Gamaredon, an FSB-linked threat actor, has deployed a highly evasive, fileless stealer dubbed GammaSteel targeting Ukrainian entities. The malware leverages Windows DPAPI to encrypt and stage payloads within the registry, actively monitoring local, network, and USB drives for sensitive documents to exfiltrate via legitimate cloud services and dynamic C2 infrastructure.