The Russia-linked, state-sponsored hacker group Gamaredon continued to expand its malware toolkit while carrying out cyberattacks against Ukraine throughout 2025.
Slovakian cybersecurity vendor ESET said it observed 35 spear-phishing campaigns targeting new victims, mostly during the second half of the year. The main targets were Ukrainian government and military organizations. Gamaredon's main goal remains stealing sensitive information that could support Russian interests in the war against Ukraine.
The attacks typically used archive files or XHTML attachments with HTML smuggling to deliver malicious HTA downloaders, which then installed additional malware such as PteroSand. Some campaigns also exploited the since-patched WinRAR path traversal vulnerability (CVE-2025-8088) to place the HTA downloader in the Windows Startup folder, so that it ran automatically the next time the victim logged in.
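The two delivery paths above leave artefacts a defender can check for: an XHTML attachment that assembles a file in the browser and hands it to the user as a download, and an `.hta` file sitting in a Startup folder. The following script is an added example, not ESET's or Gamaredon's code; the indicator list is a heuristic of this script's own, and the sample attachment and Startup folder are constructed for the demonstration.

```python
"""Triage helpers for the two delivery paths described above: an XHTML
attachment that uses HTML smuggling to drop an HTA, and an HTA planted in a
Windows Startup folder. Added example, not ESET's or Gamaredon's code; the
indicator list is a heuristic and the sample inputs are constructed."""
import os
import re
import tempfile
from pathlib import Path

# JavaScript idioms HTML smuggling needs to assemble a file in the browser
# and hand it to the user as a download.
SMUGGLING_PATTERNS = {
    "blob_construct": re.compile(r"new\s+Blob\s*\(", re.I),
    "object_url": re.compile(r"URL\.createObjectURL\s*\(", re.I),
    "download_attr": re.compile(r"\.download\s*=|\bdownload\s*=\s*[\"']", re.I),
    "base64_decode": re.compile(r"\batob\s*\(", re.I),
    "ms_save_blob": re.compile(r"msSaveOrOpenBlob", re.I),
    "hta_filename": re.compile(r"[\"'][^\"']*\.hta[\"']", re.I),
}
# A base64 run this long inside markup is an embedded payload, not content.
LONG_BASE64 = re.compile(r"[A-Za-z0-9+/]{200,}={0,2}")


def smuggling_indicators(html: str) -> dict[str, bool]:
    """Map each indicator name to whether it appears in the document."""
    hits = {name: bool(pat.search(html)) for name, pat in SMUGGLING_PATTERNS.items()}
    hits["embedded_base64"] = LONG_BASE64.search(html) is not None
    return hits


def smuggling_score(html: str) -> int:
    """Number of indicators present; benign pages score 0 or 1."""
    return sum(smuggling_indicators(html).values())


def is_suspicious_attachment(html: str, threshold: int = 3) -> bool:
    """Three independent indicators together are rare outside smuggling."""
    return smuggling_score(html) >= threshold


def user_startup_dir() -> Path:
    """Per-user Startup folder (%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup)."""
    return Path(os.environ.get("APPDATA", "")) / "Microsoft/Windows/Start Menu/Programs/Startup"


def hta_in_startup(startup_dir: Path) -> list[Path]:
    """Return .hta files sitting directly in a Startup folder (case-insensitive)."""
    if not startup_dir.is_dir():
        return []
    return sorted(p for p in startup_dir.iterdir() if p.is_file() and p.suffix.lower() == ".hta")


# --- constructed sample data for the demo (not real samples) ---------------
SAMPLE_XHTML = (
    "<html><body><script>"
    'var data = atob("' + "A" * 260 + '");'
    "var bytes = new Uint8Array(data.length);"
    'var blob = new Blob([bytes], {type: "application/octet-stream"});'
    'var a = document.createElement("a");'
    'a.href = URL.createObjectURL(blob); a.download = "document.hta"; a.click();'
    "</script></body></html>"
)
BENIGN_HTML = "<html><body><p>Quarterly report attached separately.</p></body></html>"


def demo_startup_dir() -> Path:
    """Build a throwaway Startup folder holding one benign file and one HTA."""
    d = Path(tempfile.mkdtemp()) / "Startup"
    d.mkdir()
    (d / "desktop.ini").write_text("[.ShellClassInfo]\n")
    (d / "Report.HTA").write_text("<html><head><hta:application /></head></html>")
    return d


if __name__ == "__main__":
    print("sample score:", smuggling_score(SAMPLE_XHTML), smuggling_indicators(SAMPLE_XHTML))
    print("benign score:", smuggling_score(BENIGN_HTML))
    print("HTA in startup:", [p.name for p in hta_in_startup(demo_startup_dir())])
```

On a real mailbox the first three functions run over the decoded attachment body; on an endpoint, `hta_in_startup(user_startup_dir())` covers the per-user folder and the same call with the all-users Startup path covers the machine-wide one. A positive result is a triage lead, since a legitimate web app can also use Blob downloads, but a Startup folder should never contain an HTA.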
Gamaredon also continued using tools such as PteroLNK and PteroPaste to spread malware via infected USB and network drives using malicious shortcut (LNK) files. In addition, the group returned to using PteroSetup, a VBScript tool first seen in 2021. PteroSetup searches USB and mapped network drives for legitimate installer files, replaces them with fake 7z self-extracting archives, and runs a malicious downloader alongside the original installer.
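PteroSetup's trick, a 7z self-extracting archive that launches a downloader alongside the original installer, has a recognisable shape on disk: a PE executable carrying a 7-Zip installer-SFX configuration block that launches more than one program, followed by the 7z archive. The script below scans a removable or mapped drive for that shape. It is an added example, not ESET's code; the 7-Zip markers it looks for are the format's documented ones, the labels and the "more than one launch or a script file" rule are this script's own heuristic, and the drive contents are constructed.

```python
"""Scan executables on a removable or mapped drive for 7-Zip installer SFX
archives whose embedded config launches more than one program, the shape the
text above attributes to PteroSetup's fake installers. Added example, not
ESET's code; the 7-Zip markers are the format's documented ones, the labels
and thresholds are this script's own, and the drive contents are constructed."""
import tempfile
from pathlib import Path

SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"        # signature that opens a .7z archive
SFX_CONFIG_START = b";!@Install@!UTF-8!"        # 7-Zip installer SFX config block
SFX_CONFIG_END = b";!@InstallEnd@!"
LAUNCH_KEYS = ("RunProgram", "ExecuteFile")     # config keys that start a process
SCRIPT_EXTS = (".vbs", ".js", ".hta", ".ps1", ".cmd", ".bat")


def parse_sfx_config(data: bytes) -> dict[str, list[str]]:
    """Key -> values of the embedded installer config; {} if there is none.
    A key may repeat (several RunProgram lines), hence the list."""
    start = data.find(SFX_CONFIG_START)
    if start < 0:
        return {}
    end = data.find(SFX_CONFIG_END, start)
    if end < 0:
        return {}
    body = data[start + len(SFX_CONFIG_START):end].decode("utf-8", "replace")
    cfg: dict[str, list[str]] = {}
    for line in body.splitlines():
        if "=" in line:
            key, value = line.split("=", 1)
            cfg.setdefault(key.strip(), []).append(value.strip().strip('"'))
    return cfg


def launched_programs(cfg: dict[str, list[str]]) -> list[str]:
    """Every command line the SFX would run after extraction."""
    return [v for k in LAUNCH_KEYS for v in cfg.get(k, [])]


def classify_executable(path: Path) -> str:
    data = path.read_bytes()
    if data[:2] != b"MZ":
        return "not-pe"
    if SEVEN_ZIP_MAGIC not in data:
        return "pe"
    runs = launched_programs(parse_sfx_config(data))
    if not runs:
        return "sfx-no-config"
    runs_script = any(tok.lower().endswith(SCRIPT_EXTS) for r in runs for tok in r.split())
    return "sfx-multi-launch" if len(runs) > 1 or runs_script else "sfx-single-launch"


def scan_drive(root: Path) -> dict[str, str]:
    """Relative path -> label for every .exe under root (case-insensitive)."""
    return {p.relative_to(root).as_posix(): classify_executable(p)
            for p in sorted(root.rglob("*")) if p.is_file() and p.suffix.lower() == ".exe"}


def demo_removable_drive() -> Path:
    """Constructed drive: a plain installer, a plain SFX, and a fake installer."""
    root = Path(tempfile.mkdtemp()) / "E"
    (root / "Installers").mkdir(parents=True)
    pe_stub = b"MZ" + b"\x90" * 64  # constructed stand-in for a PE header
    (root / "Installers" / "Setup.exe").write_bytes(pe_stub + b"plain installer body")
    (root / "Installers" / "Tools.exe").write_bytes(pe_stub + SEVEN_ZIP_MAGIC + b"archive")
    fake_cfg = (SFX_CONFIG_START + b'\r\nTitle="Setup"\r\nRunProgram="Setup.exe"\r\n'
                b'RunProgram="wscript.exe update.vbs"\r\n' + SFX_CONFIG_END)
    (root / "Installers" / "Setup_v2.exe").write_bytes(pe_stub + fake_cfg + SEVEN_ZIP_MAGIC + b"archive")
    (root / "readme.txt").write_text("not an executable")
    return root


if __name__ == "__main__":
    for rel, label in scan_drive(demo_removable_drive()).items():
        print(f"{label:18} {rel}")
```

Point `scan_drive` at the mount point of a removable or mapped drive; anything labelled `sfx-multi-launch` deserves a look at the embedded config (`parse_sfx_config`) to see what the second launch is, while `sfx-single-launch` is what a legitimate vendor SFX installer looks like.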
ESET also found that Gamaredon developed six new PowerShell tools and upgraded its file-stealing malware set (PteroVDoor and PteroPSDoor) to exfiltrate stolen data through cloud storage services.
The group used third-party services such as tunnel services, serverless workers, dynamic DNS (DDNS), and platform-as-a-service (PaaS) providers to hide its infrastructure. The threat actor also abused legitimate online platforms as dead drops for command-and-control (C&C) communication and payload distribution, including Telegra.ph, Teletype, Rentry.co, Write.as, Dropbox, GoFile, DEV Community (dev.to), Mastodon, Lesma, Nopaste.net, Paste.ee, Wasabi, Tebi, and Intercolo.
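Because the dead drops are ordinary public platforms, the useful detection is not a block list but a question of which internal hosts talk to several of them. The script below runs that question over web-proxy records. It is an added example, not ESET's code. The domains marked `page` appear in the article; those marked `assumed` are the named operators' public domains and are an assumption, not taken from the article. The log lines are constructed, in a simplified `timestamp source method url status` format.

```python
"""Flag hosts whose web-proxy traffic touches the dead-drop platforms listed
above. Added example, not ESET's code. Log lines are constructed."""
import re
from collections import defaultdict
from urllib.parse import urlsplit

DEAD_DROP_DOMAINS = {
    # page: domains the article names directly
    "telegra.ph", "rentry.co", "write.as", "dev.to", "nopaste.net", "paste.ee",
    # assumed: public domains of platforms the article names without a domain
    "teletype.in", "dropbox.com", "dropboxapi.com", "gofile.io", "wasabisys.com", "tebi.io",
}
# Mastodon is federated and Lesma/Intercolo are omitted: no single domain to match.

LOG_LINE = re.compile(
    r"^(?P<ts>\S+)\s+(?P<src>\S+)\s+(?P<method>[A-Z]+)\s+(?P<url>\S+)\s+(?P<status>\d{3})$"
)


def registrable_domain(host: str) -> str:
    """Last two labels of the host; enough for the single-suffix domains above
    (a public-suffix list would be needed for co.uk-style names)."""
    labels = host.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def parse_line(line: str):
    """(source, registrable domain) for a well-formed record, else None."""
    m = LOG_LINE.match(line.strip())
    if not m:
        return None
    host = urlsplit(m["url"]).hostname
    if not host:
        return None
    return m["src"], registrable_domain(host)


def dead_drop_hits(lines) -> dict[str, dict[str, int]]:
    """source -> {domain: request count}, restricted to dead-drop domains."""
    hits: dict[str, dict[str, int]] = defaultdict(lambda: defaultdict(int))
    for line in lines:
        parsed = parse_line(line)
        if parsed is None:
            continue
        src, domain = parsed
        if domain in DEAD_DROP_DOMAINS:
            hits[src][domain] += 1
    return {src: dict(d) for src, d in hits.items()}


def rank_sources(hits: dict[str, dict[str, int]]) -> list[str]:
    """Most distinct platforms first, then most requests."""
    return sorted(hits, key=lambda s: (len(hits[s]), sum(hits[s].values())), reverse=True)


# Constructed proxy records, including one malformed line the parser must skip.
SAMPLE_LOG = """\
2025-09-14T08:01:12Z 10.20.1.17 GET https://www.microsoft.com/en-us/ 200
2025-09-14T08:01:40Z 10.20.1.17 GET https://telegra.ph/Status-09-14 200
2025-09-14T08:02:03Z 10.20.1.17 GET https://rentry.co/abcd1234/raw 200
2025-09-14T08:02:31Z 10.20.1.42 GET https://dev.to/some-user/post-title 200
this line is not a proxy record
2025-09-14T08:03:00Z 10.20.1.17 GET https://telegra.ph/Status-09-14 200
2025-09-14T08:03:15Z 10.20.1.42 POST https://api.dropboxapi.com/2/files/upload 200
2025-09-14T08:04:02Z 10.20.1.99 GET https://example.org/ 200
"""

if __name__ == "__main__":
    hits = dead_drop_hits(SAMPLE_LOG.splitlines())
    for src in rank_sources(hits):
        print(src, hits[src])
```

A ranked host is a lead, not a verdict: every platform on the list has heavy legitimate use. Before escalating, join the hit against endpoint telemetry for the requesting process (a script host such as `mshta.exe` or `wscript.exe`, or PowerShell, fetching a paste or blog page is far more telling than a browser doing so), and look at whether the response sizes and timing resemble a human reading a page or a beacon polling for instructions.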