The Russia-aligned advanced persistent threat (APT) known as Gamaredon has ramped up its spear-phishing attacks on Ukrainian government entities, marking a return to its initial focus after a brief expansion into NATO countries. Research from ESET’s Zoltán Rusnák revealed that Gamaredon’s latest operations showcase a marked increase in sophistication, employing advanced obfuscation techniques and a new toolset.
According to a recent white paper, Gamaredon has been active since at least 2013 and is believed to operate under the auspices of Russia’s Federal Security Service (FSB) in the annexed territory of Crimea. Researchers at ESET have tracked the group for several years and suggest that it collaborates with another threat actor known as InvisiMole.
While traditionally known for its crude and noisy cyberespionage techniques, analysts indicate that Gamaredon has significantly upgraded its tools to incorporate stealthier operational capabilities. This evolution includes the employment of a peculiar persistence method using an Excel add-in and enhancements to reduce file system operations when searching for sensitive data.
Over the course of 2024, Gamaredon has relied primarily on spear-phishing as its main attack vector. These campaigns often involve emails that mislead recipients (claiming, for instance, that they have been subpoenaed) and carry attachments in a variety of archive formats. The archives typically contain malicious executables designed to penetrate defenses quickly and stealthily. Furthermore, the actor has added mechanisms to its malware that maximize the chances of a successful compromise once the spear-phishing lure is opened.
The report highlights that Gamaredon’s continued reliance on these tactics, despite their low-effort nature, indicates that they remain effective at reaching the group’s intended targets. ESET’s analysts express concern over the persistent nature of these threats, suggesting that Gamaredon’s operations are not expected to wane any time soon.