Gamaredon

Threat Actor updated 3 days ago (2024-10-15T10:02:28.383Z)
Gamaredon, a Russian Advanced Persistent Threat (APT) group, has been identified as one of the most active threat actors in Ukraine, particularly since Russia's invasion of Ukraine in 2022. The group has been known to employ a variety of tools and techniques for cyberespionage, including downloaders, droppers, weaponizers, stealers, backdoors, and ad hoc tools. Gamaredon's activities have been meticulously tracked and analyzed by cybersecurity researchers, providing valuable insights into their evolving tactics and strategies. Recently, Gamaredon has launched a series of attacks using a USB worm named LitterDrifter against Ukraine. This represents a shift towards more direct, less stealthy approaches which, while potentially easier to detect, can be highly effective in overwhelming defenses through sheer volume. This persistent approach is indicative of Gamaredon's aggressive strategy, showcasing their capacity to adapt and innovate in response to changing cybersecurity landscapes. Gamaredon's activities are not limited to Ukraine, as they have also attempted to target NATO countries, posing significant implications for international cybersecurity cooperation. The group's actions underscore the need for robust, coordinated responses to state-sponsored cyber threats. Detailed analysis and technical breakdowns of Gamaredon’s tools and activities, such as those provided by ESET Research, are crucial in developing effective countermeasures and strengthening global cybersecurity infrastructure.
Description last updated: 2024-10-15T09:28:07.858Z
Possible Aliases / Cluster overlaps
It's hard to track cluster overlaps and naming conventions between vendors, so here are some possible overlapping names / profiles you also may want to look at.

Alias (votes): Description

Primitive Bear (4 votes): Primitive Bear, also known as Gamaredon, UAC-0010, and Shuckworm, is a threat actor associated with Russia that has been actively targeting Ukraine for over a decade. This group has primarily focused on organizations within government, defense, and critical infrastructure sectors. Since our update i

Armageddon (3 votes): Armageddon, also known as the Gamaredon Group, is a threat actor that has been active since around 2013 or 2014. Composed of regular officers from Russia's FSB and some former law enforcement officers from Ukraine, this group has become one of the most dangerous cyber threats to Ukraine amidst its o

Trident Ursa (3 votes): Trident Ursa, also known as Gamaredon, Shuckworm, Actinium, Armageddon, Primitive Bear, and UAC-0010, is a threat actor attributed to Russia's Federal Security Service by the Security Service of Ukraine. This group has been active since 2014, primarily focusing on Ukrainian entities such as governme

ACTINIUM (2 votes): Actinium, also known as Primitive Bear or Shuckworm, is a notable threat actor in the realm of cyber espionage, primarily focusing on Ukraine. This group is one of several Russian government Advanced Persistent Threat (APT) hacking teams that have actively engaged in cyber operations against Ukraine

Shuckworm (2 votes): Shuckworm, also known as Gamaredon, Primitive Bear, ACTINIUM, and Armageddon, is a threat actor associated with the Russian government. Operational since 2013, it has been primarily targeting Ukrainian entities across multiple sectors, including government, defense, and critical infrastructure. In J

Aqua Blizzard (2 votes): Aqua Blizzard, previously known as ACTINIUM, is a significant threat actor originating from Russia. Recently, Microsoft revamped its naming convention for threat groups, transitioning from all-cap names based on atomic elements to a two-name scheme inspired by storm terminology. Aqua Blizzard has be
Miscellaneous Associations
Other elements of context that could aid in the identification of relevance: Apt, Malware, Ukraine, Russia, Worm, Espionage, Telegram, Phishing, Backdoor, State Sponso..., Spearphishing, Government, Domains, Decoy, Lateral Move..., Ukrainian
Analyst Notes & Discussion
Associated Malware
Malware (association type, votes): Description

LitterDrifter (has used, 6 votes): LitterDrifter is a malicious software (malware) that has been identified as a tool of the Russian Advanced Persistent Threat (APT) group, Gamaredon. This malware is particularly insidious as it is spread via USB drives, allowing for both direct and indirect infection of targeted systems. It was init

InvisiMole (Unspecified, 3 votes): InvisiMole is a sophisticated malware with modular architecture, designed to infiltrate and exploit computer systems undetected. It begins its operation using a wrapper DLL and performs activities through two other modules embedded in its resources. Notably, the malware is capable of scanning enable

BlackEnergy (Unspecified, 2 votes): BlackEnergy is a potent malware toolkit that has been utilized by criminal and Advanced Persistent Threat (APT) actors since 2007. Its destructive capabilities were notably demonstrated in Ukraine where it was used for cyber-espionage, compromising industrial control systems, and launching attacks a

Stately Taurus (Unspecified, 2 votes): Stately Taurus, also known as Mustang Panda, Bronze President, Camaro Dragon, Earth Preta, Luminous Moth, and Red Delta, is a sophisticated malware that has been used in cyber-espionage campaigns primarily targeting government entities in Southeast Asia. It is believed to be associated with China's

Raspberry Robin (Unspecified, 2 votes): Raspberry Robin is a sophisticated piece of malware that uses a variety of tactics to infiltrate and exploit computer systems. It employs the CPUID instruction to conduct several checks, enabling it to assess the system's characteristics and vulnerabilities. Furthermore, Raspberry Robin has been obs
Associated Threat Actors
Threat actor (association type, votes): Description

Turla (Unspecified, 4 votes): Turla, a threat actor linked to Russia, is known for its sophisticated cyber espionage operations. The group has been associated with numerous high-profile attacks, often utilizing advanced backdoors and fileless malware for infiltration and persistence. Turla's tactics, techniques, and procedures (

APT28 (related to, 4 votes): APT28, also known as Fancy Bear, Forest Blizzard, and Unit 26165 of the Russian Main Intelligence Directorate, is a Russia-linked threat actor that has been active since at least 2007. This group has targeted governments, militaries, and security organizations worldwide with a particular focus on this

Gamaredon Group (Unspecified, 4 votes): The Gamaredon group, a threat actor active since at least 2013, uses sophisticated techniques to execute malicious campaigns. Notably, they employ signed binaries (T1116) in their operations and utilize tools coded in C/C++, C#, batch file, and VBScript. Despite the relative simplicity of their tool

Sandworm (Unspecified, 3 votes): Sandworm, also known as APT44, is a Russia-linked threat actor that has been implicated in several major cyberattacks. This group has been particularly active against targets in Ukraine and Poland, with significant operations including the compromise of 11 Ukrainian telecommunications providers, whi

APT29 (Unspecified, 3 votes): APT29, also known as Cozy Bear, Midnight Blizzard, Nobelium, and the Dukes, is a Russia-linked threat actor associated with SVR. This group is notorious for its sophisticated cyber espionage tactics, techniques, and procedures. APT29 often uses The Onion Router (TOR) network, leased and compromised

Camaro Dragon (Unspecified, 2 votes): Camaro Dragon, a Chinese state-sponsored threat actor also known as Mustang Panda, Bronze President, RedDelta, Luminous Moth, Earth Preta, and Stately Taurus, has been identified as a significant cybersecurity concern. The group has been active since at least 2012 and is known for its sophisticated
Source Document References
Information about the Gamaredon Threat Actor was read from the documents corpus below. This display is limited to 20 results.

Source (created):
DARKReading (14 days ago)
Securityaffairs (18 days ago)
ESET (19 days ago)
ESET (20 days ago)
Contagio (a month ago)
Securityaffairs (2 months ago)
Securityaffairs (2 months ago)
CERT-EU (8 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (3 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (4 months ago)
Securityaffairs (5 months ago)
Flashpoint (5 months ago)
Securityaffairs (5 months ago)
Securityaffairs (6 months ago)
Securityaffairs (6 months ago)