OldGremlin: A Stealthy Russian-Speaking Ransomware and Espionage Threat Group Evolving Into a Precision Striking APT

DECEMBER 29, 2025

Introduction

Introduction

OldGremlin is one of the less well-known but more dangerous Russian-speaking criminal organizations to emerge in the last few years. The criminal organization’s activity has been tracked back to at least 2020, and it has achieved a high level of operational discipline as well as a reputation in some quarters for the extended dwell time of their malware on compromised computer networks and systems and a “strategic approach” to infiltrating corporate environments. OldGremlin’s attack methodology differs from most other ransomware groups in that it is a low-volume, very high-impact group that typically take months to execute their operational plans. The way that OldGremlin combines traditional advanced persistent threat (APT) tactics (reconnaissance stage, credential collection, lateral movement) with a very refined method of extorting ransom payments as a result of their infiltration and unauthorized access to corporate networks gives them an opportunity to be a hybrid organization, straddling the line between large-scale cybercriminal operations and APTs (Advanced Persistent Threat).

While their motives are primarily financial, the level of sophistication and planning of OldGremlin’s operational plans place them on par with nation-state units. You can tell that the level of maturity of OldGremlin’s operational environment continues to evolve through 2024-2025 due to the detailed method that they utilize when creating their phishing emails and the amount of effort that they have put into creating their customized toolsets.

OldGremlin APT group profile highlighting threat assessment, motivation, targets, and active timeline
OldGremlin operates as a high-risk hybrid threat combining ransomware and espionage techniques.

Identity & Motivation

OldGremlin has gained a reputation for being an organized cybercriminal group operating out of Russia that employs complex systems of operation and its own custom-built malware families.

OldGremlin is also indicative of the move towards APT-like practices by Russian eCrime syndicine.

Attribution: Russian-speaking attributes, financially motivated, no confirmed links to government; however, practices similar in nature to nation-states.

Active Since: The first campaigns attributed to OldGremlin were identified in early 2020, and have continued through 2025.

Aliases: There are no aliases associated with OldGremlin; however, OldGremlin uses distinct signatures in their various campaign activities.

Motivation: The most significant motivation for OldGremlin is to obtain financial rewards through double-extortion ransomware.

Additionally, OldGremlin seeks to steal confidential information, maintain access to valuable long-term networks, and to sell such access to their on-going affiliate network.

OldGremlin’s operations are based on deep reconnaissance of potential victims prior to activating the encryption, thereby maximizing the ability to use the extortion for maximum damage.

Tactics, Techniques, and Procedures (TTPs)

The different ways OldGremlin uses to hack are a lot more sophisticated than normal ransomware groups.

Initial Access

  • Spear‑phishing emails in Russian, Spanish, or English that are targeted at specific people.t.
  • Fake financial institutions and vendors in the supply chain, including local news media.
  • Documents that contain malicious code that can be executed through the use of macros or trojanized attachments.
  • Theft of VPN and Remote Desktop Protocol (RDP) credentials are also occasionally used to bypass perimeter defense measures.

Execution

  • Installation of OldGremlin’s custom backdoor applications, called TinyNode, TinyShell, and custom implants, on compromised computers.
  • The use of custom-built PowerShell frameworks to assist with automated reconnaissance on compromised environments.
  • The payment of the ransom only occurs after the OldGremlin hackers have mapped out the entire targeted eCommerce business for several weeks.

Persistence

  • Establishment of multiple redundant footholds using:
    • Scheduled tasks
      Registry run keys
      Web shells
    • Compromised VPN sessions

Command & Control (C2)

  • Encrypted communications tunneled through:
    • Cloud providers
      Compromised corporate hosts
    • Proxy networks

OldGremlin’s callback behavior is low volume and is intentionally intermittent.

Lateral Movement

  • Abuse of legitimate administrative tools (LOLbins).
  • Internal RDP pivoting.
  • Credential harvesting with Mimikatz and custom tooling.
  • Discovery of backup servers and domain controllers for maximum impact.

Data Exfiltration & Ransomware Deployment

  • Selective exfiltration of high‑value business data.
  • Deployment of tailored ransomware variants compiled per target.
  • Double extortion: encryption + leak site publication threats.

Notable Operations (2020–2025)

OldGremlin’s documented attacks are distinct in their low volume, targeted approach, and the tendency for long-term infiltration:

2020 – The first wave of attacks targeting medical and logistics companies in Russia

Phishing emails impersonating covid-19 alerts as delivery of malicious TinyNode backdoor with ransom amounts reaching hundreds of thousands of dollars.

2021 – A series of attacks against the manufacturing and retail sectors in Europe

Implementing new tools to preserve remote connection, for a multi-week distance prior to commencing encryption. Expanding into Spain, Poland and Germany.

2022–2023 – Shift to global targets

Targets expanded to North American businesses with expanding multi-language phishing kit capabilities; coordination between intruders and cash-out professionals.

2024 – Increasing adoption of supply‑chain impersonation

Increasing usage of supply-chain impersonation by employing fake invoices and shipping notices as deception techniques; increasing overlap with business email compromise tactics; increasingly in-depth reconnaissance phases identifying internal backup systems.

2025 – Continued hybrid APT–ransomware model

Introduction of a novel build for the ransomware; more elaborate exfiltration methods utilising a cloud storage proxy; increased length of operational cycles providing for total domain ownership.

Get your security score with Threat.watch
Threat.watch encouraging users to check their security score

Recent Developments

In 2024 and 2025 OldGremlin added to its capabilities by using:

  • Multi-stage loader chains – these chains help reduce the chances of detection.
  • Modular implants – these implants allow reconnaissance to be done via plugin(s).
  • Cross-platform components – these components include Linux targeting scripts designed for backup servers.
  • Encrypted SMB tunnels – these tunnels allow lateral movement within a network without detection.

In addition to the above capabilities, OldGremlin’s shift to human-operated ransomware has changed how they operate. The operators are now engaging in manual escalation of privileges and mapping systems. This hands-on approach allows them to change their tactics on the fly, allowing them to circumvent any new defenses that are put in place during the course of their attack.

The publications on OldGremlin’s leak site indicate an increase in the amount of extortion and an increase in the use of psychological pressure on the victims, including efforts to contact the victims’ partners, executives, and customers.

Strategic Impact

The unique blend of APT-level stealth with monetization of cybercrime by OldGremlin creates a threat environment that is difficult for current security programs to manage. Key points of concern are:

  • Serious consequences from the breaches, and long recovery times as they can fully compromise the victim’s domain;
  • Because OldGremlin victimizes organizations across all sectors (finance, logistics, and manufacturing), the attacks have the potential to create a cross-sector risk.
  • Increased operational costs incurred by defenders due to OldGremlin’s long dwell time (the time spent within a network undetected) requiring extensive forensic and remediation work
  • Risk of data leakage due to selective exfiltration of only those items that create the greatest pressure on victims to pay.

OldGremlin’s method of operation resembles that of nation-state actors, leading to concerns that OldGremlin may serve as a model for other groups focused on cybercrime to develop their own long-term intrusion capabilities.

Conclusion

OldGremlin signifies the progressive development of financially motivated, APT-style groups. Rather than focusing purely on numbers, OldGremlin has focused on quality, being methodical, diligent and thorough in its approach to APT activity. As we approach the end of 2025, it is highly likely that we will continue to see increased sophistication of tradecraft, particularly regarding loaders that are more difficult to identify, the use of cloud-based data theft methods, and an even broader range of target geographies.

In order to limit the overall impact of OldGremlin, we recommend organisations increase their monitoring of lateral movement, reinforce behavioural analytics, implement ongoing training regarding phishing resistance, and limit permissions to access and use privileged accounts. As OldGremlin continues to grow in sophistication, it also exemplifies a frighteningly possible future where cybercriminals and ransomware gangs leverage the methods and techniques currently employed by intelligence services in their own activities; leading to adversaries that are more difficult to identify, anticipate and neutralise.

You can download and review the sheet for all the details!

A smartwatch displaying a Brandefense cyber threat alert, showcasing real-time security notifications for instant response.
Brandefense real-time threat notifications delivered directly to your device.

SHARE THIS

Get insight, Analysis &
News Straight to Your
Inbox

By submitting this form, you agree to our Privacy Policy

Latest News