🇷🇺 Gamaredon
🇷🇺 Gamaredon is a tracked threat actor in the Clankerusecase corpus. Attributed to RU. Primary motivation: State. We map 26 detection use cases to this actor across 89 MITRE ATT&CK techniques, with 2 threat-intel articles citing them. Active in our corpus from 2025-11-06 to 2026-06-09.
crit 2
26 use cases
2 articles
89 techniques
10 IOCs
Known aliases
Gamaredon, Primitive Bear, Shuckworm, Aqua Blizzard, Armageddon, Trident Ursa, Gamaredon Group, IRON TILDEN, ACTINIUM, DEV-0157, NastyShrew
Top techniques
All other tracked techniques
T1001 · Data Obfuscation
T1005 · Data from Local System
T1012 · Query Registry
T1016.001 · Internet Connection Discovery
T1020 · Automated Exfiltration
T1021.002 · SMB/Windows Admin Shares
T1021.005 · VNC
T1025 · Data from Removable Media
T1027 · Obfuscated Files or Information
T1027.004 · Compile After Delivery
T1027.010 · Command Obfuscation
T1027.012 · LNK Icon Smuggling
T1027.015 · Compression
T1027.016 · Junk Code Insertion
T1033 · System Owner/User Discovery
T1036.005 · Match Legitimate Resource Name or Location
T1039 · Data from Network Shared Drive
T1041 · Exfiltration Over C2 Channel
T1047 · Windows Management Instrumentation
T1053.005 · Scheduled Task
T1055 · Process Injection
T1057 · Process Discovery
T1059.003 · Windows Command Shell
T1059.005 · Visual Basic
T1070.004 · File Deletion
T1071 · Application Layer Protocol
T1071.001 · Web Protocols
T1071.004 · DNS
T1080 · Taint Shared Content
T1082 · System Information Discovery
T1083 · File and Directory Discovery
T1090 · Proxy
T1090.003 · Multi-hop Proxy
T1091 · Replication Through Removable Media
T1095 · Non-Application Layer Protocol
T1098.001 · Additional Cloud Credentials
T1102 · Web Service
T1102.002 · Bidirectional Communication
T1102.003 · One-Way Communication
T1105 · Ingress Tool Transfer
T1106 · Native API
T1112 · Modify Registry
T1113 · Screen Capture
T1119 · Automated Collection
T1120 · Peripheral Device Discovery
T1137 · Office Application Startup
T1140 · Deobfuscate/Decode Files or Information
T1195.002 · Compromise Software Supply Chain
T1203 · Exploitation for Client Execution
T1204.001 · Malicious Link
T1204.002 · Malicious File
T1204.004 · Malicious Copy and Paste
T1218 · System Binary Proxy Execution
T1218.005 · Mshta
T1218.011 · Rundll32
T1219 · Remote Access Tools
T1221 · Template Injection
T1480 · Execution Guardrails
T1491.001 · Internal Defacement
T1497.001 · System Checks
T1518.001 · Security Software Discovery
T1528 · Steal Application Access Token
T1534 · Internal Spearphishing
T1539 · Steal Web Session Cookie
T1547.001 · Registry Run Keys / Startup Folder
T1559.001 · Component Object Model
T1561.001 · Disk Content Wipe
T1564.003 · Hidden Window
T1566 · Phishing
T1566.001 · Spearphishing Attachment
T1566.002 · Spearphishing Link
T1568 · Dynamic Resolution
T1568.001 · Fast Flux DNS
T1569.002 · Service Execution
T1571 · Non-Standard Port
T1572 · Protocol Tunneling
T1574.002 · T1574.002
T1574.005 · Executable Installer File Permissions Weakness
T1583.001 · Domains
T1583.003 · Virtual Private Server
T1583.006 · Web Services
T1587.003 · Digital Certificates
T1588.002 · Tool
T1608.001 · Upload Malware
T1620 · Reflective Code Loading
T1685 · Disable or Modify Tools
Detection use cases (26)
Gamaredon dead-drop C2 resolution via Telegram / Telegraph / Cloudflare workers from a LOLBin
Gamaredon LitterDrifter USB worm — wscript executing VBS from removable drive + LNK seeding
WinRAR CVE-2025-8088 — archive tool writes payload to user Startup folder
Startup LNK spawns cmd.exe → PowerShell in-memory DLL loader (GIFTEDCROOK chain)
GIFTEDCROOK browser credential and cookie theft — non-browser process reads Chromium/Firefox stores
GIFTEDCROOK / Gamaredon C2 callback to article IOCs (IPs + workers.dev / trycloudflare / .ru domains)
Earth Dahu / Gamaredon HTA-to-VBScript chain (mshta.exe spawning wscript/cscript)
Beaconing — periodic outbound to small set of destinations
Network connections to article IPs / domains
Asset exposure — vulnerability matches article CVE(s)
Phishing-link click correlated to endpoint execution
Email attachment opened from external sender
Office app spawning script/LOLBin child process
OAuth consent / suspicious app grant
1Password activity from Tor exit node
Brand-Impersonation Domain Fetch Followed by User-Context Loader Within 10 Minutes
Cross-category credential-store enumeration with rapid egress to anonymizing tunnel/CDN
Cross-Platform ClickFix Paste-to-Pipe Loader (UI-Parent Shell with Decode-and-Execute Payload)
Developer interpreter / package-manager process exfiltrating tokens to public code-hosting / worker domains
Developer package install spawning script-host with non-registry C2 within 5 minutes
Developer/Data-tooling Daemon Spawns Shell Child Seconds After POST to Runner/Exec Endpoint
Internet-Facing Service Process Spawning Unix Shell or Ingress-Tool LOLBin (Edge Zero-Day Post-Exploit)
Internet-facing service process spawns shell/LOLBin within minutes of public inbound connection — post-RCE command execution
Low-Code / AI Workflow Runtime Sandbox-Escape — Server Process Spawns Shell + Public Egress
Non-Browser Process Reads Browser Credential / Cookie SQLite Then Egresses to Public Destination Within 10 Minutes
npm/yarn/pnpm Install-Hook Spawn → Credential-Store Read or Worm-Payload Drop in node_modules
Threat-intel articles (2)
crit ESET APT Activity Report Q2 2025–Q3 2025 · 2025-11-06
Tracked indicators
Domains (7)
csxvl00328.workers.dev
dayobtvoyu.ru
e097.yggjf81487.workers.
insight-sweet-drainage-a
snterval.selltosell.ru
sweet.csxvl00328.workers
vids-road-christina-guar
IP addresses (3)
144.172.88.24
172.86.72.243
172.86.76.132
CVEs (2)
CVE-2024-42009
CVE-2025-8088