Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine

Summary:
Gamaredon (also tracked as Shuckworm), a Russian state-linked threat actor, has been attributed a cyber attack targeting a foreign military mission operating in Ukraine, with the goal of deploying an updated version of its GammaSteel information-stealing malware. According to Symantec’s Threat Hunter team, the campaign began on February 26, 2025; the initial infection is believed to have come through an infected removable drive, consistent with the group’s known tactic of using physical media for initial access.

The attackers initiated a multi-stage infection process by modifying system registry settings and triggering malicious scripts through legitimate Windows processes. Once inside, the malware established communication with command-and-control (C2) infrastructure using URLs hosted on legitimate platforms such as Telegram, Teletype, and Telegraph, an approach intended to make the malicious traffic blend in with normal activity and evade detection. The malware also spread by infecting any connected removable or network drives, creating deceptive shortcuts that automatically executed hidden malicious commands when opened.
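The removable-drive spreading described above relies on shortcut (.lnk) lures that launch a hidden command when opened. The following PowerShell hunt is an added example, not code from the Symantec or The Hacker News write-ups: it enumerates removable drives, reads every shortcut's target and arguments through the WScript.Shell COM object, and flags shortcuts whose target is a script host or whose arguments look like hidden or downloaded execution, then lists hidden items on the same drive. The script-host names, argument fragments and the hidden-file check are generic assumptions for this example, not indicators taken from the report.

```powershell
# Added example, not code from the Symantec or The Hacker News write-ups.
# Hunts removable drives for shortcut (.lnk) lures and hidden content.
# The script-host list and argument fragments are generic assumptions,
# not indicators taken from the report.

$ScriptHosts = @('cmd.exe', 'powershell.exe', 'pwsh.exe', 'mshta.exe',
                 'wscript.exe', 'cscript.exe', 'rundll32.exe', 'regsvr32.exe')
$SuspiciousArgs = @('-enc', 'encodedcommand', '-w hidden', 'windowstyle hidden',
                    'iex', 'invoke-expression', 'downloadstring', 'http',
                    'vbscript:', 'javascript:')

function Get-RemovableRoots {
    # Win32_LogicalDisk DriveType 2 = removable media (e.g. USB sticks)
    Get-CimInstance -ClassName Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { "$($_.DeviceID)\" }
}

function Test-ShortcutLure {
    param([Parameter(Mandatory)][string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    $lnk   = $shell.CreateShortcut($Path)      # loads the existing .lnk, does not create one
    $targetName = [System.IO.Path]::GetFileName($lnk.TargetPath).ToLowerInvariant()
    $argText    = [string]$lnk.Arguments
    $reasons = @()
    if ($ScriptHosts -contains $targetName) {
        $reasons += "target is script host $targetName"
    }
    foreach ($frag in $SuspiciousArgs) {
        if ($argText.ToLowerInvariant().Contains($frag)) {
            $reasons += "arguments contain '$frag'"
            break
        }
    }
    # WindowStyle 7 = minimised without focus, a common way to keep the console out of sight
    if ($lnk.WindowStyle -eq 7) { $reasons += 'window style 7 (minimised, no focus)' }
    [PSCustomObject]@{
        Path       = $Path
        Target     = $lnk.TargetPath
        Arguments  = $argText
        Suspicious = ($reasons.Count -gt 0)
        Reasons    = ($reasons -join '; ')
    }
}

foreach ($root in Get-RemovableRoots) {
    Write-Host "== Scanning $root =="
    # Shortcuts anywhere on the drive, including hidden ones (-Force)
    Get-ChildItem -Path $root -Filter '*.lnk' -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object { Test-ShortcutLure -Path $_.FullName } |
        Where-Object Suspicious |
        Format-Table Path, Target, Arguments, Reasons -AutoSize -Wrap

    # Hidden files or folders sitting beside the shortcuts are a second signal
    Get-ChildItem -Path $root -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        Select-Object FullName, Attributes, LastWriteTime
}
```

Run it from an elevated PowerShell session on a host where a suspect drive is mounted; the COM shortcut reader only parses the .lnk metadata and does not execute its target. Matches should be treated as leads for triage rather than verdicts, since legitimate installers also ship shortcuts that call cmd.exe or rundll32.exe.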

By March 1, the malware began actively contacting its C2 servers, exfiltrating system metadata and receiving encoded payloads that delivered a more obfuscated version of the same script. This version reached out to hardcoded infrastructure to download two additional PowerShell components. The first was a reconnaissance tool that could capture screenshots, gather system information, detect installed security software, and enumerate files and processes. The second component was an enhanced version of GammaSteel, capable of selectively exfiltrating files from the Desktop and Documents folders based on an extension allowlist.
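Because the C2 check-ins described above go to well-known publishing platforms, domain blocklists alone will not separate them from legitimate use. One defensive angle is to correlate the destination with the requesting process or user agent in web-proxy logs. The PowerShell function below is an added example, not code from the write-ups: it runs over a constructed sample log, treats requests to the platforms named in the report as suspicious only when they originate from a script host or carry a PowerShell user agent, and returns the matching rows. The domain list, process list, log layout and sample lines are assumptions for this example.

```powershell
# Added example, not code from the write-ups. Flags web-proxy requests to the
# legitimate publishing platforms named in the report (Telegram, Teletype,
# Telegraph) when the requesting process is a script host rather than a browser.
# The domain list, process list and log layout are assumptions for this example.

$WatchDomains  = @('telegram.org', 't.me', 'telegra.ph', 'teletype.in')
$ScriptClients = @('powershell.exe', 'pwsh.exe', 'mshta.exe', 'wscript.exe',
                   'cscript.exe', 'rundll32.exe')

# Constructed sample log (not real telemetry):
# timestamp user src-ip dest-host process user-agent
$SampleLog = @'
2025-03-01T08:12:04Z alice 10.20.1.15 www.example.org chrome.exe Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2025-03-01T08:12:09Z alice 10.20.1.15 telegra.ph powershell.exe Mozilla/5.0 (Windows NT; Windows NT 10.0; en-US) WindowsPowerShell/5.1.19041.4046
2025-03-01T08:13:41Z bob 10.20.1.22 t.me chrome.exe Mozilla/5.0 (Windows NT 10.0) Chrome/120.0
2025-03-01T08:15:02Z alice 10.20.1.15 teletype.in mshta.exe Mozilla/4.0 (compatible; MSIE 7.0; Windows NT 10.0)
'@

function Test-WatchedDomain {
    # True when the host is one of the watched domains or a subdomain of one
    param([string]$HostName)
    $h = $HostName.ToLowerInvariant()
    foreach ($d in $WatchDomains) {
        if ($h -eq $d -or $h.EndsWith(".$d")) { return $true }
    }
    return $false
}

function Find-ScriptHostRequests {
    param([string[]]$LogLines)
    foreach ($line in $LogLines) {
        if ([string]::IsNullOrWhiteSpace($line)) { continue }
        $f = $line -split ' ', 6          # split into 6 fields; the UA keeps its spaces
        if ($f.Count -lt 6) { continue }  # malformed line, skip
        $proc = $f[4].ToLowerInvariant()
        $ua   = $f[5]
        # Script host as the client, or a PowerShell user agent, is the signal
        $scripted = ($ScriptClients -contains $proc) -or ($ua -match 'WindowsPowerShell')
        if ((Test-WatchedDomain -HostName $f[3]) -and $scripted) {
            [PSCustomObject]@{
                Time      = $f[0]
                User      = $f[1]
                SourceIP  = $f[2]
                Host      = $f[3]
                Process   = $f[4]
                UserAgent = $ua
            }
        }
    }
}

Find-ScriptHostRequests -LogLines ($SampleLog -split "`r?`n") | Format-Table -AutoSize -Wrap
```

On the sample above, only the telegra.ph request from powershell.exe and the teletype.in request from mshta.exe are returned; the t.me visit from a browser is left alone, which is the point of keying on the client rather than the destination. In a real deployment the process column comes from an endpoint agent or proxy that records the originating executable; where only the user agent is available, the `WindowsPowerShell` match still catches the default PowerShell web client.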


Security Officer Comments:
Symantec assessed this campaign as evidence of Gamaredon’s evolving sophistication. While traditionally viewed as a lower-tier actor compared to other Russian advanced persistent threats, the group appears to be compensating through persistence, frequent code modifications, the addition of obfuscation layers, and the use of widely trusted web services to mask activity. This operation underscores Gamaredon’s continued focus on Ukrainian targets and its growing capability to conduct stealthy, data-focused cyber operations against high-value entities.
Suggested Corrections:
IOCs:
https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel

Defense-in-depth strategy: A comprehensive defense-in-depth strategy is crucial to combat APTs. This includes implementing multiple layers of security controls, such as strong perimeter defenses, network segmentation, endpoint protection, intrusion detection systems, data encryption, access controls, and continuous monitoring for anomalies.


Threat intelligence and sharing: Ideally, organizations should actively participate in threat intelligence sharing communities and collaborate with industry peers, government agencies, and security vendors. Sharing information about APTs and their techniques can help detect and mitigate attacks more effectively.


Employee education and awareness: Regular security awareness programs, phishing simulations, and training sessions can educate employees about the latest threats, social engineering techniques, and safe computing practices.


Incident response and recovery: Regardless of preventive measures, organizations should have a well-defined incident response plan. This includes incident detection, containment, eradication, and recovery procedures to minimize the impact of APT attacks and restore normal operations.


Link(s):
https://thehackernews.com/2025/04/gamaredon-uses-infected-removable.html

https://www.security.com/threat-intelligence/shuckworm-ukraine-gammasteel