Russia's 'Gamaredon' Upgrades Its Arsenal, Requiring New Defenses
Russia's FSB-linked APT group Gamaredon (aka Aqua Blizzard, Armageddon) significantly upgraded its offensive capabilities in 2025. ESET tracked 35 spear-phishing campaigns against Ukrainian government and military targets. The group developed six new PowerShell-based downloaders, including PteroPaste — a tool that spreads malware via USB drives by disguising loaders as Word documents. Gamaredon also improved its C2 concealment by leveraging Microsoft and Cloudflare tunneling services, Cloudflare Workers, and dead-drop techniques to hide infrastructure behind legitimate domains. Stolen data is now exfiltrated to cloud services like AWS S3 and Dropbox. In the second half of 2025, Gamaredon collaborated with fellow Russian APT Turla, providing initial access for Turla's Kazuar exploitation framework. Defenders are advised to restrict PowerShell access for non-admin users, scan USB drives, and implement identity-aware microsegmentation to detect anomalous traffic to trusted platforms.