
eBook
A Hands-On Guide Using Hunt.io’s Threat Intelligence Platform
Gamaredon, also known as Primitive Bear, ACTINIUM, or Aqua Blizzard, is a Russian state-sponsored advanced persistent threat (APT) group active since at least 2013. They primarily target Ukrainian government and military entities, using relentless spear-phishing campaigns and custom malware for cyber espionage. Despite using relatively basic tools, their persistence has made them a significant threat to Ukraine’s cybersecurity landscape.
Persistent Espionage Operations
Gamaredon’s operations rely on high volume and persistence rather than technical sophistication. They use spear-phishing emails with malicious attachments to gain initial access, then deploy custom malware for data exfiltration and surveillance. They focus on intelligence gathering to support Russian strategic interests, particularly in Ukraine.
Custom Malware Arsenal
Over the years, Gamaredon has developed and used a range of custom malware families: Pterodo, PowerPunch, ObfuMerry, ObfuBerry, DilongTrash, DinoTrain, and DesertDown. These serve various purposes: backdoors, command execution, and data exfiltration. Their malware often uses obfuscation to evade detection and is regularly updated to keep evading it.
Infrastructure and Attribution
Gamaredon’s infrastructure consists of a large set of malicious domains and IP addresses used for C2. The Security Service of Ukraine (SSU) has attributed the group to Russia’s Federal Security Service (FSB), specifically Center 18. This attribution is supported by overlapping infrastructure and operational patterns consistent with Russian state-sponsored cyber activities.
Train staff and enforce email controls to stop spear-phishing (especially Unicode or LNK/XHTML/HTML attachments) and filter suspicious payloads before delivery.
Restrict execution of mshta.exe, PowerShell, VBScript/WScript, and LNK-triggered downloads via application whitelisting/allowlisting to prevent script-based payload deployment.
Deploy DNS security solutions to detect fast-flux domains, monitor anomalous DNS behavior (low TTL, IP rotation), and block or sinkhole related infrastructure rapidly.
Enable behavior-based detection and threat hunting (e.g., Sigma rules or EDR hunts for Run-key persistence, obfuscated PowerShell, Remcos/Remcos LNK indicators), ingest updated IoCs, and maintain incident response plans.
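The DNS recommendation above (low TTL, IP rotation) can be turned into a simple hunt over passive-DNS or resolver logs. The following Python is an added example and is not part of this eBook or of Hunt.io's platform; the records, domains and addresses are constructed, and the thresholds are assumptions to tune per environment.

```python
"""Flag fast-flux-style DNS behaviour (low TTL plus rapid IP rotation) in DNS logs."""
from collections import defaultdict

# Constructed sample passive-DNS records: (timestamp_s, domain, answer_ip, ttl_s).
# Domains and addresses are made up for this example and are not real indicators.
SAMPLE_RECORDS = [
    (0,    "updates.example-fluxy.test", "198.51.100.10", 60),
    (120,  "updates.example-fluxy.test", "198.51.100.23", 60),
    (240,  "updates.example-fluxy.test", "203.0.113.7",   30),
    (360,  "updates.example-fluxy.test", "203.0.113.88",  30),
    (480,  "updates.example-fluxy.test", "198.51.100.10", 60),
    (0,    "cdn.legit-site.test",        "192.0.2.5",     3600),
    (600,  "cdn.legit-site.test",        "192.0.2.5",     3600),
    (1200, "cdn.legit-site.test",        "192.0.2.6",     3600),
    (0,    "short-ttl-but-stable.test",  "192.0.2.9",     60),
    (300,  "short-ttl-but-stable.test",  "192.0.2.9",     60),
]

def summarize(records):
    """Per-domain stats: lowest TTL seen, distinct answer IPs, and how often the
    answer changed between consecutive observations (time-ordered)."""
    by_domain = defaultdict(list)
    for ts, domain, ip, ttl in records:
        by_domain[domain].append((ts, ip, ttl))
    stats = {}
    for domain, rows in by_domain.items():
        rows.sort()
        ips = [ip for _, ip, _ in rows]
        stats[domain] = {
            "min_ttl": min(ttl for _, _, ttl in rows),
            "distinct_ips": len(set(ips)),
            "changes": sum(1 for a, b in zip(ips, ips[1:]) if a != b),
        }
    return stats

def flag_fast_flux(records, max_ttl=300, min_ips=3, min_changes=3):
    """Return domains whose low TTL AND rapid rotation match the fast-flux pattern.
    Low TTL alone (a legitimate CDN, a stable short-TTL host) does not trigger;
    the thresholds are assumed defaults, not values from the eBook."""
    return sorted(
        d for d, s in summarize(records).items()
        if s["min_ttl"] <= max_ttl
        and s["distinct_ips"] >= min_ips
        and s["changes"] >= min_changes
    )
```

Requiring both low TTL and observed rotation is what keeps CDN-style short-TTL records from flooding the hunt with false positives; flagged domains are candidates for blocking or sinkholing, not verdicts.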