A Russian advanced persistent threat group, known as Gamaredon, has been intensifying its cyber attacks on Ukraine by expanding its malware arsenal and exploiting cloud services. Throughout 2025, cybersecurity experts observed a surge in spear-phishing campaigns targeting Ukrainian government and military entities, marking a significant escalation in cyber warfare tactics.
Increasing Spear-Phishing Campaigns
According to Slovakian cybersecurity firm ESET, Gamaredon orchestrated 35 spear-phishing campaigns in 2025, primarily in the latter half of the year. These attacks aimed to extract sensitive information to further Russian interests amid ongoing conflicts. The group utilized various methods, including archive attachments and XHTML files, to deliver malicious payloads.
A notable aspect of these campaigns was the exploitation of an already patched WinRAR vulnerability (CVE-2025-8088) to plant malicious files on victims’ systems. The exploit let the malware launch automatically at the next system login, giving the compromise a persistent foothold.
Enhanced Malware Tactics
Gamaredon’s attacks have become increasingly sophisticated, employing tools like PteroLNK and PteroPaste to spread malware through infected USB and network drives. Additionally, they revived PteroSetup, a Visual Basic Script weaponizer, to replace legitimate installer files with malicious scripts, further complicating detection efforts.
In 2025, the group’s dependency on third-party services grew, integrating tunnel services and serverless platforms to obscure their infrastructure. This shift highlights a strategic evolution in maintaining operational security and resilience against countermeasures.
Expansion of Custom Malware Arsenal
The introduction of six new PowerShell tools demonstrated Gamaredon’s commitment to broadening its custom malware capabilities. These tools included PteroDee and PteroCache for PowerShell payload execution, and PteroDum for VBScript payloads. Furthermore, PteroOdd leveraged the Telegra.ph API, suggesting possible collaboration with other cyber actors like Turla.
Gamaredon’s approach also involved utilizing legitimate services as exfiltration channels and dead drop resolvers, complicating efforts to trace and disrupt their operations. Services like Dropbox, Telegra.ph, and GoFile were among those exploited to facilitate data extraction and command-and-control communication.
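The defensive angle on this abuse of legitimate services is process-to-destination correlation: a browser contacting Dropbox is routine, while a script host doing so is not. The following is an added example (not code from ESET or the report) that scans constructed Sysmon-style DNS-query records and flags script hosts resolving the services named above; the hostname suffixes are assumed well-known domains for those services, not indicators from the report.

```python
import json
from typing import Dict, Iterable, List, Optional

# Script hosts under which PowerShell and VBScript tooling executes.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}

# Services named in the report. The hostname suffixes are assumptions (the
# services' well-known domains), not indicators taken from the report.
WATCHED_SERVICES = {
    "dropbox": ("dropbox.com", "dropboxapi.com"),
    "telegra.ph": ("telegra.ph",),
    "gofile": ("gofile.io",),
}

def host_matches(hostname: str) -> Optional[str]:
    """Return the watched service a hostname belongs to, or None."""
    h = hostname.lower().rstrip(".")
    for service, suffixes in WATCHED_SERVICES.items():
        if any(h == s or h.endswith("." + s) for s in suffixes):
            return service
    return None

def flag_events(lines: Iterable[str]) -> List[Dict]:
    """Scan Sysmon-style DNS query records (one JSON object per line) and
    flag those where a script host resolved one of the watched services."""
    hits = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        try:
            ev = json.loads(line)
        except json.JSONDecodeError:
            continue  # skip malformed lines rather than abort the whole scan
        image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
        service = host_matches(ev.get("QueryName", ""))
        if image in SCRIPT_HOSTS and service:
            hits.append({"time": ev.get("UtcTime"), "pid": ev.get("ProcessId"),
                         "image": image, "query": ev["QueryName"], "service": service})
    return hits

# Constructed sample records: the browser reaching Dropbox is ordinary, but the
# script hosts resolving Telegra.ph and GoFile are the pattern worth triaging.
SAMPLE_LOG = r"""
{"UtcTime": "2025-09-14 08:02:11", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "api.telegra.ph"}
{"UtcTime": "2025-09-14 08:02:12", "ProcessId": 3310, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "QueryName": "www.dropbox.com"}
{"UtcTime": "2025-09-14 08:03:40", "ProcessId": 5580, "Image": "C:\\Windows\\System32\\wscript.exe", "QueryName": "store1.gofile.io"}
{"UtcTime": "2025-09-14 08:04:05", "ProcessId": 4120, "Image": "C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe", "QueryName": "update.microsoft.com"}
"""
```

Running `flag_events(SAMPLE_LOG.splitlines())` returns the two script-host records; in production the same logic applies to Sysmon Event ID 22 output, with the service list extended as new dead-drop providers are reported.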
ESET researcher Zoltán Rusnák noted that while Gamaredon paused operations around major Russian holidays, their activities were marked by frequent updates and creative use of online services, enhancing their operational flexibility.
As these cyber threats continue to evolve, understanding Gamaredon’s tactics is crucial for developing effective countermeasures and protecting critical infrastructure in Ukraine and beyond.
