Security Experts:

Connect with us

Hi, what are you looking for?



“Gamaredon” Group Uses Custom Malware in Ukraine Attacks

A Russia-linked threat group tracked as “Gamaredon” has been using custom-developed malware in attacks aimed at Ukraine, Palo Alto Networks reported on Monday.

A Russia-linked threat group tracked as “Gamaredon” has been using custom-developed malware in attacks aimed at Ukraine, Palo Alto Networks reported on Monday.

The group has been active since at least mid-2013, but its activities were first detailed in April 2015 by LookingGlass. The security firm’s analysis focused on Operation Armageddon, a cyber espionage campaign targeting Ukrainian government, military and law enforcement officials.

The Security Service of Ukraine (SBU) issued a statement at the time attributing the attacks to branches of Russia’s Federal Security Service (FSB). Furthermore, evidence found by researchers suggested that the malware used by the threat actor had been built on a Russian operating system.

In the attacks analyzed by LookingGlass in 2015, the Gamaredon group used spear-phishing emails to deliver common remote access tools (RATs), such as Remote Manipulator System (RMS) and UltraVNC.

According to Palo Alto Networks, Gamaredon has started using new, custom-built malware instead of the widely available RATs. However, it’s unclear if the latest attacks are also part of Operation Armageddon or if they represent a new campaign.

The new pieces of malware used by the group are capable of downloading and executing additional payloads, scanning infected systems for specific files, capturing screenshots, and executing remote commands. While the actor’s older tools were easily identified by antimalware products (e.g. TROJ_GAMAREDON, Trojan.Gamaredon), its new creations often go undetected or unrecognized.

“We believe this is likely due to the modular nature of the malware, the malware’s heavy use of batch scripts, and the abuse of legitimate applications and tools (such as wget) for malicious purposes,” said Palo Alto Networks researchers.

One of the custom backdoors used by Gamaredon is Pteranodon, which can capture screenshots, download and execute files, and execute commands on the system.

While Gamaredon has started using new malware, it still relies on self-extracting archives (SFX) and much of the same infrastructure as when its activities were first analyzed.

Russia-linked threat groups have been blamed for several campaigns targeting Ukrainian organizations, including damaging attacks on the country’s energy sector.

Related: Experts Doubt Russia Used Malware to Track Ukrainian Troops

Related: Ukrainian Group Claims Hack of Putin Advisor’s Email

Related: Ukraine Power Grid Attacks Part of a 2-Year Campaign

Written By

Eduard Kovacs (@EduardKovacs) is a contributing editor at SecurityWeek. He worked as a high school IT teacher for two years before starting a career in journalism as Softpedia’s security news reporter. Eduard holds a bachelor’s degree in industrial informatics and a master’s degree in computer techniques applied in electrical engineering.

Click to comment

Expert Insights

Related Content


Websites of German airports, administration bodies and banks were hit by DDoS attacks attributed to Russian hacker group Killnet

Malware & Threats

Microsoft plans to improve the protection of Office users by blocking XLL add-ins from the internet.


Iranian APT Moses Staff is leaking data stolen from Saudi Arabia government ministries under the recently created Abraham's Ax persona


CISA, NSA, and MS-ISAC issued an alert on the malicious use of RMM software to steal money from bank accounts.


Artificial intelligence is competing in another endeavor once limited to humans — creating propaganda and disinformation.


Chinese threat actor DragonSpark has been using the SparkRAT open source backdoor in attacks targeting East Asian organizations.


The UK’s NCSC has issued a security advisory to warn about spearphishing campaigns conducted by two unrelated Russian and Iranian hacker groups.

Application Security

Electric car maker Tesla is using the annual Pwn2Own hacker contest to incentivize security researchers to showcase complex exploit chains that can lead to...