
Gamaredon Intensifies Ukraine Cyberattacks with Novel Malware Tools


“Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine.” — ESET

Scope and targets of the 2025 campaign

Slovakian cybersecurity firm ESET reported that Gamaredon mounted 35 distinct spear‑phishing campaigns during 2025, with most activity concentrated in the second half of the year. Primary targets were Ukrainian governmental and military institutions. According to ESET, the threat actor’s stated objective remained the exfiltration of sensitive information and other critical data "that could be exploited to support Russian interests in the ongoing war in Ukraine."

Delivery methods and persistence techniques

Gamaredon’s phishing messages used archive attachments or XHTML files that employed HTML smuggling to deliver malicious HTA downloaders. Those HTA downloaders dropped additional payloads such as PteroSand. In some attacks the group weaponized a now‑patched WinRAR vulnerability, CVE‑2025‑8088, to place the malicious HTA downloader into a victim’s Windows Startup folder so the downloader would execute automatically on the next user login.

The actor continued to rely on established lateral‑movement weaponizers. PteroLNK and PteroPaste were used to infect USB drives and mapped network drives with malicious LNK files that, when opened, triggered retrieval of downloader malware. ESET also observed PteroSetup, a Visual Basic Script (VBScript) weaponizer first detected in January 2021 and thought to be discontinued; that tool scans USB and mapped drives for legitimate installer files and, if found, replaces them with 7z self‑extracting archives that contain the original installer plus a malicious VBScript downloader.

New tools and expanded malware arsenal

ESET documented six new PowerShell‑oriented tools that broaden Gamaredon’s custom arsenal and enable in‑memory execution and remote fetching of payloads:

  • PteroDee and PteroCache — for fetching and executing PowerShell payloads in memory.
  • PteroDum — for fetching and executing VBScript payloads in memory.
  • PteroOdd — fetches a single PowerShell payload using the Telegra.ph API; ESET notes it was likely used in campaigns where Gamaredon collaborated with Turla.
  • PteroEffigy — fetches the command‑and‑control server using the GoFile cloud storage service.
  • PteroPaste — weaponizes USB drives and downloads additional PowerShell payloads via an encrypted channel.

These additions augment previously observed components such as PteroSand and the older VBScript toolset, increasing the options for staged execution and covert delivery.

Creative abuse of cloud hosting, dead drops, tunnels, and serverless workers

ESET highlighted a marked increase in Gamaredon’s reliance on third‑party services to hide back‑end infrastructure. "In 2025, the group's reliance on third‑party services grew significantly, with tunnel services and serverless worker platforms becoming an increasingly important part of how it hid its real back‑end infrastructure," ESET said.

The group used a wide range of legitimate services as dead‑drop resolvers and exfiltration channels, including Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, DEV Community (dev.to), Mastodon, Lesma, Nopaste.net, Paste.ee, Wasabi, Tebi, and Intercolo. ESET concluded that Gamaredon "further expanded its use of dead drops, tunnels, workers, dynamic DNS, and cloud storage, making its operations more flexible and harder to disrupt."

What this means for Ukrainian governmental and military institutions, security teams, and cloud providers

  • Ukrainian governmental and military institutions: As primary targets, they must treat HTA downloaders, LNK‑based propagation, and the CVE‑2025‑8088 exploitation vector as immediate operational concerns, and monitor for tampering with USB and mapped drives and for unexpected entries in Startup folders.
  • Security teams and incident responders: The growth in in‑memory PowerShell and VBScript tools, plus the use of many cloud platforms and dead drops, means defenders should look beyond single‑host indicators and correlate activity across cloud service access patterns, dynamic DNS changes, and tunnel/serverless worker usage.
  • Cloud and hosting providers: Services named in ESET’s list — including GoFile, Dropbox, Wasabi, and the various paste and blogging platforms — are being used as dead drops and C2 resolvers and may need focused abuse detection and takedown coordination to disrupt these channels.
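The on‑host checks suggested above (Startup folder entries, LNK files planted on USB or mapped drives, and 7z self‑extracting archives standing in for installers, as described in the delivery section) can be scripted as a first‑pass audit. The following is an added example, not ESET's tooling; the file layout, names and byte contents it scans are constructed, and the 7z SFX check is a heuristic that will also flag some legitimate installers.

```python
"""Audit a Startup folder and a drive root for the launcher types described
above: script/shortcut launchers in Startup, LNK files at a drive root, and
7z self-extracting archives in place of installers. Added example; sample
tree is constructed inline and is not real malware."""
import tempfile
from pathlib import Path

# Script and shortcut types that do not belong in a Startup folder.
LAUNCHER_EXTS = {".hta", ".lnk", ".vbs", ".vbe", ".js", ".jse", ".wsf",
                 ".ps1", ".cmd", ".bat"}
SEVEN_ZIP_SIG = b"7z\xbc\xaf\x27\x1c"  # magic bytes that open a 7z archive

def is_7z_sfx(path: Path) -> bool:
    """Heuristic: a PE file (MZ header) with a 7z archive body inside it.
    Some legitimate installers ship this way, so treat hits as leads."""
    data = path.read_bytes()
    return data[:2] == b"MZ" and SEVEN_ZIP_SIG in data[2:]

def audit_startup(folder: Path) -> list[tuple[str, str]]:
    """Flag script and shortcut launchers inside a Startup folder."""
    return [(p.name, f"{p.suffix.lower()} launcher in Startup")
            for p in sorted(folder.iterdir())
            if p.is_file() and p.suffix.lower() in LAUNCHER_EXTS]

def audit_drive_root(root: Path) -> list[tuple[str, str]]:
    """Flag top-level LNK files and 7z SFX executables on a drive root."""
    findings = []
    for p in sorted(root.iterdir()):
        if not p.is_file():
            continue
        if p.suffix.lower() == ".lnk":
            findings.append((p.name, "LNK at drive root"))
        elif p.suffix.lower() == ".exe" and is_7z_sfx(p):
            findings.append((p.name, "7z self-extracting archive"))
    return findings

def run_demo() -> list[tuple[str, str]]:
    """Build a constructed sample tree (hypothetical names) and audit it."""
    with tempfile.TemporaryDirectory() as tmp:
        startup, usb = Path(tmp, "Startup"), Path(tmp, "USB")
        for d in (startup, usb):
            d.mkdir()
        (startup / "update.hta").write_text("<script>/* constructed */</script>")
        (startup / "notes.txt").write_text("benign")
        (usb / "Documents.lnk").write_bytes(b"L\x00\x00\x00")  # LNK header stub
        (usb / "setup.exe").write_bytes(b"MZ" + b"\x00" * 64 + SEVEN_ZIP_SIG)
        (usb / "tool.exe").write_bytes(b"MZ" + b"\x00" * 64)  # plain PE, no archive
        return audit_startup(startup) + audit_drive_root(usb)
```

On a real host, point `audit_startup` at the per‑user and all‑users Startup folders and `audit_drive_root` at each removable or mapped drive letter.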

ESET’s reporting paints a picture of a persistent operator compensating for relatively simple malware with frequent updates and operational flexibility. The group’s proliferation of custom PowerShell tools and its adoption of tunnels, serverless workers, and an array of public hosting and paste services make the campaign harder to trace and interrupt. As ESET notes, activity patterns tied to Russian and Crimean holidays, and a pause in updates around those dates, "further suggest that Gamaredon operators are probably government‑affiliated employees."

The practical question the reporting leaves to defenders is precise and urgent: can monitoring and cooperative controls across the many legitimate services Gamaredon abuses be scaled quickly enough to sever the actor’s blend of simple on‑host loaders and sophisticated, cloud‑based concealment? ESET’s findings make clear that disrupting the chain will require attention to both the small binaries and the public services that point them to hidden infrastructure.

Original report — The Hacker News