Gamaredon Expands Malware Arsenal and Cloud-Based C2 Tactics in Sustained Ukraine Espionage Campaign
ESET researchers document Russia's FSB-linked Gamaredon group deploying new malware families and increasingly relying on legitimate cloud services, tunneling platforms, and social media to conceal command-and-control infrastructure in ongoing attacks against Ukraine.

Russia's FSB-linked Gamaredon threat actor has significantly expanded its malware toolkit and refined its infrastructure tactics, according to a new report from ESET researchers. The group, which has been a persistent threat to Ukrainian entities since at least 2014, launched dozens of spear-phishing campaigns targeting government, military, and critical infrastructure organizations in Ukraine. The report details how Gamaredon is now leveraging legitimate cloud services, tunneling platforms, and social media channels to conceal its command-and-control (C2) infrastructure and exfiltrate stolen data.
ESET's analysis reveals that Gamaredon has introduced several new malware families into its arsenal, moving beyond its historically simple toolset. The group's attack chain typically begins with spear-phishing emails containing malicious attachments or links. Once initial access is gained, the attackers deploy a series of custom backdoors and information-stealing payloads. The new malware variants are designed to evade detection by traditional antivirus and endpoint detection systems, using techniques such as encrypted payloads and multi-stage loading.
A key evolution in Gamaredon's operations is its increased reliance on legitimate cloud services for C2 communications. The group has been observed using services like Dropbox, Google Drive, and Microsoft OneDrive to host malicious payloads and receive stolen data. By blending malicious traffic with legitimate cloud traffic, Gamaredon makes it harder for network defenders to distinguish between benign and malicious activity. Additionally, the group uses tunneling platforms and social media sites—including Telegram and Twitter—to issue commands to compromised systems and exfiltrate data in real time.
The report highlights that Gamaredon's campaigns have become more frequent and sophisticated, with dozens of distinct spear-phishing waves detected in recent months. The group targets a wide range of Ukrainian organizations, including government agencies, defense contractors, energy companies, and telecommunications providers. ESET notes that the group's operational tempo has increased significantly since the full-scale invasion of Ukraine in 2022, reflecting the Kremlin's ongoing prioritization of cyber espionage against its neighbor.
Gamaredon's infrastructure tactics have also evolved. The group now employs a distributed network of compromised websites and cloud accounts to host its C2 servers, making takedown efforts more challenging. ESET observed the group using domain generation algorithms (DGAs) and fast-flux DNS techniques to rotate C2 endpoints rapidly. This infrastructure resilience ensures that even if some command nodes are disrupted, the group can continue operations through backup channels.
The ESET report underscores the persistent and adaptive nature of Gamaredon's threat to Ukrainian national security. The group's ability to continuously update its malware and infrastructure tactics demonstrates a long-term commitment to espionage against Ukraine. For defenders, the report emphasizes the importance of monitoring for anomalous use of cloud services and social media platforms within corporate networks, as these are increasingly being exploited by state-sponsored actors like Gamaredon to maintain stealthy, persistent access.
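As an added illustration of the monitoring the report recommends (not code from ESET or from the report), the script below triages constructed DNS-resolution log lines for the two C2 resilience traits named above, fast-flux rotation (one name resolving to many short-lived IPs) and DGA-style hostnames (long, high-entropy labels). The log format, the sample domains and IPs, and the thresholds are all assumptions chosen for the example.

```python
# Triage constructed DNS-resolution logs for fast-flux rotation and
# DGA-like hostnames; thresholds below are assumptions, not ESET values.
import math
from collections import defaultdict
# Constructed sample log lines: <epoch> <fqdn> <resolved_ip> <ttl_seconds>
SAMPLE_LOG = """\
1700000000 updates.example-cdn.test 203.0.113.10 3600
1700000060 updates.example-cdn.test 203.0.113.10 3600
1700000000 qzxkvbtrwplmna.test 198.51.100.1 60
1700000120 qzxkvbtrwplmna.test 198.51.100.2 60
1700000240 qzxkvbtrwplmna.test 198.51.100.3 60
1700000360 qzxkvbtrwplmna.test 198.51.100.4 60
1700000000 mail.corp.test 192.0.2.5 900
"""

def shannon_entropy(label: str) -> float:
    """Bits per character of the label; random DGA labels score high."""
    counts = defaultdict(int)
    for ch in label:
        counts[ch] += 1
    n = len(label)
    return -sum(c / n * math.log2(c / n) for c in counts.values())

def parse_log(text: str):
    """Group resolutions by FQDN: the set of IPs seen and the minimum TTL."""
    seen = {}
    for line in text.splitlines():
        if not line.strip():
            continue
        _ts, fqdn, ip, ttl = line.split()
        entry = seen.setdefault(fqdn, {"ips": set(), "min_ttl": int(ttl)})
        entry["ips"].add(ip)
        entry["min_ttl"] = min(entry["min_ttl"], int(ttl))
    return seen

def triage(text: str, max_ips: int = 2, max_ttl: int = 300, entropy_bits: float = 3.5):
    """Return {fqdn: [reasons]} for names showing fast-flux or DGA traits.
    A name is fast-flux-like when it rotates through more than max_ips
    addresses with TTLs at or below max_ttl seconds (assumed thresholds)."""
    findings = {}
    for fqdn, entry in parse_log(text).items():
        reasons = []
        if len(entry["ips"]) > max_ips and entry["min_ttl"] <= max_ttl:
            reasons.append("fast-flux: %d IPs, ttl %ds" % (len(entry["ips"]), entry["min_ttl"]))
        label = fqdn.split(".")[0]
        if len(label) >= 12 and shannon_entropy(label) >= entropy_bits:
            reasons.append("dga-like label: entropy %.2f" % shannon_entropy(label))
        if reasons:
            findings[fqdn] = reasons
    return findings
```

Run against real resolver or passive-DNS logs, the same two signals surface candidate C2 names for analyst review; tune the thresholds to the network's normal CDN behaviour, since legitimate CDNs also rotate addresses with short TTLs.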