Gamaredon: Who They Are
Gamaredon (also known as Armageddon, Shuckworm, Primitive Bear) is a persistent Russian-linked APT group active since 2013. It primarily targets Ukrainian government, defense, and critical infrastructure organizations.
According to ESET, Unit42, and MITRE, the group is linked to Russia’s FSB Center No.18, responsible for cyber-operations.
Gamaredon Group and Their Tactics
Gamaredon conducts large-scale phishing campaigns using infected documents and remote templates.
Their malware ecosystem includes VBScript and PowerShell loaders, lightweight PE agents, and auto-generated code variants for evading antivirus detection.
Why They’re Dangerous
They exploit trusted communication channels — email, documents, and messengers — to steal data and maintain long-term access.
Their objective is intelligence collection, not destruction. They gather files, credentials, and chat data for use in military planning.
How the Hackers Operate
| Stage | Description | Tools |
|---|---|---|
| Attack vector | Phishing, infected attachments | DOC, HTA, LNK |
| Loader | Script-based execution | VBScript, PowerShell |
| Data collection | File and mailbox theft | PowerPunch, PteroLNK |
| Data exfiltration | Transfer via C2 networks | Dead-drop resolver |
| Evasion | Code obfuscation | Dynamic code generation |
Structure and Attack Methods
Ukraine’s SBU identified five FSB officers involved in Gamaredon. Evidence ties the group to operations coordinated from Crimea. Reports from ESET, SecurityWeek, and Recorded Future indicate that former Ukrainian IT specialists may have joined the group after 2014.
Gamaredon: How to Spot Their Attacks
- Scan emails for DOC/RTF/HTA attachments and remote template links.
- Monitor endpoints for PowerShell/WScript abuse.
- Track DNS/HTTP anomalies and short, repetitive C2 calls.
- Correlate indicators across mail, endpoint, and network logs.
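The first check above, scanning attachments for remote template links, can be automated at the mail gateway. The following is an added example, not code from the original page: a .docx carrying a remote template declares it in `word/_rels/settings.xml.rels` as an `attachedTemplate` relationship with `TargetMode="External"`, and the scanner returns those external targets. The helper that builds a sample document and the hostname `template-host.example` are constructed for the demonstration.

```python
import io
import re
import zipfile
from typing import List, Optional

# OOXML relationship type Word uses for an attached (document) template.
TEMPLATE_REL = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                "relationships/attachedTemplate")
RELS_PART = "word/_rels/settings.xml.rels"

REL_TAG = re.compile(r"<Relationship\b[^>]*>", re.I)
ATTR = re.compile(r'(\w+)="([^"]*)"')


def remote_templates(docx_bytes: bytes) -> List[str]:
    """Return external attachedTemplate targets found in a .docx (empty if none).

    A local template (no TargetMode="External") is legitimate and not reported;
    an external one means Word will fetch the template from a remote location
    when the document opens, which is the behaviour the detection rule targets.
    """
    found: List[str] = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as z:
        if RELS_PART not in z.namelist():
            return found
        xml = z.read(RELS_PART).decode("utf-8", errors="replace")
        for tag in REL_TAG.findall(xml):
            attrs = dict(ATTR.findall(tag))
            if (attrs.get("Type") == TEMPLATE_REL
                    and attrs.get("TargetMode", "").lower() == "external"):
                found.append(attrs.get("Target", ""))
    return found


def build_sample_docx(target: Optional[str], external: bool = True) -> bytes:
    """Constructed sample: a minimal .docx with an optional template relationship."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as z:
        z.writestr("[Content_Types].xml", "<Types/>")
        z.writestr("word/document.xml", "<w:document/>")
        if target is not None:
            mode = ' TargetMode="External"' if external else ""
            z.writestr(RELS_PART,
                       '<Relationships xmlns="http://schemas.openxmlformats.org/'
                       'package/2006/relationships">'
                       f'<Relationship Id="rId1" Type="{TEMPLATE_REL}" '
                       f'Target="{target}"{mode}/></Relationships>')
    return buf.getvalue()


if __name__ == "__main__":
    sample = build_sample_docx("http://template-host.example/report.dotm")
    print("remote templates:", remote_templates(sample))
```

Hits should be escalated together with the sending address and the endpoint's subsequent process and DNS activity, as the correlation item above suggests.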
Consequences of Inaction
Failure to address Gamaredon’s activity enables espionage, critical infrastructure breaches, and manipulation of stolen intelligence for geopolitical advantage. Rapid detection and cross-agency cooperation are key to defense.