Gamaredon

Threat Actor updated 13 days ago (2024-11-08T13:17:59.870Z)
Gamaredon, a Russia-aligned threat actor, has emerged as one of the most active Advanced Persistent Threat (APT) groups operating against Ukraine, particularly since Russia's 2022 invasion of the country. Composed of regular officers of the Russian Federal Security Service (FSB) and some former Ukrainian law enforcement officers, Gamaredon is known for applying innovative modifications to its malicious tools in support of its cyber-espionage activities. Notably, in 2021 the group reworked a PowerShell backdoor known as PteroPSDoor to improve its stealth. The group's primary mode of attack involves a USB worm named LitterDrifter, which has been used repeatedly against Ukraine. Gamaredon has also introduced new tools into its arsenal, such as a PowerShell tool dubbed PteroGraphin by ESET, a downloader that retrieves an encrypted payload through the Telegram social media network. The group's persistent approach, while less stealthy, has proven effective at overwhelming Ukraine's defenses through sheer volume. Gamaredon's activities have significant international implications, notably for NATO countries; the group's attempts to target these nations underline the importance of international cybersecurity cooperation. Detailed analyses of Gamaredon's tools and techniques published by ESET researchers provide valuable insight into the group's modus operandi. Gamaredon's toolset typically includes downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools, all aimed at furthering its cyber-espionage objectives.
Description last updated: 2024-11-08T00:03:23.373Z
Possible Aliases / Cluster overlaps
Cluster overlaps and naming conventions differ between vendors, so the following are possible overlapping names and profiles that may also be relevant.
Alias (votes) and description:

Primitive Bear (4 votes): Primitive Bear, also known as Gamaredon, UAC-0010, and Shuckworm, is a threat actor associated with Russia that has been actively targeting Ukraine for over a decade. This group has primarily focused on organizations within government, defense, and critical infrastructure sectors. Since our update i

Trident Ursa (3 votes): Trident Ursa, also known as Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear, and UAC-0010, is a threat actor attributed to Russia's Federal Security Service by the Security Service of Ukraine. This group has been active since 2014, primarily focusing on Ukrainian entities such as governme

Armageddon (3 votes): Armageddon, also known as the Gamaredon Group, is a threat actor that has been operational since around 2013 or 2014. Composed of regular officers from Russia's Federal Security Service (FSB) and some former Ukrainian law enforcement officers, Armageddon is notorious for its cyber-attacks primarily

Shuckworm (2 votes): Shuckworm, also known as Gamaredon, Primitive Bear, ACTINIUM, and Armageddon, is a threat actor associated with the Russian government. Operational since 2013, it has been primarily targeting Ukrainian entities across multiple sectors, including government, defense, and critical infrastructure. In J

ACTINIUM (2 votes): Actinium, also known as Primitive Bear or Shuckworm, is a notable threat actor in the realm of cyber espionage, primarily focusing on Ukraine. This group is one of several Russian government Advanced Persistent Threat (APT) hacking teams that have actively engaged in cyber operations against Ukraine

Aqua Blizzard (2 votes): Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance
Apt, Malware, Russia, Ukraine, Telegram, Worm, Espionage, Backdoor, State Sponso..., Phishing, Downloader, Lateral Move..., Payload, Decoy, Domains, Spearphishing, Ukrainian, Government, PowerShell
Associated Malware
Malware (association type; votes) and description:

LitterDrifter (has used; 6 votes): LitterDrifter is a malicious software (malware) that has been identified as a tool of the Russian Advanced Persistent Threat (APT) group, Gamaredon. This malware is particularly insidious as it is spread via USB drives, allowing for both direct and indirect infection of targeted systems. It was init

InvisiMole (Unspecified; 3 votes): InvisiMole is a sophisticated malware with modular architecture, designed to infiltrate and exploit computer systems undetected. It begins its operation using a wrapper DLL and performs activities through two other modules embedded in its resources. Notably, the malware is capable of scanning enable

BlackEnergy (Unspecified; 2 votes): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

Stately Taurus (Unspecified; 2 votes): Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's

Raspberry Robin (Unspecified; 2 votes): Raspberry Robin is a sophisticated malware that uses advanced techniques to infiltrate and exploit computer systems. The malicious software is designed to stealthily enter a system through suspicious downloads, emails, or websites, often unbeknownst to the user. Once inside, it can wreak havoc by st
Associated Threat Actors
Threat actor (association type; votes) and description:

Gamaredon Group (Unspecified; 4 votes): The Gamaredon group, a threat actor active since at least 2013, uses sophisticated techniques to execute malicious campaigns. Notably, they employ signed binaries (T1116) in their operations and utilize tools coded in C/C++, C#, batch file, and VBScript. Despite the relative simplicity of their tool

APT28 (is related to; 4 votes): APT28, also known as Fancy Bear and Unit 26165 of the Russian Main Intelligence Directorate, is a threat actor linked to Russia with a history of cyber-espionage activities. The group has been involved in several high-profile attacks, including the hacking of the Democratic National Committee (DNC)

Turla (Unspecified; 4 votes): Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (

APT29 (Unspecified; 3 votes): APT29, also known as Midnight Blizzard and linked to Russia's Foreign Intelligence Service (SVR), is a notorious threat actor that has been implicated in several high-profile cyberattacks. The group has demonstrated sophisticated capabilities, exploiting vulnerabilities such as the WinRAR 0day flaw

Sandworm (Unspecified; 3 votes): Sandworm, a threat actor linked to Russia, has been identified as the primary cyber attack unit supporting Russian military activities in Ukraine. This group is notorious for its sophisticated and disruptive cyber attacks, including the compromise of 11 Ukrainian telecommunications providers which c

Camaro Dragon (Unspecified; 2 votes): Camaro Dragon, a Chinese state-sponsored threat actor also known as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus, has been identified as a significant cybersecurity concern. The group has been active since at least 2012 and is known for its sophisticated
Source Document References
Information about the Gamaredon threat actor was read from the documents corpus below. This display is limited to 20 results.
Source and age of each document: ESET (13 days ago); BankInfoSecurity (14 days ago); DARKReading (2 months ago); Securityaffairs (2 months ago); ESET (2 months ago); ESET (2 months ago); Contagio (3 months ago); Securityaffairs (3 months ago); Securityaffairs (4 months ago); CERT-EU (9 months ago); Securityaffairs (4 months ago); Securityaffairs (4 months ago); Securityaffairs (4 months ago); Securityaffairs (4 months ago); Securityaffairs (5 months ago); Securityaffairs (5 months ago); Securityaffairs (5 months ago); Securityaffairs (6 months ago); Flashpoint (6 months ago); Securityaffairs (7 months ago).