VYPR
Research · Published Jun 25, 2026 · Updated Jun 26, 2026 · 1 source

Gamaredon in 2025: Russia’s FSB-Linked Hackers Expand Toolset with Cloud Exfiltration, New Alliances, and WinRAR Exploit

ESET research reveals Gamaredon's 2025 evolution: cloud-based dead drops, Turla collaboration, and a CVE-2025-8088 exploit for persistent access in 35+ campaigns against Ukraine.

Russia-aligned APT group Gamaredon, attributed by Ukraine’s Security Service to the FSB’s 18th Center for Information Security, has significantly upgraded its toolset and operational tempo throughout 2025, according to new research from ESET. The group staged 35 distinct spearphishing campaigns exclusively against Ukrainian military and government institutions, with a dramatic acceleration in the second half of the year. Central to the evolution is a shift toward cloud-based dead drops and infrastructure hiding—leveraging tunnels, workers, dynamic DNS, and platform-as-a-service offerings to obscure command-and-control servers and exfiltrate stolen data.

The group deployed six new malicious PowerShell tools, resurrected the old VBScript weaponizer PteroSetup, and upgraded its file stealers PteroVDoor and PteroPSDoor to support exfiltration directly to cloud storage services Wasabi, Tebi, and Intercolo. ESET’s white paper, the third in a series tracking Gamaredon’s TTPs, documents how the attackers also abused multiple legitimate messaging, social media, blogging, and paste services as dead drops for resolving C2 servers and distributing payloads. This cloud-first approach represents a strategic shift, making traditional network-based detection far more difficult.

In a notable development, ESET uncovered a collaboration between Gamaredon and Turla, another Russia-aligned FSB-linked actor, in early 2025. This cooperation, detailed in a separate ESET report, underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, which could amplify their operational impact. Historically, Gamaredon has also worked with the InvisiMole threat actor. Separately, ESET observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently transferring validated targets to Sandworm for follow-up activity.

The second half of 2025 saw a marked increase in campaign size and frequency. Spearphishing attempts primarily used archive attachments or XHTML files employing HTML smuggling to deliver malicious HTA downloaders, which in turn fetched the VBScript downloader PteroSand and additional payloads. Starting September 26, Gamaredon began exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to place its HTA downloader into the victim’s Startup folder, achieving persistence that previously relied more heavily on user interaction. This technique aligns with the broader Russian threat-actor trend of weaponizing archive utilities for intrusion.
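The two delivery tricks above share one defensive choke point: an archive entry name should never resolve outside the extraction directory, and certainly not into a Startup folder. The following Python, an added example not taken from ESET's report or Gamaredon's tooling, audits a list of constructed archive entry names (the sample names and the `audit_archive` helper are assumptions for illustration) and flags those a hardened extractor or mail gateway should refuse.

```python
import ntpath

# Constructed sample archive entry names for this example (not from ESET's report).
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/annex.docx",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta",
    "../../../Users/Public/run.hta",
    "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\x.hta",
    "images\\..\\..\\notes.txt",
]

# Per-user and all-users Startup folders both end in this path fragment.
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
# Extensions Windows will run from Startup without further user interaction.
AUTORUN_EXTENSIONS = {".hta", ".lnk", ".vbs", ".js", ".cmd", ".bat", ".ps1"}

def normalize(entry: str) -> str:
    """Fold '/' to '\\' and collapse '.' / '..' the way a Windows extractor would."""
    return ntpath.normpath(entry.replace("/", "\\"))

def escapes_root(entry: str) -> bool:
    """True if the entry would land outside the chosen extraction directory."""
    n = normalize(entry)
    if ntpath.isabs(n) or ntpath.splitdrive(n)[0]:
        return True
    return n == ".." or n.startswith("..\\")

def targets_startup(entry: str) -> bool:
    """True if the resolved path points into a Windows Startup folder."""
    return STARTUP_MARKER in ("\\" + normalize(entry).lower())

def audit_archive(entries):
    """Return (entry, reasons) for every entry a defender should refuse to extract."""
    findings = []
    for e in entries:
        reasons = []
        if escapes_root(e):
            reasons.append("path-traversal")
        if targets_startup(e):
            reasons.append("startup-folder")
        if reasons and ntpath.splitext(e)[1].lower() in AUTORUN_EXTENSIONS:
            reasons.append("autorun-extension")
        if reasons:
            findings.append((e, reasons))
    return findings

if __name__ == "__main__":
    for entry, reasons in audit_archive(SAMPLE_ENTRIES):
        print(f"{entry!r}: {', '.join(reasons)}")
```

The same checks apply to any archive format a gateway unpacks; rejecting the whole archive on the first finding is safer than extracting the clean entries.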

The group’s targeting remained focused on Ukraine’s governmental and military institutions, aiming to exfiltrate sensitive information supporting Russian war interests. ESET observed that many tool updates were made in lead-up periods to major holidays in Russia and Crimea, with no updates during or immediately after the holidays—further suggesting the operators are likely government-affiliated employees. ESET’s full technical analysis, including indicators of compromise and tool descriptions, is available in its latest white paper.

Synthesized by Vypr AI