惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

IT之家
IT之家
C
CXSECURITY Database RSS Feed - CXSecurity.com
V
Visual Studio Blog
D
Darknet – Hacking Tools, Hacker News & Cyber Security
小众软件
小众软件
L
LangChain Blog
Cyberwarzone
Cyberwarzone
美团技术团队
The Register - Security
The Register - Security
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
V2EX
Security Archives - TechRepublic
Security Archives - TechRepublic
Hacker News: Ask HN
Hacker News: Ask HN
L
LINUX DO - 最新话题
Recent Announcements
Recent Announcements
H
Hackread – Cybersecurity News, Data Breaches, AI and More
酷 壳 – CoolShell
酷 壳 – CoolShell
freeCodeCamp Programming Tutorials: Python, JavaScript, Git & More
aimingoo的专栏
aimingoo的专栏
人人都是产品经理
人人都是产品经理
F
Full Disclosure
V2EX - 技术
V2EX - 技术
The Cloudflare Blog
博客园 - 叶小钗
T
Threat Research - Cisco Blogs
阮一峰的网络日志
阮一峰的网络日志
G
GRAHAM CLULEY
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Latest news
Latest news
S
Security @ Cisco Blogs
Spread Privacy
Spread Privacy
Project Zero
Project Zero
K
Kaspersky official blog
MyScale Blog
MyScale Blog
Attack and Defense Labs
Attack and Defense Labs
云风的 BLOG
云风的 BLOG
博客园 - 【当耐特】
Hacker News - Newest:
Hacker News - Newest: "LLM"
大猫的无限游戏
大猫的无限游戏
P
Privacy International News Feed
Google DeepMind News
Google DeepMind News
WordPress大学
WordPress大学
C
Cybersecurity and Infrastructure Security Agency CISA
Webroot Blog
Webroot Blog
罗磊的独立博客
Vercel News
Vercel News
N
News and Events Feed by Topic
A
Arctic Wolf
C
CERT Recently Published Vulnerability Notes

RSS

Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Events and conferences Vietnam-aligned OceanLotus pivots to spy on domestic targets as it takes a more selective approach abroad, ESET Research finds Canon Canada Partners with ESET to Expand Cybersecurity Services ESET releases 2026 SMB Cyber Readiness Index showing growing confidence but also concerns about AI ESET has been named the only Challenger in the 2026 Gartner® Magic Quadrant™ for Endpoint Protection ESET Research APT Report: China-aligned groups spy in Venezuela and the Gulf, target AI robotics in S. Korea Events and conferences ESET uncovers the expanded arsenal of China-aligned Webworm; European governments targeted ESET reaffirms its global market presence with new European and Asian offices ESET supercharges AI innovation with investment to address rapidly expanding attack surface ESET joins the Agentic AI Foundation to help shape safe, human‑led agentic AI ESET’s Tony Anscombe to Co-Chair NetDiligence Cyber Risk Summit Belarus-aligned FrostyNeighbor attacks Ukrainian government, again — ESET Research discovers ESET Research uncovers CallPhantom scam on Google Play: Fake logs for real money North Korea-aligned APT group ScarCruft compromises gaming platform in supply‑chain espionage attack, ESET Research finds ESET Research discovers new China-aligned group, GopherWhisper: It abuses messaging services Discord, Slack, and Outlook to spy ESET Research: New NGate hides in NFC payment app, possibly built with AI ESET finds that SMBs currently leverage cyber insurance to arm against attacks, report incidents and improve resilience ESET previews new AI security features to secure chatbot communications and AI workflows ESET wins four Global InfoSec Awards at RSAC 2026 ESET receives Intel vPro Certified App status – Delivering performance benefits for business customers while advancing threat detection capability ESET launches Cloud Workload Protection and AI enhancements for ESET PROTECT customers ESET presents six sessions at RSAC 2026 to advance cyber resilience ESET Research: A deep dive into EDR killers - a cornerstone of modern ransomware operations ESET sets new integration with Lumu ESET Endpoint Security for Windows v12 achieves Common Criteria certification ESET PRIVATE showcases custom security solutions at RSAC 2026 ESET launches eCrime reports ESET Research: One of Russia’s most notorious groups, Sednit, resurges with spyware in Ukraine ESET Opens 2026 Women in Cybersecurity Scholarship Applications CRN Honors ESET on Security 100 List for MDR and AI Innovations ESET’s Ryan Grant Named a 2026 CRN Channel Chief ESET Research discovers PromptSpy, the first Android threat to use generative AI ESET Named Finalist for Best Security Company in Expert Insights Awards 2026 ESET’s Tony Anscombe to Speak at NetDiligence Cyber Risk Summit Russian Sandworm group attacks energy company in Poland with DynoWiper, ESET Research discovers Fake dating app used as lure in spyware campaign targeting Pakistan, ESET Research discovers ESET is a Customers’ Choice for Endpoint Protection according to Gartner® Peer Insights™ ESET Research analyzed a critical flaw in Windows Imaging Component, which abuses JPG files ESET Wins CRN’s 2025 Gender Parity Award New Chinese group LongNosedGoblin deploys cyberespionage tools in Southeast Asia and Japan, ESET Research discovers ESET Threat Report: AI-driven attacks on the rise; NFC threats increase and evolve in sophistication Iran’s MuddyWater targets critical infrastructure in Israel and Egypt, masquerades as Snake game – ESET Research discovers ESET Research: Chinese PlushDaemon group compromises network devices for adversary-in-the-middle attacks ESET Research APT Report: Russian attacks surge in Ukraine and Europe; Chinese groups target Latin American governments ESET named a Leader in IDC MarketScape for Consumer Digital Life Protection North Korean Lazarus group targets the drone sector in Europe, likely for espionage, ESET Research discovers ESET Research discovers new spyware posing as messaging apps targeting users in the UAE ESET Enhances Free Cybersecurity Awareness Training + CSAM Resources ESET Research’s deep dive into DeceptiveDevelopment, North Korean crypto theft via fake job offers ESET Research: Russian FSB-linked Gamaredon and Turla team up to target high-profile Ukrainian entities SDSU Athletics x ESET: Proud Partnership for Student-Athlete Success ESET Research discovers UEFI-compatible HybridPetya ransomware capable of Secure Boot bypass ESET at MSP Summit 2025: Field CISO Keynote + XDR Partner Events ESET Named a Strong Performer in Independent Evaluation of MDR Services in Europe ESET Research discovers new Chinese threat group: GhostRedirector manipulates Google, poisons Windows servers with backdoors ESET discovers PromptLock, the first AI-powered ransomware" on page ESET Research: Russian RomCom group exploits new vulnerability, targets companies in Europe and Canada ESET PROTECT Elite is a Security Winner of the 2025 CRN Tech Innovators ESET has strengthened its position in the 2025 Gartner® Magic Quadrant™ for Endpoint Protection Platforms ESET Research uncovers variants of AsyncRAT, popular choice of cybercriminals Meet the 2025 Women in Cybersecurity Scholarship Winners ESET Named a 2025 Gartner® Peer Insights™ Customers’ Choice for Endpoint Protection ESET Named a Notable Provider in latest European MDR Landscape Report ESET Wins 2025 SC Award for Ransomware Remediation ESET Research discovers the first UEFI bootkit for Linux ESET Research discovers Mozilla and Windows zero day & zero click vulnerabilities exploited by Russia-aligned RomCom APT group ESET Research discovers WolfsBane, new Linux cyberespionage backdoor by China-aligned Gelsemium Days after takedown, ESET Research releases analysis of RedLine Stealer infostealer empire ESET releases latest APT report: China-aligned groups expand targeting; Iran advances diplomatic espionage ESET Research discovers new China-aligned APT group CeranaKeeper, which targeted the Thai government ESET Threat Report: Infostealers using AI & banking malware creating deepfake videos to steal money ESET Research: Ebury botnet alive & growing; 400k Linux servers compromised for cryptocurrency theft and financial gain ESET Research releases latest APT Activity Report, highlighting cyber warfare of Russia-, China-, and Iran-aligned groups ESET Research joins global operation to disrupt the Grandoreiro banking trojan operating in Latin America and Spain Iran-linked OilRig attacks Israeli organizations with cloud service-powered downloaders, ESET Research discovers ESET Research: Official Python repository served cyberespionage backdoor, gathered 10,000+ downloads Predatory SpyLoan apps — loan sharks expand their range to Android, ESET Research finds ESET Research dives into the onboarding and scamming processes of Telekopye online fraudsters ESET Research: Android malware Kamran spying via news app on residents of the disputed Kashmir region ESET Research: Infamous IoT botnet Mozi taken down via a kill switch ESET APT Activity Report: China-aligned groups campaign against EU targets; prime target of Russia-aligned groups remains Ukraine ESET Research announces comprehensive report on Latin America’s threat landscape titled ‘Looking into TUT’s tomb: The universe of threats in LATAM’ ESET Research discovers Operation Jacana, targeting governmental entity in Guyana, likely by Chinese threat group ESET Research: North Korea-linked Lazarus impersonates Meta on LinkedIn to attack an aerospace company in Spain ESET and Calgary Flames Sign Multi-Year Partnership ESET Celebrates 10 Years in Montreal ESET Business Bundles Launch on Ingram Micro Cloud Marketplace
ESET Research investigates Russian-aligned Gamaredon group – new toolset, alliances, and a reliance on legitimate services
2026-06-25 · via RSS
  • Throughout 2025, the Russia-aligned Gamaredon threat group exclusively targeted governmental and military institutions in Ukraine.
  • Gamaredon operators developed and deployed six new malicious PowerShell tools, which we analyze in our white paper.
  • Its file stealers were upgraded to support exfiltration to cloud storage services (Wasabi, Tebi, and Intercolo), which became the primary exfiltration method.
  • ESET also documented abuse of multiple legitimate messaging, social media, blogging, and paste services as dead drops for resolving C&C servers and distributing payloads.

BRATISLAVAJune 25, 2026 — ESET Research released its latest report on Gamaredon, a Russia-aligned threat actor, and its activity during 2025. The paper analyzes new tools added to its arsenal, significant shifts in how it protects its network infrastructure, and its growing use of legitimate third-party services to hide both command and control (C&C) information and stolen data. Throughout 2025, Gamaredon stayed highly active and remained focused solely on Ukraine. The group’s ultimate goal continues to be the exfiltration of sensitive information and other critical data that could be exploited to support Russian interests in the ongoing war in Ukraine. Gamaredon’s activities appear to be closely aligned with Russia’s geopolitical objectives, targeting Ukrainian governmental and military institutions to gain an intelligence advantage. 

“While the group took a short operational break in January 2025, Gamaredon spent much of its effort in the first half of that year developing and deploying new tools. ESET observed that many updates were made in the lead-up to major holidays in Russia and Crimea. Notably, no updates were observed during or immediately after these holidays, further suggesting that Gamaredon operators are probably government-affiliated employees,” said ESET researcher Zoltán Rusnák, who investigates Gamaredon. The group is attributed by the Security Service of Ukraine to the 18th Center of Information Security of Russia’s FSB and is believed to operate out of occupied Crimea.  

In early 2025, Gamaredon collaborated with Turla, another Russia-aligned threat actor. This cooperation underscores the potential for coordinated cyberespionage campaigns among Russia-aligned groups, likely to amplify their operational impact. In the past, Gamaredon also collaborated with a threat actor that ESET discovered and named InvisiMole. More broadly, 2025 also provided another example of cooperation and task sharing among Russia-aligned actors: ESET observed the Russia-aligned UAC-0099 group conducting initial access operations and subsequently transferring validated targets to Sandworm for follow-up activity. 

In the second half of the year, Gamaredon shifted more toward larger and more frequent spear phishing campaigns. What changed most noticeably was the tempo. The group was much more active in the second half of the year, when campaigns became both more frequent and larger in scale. Beyond spear phishing, Gamaredon also continued using custom weaponizers for lateral movement. These tools weaponize USB drives, mapped network drives, and even software installers, helping the group spread within or across organizations after the initial compromise.

Gamaredon introduced six new tools in 2025, all written in PowerShell: PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. The standout among the new tools is PteroPaste, which is considerably more complex than the others. It combines a downloader, a USB weaponizer, and a runner component used for persistence and orchestration. Additionally, it resurrected an old VBScript weaponizer – PteroSetup, which first appeared in 2021.

Additionally, Gamaredon operators sought new ways to protect their network infrastructure, with their C&C servers now hidden behind various third-party services such as tunnels, workers, DDNS (dynamic DNS), and PaaS (platform as a service).

One of the most important aspects of Gamaredon’s 2025 operations was its heavy use of so-called dead-drop services. The term comes from traditional espionage – instead of meeting directly, one operative leaves information in a public or hidden location and another retrieves it later. Online, the principle is similar. Rather than embedding the real malicious server directly in malware, operators place that information on a legitimate website or platform, and the malware retrieves it from there. This means that the malware may first contact a public page on a legitimate service, read a hidden or staged value from it, and only then connect to the actual C&C server. In 2025, Gamaredon abused numerous services in this way: Telegram channels, Dropbox, social networks DEV Community, Mastodon, and others.

The other major infrastructure shift ESET observed was on the data-exfiltration side. Gamaredon upgraded two of its flagship file stealers, PteroPSDoor and PteroVDoor, to upload stolen files to S3-compatible cloud storage services – providers that support the Amazon S3 API ((Wasabi, Tebi, and Intercolo), allowing the same tools and code to work across different storage vendors.  At the same time, PteroBox continued to upload files to Dropbox.

Uploading stolen files to cloud storage reduces the need for Gamaredon to maintain its own infrastructure for receiving large amounts of stolen data. It also helps malicious traffic blend in with access to legitimate storage providers. Essentially, Gamaredon increasingly uses third-party services not only to hide where instructions come from, but also to hide where stolen data goes.

For more details about Gamaredon and its activity in 2025, check out the ESET Research blogpost and white paper “Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances,” on WeLiveSecurity.com. Make sure to follow ESET Research on Twitter (today known as X), BlueSky, and Mastodon for the latest news from ESET Research.

Unique Gamaredon spear phishing samples seen per month

About ESET

ESET® provides cutting-edge cybersecurity to prevent attacks before they happen. By combining the power of AI and human expertise, ESET stays ahead of emerging global cyberthreats, both known and unknown—securing businesses, critical infrastructure, and individuals. Whether it’s endpoint, cloud, or mobile protection, our AI-native, cloud-first solutions and services remain highly effective and easy to use. ESET technology includes robust detection and response, ultra-secure encryption, and multifactor authentication. With 24/7 real-time defense and strong local support, we keep users safe and businesses running without interruption. The ever-evolving digital landscape demands a progressive approach to security: ESET is committed to world-class research and powerful threat intelligence, backed by R&D centers and a strong global partner network. For more information, visit www.eset.com or follow our social media, podcasts, and blogs.