APT Gamaredon

Gamaredon, also known as Primitive Bear, ACTINIUM, or Aqua Blizzard, is a Russian state-sponsored advanced persistent threat (APT) group active since at least 2013. They primarily target Ukrainian government and military entities, using relentless spear-phishing campaigns and custom malware for cyber espionage. Despite using relatively basic tools, their persistence has made them a big threat to Ukraine’s cybersecurity landscape.

Key Insights

Persistent Espionage Operations

Gamaredon’s ops are high volume and persistence rather than technical sophistication. They use spear-phishing emails with malicious attachments to get initial access, then deploy custom malware for data exfiltration and surveillance. They focus on intel gathering to support Russian strategic interests, particularly Ukraine.

Custom Malware Arsenal

Over the years, Gamaredon has developed and used a range of custom malware families: Pterodo, PowerPunch, ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown. These are for various purposes: backdoors, command execution, and data exfiltration. Their malware often uses obfuscation to evade detection and is regularly updated to get better.

Infrastructure and Attribution

Gamaredon’s infrastructure is a bunch of malicious domains and IP addresses for C2. The Security Service of Ukraine (SSU) has attributed the group to Russia’s Federal Security Service (FSB), specifically Center 18. This attribution is supported by overlapping infrastructure and operational patterns consistent with Russian state-sponsored cyber activities.

Known Variants

Gamaredon’s malware arsenal includes: Pterodo: Backdoor malware for remote access and command execution. PowerPunch: Lightweight downloader executed via PowerShell, for initial access and payload delivery. ObfuMerry and ObfuBerry: Variants with obfuscation to hide malicious activity. DilongTrash and DinoTrain: Malware families for data exfiltration and system reconnaissance. DesertDown: New addition to their toolkit, details still emerging. Also, mobile malware like BoneSpy and PlainGnome have been linked to Gamaredon, targeting Android devices for surveillance.

Mitigation Strategies

Train staff and enforce email controls to stop spear‑phishing—especially Unicode or LNK/XHTML/HTML attachments—and filter suspicious payloads before delivery
Restrict execution of mshta.exe, PowerShell, VBScript/WScript, and LNK‑triggered downloads via application whitelisting/allowlisting to prevent script‑based payload deployment.
Deploy DNS security solutions to detect fast‑flux domains, monitor anomalous DNS behavior (low TTL, IP rotation), and block or sinkhole related infrastructure rapidly.
Enable behavior‑based detection and threat hunting (e.g., Sigma rules or EDR hunts for Run‑key persistence, obfuscated PowerShell, Remcos/Remcos LNK indicators), ingest updated IoCs, and maintain incident response plans

Targeted Industries or Sectors

Gamaredon’s primary targets are the Ukrainian government and military institutions. But they also target other sectors and regions. Defense and Security: Military organizations and defense-related entities. Government Agencies: Various governmental departments and officials. Critical Infrastructure: Energy, transportation, and communication sectors. NATO-Aligned Countries: Occasional campaigns against NATO member states, with broader geopolitical goals.

Associated Threat Actors

Gamaredon is linked to Russia’s Federal Security Service (FSB), Center 18. They are known as Primitive Bear, ACTINIUM, Aqua Blizzard, Shuckworm, and Trident Ursa. They support other Russian APT groups by providing initial access and intel from their campaigns.