A sophisticated malware campaign attributed to the Russia-linked Gamaredon threat group has been actively targeting Ukrainian entities since late 2024, according to new research published on April 16, 2025. Samples of the Pterodo malware family were identified on public malware analysis platforms between December 2024 and mid-March 2025, with active command and control infrastructure still being maintained.

The malware, known as PteroLNK, utilizes heavily obfuscated VBScript files that construct additional payloads during execution. HarfangLab researchers identified that the main PteroLNK VBScript dynamically constructs two additional VBScript payloads during execution: a downloader and an LNK dropper. It drops copies of itself to paths like “%PUBLIC%\NTUSER.DAT.TMContainer” and “%APPDATA%~.drv” while deploying the downloader and LNK dropper payloads to separate locations. The LNK dropper component focuses on propagation, replacing existing files with deceptive shortcuts that execute the malware. These shortcuts mimic legitimate documents, allowing the malware to propagate across networks and execute malicious code when users interact with the seemingly benign files.

“The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms, and detection logic for security solutions on the target system,” the report states. The Ukrainian decoy filenames used by the malware include military themes such as “Casualties information,” “Sample monthly report,” and “Support of the Main Intelligence Directorate”.

The campaign’s targeting of Ukrainian entities with military-themed lures aligns with Russia’s strategic interests in the ongoing conflict, making this discovery particularly significant for understanding cyber operations in the region.
The malware establishes persistence through scheduled tasks and hides its activities by modifying Windows Explorer settings to hide files. The campaign primarily targets Ukrainian government, military, and critical infrastructure organizations through spearphishing operations with military-themed lures. Attribution to Russia’s Federal Security Service (FSB) is supported by evidence from Ukrainian authorities and multiple independent researchers.
This Cyber News was published on cybersecuritynews.com. Publication date: Thu, 17 Apr 2025 09:20:06 +0000