In the ever-evolving world of cyber warfare, 2024 saw Russia-linked APT group Gamaredon double down on its focus: targeting Ukrainian government institutions with relentless precision and an expanded toolset. Their tactics are getting bolder, their techniques more evasive, and their infrastructure—smarter.
As I dug through ESET’s latest whitepaper and supporting coverage from sources like Dark Reading and WeLiveSecurity, it became clear: Gamaredon is no longer just “noisy and crude.” It’s still sloppy in places, sure—but parts of its toolkit now show a level of stealth that demands attention.
Let’s break down what changed this year and what it means for defenders.
A Refocused Campaign
First, Gamaredon isn’t wasting time with NATO countries anymore. They’ve fully recommitted to their original mission—compromising Ukrainian government infrastructure. Their campaigns in 2024 were larger, more frequent (monthly, minus March), and packed with new delivery methods and payloads.
The most notable technique: spearphishing with malicious attachments (ZIPs, HTAs, and LNKs) and, more recently, weaponized links posing as court documents. These emails often led to PowerShell or VBScript-based payloads that pull in more malware once executed.
Tool Evolution: New Malware, Old Habits
Gamaredon introduced six new tools this year, with names like PteroDespair, PteroBox, and PteroGraphin—all part of a naming convention built around their long-standing “Ptero” toolkit lineage.
- PteroDespair is a reconnaissance tool designed to audit the success of other implants.
- PteroGraphin used a persistent Excel macro add-in to load PowerShell scripts—a new stealth tactic that was later swapped for scheduled tasks.
- PteroBox leveraged Dropbox for file exfiltration—monitoring USB insertions and scraping files of interest.
- PteroTickle took a weird turn, targeting Python GUI applications built with Tkinter by injecting downloader code into Tcl initialization scripts. Definitely niche, but very creative.
Despite these new tools, Gamaredon also retired several older ones—likely signaling operational limits or a shift toward more efficient deployment strategies.
Weaponization: LNKs + USBs + Network Drives
They’ve refined their lateral movement techniques too. The VBScript version of PteroLNK can now weaponize both USB drives and mapped network drives, making it easier for infections to spread inside targeted environments—especially in air-gapped setups where sneakernet remains king.
The PowerShell version of PteroLNK got a v5 update, hiding itself in the registry and creating LNKs named after real desktop documents, increasing the chance of clicks.
One update even disables Windows settings that show hidden files or file extensions—reducing the chances that a curious user spots anything suspicious.
Command & Control Cloaking
Probably the most dangerous development? Gamaredon’s almost full migration to Cloudflare tunnels. By hiding their command-and-control (C2) servers behind Cloudflare-generated subdomains, they’ve made it much harder for defenders to block traffic at the network level.
And if that fails, they’re using Telegram pages, Codeberg-hosted text files, and third-party DNS resolvers like nslookup.io to dynamically update fallback C2 addresses.
This is a solid example of why relying solely on IP/domain-based blocking isn’t enough anymore. Gamaredon is actively playing the cat-and-mouse game—anticipating countermeasures and moving faster than some defenders can adapt.
Key Takeaways
- Focus: Gamaredon is all-in on Ukraine again—targeting government entities with tailored spearphishing and lateral movement.
- Adaptation: Fewer new tools in 2024, but smarter, more evasive ones with stealthier persistence and C2 communication.
- Infrastructure: Cloudflare tunnels and Telegram-hosted instructions mean traditional network defenses aren’t cutting it.
This isn’t just about watching what one APT group is doing—it’s about recognizing that the bar for cyber defense keeps rising. The techniques Gamaredon is using today might be tomorrow’s blueprint for ransomware groups or hacktivist cells.
