
What sets this version apart is its updated delivery mechanism, which includes the use of heavily obfuscated scripts and PowerShell-based payloads. This shift marks a departure from their older reliance on VBS (Visual Basic Script), a change that suggests a deliberate move to evade modern detection mechanisms and enhance compatibility with newer Windows environments.
Traces in the Windows Registry: Evidence of External Infection
During forensic analysis, researchers discovered a new entry under the UserAssist key in the Windows Registry—a clear indication that the infection stemmed from an external drive. This digital footprint provided crucial evidence linking the attack to removable media and allowed investigators to reconstruct the attack timeline.
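As an added illustration of the forensic point above (this is not code from the original article), the following Python triage decodes UserAssist value names and flags entries that were launched from a non-system drive or through a .lnk file. The registry records and drive letters it processes are constructed samples.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

# UserAssist lives under HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist\{GUID}\Count.
# Value names are ROT13-encoded program paths; on Windows 7 and later each 72-byte value
# holds the run count at offset 4 and the last-execution FILETIME (100 ns ticks) at offset 60.
FILETIME_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)

def decode_name(rot13_name):
    return codecs.decode(rot13_name, "rot_13")

def parse_count_data(raw):
    run_count = struct.unpack_from("<I", raw, 4)[0]
    ticks = struct.unpack_from("<Q", raw, 60)[0]
    last_run = FILETIME_EPOCH + timedelta(microseconds=ticks // 10) if ticks else None
    return run_count, last_run

def is_removable_origin(path, system_drive="C:"):
    # Flag shortcut launches and anything run from a drive other than the system drive;
    # names without a drive letter (e.g. packaged apps) are left alone.
    p = path.lower()
    drive = p[:2] if len(p) > 1 and p[1] == ":" else ""
    return p.endswith(".lnk") or (drive != "" and drive != system_drive.lower())

def triage(entries, system_drive="C:"):
    # entries: list of (value_name, value_data) pairs as exported from the Count subkey
    findings = []
    for name, data in entries:
        path = decode_name(name)
        count, last_run = parse_count_data(data)
        if is_removable_origin(path, system_drive):
            findings.append({"path": path, "run_count": count, "last_run": last_run})
    return findings

def make_count_data(run_count, filetime_ticks):
    # Constructed helper: builds a 72-byte record in the Windows 7+ layout for the samples below
    buf = bytearray(72)
    struct.pack_into("<I", buf, 4, run_count)
    struct.pack_into("<Q", buf, 60, filetime_ticks)
    return bytes(buf)

# Constructed sample export: a shortcut launched from a USB drive and a benign local binary
SAMPLE_ENTRIES = [
    (codecs.encode("E:\\documents.lnk", "rot_13"), make_count_data(1, 133852608000000000)),
    (codecs.encode("C:\\Windows\\notepad.exe", "rot_13"), make_count_data(7, 133852608000000000)),
]

def demo():
    return triage(SAMPLE_ENTRIES)

if __name__ == "__main__":
    for f in demo():
        print(f"{f['last_run']}  run_count={f['run_count']}  {f['path']}")
```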
The malware chain consisted of two core components: one for command and control (C2) communication and another to propagate the infection across additional removable and network drives. This dual-function strategy not only maintained persistence but also helped the malware spread laterally, expanding its reach within connected environments.
Reconnaissance and Data Collection Tactics
Gamaredon’s use of a PowerShell reconnaissance script further illustrates their intent to gather valuable intelligence. This script captured screenshots, surveyed files and directories, listed active processes, and identified installed antivirus software. Such detailed reconnaissance allowed the attackers to tailor their follow-up actions and maximize the value of the stolen data.
Evolving Threat Tactics Despite Limited Sophistication
Although Gamaredon is often viewed as less sophisticated compared to other Russian APT groups like APT29 or Sandworm, this campaign illustrates their growing capabilities. According to Symantec, the group is continuously making incremental but meaningful improvements in its tactics, techniques, and procedures (TTPs).
These improvements include enhanced obfuscation, increased use of legitimate services to mask activities, and better scripting techniques. Combined with their tenacity and strategic targeting, these changes pose a significant threat, especially to Western organizations with assets or personnel in high-risk regions like Ukraine.