Gamaredon Group: A Persistent Russian Espionage Threat


Gamaredon APT Profile – A persistent Russia-backed cyber threat since 2013

Introduction

Gamaredon Group, also known as Shuckworm, Primitive Bear, Trident Ursa or Aqua Blizzard, is one of the most active Russia-aligned advanced persistent threat (APT) actors. Gamaredon has been active since at least 2013, and there is clear and consistent attribution to the Russian Federal Security Service (FSB). Gamaredon has primarily conducted espionage operations against Ukraine, but there is growing evidence that it is also expanding its operations against NATO members and partners. Against the backdrop of the Russia-Ukraine conflict, Gamaredon represents a high-risk threat moving into 2025, and the group continues to evolve toward more complex, long-term campaigns.

Identity and Motivation

Gamaredon is a Russia-aligned APT group conducting military and political operations consistent with the strategic objectives of Moscow. Its primary motivation is military and political espionage, mainly in relation to the Russia-Ukraine conflict. Gamaredon has no shortage of motivations: it seeks to collect information about military, government and defence targets, and it also seeks information from NATO members and other Western alliances. The persistence of this APT underscores its role as an intelligence arm furthering Russia’s geopolitical ambitions.

Aliases include: Shuckworm, IRON TILDEN, BlueAlpha, Blue Otso, Primitive Bear, Trident Ursa, Actinium, Aqua Blizzard, DEV-0157, UAC-0010, G0047, and Winterflounder.

Tactics, Techniques and Procedures (TTPs)

Gamaredon’s campaigns are often considered opportunistic, fast, and sometimes noisy. While they have not historically been as sophisticated and stealthy as other Russian APTs, Gamaredon has improved in speed and obfuscation over time.

Techniques: Utilizes PowerShell, fileless methods, fast deployment cycles, and lateral movement through stolen credentials.

Initial Access: Spear-phishing emails with malicious attachments or hyperlinks. The group also occasionally exploits unpatched or dated vulnerabilities in public-facing applications.

Persistence: The group establishes persistence through registry entries, scheduled tasks, and custom backdoors.

Command & Control (C2): Utilizes custom malware families while maintaining rotating infrastructure. HTTP-based C2 servers with rotating domains are common.

Malware & Tools: Some notable malware includes Pterodo, PowerPunch, custom downloaders, malicious VBS and BAT scripts, and remote access tools.

Notable Operations

  • 2013–2018: Gamaredon focused on Ukrainian government institutions and used crude spear-phishing campaigns.

  • 2019–2021: Gamaredon moved towards more sophisticated malware, such as Pterodo. The operation’s focus expanded to include phishing against Ukrainian military and diplomatic networks.

  • 2022: With Russia’s full-scale invasion of Ukraine, the group escalated their espionage and phishing campaigns to support the invasion.

  • 2023: The group retained strong interest in Ukraine while opening additional targeting against NATO and European allies.

  • 2024–2025: Gamaredon’s operational landscape remains solidly aimed at Ukrainian and NATO-related entities, while also increasing complexity and obfuscation and diversifying their malware toolsets.

Recent Developments

The Gamaredon group is still demonstrating prolific levels of activity through 2025. Reports from ESET and other cybersecurity vendors indicate that spear-phishing campaigns are still being conducted, and the threat actors are still distributing updated variants of their malware toolset. While still not the most sophisticated among Russian APT groups, Gamaredon’s persistent disruptiveness, quick operational tempo, and focus on Ukraine should not be underestimated.

Beyond its established government and military targets, the group is increasingly targeting NGOs, media outlets, and critical infrastructure providers, some of which it has attacked before. This expansion of targets indicates Moscow’s intent to surveil and disrupt pro-Ukraine support networks and information ecosystems, reaching organizations that are not strictly military in nature.

Conclusion

The Gamaredon Group demonstrates the endurance and flexible approach of Russian cyber-espionage capabilities. Gamaredon may not be seen as sophisticated compared with some of its peers (such as Sandworm); however, its volume, pace of activity, and purpose align with a consistent agenda serving Russian geopolitical goals, which is why Gamaredon is a valuable asset to Moscow and an adversary defenders cannot ignore. Defenders should be on alert for Gamaredon’s spear-phishing operations, as well as its ever-developing malware and its expansion beyond opportunistic targeting of Ukraine.

Defensive Takeaways

– Enhance phishing defenses and employee education

– Watch for anomalous PowerShell activity and scheduled tasks

– Maintain continued patch management to limit exploitability

– Monitor new rotating domains and potential malware indicators related to Gamaredon’s campaigns
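The TTPs listed above (PowerShell, scheduled tasks, registry entries, VBS/BAT scripts) map directly onto the "watch for PowerShell and scheduled tasks" takeaway. The following is an added example, not code from the original post or from any vendor report, showing how a defender might encode those takeaways as detection rules over a constructed set of Windows-style events (Security 4698 scheduled-task creation, PowerShell 4104 script blocks, Sysmon 13 registry writes); the event shapes, rule names and sample values are assumptions for illustration.

```python
import base64
import re

# Patterns behind the page's takeaways: script hosts launched from scheduled
# tasks, encoded or hidden PowerShell, and Run-key persistence pointing at scripts.
SCRIPT_HOSTS = re.compile(r"\b(wscript|cscript|powershell|pwsh|mshta|cmd)\.exe\b", re.I)
USER_WRITABLE = re.compile(r"\\(AppData|Temp|ProgramData|Public)\\", re.I)
SCRIPT_EXT = re.compile(r"\.(vbs|bat|cmd|ps1|hta)\b", re.I)
ENCODED_PS = re.compile(r"(?:^|\s)-(?:e|en|enc|encodedcommand)\b", re.I)
HIDDEN_PS = re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I)
RUN_KEY = re.compile(r"\\CurrentVersion\\Run(Once)?\\", re.I)

def classify(event):
    """Return the rule names an event triggers (empty list means no finding)."""
    hits = []
    eid = event.get("id")
    if eid == 4698:  # Security: scheduled task created; inspect its action
        action = f"{event.get('command', '')} {event.get('args', '')}"
        if SCRIPT_HOSTS.search(action) and (USER_WRITABLE.search(action) or SCRIPT_EXT.search(action)):
            hits.append("schtask_script_host_from_user_path")
    elif eid == 4104:  # PowerShell script block logging
        script = event.get("script", "")
        if ENCODED_PS.search(script):
            hits.append("powershell_encoded_command")
        if HIDDEN_PS.search(script):
            hits.append("powershell_hidden_window")
    elif eid == 13:  # Sysmon: registry value set
        details = event.get("details", "")
        if RUN_KEY.search(event.get("target", "")) and (SCRIPT_EXT.search(details) or USER_WRITABLE.search(details)):
            hits.append("run_key_points_to_script")
    return hits

def scan(events):
    """Run every rule over a list of events; returns (event_index, rule_name) pairs."""
    return [(i, h) for i, ev in enumerate(events) for h in classify(ev)]

# Constructed sample events (not real Gamaredon telemetry). The encoded
# PowerShell argument is a harmless "Start-Sleep 1" in UTF-16LE base64.
ENC = base64.b64encode("Start-Sleep 1".encode("utf-16le")).decode()
SAMPLE_EVENTS = [
    {"id": 4698, "task": r"\Updater", "command": r"C:\Windows\System32\wscript.exe",
     "args": r"//B C:\Users\alice\AppData\Local\Temp\upd.vbs"},
    {"id": 4698, "task": r"\Microsoft\Windows\Defrag\ScheduledDefrag",
     "command": r"C:\Windows\System32\defrag.exe", "args": "-c -h -k"},
    {"id": 4104, "script": "Get-Process | Where-Object {$_.CPU -gt 100}"},
    {"id": 4104, "script": f"powershell.exe -NoP -W Hidden -Enc {ENC}"},
    {"id": 13, "target": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\svc",
     "details": r"cmd.exe /c start /min C:\Users\alice\AppData\Roaming\svc.bat"},
]

if __name__ == "__main__":
    for idx, rule in scan(SAMPLE_EVENTS):
        print(f"event {idx}: {rule}")
```

The benign defrag task and the ordinary Get-Process pipeline produce no findings, while the wscript task, the hidden encoded PowerShell block and the Run-key write are each flagged.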

With tensions high and the threat landscape continuing to shift, Gamaredon will remain a reliable asset for intelligence operations serving Russian interests at least to the end of 2025.
