Throughout 2025, Russia’s Gamaredon threat group conducted at least 35 distinct spearphishing campaigns targeting Ukrainian governmental and military institutions while fundamentally restructuring how it conceals its command-and-control infrastructure, according to new research from ESET. The shift toward legitimate cloud services as an evasion layer represents a significant operational security upgrade for one of the most active Russia-aligned advanced persistent threat (APT) groups in the conflict zone.

A Sustained and Accelerating Campaign

ESET Research, which has tracked Gamaredon since the group first emerged as a persistent Ukraine-targeting actor, published its third in-depth analysis of the group’s tactics on June 25, 2026. The researchers observed that Gamaredon, attributed by Ukraine’s Security Service (SSU) to the 18th Center of Information Security within Russia’s Federal Security Service (FSB) and believed to operate from occupied Crimea, maintained an aggressive operational tempo throughout 2025 with a notable acceleration in the second half of the year.

The 35 identified spearphishing campaigns represent a significant escalation in volume and scale compared with prior years. Earlier Gamaredon campaigns tended to target single organizations or small sets of individuals. According to ESET’s analysis, the later 2025 campaigns became markedly larger and more frequent, with the group maintaining near-continuous pressure on Ukrainian institutions throughout the year.


New Malware Tools Enter the Arsenal

Alongside the increased operational tempo, Gamaredon introduced six new malicious tools in 2025, all written in PowerShell. ESET researchers note that five of these tools appeared in the first quarter of 2025, suggesting the group used the early months to build new delivery chains before shifting to large-scale spearphishing in the second half of the year. The new tools are primarily delivery-focused, extending the group’s payload distribution capabilities across a wider range of infection scenarios.

The group also resurrected PteroSetup, an older VBScript weaponizer, alongside its established suite of tools. The file stealers PteroVDoor and PteroPSDoor received a significant capability upgrade: both now support exfiltration to commercial cloud storage services including Wasabi, Tebi, and Intercolo. According to ESET, cloud-based exfiltration became the primary method for removing stolen data from compromised systems during 2025.

WinRAR Exploitation Adds Startup-Folder Persistence

From September 26, 2025, Gamaredon began exploiting CVE-2025-8088, a WinRAR vulnerability, to place its malicious HTA downloader directly into the victim’s Startup folder. This technique adds a persistence mechanism to an infection chain that previously relied more heavily on user interaction to maintain access. The change is operationally significant: prior Gamaredon campaigns often required the victim to interact repeatedly with lure documents, while the Startup-folder persistence survives reboots and reduces reliance on continued user engagement.

Campaign delivery has remained consistent with prior years in its broader approach: most spearphishing campaigns use archive attachments or XHTML files employing HTML smuggling to deliver HTA downloaders, which then fetch the VBScript downloader PteroSand and additional payloads. ESET also observed campaigns that appear to use malicious hyperlinks rather than attachments, further broadening the delivery surface.

Infrastructure Concealment via Cloud Services and Dead Drops

The most architecturally significant development in Gamaredon’s 2025 operations is the systematic pivot away from directly exposed C2 servers toward infrastructure hidden behind legitimate third-party services. ESET researchers document the group’s use of tunneling services, cloud workers, dynamic DNS (DDNS), and platform-as-a-service (PaaS) providers to obscure the true location of its command infrastructure. Any of these individually represents a common evasion technique; their combined use reflects a deliberate and layered approach to operational security.

Beyond C2 concealment, Gamaredon also abused multiple legitimate messaging platforms, social media services, blogging services, and paste sites as dead drops for resolving C2 server addresses and distributing payloads. This technique uses trusted, high-reputation domains as an intermediary layer, making network-layer detection significantly more difficult. Security teams that filter purely on IP reputation or domain age will not reliably detect C2 traffic that routes through a legitimate content platform.

The Practical Detection Challenge

The consequence of this infrastructure model is that traditional network detection approaches lose effectiveness. When C2 traffic flows through legitimate cloud providers and trusted domains, endpoint telemetry becomes the more reliable detection surface. Behaviors warranting investigation include PowerShell spawning unusual child processes, unexpected connections from office applications to commercial cloud storage APIs, or HTA files appearing in Startup folders on endpoints with exposure to Ukrainian government contexts or organizations supporting Ukrainian institutions.


Collaboration With Turla and Broader Russian Actor Coordination

ESET’s 2025 report documents a notable development that extends beyond Gamaredon’s own capabilities: in early 2025, the group collaborated with Turla, another Russia-aligned APT also linked to the FSB. This cooperation, which ESET describes in a separate analysis, underscores the potential for coordinated operations among Russia-aligned threat actors that security defenders must account for.

ESET also documents broader task-sharing dynamics: in 2025, the Russia-aligned group UAC-0099 conducted initial access operations and then transferred validated targets to Sandworm for follow-up activity. For security leaders at organizations adjacent to Ukrainian government or defense supply chains, the implication is that a Gamaredon initial access may not remain a Gamaredon intrusion. Hand-offs between FSB, GRU, and other Russia-aligned actors increase the potential scope and severity of any initial foothold.

The collaboration pattern is consistent with findings CyberTech reported on Turla’s STOCKSTAY backdoor, which targeted overlapping sets of Ukrainian and European institutions. As covered in our analysis of Turla’s STOCKSTAY persistent espionage capabilities, the FSB’s operational coordination across its cyber units creates a compound threat for defenders who may correctly identify the initial actor but underestimate the broader campaign scope.

What This Means for Security Leaders

The 2025 Gamaredon evolution reflects a maturing operational security posture that security leaders need to factor into their threat models. The group is no longer a high-volume commodity threat relying on simple, easily detected C2 channels. The combination of cloud exfiltration paths, infrastructure hidden behind trusted services, a growing PowerShell tool set, active exploitation of known vulnerabilities like CVE-2025-8088, and documented inter-group collaboration makes it a substantially more capable adversary than earlier profiles suggested.

Organizations in or adjacent to the Ukrainian defense sector, European governmental institutions, and NATO member organizations face the highest direct risk. However, the techniques Gamaredon has adopted, particularly the use of commercial cloud storage for exfiltration and legitimate services as dead drops for C2 resolution, represent a broader operational template that other threat actors are also deploying. Defenders building detection capabilities against Gamaredon are also building defenses against the broader class of adversaries using the same cloud-native evasion approach.

Recommended Defender Actions

  • Audit PowerShell execution policies and enable PowerShell Script Block Logging across managed endpoints, with particular attention to unusual PowerShell processes spawned from Office applications or HTA files.
  • Monitor for outbound connections from non-browser endpoints to commercial cloud storage APIs (Wasabi and similar S3-compatible services) outside of expected business use patterns.
  • Verify endpoint hardening includes restrictions on Startup folder writes and logging of any new entries in user Startup folders.
  • Apply available patches for CVE-2025-8088 in any environment where WinRAR is deployed, particularly on endpoints accessing external archives.
  • Where possible, monitor for outbound connections from end-user devices to blogging platforms, paste sites, and consumer messaging services, which Gamaredon uses for C2 resolution rather than for legitimate communication.
  • Treat initial access indicators from any Russia-aligned actor as potentially involving hand-off to a second actor, and scope incident response planning and containment actions accordingly.
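As an added example, not code from ESET or from this article, the following Python triage function applies the endpoint behaviors described in the detection section and in the recommended actions above to constructed Sysmon-style events: Office applications spawning script hosts, PowerShell launching unexpected children, non-browser processes connecting to S3-compatible storage, and new Startup-folder entries. The event layout, the process allowlists and the vendor endpoint domain patterns are assumptions to tune for your environment.

```python
import re

# Process allowlists (assumptions for this example; tune to your environment)
OFFICE_APPS = {"winword.exe", "excel.exe", "outlook.exe", "powerpnt.exe"}
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
# Children PowerShell is expected to launch on these endpoints (assumption)
EXPECTED_PS_CHILDREN = {"conhost.exe"}
# Endpoint domains of the S3-compatible vendors the report names; patterns are assumptions
CLOUD_STORAGE = re.compile(r"(^|\.)(wasabisys\.com|tebi\.io|intercolo\.[a-z]+)$", re.I)
STARTUP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.I)

def _name(path):
    """Lower-cased executable name from a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

def triage(events):
    """Return (rule, event) pairs for Sysmon-style dicts matching the reported behaviours."""
    hits = []
    for ev in events:
        img = _name(ev.get("image", ""))
        if ev["type"] == "ProcessCreate":
            parent = _name(ev["parent"])
            if parent in OFFICE_APPS and img in SCRIPT_HOSTS:
                hits.append(("office_app_spawned_script_host", ev))
            elif parent in {"powershell.exe", "pwsh.exe"} and img not in EXPECTED_PS_CHILDREN:
                hits.append(("powershell_unusual_child", ev))
        elif ev["type"] == "NetworkConnect":
            if img not in BROWSERS and CLOUD_STORAGE.search(ev["dest_host"]):
                hits.append(("non_browser_to_cloud_storage", ev))
        elif ev["type"] == "FileCreate" and STARTUP_DIR.search(ev["target"]):
            # Any new Startup entry is logged; an HTA there is the higher-confidence signal
            rule = "hta_written_to_startup" if ev["target"].lower().endswith(".hta") else "new_startup_entry"
            hits.append((rule, ev))
    return hits

# Constructed sample telemetry (not real indicators): benign and suspicious events mixed
SAMPLE_EVENTS = [
    {"type": "ProcessCreate", "parent": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "image": r"C:\Windows\System32\mshta.exe"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Windows\System32\notepad.exe"},
    {"type": "ProcessCreate", "parent": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "image": r"C:\Windows\System32\wscript.exe"},
    {"type": "NetworkConnect", "image": r"C:\Windows\System32\wscript.exe", "dest_host": "s3.wasabisys.com"},
    {"type": "NetworkConnect", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "dest_host": "s3.wasabisys.com"},
    {"type": "FileCreate", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\jdoe\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
]

if __name__ == "__main__":
    for rule, ev in triage(SAMPLE_EVENTS):
        print(rule, ev.get("image"))
```

The four suspicious sample events each trigger exactly one rule while the browser upload and the Explorer-launched Notepad are ignored; feed real Sysmon event IDs 1, 3 and 11 into the same shape to reuse it.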

Source: ESET Research