Gamaredon Group

Introduction

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word “Armageddon,” found in early campaigns. Palo Alto Gamaredon Feb 2017 TrendMicro Gamaredon April 2020 ESET Gamaredon June 2020 Symantec Shuckworm January 2022 Microsoft Actinium February 2022 In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. Bleepingcomputer Gamardeon FSB November 2021 Microsoft Actinium February 2022

Activities and Tactics

Targeted Sectors: Government

Country of Origin: 🇷🇺 Russia

First Seen: 2022

Last Activity: 2022

Suspected Victims: Ukraine, Germany

Notable Campaigns

• OP Armageddon
• Op Gamework

Tactics, Techniques, and Procedures (TTPs)

• T1491.001 Internal Defacement
• T1583.003 Virtual Private Server
• T1001 Data Obfuscation
• T1534 Internal Spearphishing
• T1047 Windows Management Instrumentation
• T1095 Non-Application Layer Protocol
• T1083 File and Directory Discovery
• T1091 Replication Through Removable Media
• T1119 Automated Collection
• T1036.005 Match Legitimate Resource Name or Location
• T1027.004 Compile After Delivery
• T1105 Ingress Tool Transfer
• T1021.005 VNC
• T1027.016 Junk Code Insertion
• T1218.011 Rundll32
• T1566.001 Spearphishing Attachment
• T1082 System Information Discovery
• T1059.005 Visual Basic
• T1113 Screen Capture
• T1518.001 Security Software Discovery
• T1005 Data from Local System
• T1039 Data from Network Shared Drive
• T1608.001 Upload Malware
• T1027.015 Compression
• T1102.003 One-Way Communication
• T1112 Modify Registry
• T1016.001 Internet Connection Discovery
• T1620 Reflective Code Loading
• T1559.001 Component Object Model
• T1012 Query Registry
• T1025 Data from Removable Media
• T1221 Template Injection
• T1685 Disable or Modify Tools
• T1140 Deobfuscate/Decode Files or Information
• T1204.001 Malicious Link
• T1080 Taint Shared Content
• T1106 Native API
• T1583.006 Web Services
• T1561.001 Disk Content Wipe
• T1033 System Owner/User Discovery
• T1587.003 Digital Certificates
• T1564.003 Hidden Window
• T1027.012 LNK Icon Smuggling
• T1070.004 File Deletion
• T1059.001 PowerShell
• T1571 Non-Standard Port
• T1588.002 Tool
• T1020 Automated Exfiltration
• T1071.001 Web Protocols
• T1583.001 Domains
• T1568.001 Fast Flux DNS
• T1055 Process Injection
• T1120 Peripheral Device Discovery
• T1041 Exfiltration Over C2 Channel
• T1090.003 Multi-hop Proxy
• T1053.005 Scheduled Task
• T1027 Obfuscated Files or Information
• T1057 Process Discovery
• T1027.010 Command Obfuscation
• T1204.002 Malicious File
• T1568 Dynamic Resolution
• T1090 Proxy
• T1547.001 Registry Run Keys / Startup Folder
• T1480 Execution Guardrails
• T1102.002 Bidirectional Communication
• T1059.003 Windows Command Shell
• T1218.005 Mshta
• T1137 Office Application Startup
• T1102 Web Service
• T1497.001 System Checks

ATT&CK technique IDs (denormalized)

• T1001
• T1005
• T1012
• T1016.001
• T1020
• T1021.005
• T1025
• T1027
• T1027.004
• T1027.010
• T1027.012
• T1027.015
• T1027.016
• T1033
• T1036.005
• T1039
• T1041
• T1047
• T1053.005
• T1055
• T1057
• T1059.001
• T1059.003
• T1059.005
• T1070.004
• T1071.001
• T1080
• T1082
• T1083
• T1090
• T1090.003
• T1091
• T1095
• T1102
• T1102.002
• T1102.003
• T1105
• T1106
• T1112
• T1113
• T1119
• T1120
• T1137
• T1140
• T1204.001
• T1204.002
• T1218.005
• T1218.011
• T1221
• T1480
• T1491.001
• T1497.001
• T1518.001
• T1534
• T1547.001
• T1559.001
• T1561.001
• T1564.003
• T1566.001
• T1568
• T1568.001
• T1571
• T1583.001
• T1583.003
• T1583.006
• T1587.003
• T1588.002
• T1608.001
• T1620
• T1685

Notable Indicators of Compromise (IOCs)

No atomic indicators are listed in this profile. The APTnotes snapshot indexes 4 public reports that may contain IOCs; see Source Attribution for dataset links.

Malware and Tools

• Archelaus Beta
• Pterodo:
• QuietSieve:
• DessertDown:
• DinoTrain:

MITRE ATT&CK Software

• QuietSieve (S0686) — malware
• Pteranodon (S0147) — malware
• Remcos (S0332) — tool
• Ping (S0097) — tool
• Reg (S0075) — tool
• PowerPunch (S0685) — malware

Russian APT Tool Matrix observations

Attribution and Evidence

Country of Origin: Russia Additional attribution information pending cataloguing.

References

[1] mitre-attack [2] Cloudflare 2026 Threat Report New Threat Actors March 2026 Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026. [12] ESET Gamaredon June 2020 Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020. [13] TrendMicro Gamaredon April 2020 Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020. [14] Palo Alto Gamaredon Feb 2017 Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017. [15] Microsoft Threat Actor Naming July 2023 Microsoft . (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023. [16] Microsoft Actinium February 2022 Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022. [17] Secureworks IRON TILDEN Profile Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022. [18] Symantec Shuckworm January 2022 Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022. [19] Bleepingcomputer Gamardeon FSB November 2021 Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022. [20] Unit 42 Gamaredon February 2022 Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.