Gamaredon, a Russia-aligned APT group attributed to the FSB, maintained high operational tempo throughout 2025 with 35 spearphishing campaigns exclusively targeting Ukrainian government and military institutions. The group introduced six new PowerShell tools, resurrected the PteroSetup VBScript weaponizer for lateral movement, and began abusing CVE-2025-8088 (WinRAR) for persistence via the Startup folder. A significant infrastructure evolution occurred: C&C servers are now hidden behind tunnel services (Cloudflare tunnels, Cloudflare workers, Microsoft devtunnels, Loophole) and dead-drop resolutions on legitimate platforms (Telegram, Telegra.ph, Rentry, GoFile, Dropbox, and others), while stolen data is exfiltrated to S3-compatible cloud storage (Wasabi, Tebi, Intercolo) rather than attacker-owned servers.