SOC Prime Bias: Critical

30 Jun 2026 07:05 UTC

Gamaredon in 2025: Tunnels, Workers, Dead Drops, and New Alliances

SOC Prime Team

Summary

Gamaredon, a Russia-aligned APT group, has further adapted its operations in 2025 by abusing legitimate third-party services to conceal command-and-control infrastructure and data theft activity. The group relies on tunnels, workers, and dead-drop platforms such as Telegram and Dropbox to obscure malicious traffic. It has also introduced new PowerShell-based tooling and updated its file stealers to support exfiltration to S3-compatible cloud storage.

Investigation

ESET Research reviewed Gamaredon’s 2025 operations and observed a shift toward larger spearphishing campaigns combined with HTML smuggling techniques. The investigation identified new delivery tools, heavier use of Cloudflare workers and tunnels, and continued reliance on dead-drop resolvers. Researchers also documented cooperation with other Russia-aligned actors, including Turla.

Mitigation

Defenders should watch for unusual outbound connections to legitimate cloud storage platforms and serverless services. Enforcing strict controls over HTA and VBScript execution can help block the early stages of infection. Monitoring for abuse of dynamic DNS services and commonly used dead-drop platforms is also recommended.
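As an added illustration of the monitoring recommended above (not SOC Prime's rule logic or the detection content referenced on this page), the following Python evaluates constructed DNS-query events of the kind a Sysmon Event ID 22 record carries and flags dead-drop platform and dynamic DNS lookups issued by script hosts or by processes outside an assumed baseline. The domain list, process baseline and sample events are assumptions.

```python
# Added illustration over constructed DNS-query events (Sysmon Event ID 22 style); not SOC Prime's rule. Lists are assumptions.
DEAD_DROP_DOMAINS = {
    "api.telegram.org": "telegram",
    "content.dropboxapi.com": "dropbox",
    "pastebin.com": "paste",
}
DYNAMIC_DNS_SUFFIXES = ("duckdns.org", "ddns.net")
# Processes for which these platforms are expected destinations (constructed baseline).
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe"}
EXPECTED_CLIENTS = {
    "telegram": BROWSERS | {"telegram.exe"},
    "dropbox": BROWSERS | {"dropbox.exe"},
    "paste": BROWSERS,
}
# Script hosts used by the HTA/VBScript/PowerShell stages described on this page.
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}

def classify(query):
    """Map a queried name to a dead-drop category, 'dyndns', or None."""
    q = query.lower().rstrip(".")
    for dom, cat in DEAD_DROP_DOMAINS.items():
        if q == dom or q.endswith("." + dom):
            return cat
    if any(q == s or q.endswith("." + s) for s in DYNAMIC_DNS_SUFFIXES):
        return "dyndns"
    return None

def evaluate(events):
    """events: (image_path, query) pairs. Returns (process, query, reason) hits."""
    hits = []
    for image, query in events:
        cat = classify(query)
        if cat is None:
            continue
        proc = image.replace("\\", "/").rsplit("/", 1)[-1].lower()
        if cat == "dyndns":
            hits.append((proc, query, "dynamic DNS resolution"))
        elif proc in SCRIPT_HOSTS:
            hits.append((proc, query, cat + " reached from script host"))
        elif proc not in EXPECTED_CLIENTS[cat]:
            hits.append((proc, query, cat + " reached from unexpected process"))
    return hits

SAMPLE_EVENTS = [  # constructed sample telemetry
    (r"C:\Program Files\Google\Chrome\Application\chrome.exe", "api.telegram.org"),
    (r"C:\Windows\System32\mshta.exe", "api.telegram.org"),
    (r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe", "content.dropboxapi.com"),
    (r"C:\Users\user\AppData\Local\Temp\svc.exe", "node1.ddns.net"),
    (r"C:\Windows\System32\svchost.exe", "example.com"),
]
```

Browser traffic to the same platforms is deliberately left silent, which is why the process context, not the domain alone, carries the signal.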

Response

If Gamaredon activity is detected, affected systems should be isolated immediately to prevent further movement through weaponized USB devices or network shares. Investigators should conduct a full review of any unauthorized access to cloud storage accounts. Telemetry should also be checked for connections to known tunnel and worker services associated with the group.

Attack Flow

  • Initial Access: T1566.001 – Phishing: Spearphishing Attachment and T1566.002 – Phishing: Spearphishing Link, using SVG smuggling to deliver HTA downloaders
  • Execution: T1218.005 – System Binary Proxy Execution: Mshta and T1204.002 – User Execution: Malicious File via a WinRAR vulnerability (CVE-2025-8088)
  • Persistence & Privilege Escalation: T1068 – Exploitation for Privilege Escalation and T1548.004 – Abuse Elevation Control Mechanism via Startup folder placement
  • Command and Control: T1578 – Modify Cloud Compute Infrastructure and T1102.001 – Web Service: Dead Drop Resolver using Telegram, Dropbox, and paste services
    Detected by: Possible Telegram Abuse As Command And Control Channel (via dns_query), Rule ID 522ef400-eefb-4924-bfcf-6f5f25b56008
  • Collection & Exfiltration: T1530 – Data from Cloud Storage and T1567.002 – Exfiltration Over Web Service using PteroPSDoor/PteroVDoor to S3-compatible providers

Each stage leads to or enables the next in the order listed; the Command and Control stage is the one covered by the detection rule.

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.

  • Attack Narrative & Commands: The adversary aims to establish a foothold by downloading a secondary stage payload. To avoid detection by basic signature-based tools, they typically use specific downloader modules. In this simulation, we will first execute the “detectable” version to confirm the rule works, and then execute an “obfuscated” version to demonstrate the rule’s weakness. The goal is to simulate the execution of the PteroDee module which fetches C2 instructions from a cloud-hosted file.

  • Regression Test Script:

    # --- PART 1: SUCCESSFUL DETECTION (The "Loud" Attack) ---
    # The child process command line carries the literal string 'PteroDee'.
    # No network connection is made, so only command-line telemetry is exercised.
    Write-Host "[+] Executing detectable command..."
    powershell.exe -ExecutionPolicy Bypass -Command "& {Write-Host 'Initializing PteroDee downloader...'; Start-Sleep -s 2}"
    
    # --- PART 2: EVASION TEST (The "Stealthy" Attack) ---
    # This demonstrates how an adversary bypasses the rule using string concatenation:
    # $part1 and $part2 are expanded in this session, so the child's command line
    # carries 'Ptero' + 'Dee' rather than the contiguous keyword. The concatenation is
    # parenthesised so Write-Host prints the joined string instead of the raw tokens.
    Write-Host "[+] Executing obfuscated command (Evasion)..."
    $part1 = "Ptero"
    $part2 = "Dee"
    $cmd = "& {Write-Host ('Initializing ' + '$part1' + '$part2' + ' downloader...'); Start-Sleep -s 2}"
    powershell.exe -ExecutionPolicy Bypass -Command $cmd
    
    Write-Host "[+] Simulation Complete."
  • Cleanup Commands:

    # No permanent changes made to the system. 
    # Simply clear the PowerShell history for the current session.
    Clear-History
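The evasion in Part 2 succeeds because a keyword match runs against the raw command line, where the concatenation keeps 'Ptero' and 'Dee' apart. As an added example, not part of the original page or of the referenced rule, the Python below normalizes PowerShell string concatenation and backtick escapes before matching so the split keyword reassembles; the two sample command lines are constructed approximations of what the script stages leave in process-creation telemetry, and the keyword list is an assumption.

```python
import re

# Constructed keyword list; the referenced rule's own terms are not reproduced here.
KEYWORDS = ("pterodee",)

# 'a' + 'b' or "a" + "b" (mixed quotes too) -> 'ab'. Literals containing the other
# quote character, -f formatting and -join are not handled; they need their own logic.
CONCAT = re.compile(r"""(['"])([^'"]*)\1\s*\+\s*(['"])([^'"]*)\3""")

def normalize(cmdline):
    """Strip backtick escapes and collapse string concatenation until stable."""
    text = cmdline.replace("`", "")
    while True:
        collapsed = CONCAT.sub(lambda m: "'" + m.group(2) + m.group(4) + "'", text)
        if collapsed == text:
            return text
        text = collapsed

def keyword_hit(cmdline, normalize_first=True):
    """True when a keyword appears in the (optionally normalized) command line."""
    text = normalize(cmdline) if normalize_first else cmdline
    return any(k in text.lower() for k in KEYWORDS)

# Constructed approximations of the command lines the two script stages produce.
LOUD = ('powershell.exe -ExecutionPolicy Bypass -Command "& {Write-Host '
        "'Initializing PteroDee downloader...'; Start-Sleep -s 2}\"")
STEALTHY = ('powershell.exe -ExecutionPolicy Bypass -Command "& {Write-Host ('
            "'Initializing ' + 'Ptero' + 'Dee' + ' downloader...'); Start-Sleep -s 2}\"")

def compare():
    """Raw vs normalized matching for both stages -> dict of booleans."""
    return {
        "loud_raw": keyword_hit(LOUD, normalize_first=False),
        "loud_normalized": keyword_hit(LOUD),
        "stealthy_raw": keyword_hit(STEALTHY, normalize_first=False),
        "stealthy_normalized": keyword_hit(STEALTHY),
    }

if __name__ == "__main__":
    print(compare())
```

Normalizing in the detection pipeline closes only this concatenation trick; the regression test above is the place to add the next variant an analyst expects to meet.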