Live Training | What's New in Lumu Defender

Already have an account? Sign in

Sign in

Group

G0047

Gamaredon Group

Aliases

Primitive Bear, Shuckworm, Armageddon, Iron Tilden, Earth Dahu, Aqua Blizzard

Type

State intelligence cyberespionage group

Target

Government, Law Enforcement, Military, NGOs

Malware

Pterodo, custom VBS/PowerShell scripts, USB Stealers, GammaDrop

Country

Russia Russia

IoCs on Maltiverse

Maltiverse provides updated IoCs for easy SIEM/SOAR/Firewall/EDR integration.

Background and Attribution

Gamaredon Group is a relentless and high-volume threat actor that the Security Service of Ukraine (SBU) has publicly attributed to officers of the Russian Federal Security Service (FSB) operating from Crimea. Active since at least 2013, the group is a digital spearhead for Russian intelligence operations.

While the group’s operational priority is intelligence gathering within Ukraine, their campaign scope extends internationally. They frequently target foreign diplomatic missions, NATO allies, and global supply chains connected to the region. Their attacks are not traditionally stealthy or complex. Instead, they rely on speed, sheer volume, and aggressive persistence to overwhelm defenders and maintain access

Common Tactics and Tools

Gamaredon’s primary method of initial access is large-scale spear-phishing. They send waves of emails with malicious Office attachments, LNK files, or exploiting unmanaged software vulnerabilities (such as historical WinRAR flaws). The lures often relate to Ukrainian government documents or current events. These documents use macros to initiate the infection chain.

Their toolkit is effective due to its simplicity and wide deployment.

  • Pterodo (Pteranodon): The group’s main custom backdoor. This simple tool is the workhorse of their attacks. They use it to download more malware, run commands, and exfiltrate documents.
  • Custom Scripts (VBS/PowerShell): Gamaredon relies heavily on rapidly altered, heavily obfuscated scripts for persistence, discovery, lateral movement, and communicating with their command-and-control infrastructure.
  • USB Stealers & Internal Phishing: The group deploys malware designed to weaponize USB drives and inject malicious VBA code into Microsoft Outlook. This creates a worm-like effect, automatically sending phishing lures to external contacts and causing accidental spillover into global networks.
  • Dynamic infrastructure: Gamaredon utilizes rapid domain rotation, fast-flux DNS, and a shift toward dedicated command-and-control servers to bypass traditional domain blocking.

How to Defend Against Gamaredon Group

Defending against Gamaredon requires strong endpoint controls and security habits. This stops their high-volume script and macro attacks.

  • Restrict script execution: Enforce application control policies to block or strictly log execution of unauthorized .vbs, .ps1, and .hta files. Pay attention to scripts launched from emails or Office.
  • Harden Microsoft Office: Set a policy to block all macros in Office files from the internet. Train users to never enable content from untrusted sources.
  • Control removable media use: Enforce strict policies for USB drive use. Disable autorun and require that all removable media be scanned by endpoint security software when plugged in.
  • Deploy Network Defenses: Gamaredon uses fast-flux DNS to outrun traditional blocklists. Leverage Lumu Defender to continuously analyze network metadata for active C2 callbacks and automate perimeter blocking before data exfiltration occurs.
  • Proactive Threat Hunting: Hunt for IoCs globally, regardless of your organization’s physical location, as Gamaredon infrastructure and automated phishing frequently impact trusted third-party partners. Use high-quality, up-to-date threat intelligence feeds to block network connections to their newly registered malicious domains and IP addresses.

Join our pre-day 
workshop waitlist

By clicking “Submit Request” you agree to the Lumu Terms of Service and Privacy Policy.