Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances
Gamaredon, a Russia-aligned APT group attributed to the FSB, maintained high operational tempo throughout 2025 with 35 spearphishing campaigns exclusively targeting Ukrainian government and military institutions. The group introduced six new PowerShell tools, resurrected the PteroSetup VBScript weaponizer for lateral movement, and began abusing CVE-2025-8088 (WinRAR) for persistence via the Startup folder. A significant infrastructure evolution occurred: C&C servers are now hidden behind tunnel services (Cloudflare tunnels, Cloudflare workers, Microsoft devtunnels, Loophole) and dead-drop resolutions on legitimate platforms (Telegram, Telegra.ph, Rentry, GoFile, Dropbox, and others), while stolen data is exfiltrated to S3-compatible cloud storage (Wasabi, Tebi, Intercolo) rather than attacker-owned servers.
Detection / Hunteropenrouter
What Happened
A state-sponsored hacking group called Gamaredon, linked to Russia's security service (FSB), continued to spy on Ukrainian government and military organizations throughout 2025. They sent 35 waves of phishing emails and developed new tools to break into computers, spread across networks via USB drives, and steal files. To avoid being blocked, they hid their command servers behind legitimate internet services like Cloudflare tunnels and Microsoft developer tunnels, and used public platforms like Telegram, blogging sites, and paste services as hidden message drops where their malware could find instructions. They also started uploading stolen files to commercial cloud storage providers instead of their own servers, making the stolen-data traffic look like normal internet activity. In September 2025, they began exploiting a known WinRAR software vulnerability (CVE-2025-8088) to make their malware start automatically when victims log in. Organizations should ensure WinRAR is patched, monitor for unusual PowerShell and VBScript activity, and consider whether connections to the listed legitimate services from scripting processes warrant investigation.
Key Takeaways
- Gamaredon conducted 35 spearphishing campaigns in 2025 exclusively targeting Ukrainian governmental and military institutions, with significantly increased tempo in the second half of the year.
- From September 26, 2025, the group began abusing CVE-2025-8088 (WinRAR vulnerability) to place HTA downloaders directly into the victim's Startup folder, adding persistence to chains that previously relied on user interaction.
- Six new PowerShell tools were introduced (PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy, PteroPaste), along with the resurrection of the VBScript weaponizer PteroSetup for lateral movement via USB, network drives, and installer replacement.
- Gamaredon heavily adopted dead-drop techniques using legitimate services (Telegram, Telegra.ph, Teletype, Rentry, Write.as, GoFile, Dropbox, DEV Community, Mastodon, Lesma, NoPaste, Paste.ee) to stage C&C information and payloads, making blocking significantly harder.
- File stealers PteroVDoor and PteroPSDoor were upgraded to exfiltrate to S3-compatible cloud storage (Wasabi, Tebi, Intercolo), shifting exfiltration away from attacker-owned infrastructure to legitimate cloud providers.
Affected Systems
- Windows systems (HTA downloaders, VBScript, PowerShell tooling, WinRAR CVE-2025-8088 exploitation)
- USB removable drives and mapped network drives (lateral movement weaponizers)
- Software installer executables on fixed drives (PteroSetup installer replacement)
Vulnerabilities (CVEs)
- CVE-2025-8088 (WinRAR vulnerability; abused from September 26, 2025 to place malicious HTA downloaders into the victim's Startup folder for persistence)
Attack Chain
Initial access is achieved via spearphishing campaigns delivering archive attachments or XHTML files using HTML smuggling to deploy HTA downloaders, which fetch the VBScript downloader PteroSand. From September 2025, CVE-2025-8088 (WinRAR) is exploited to place HTA downloaders directly into the Startup folder for persistence. Lateral movement is facilitated by PteroSetup (replacing legitimate installer executables with malicious self-extracting archives on USB, network, and fixed drives) and PteroPaste (USB weaponizer). C&C resolution uses dead-drop techniques on legitimate services (Telegram, Telegra.ph, Rentry, GoFile, Dropbox, etc.) to retrieve encrypted C&C hostnames, which resolve to infrastructure hidden behind Cloudflare tunnels, Cloudflare workers, Microsoft devtunnels, or Loophole. Stolen data is exfiltrated via PteroVDoor/PteroPSDoor to S3-compatible cloud storage (Wasabi, Tebi, Intercolo) or via PteroBox to Dropbox using rclone.
Detection Availability
- YARA Rules: No
- Sigma Rules: No
- Snort/Suricata Rules: No
- KQL Queries: No
- Splunk SPL Queries: No
- EQL Queries: No
- Other Detection Logic: No
- Platforms: ESET GitHub repository, ESET Gamaredon white paper
The article references a comprehensive IOC list available in ESET's GitHub repository and the full Gamaredon white paper, but no detection rules or queries are reproduced in the blog post itself.
Detection Engineering Assessment
EDR Visibility: Medium — PowerShell and VBScript execution are generally visible to EDR, and process ancestry (HTA -> script -> PowerShell) provides useful correlation. However, the use of legitimate cloud services and tunnel platforms for C&C resolution and exfiltration makes network-level attribution difficult, and in-memory PowerShell execution reduces file-based detection opportunities. Network Visibility: Low — Gamaredon's heavy use of legitimate services (Cloudflare, Microsoft devtunnels, Telegram, Telegra.ph, Dropbox, S3-compatible storage) means malicious traffic closely resembles normal user activity. TLS encryption further limits payload inspection. Defenders would need DNS logging and SNI analysis to identify connections to tunnel services and dead-drop platforms from unusual processes. Detection Difficulty: Hard — The core challenge is that Gamaredon blends malicious activity with legitimate service usage. Connections to Cloudflare, Microsoft, Telegram, and cloud storage providers are common in enterprise environments. Detection requires correlating process context (PowerShell/VBScript/HTA parent processes) with network destinations, rather than relying on IP/domain blocklists alone.
Required Log Sources
- Windows Event Logs (Process creation - Sysmon Event ID 1, PowerShell Script Block Logging - Event ID 4104)
- DNS query logs
- Proxy/NGFW logs with TLS SNI visibility
- EDR process telemetry with command-line capture
- File system monitoring for Startup folder writes
- USB device mount logs
Hunting Hypotheses
| Hypothesis | Telemetry | ATT&CK Stage | FP Risk |
|---|---|---|---|
| Consider hunting for PowerShell or VBScript processes making network connections to paste, blogging, or messaging platforms (Telegra.ph, teletype.in, rentry.co, write.as, dev.to, mastodon.social, lesma.eu, nopaste.net, pastee.dev), as these may indicate dead-drop C&C resolution activity. | EDR process telemetry with network connection correlation; DNS logs; proxy logs | Command and Control | Medium — legitimate automation scripts or development tools may access some of these platforms; focus on script interpreters as the connecting process. |
| Consider hunting for processes connecting to multiple tunnel service domains (trycloudflare.com, workers.dev, devtunnels.ms, loophole.site, loca.lt, bore.pub) within a short time window, as Gamaredon uses these as primary and fallback C&C paths. | DNS logs, proxy/NGFW logs with SNI, EDR network connection events | Command and Control | Medium — developers may legitimately use Cloudflare tunnels or devtunnels; correlate with script process ancestry and look for multiple tunnel services contacted by the same host. |
| Consider hunting for file writes to the Windows Startup folder originating from archive extraction processes (especially WinRAR), which may indicate CVE-2025-8088 exploitation for persistence. | Sysmon Event ID 11 (FileCreate), EDR file write telemetry with process lineage | Persistence | Low — legitimate software rarely writes executables or scripts to the Startup folder via archive extraction. |
| Consider hunting for rclone execution from non-standard paths or with configurations pointing to Dropbox or S3-compatible storage endpoints (wasabisys.com, tebi.io, i3storage.com), as Gamaredon uses rclone for exfiltration via PteroBox. | EDR process telemetry, command-line logging, network connection logs | Exfiltration | Medium — rclone is a legitimate tool used by administrators; focus on unexpected execution contexts, non-standard binary paths, or connections to less common S3 providers. |
| Consider hunting for VBScript or PowerShell processes that create or modify executable files on removable drives or network shares, as PteroSetup and PteroPaste weaponize these for lateral movement. | EDR file operation telemetry with process context, USB mount events, Sysmon Event ID 11 | Lateral Movement | Low to Medium — legitimate software deployment tools may write to network shares, but script interpreters writing executables to USB drives is unusual. |
Control Gaps
- Domain/IP blocklists will not catch C&C traffic routed through legitimate Cloudflare, Microsoft, or PaaS infrastructure
- DLP solutions may not flag exfiltration to S3-compatible cloud storage providers that are not pre-classified as data exfiltration destinations
- Signature-based AV may miss in-memory PowerShell payloads fetched by PteroDee and PteroCache
- Network security controls may not distinguish dead-drop resolution traffic (e.g., PowerShell reading a Telegra.ph post) from legitimate browsing
- USB device controls may not prevent weaponization of already-mounted drives by script processes
Key Behavioral Indicators
- HTA files (mshta.exe) spawning script interpreters (powershell.exe, cscript.exe, wscript.exe) — unusual process ancestry
- PowerShell or VBScript processes making HTTP/HTTPS connections to paste, blogging, or social media platforms
- File writes to the Startup folder by archive extraction tools (WinRAR/rundll32)
- Script processes (powershell.exe, cscript.exe) writing executable files to removable or network drives
- rclone.exe or similar tools executing from non-standard paths with connections to non-AWS S3 endpoints
- Multiple tunnel service domains (trycloudflare.com, workers.dev, devtunnels.ms, loophole.site) resolved by the same host within a short timeframe
- Self-extracting archive execution that spawns both an installer process and a script interpreter simultaneously (PteroSetup behavior)
- PowerShell downloading and executing content in memory without writing to disk (PteroDee, PteroCache behavior)
False Positive Assessment
- Medium — Gamaredon's deliberate use of legitimate cloud, tunnel, and social platforms means that simple domain-based detections will generate significant false positives. Effective detection requires correlating process context (script interpreters, HTA execution) with network destinations, rather than blocking infrastructure outright. Organizations with developers using Cloudflare tunnels, devtunnels, or paste services for legitimate purposes will need to tune rules carefully.
Recommendations
Immediate Mitigation
- Verify against your organization's incident response runbook and team escalation paths before acting. Consider patching WinRAR to address CVE-2025-8088 on all Windows endpoints, particularly those in roles likely to be targeted by spearphishing.
- Consider blocking or alerting on script interpreter processes (powershell.exe, cscript.exe, wscript.exe, mshta.exe) making outbound connections to the dead-drop and tunnel services identified in the article, if your proxy or EDR supports process-aware network rules.
- If applicable to your environment, consider monitoring and restricting writes to the Windows Startup folder, especially from archive extraction processes.
- Evaluate whether your EDR can detect and block in-memory PowerShell execution patterns where scripts are downloaded and executed without touching disk.
Infrastructure Hardening
- Consider implementing DNS filtering or alerting for connections from endpoint systems to the tunnel service domains (trycloudflare.com, workers.dev, devtunnels.ms, loophole.site, loca.lt, bore.pub) when initiated by non-browser processes.
- Evaluate whether your DLP or cloud access security broker (CASB) can monitor and alert on uploads to S3-compatible storage providers (wasabisys.com, tebi.io, i3storage.com) and Dropbox, especially from non-standard processes like rclone.
- Consider implementing application allowlisting for rclone and similar file synchronization utilities, restricting execution to approved paths and users.
- If your network architecture supports it, consider segmenting systems that handle sensitive information to limit lateral movement opportunities via network drives.
User Protection
- Consider deploying enhanced email filtering for archive attachments and XHTML files, particularly those containing HTA content, targeting government or military personnel.
- Evaluate whether your endpoint protection can detect USB drive weaponization — specifically, script processes writing executable files to removable media.
- Consider disabling or restricting AutoRun/AutoPlay on all Windows systems to reduce the risk of lateral movement via weaponized USB drives.
- If supported by your EDR, consider enabling behavioral detection rules for self-extracting archives that execute both legitimate installers and additional script payloads simultaneously.
Security Awareness
- Consider incorporating warnings about spearphishing emails with archive attachments into existing awareness programs, emphasizing that attackers may use Ukraine-themed lures.
- If your organization operates in or alongside Ukrainian government or military sectors, consider briefing relevant personnel on the elevated threat from Gamaredon and the group's use of legitimate services for C&C.
- Consider reminding users not to insert untrusted USB drives and to report any unexpected USB devices found on premises.
- Where applicable, consider educating users about the risks of executing files from archive attachments, even when the files appear to be legitimate installers.
MITRE ATT&CK Mapping
- T1566.001 - Spearphishing Attachment
- T1566.002 - Spearphishing Link
- T1027.006 - HTML Smuggling
- T1059.001 - PowerShell
- T1059.005 - Visual Basic
- T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
- T1091 - Replication Through Removable Media
- T1210 - Exploitation of Remote Services
- T1105 - Ingress Tool Transfer
- T1568 - Dynamic Resolution
- T1090 - Proxy
- T1567.002 - Exfiltration to Cloud Storage
- T1027.002 - Software Packing
- T1036 - Masquerading
Additional IOCs
- Other:
de-fra.i3storage.com- Intercolo S3-compatible cloud storage endpoint used as primary exfiltration destination by December 2025; legitimate service abused for data exfiltration by PteroVDoor and PteroPSDoor