G0047: Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.[1][2][3][4][5]
In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.[6][5]
Analyst context for executives and security teams
Gamaredon Group matters as an espionage-focused intrusion set with long-running reporting against Ukrainian military, law enforcement, judiciary, nonprofit, and NGO organizations. For leaders, the value of this ATT&CK object is not a single indicator list; it is a behavioral profile that highlights information theft, persistence of operations over time, use of legitimate utilities, and alias sprawl across vendors. Organizations with Ukraine-related operations, partners, missions, or regulatory evidence needs should use this profile to validate whether SOC and IR teams can recognize collection, command-and-control, and exfiltration behaviors rather than relying only on malware names.
Executive priority
Prioritize this as a resilience and intelligence-driven readiness issue when the organization has Ukraine exposure, government/NGO/legal-sector dependencies, or sensitive information that would be valuable in espionage. Executives should ask whether threat intelligence aliases are normalized, whether incident response can quickly assess data access and exfiltration, and whether logging exists for Windows-heavy behaviors reflected in the relationships, including registry activity, WMI, remote access, file collection, and outbound C2-like traffic. Because MITRE provides no official detection text for this group, assurance should come from validated telemetry and tested analytic coverage, not from the presence of a named threat feed alone.
Technical view
ATT&CK relationships associate Gamaredon Group with utilities and malware including Reg, Ping, Pteranodon, Remcos, PowerPunch, and QuietSieve, and with techniques spanning discovery, collection, stealth, command-and-control, lateral movement, execution, and exfiltration. SOC and detection teams should validate behavior-based coverage for registry querying, internet connectivity checks, WMI execution, VNC use, obfuscated commands/files, LNK icon smuggling, compression, data collection from local systems/removable media/network shares, automated exfiltration, and exfiltration over C2 channels. Treat Reg, Ping, WMI, and VNC as high false-positive areas: useful detections will need baselines, parent/child process context, user and host role context, network destination context, and correlation with suspicious file or data-access activity.
Likely telemetry
- Endpoint process creation with command-line arguments and parent/child process context
- Windows Registry access and command-line use of Reg where available
- WMI execution and remote management logs on Windows systems
- Network connection, proxy, firewall, DNS, and egress metadata for C2-like or obfuscated traffic patterns
- Authentication and remote access telemetry for VNC or similar remote-control activity
Detection direction
- Normalize threat intelligence aliases including Gamaredon Group, IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard, and NastyShrew so investigations are not fragmented by vendor naming.
- Build detections around behavior chains rather than single tools: discovery activity followed by file collection, obfuscation, outbound C2, or exfiltration is higher value than isolated Ping or Reg execution.
- Tune legitimate-administration noise for Reg, Ping, WMI, and VNC by host role, administrator identity, maintenance windows, and expected destinations.
- Validate coverage for collection paths called out by related techniques: local systems, removable media, and network shared drives.
- Test whether SOC workflows can pivot from suspected C2 or exfiltration to user, host, file-access, and data-sensitivity context quickly enough for incident response decisions.
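As an added example (not part of the MITRE object or the Glexia analysis), the Python below implements the behavior-chain approach described above: it normalizes the vendor aliases listed here to G0047 and correlates, per host within a time window, the noisy primitives named in the technique table (a `ping -n 1` connectivity check, a `Win32_PingStatus` WMI query or a `HKCU\Console\WindowsUpdates` registry lookup, `wscript`/`mshta`/`rundll32` execution, and outbound connections to ports 6856 or 9050), while exempting allowlisted host/user pairs from the admin-like stages only. The event schema, host and user names, ten-minute window and three-stage threshold are assumptions; the sample events are constructed, not real telemetry.

```python
"""Behavior-chain detector for Gamaredon-style activity (added example, not MITRE or Glexia code).

Assumptions: a flat event schema with process-creation and network records,
a ten-minute correlation window and a three-stage threshold. Sample events are constructed.
"""
import re
from collections import defaultdict
from datetime import datetime, timedelta

GROUP_ID = "G0047"
# Vendor aliases listed on the page, normalized so hunts are not split by naming.
ALIASES = ("Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM", "Armageddon",
           "Shuckworm", "DEV-0157", "Aqua Blizzard", "NastyShrew")
_ALIAS_INDEX = {a.lower(): GROUP_ID for a in ALIASES}


def normalize_alias(name):
    """Map a vendor name to the ATT&CK group ID, or None when unknown."""
    return _ALIAS_INDEX.get(name.strip().lower())


# Stages derived from procedures in the technique table; each is noisy on its own.
STAGES = (
    ("connectivity_check", "T1016.001", re.compile(r"\bping(\.exe)?\s+-n\s+1\b", re.I)),
    ("c2_lookup", "T1012/T1047", re.compile(r"Win32_PingStatus|Console\\+WindowsUpdates", re.I)),
    ("script_host", "T1059.005/T1218", re.compile(r"\b(wscript|mshta|rundll32)\.exe\b", re.I)),
)
NOISY_ADMIN_STAGES = {"connectivity_check", "c2_lookup"}
C2_PORTS = {6856: "T1571", 9050: "T1095"}   # non-standard port and SOCKS5 port from the table
WINDOW = timedelta(minutes=10)               # assumed correlation window
MIN_STAGES = 3                               # assumed threshold: distinct stages per host


def stage_of(event, allowlist=frozenset()):
    """Classify one event as (stage, technique) or None.

    Allowlisted (host, user) pairs (e.g. admins in a maintenance window) are exempt
    only from the admin-like stages, never from script-host execution or C2 ports.
    """
    if event["type"] == "network":
        port = event.get("dport")
        return ("c2_port", C2_PORTS[port]) if port in C2_PORTS else None
    for label, technique, pattern in STAGES:
        if pattern.search(event.get("cmdline", "")):
            if label in NOISY_ADMIN_STAGES and (event["host"], event["user"]) in allowlist:
                return None
            return (label, technique)
    return None


def detect_chains(events, allowlist=frozenset()):
    """Return one alert per host whose events show MIN_STAGES distinct stages within WINDOW."""
    hits = defaultdict(list)
    for ev in sorted(events, key=lambda e: e["ts"]):
        stage = stage_of(ev, allowlist)
        if stage:
            hits[ev["host"]].append((datetime.fromisoformat(ev["ts"]), ev["user"], stage))
    alerts = []
    for host, host_hits in hits.items():
        for i, (start, user, _) in enumerate(host_hits):
            in_window = [h for h in host_hits[i:] if h[0] - start <= WINDOW]
            stages = {label: technique for _, _, (label, technique) in in_window}
            if len(stages) >= MIN_STAGES:
                alerts.append({"host": host, "user": user, "start": start.isoformat(),
                               "stages": stages, "group": GROUP_ID, "aliases": ALIASES})
                break  # one alert per host; analysts pivot to user/file/data context from here
    return alerts


# Constructed sample telemetry (process-creation and network events), not real logs.
SAMPLE_EVENTS = [
    {"ts": "2025-04-10T10:00:00", "host": "WS-17", "user": "j.doe", "type": "process",
     "parent": "wscript.exe", "cmdline": r"cmd.exe /c ping -n 1 c2.example.invalid"},
    {"ts": "2025-04-10T10:00:05", "host": "WS-17", "user": "j.doe", "type": "process",
     "parent": "cmd.exe", "cmdline": r"reg query HKCU\Console\WindowsUpdates"},
    {"ts": "2025-04-10T10:00:30", "host": "WS-17", "user": "j.doe", "type": "process",
     "parent": "explorer.exe", "cmdline": r"wscript.exe //B C:\Users\j.doe\AppData\Roaming\update.vbs"},
    {"ts": "2025-04-10T10:01:00", "host": "WS-17", "user": "j.doe", "type": "network", "dport": 6856},
    # An administrator doing legitimate checks from a jump host: noisy without tuning.
    {"ts": "2025-04-10T10:02:00", "host": "ADMIN-01", "user": "it.admin", "type": "process",
     "parent": "powershell.exe", "cmdline": "ping -n 1 fileserver.corp.invalid"},
    {"ts": "2025-04-10T10:02:10", "host": "ADMIN-01", "user": "it.admin", "type": "process",
     "parent": "powershell.exe", "cmdline": r"reg query HKCU\Console\WindowsUpdates"},
    {"ts": "2025-04-10T10:02:20", "host": "ADMIN-01", "user": "it.admin", "type": "process",
     "parent": "powershell.exe", "cmdline": r"mshta.exe C:\tools\dashboard.hta"},
    # A lone ping on another workstation: not enough for a chain.
    {"ts": "2025-04-10T10:03:00", "host": "WS-22", "user": "a.smith", "type": "process",
     "parent": "cmd.exe", "cmdline": "ping -n 1 printer.corp.invalid"},
]
MAINTENANCE_ALLOWLIST = frozenset({("ADMIN-01", "it.admin")})

if __name__ == "__main__":
    for alert in detect_chains(SAMPLE_EVENTS, MAINTENANCE_ALLOWLIST):
        print(alert["host"], alert["start"], sorted(alert["stages"]))
```

Run without the allowlist and the administrator's jump host also alerts, which is the false-positive problem the tuning point above describes; with the allowlist only the workstation chain remains, and the alert still carries the canonical group ID plus every alias so the investigation is not fragmented by vendor naming.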
Mitigation priorities
- Start with exposure scoping: identify business units, partners, missions, or data sets where Ukraine-related espionage risk is relevant.
- Ensure endpoint, identity, network, and file-access logs are retained and searchable for the related behaviors before relying on detections.
- Harden and monitor administrative paths reflected in the relationships, including WMI, registry tooling, and remote access such as VNC.
- Limit unnecessary access to sensitive network shares and removable media use, and validate that access is auditable.
- Apply egress controls and monitoring that can support investigation of automated exfiltration and exfiltration over C2 channels.
Analyst notes and limits
The supplied ATT&CK object is a group profile, not a procedure-level detection specification. Its strongest decision value comes from the relationship context: Windows-associated tooling, custom and commodity remote-access or downloader/stealer software, and techniques covering discovery, stealth, collection, C2, and exfiltration. The official description supports suspected Russian cyber espionage activity against Ukrainian sectors since at least 2013 and notes public Ukrainian attribution to Russia’s FSB Center 18, later supported by independent researchers.
MITRE provides no official detection guidance, no platforms on the group object itself, and no tactics directly on the group object. Platform and tactic observations in this take are derived only from the supplied related software and technique records. Local telemetry, business exposure, and environment baselines are required before judging risk, coverage, or likely activity in any specific organization.
Gamaredon Group
How security teams should use this page
Treat this object as behavior context, not an attribution claim. Validate the related groups, software, data sources, and mitigations against official ATT&CK relationships and your own telemetry before making control-coverage decisions.
Techniques used
This mirrors the MITRE pattern of making group, software, campaign, and technique relationships scannable. Relationship notes come from mirrored ATT&CK relationship text when available.
| Domain | ID | Name | Relationship / procedure |
|---|---|---|---|
| Enterprise | T1491.001 | Internal Defacement Sub-technique | Gamaredon Group has left taunting images and messages on the victims' desktops as proof of system access. (Citation: CERT-EE Gamaredon January 2021) |
| Enterprise | T1583.003 | Virtual Private Server Sub-technique | Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia. (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) (Citation: Huntio_GamaredonFlux_Apr2025) |
| Enterprise | T1001 | Data Obfuscation | Gamaredon Group has used obfuscated VBScripts with randomly generated variable names and concatenated strings. (Citation: unit42_gamaredon_dec2022) |
| Enterprise | T1534 | Internal Spearphishing | Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1047 | Windows Management Instrumentation | Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address. (Citation: CERT-EE Gamaredon January 2021) (Citation: unit42_gamaredon_dec2022) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) (Citation: ESET Gamaredon Sept2024) Gamaredon Group has used the following WMI query to search for a ping record: `Select * From Win32_PingStatus where Address = 'mil.gov.ua'`. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1095 | Non-Application Layer Protocol | Gamaredon Group has used SOCKS5 over port 9050 for C2 communication. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1083 | File and Directory Discovery | Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system. (Citation: ESET Gamaredon June 2020) (Citation: Unit 42 Gamaredon February 2022) (Citation: ESET Gamaredon Sept2024) Gamaredon Group has also identified directory trees, folders and files on the compromised host. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1091 | Replication Through Removable Media | Gamaredon Group has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on all network and removable drives available on the infected host. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1119 | Automated Collection | Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1036.005 | Match Legitimate Resource Name or Location Sub-technique | Gamaredon Group has used legitimate process names to hide malware including |
| Enterprise | T1027.004 | Compile After Delivery Sub-technique | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in |
| Enterprise | T1105 | Ingress Tool Transfer | Gamaredon Group has downloaded additional malware and tools onto a compromised host. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: Microsoft Actinium February 2022) (Citation: ESET Gamaredon Sept2024) (Citation: VenereCiscoTalos_Gamaredon_Mar2025) For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments. (Citation: unit42_gamaredon_dec2022) |
| Enterprise | T1021.005 | VNC Sub-technique | Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts. (Citation: Symantec Shuckworm January 2022) (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1027.016 | Junk Code Insertion Sub-technique | Gamaredon Group has obfuscated .NET executables by inserting junk code. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1218.011 | Rundll32 Sub-technique | Gamaredon Group malware has used rundll32 to launch additional malicious components. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1566.001 | Spearphishing Attachment Sub-technique | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets. (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) (Citation: Secureworks IRON TILDEN Profile) (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) (Citation: SilentPush_GamaredonFastFlux_Sept2023) Additionally, Gamaredon Group has distributed malicious LNK files compressed in ZIP archives. (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1082 | System Information Discovery | A Gamaredon Group file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: TrendMicro Gamaredon April 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1059.005 | Visual Basic Sub-technique | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros. (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: Microsoft Actinium February 2022) (Citation: Secureworks IRON TILDEN Profile) (Citation: ESET Gamaredon Sept2024) Additionally, Gamaredon Group has executed VBScript files using wscript.exe. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1113 | Screen Capture | Gamaredon Group's malware can take screenshots of the compromised computer every minute. (Citation: ESET Gamaredon June 2020) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1518.001 | Security Software Discovery Sub-technique | Gamaredon Group has used PowerShell scripts to identify security software on the victim machine. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1005 | Data from Local System | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server. (Citation: ESET Gamaredon June 2020) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1039 | Data from Network Shared Drive | Gamaredon Group malware has collected Microsoft Office documents from mapped network drives. (Citation: ESET Gamaredon June 2020) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1608.001 | Upload Malware Sub-technique | Gamaredon Group has registered domains to stage payloads. (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1027.015 | Compression Sub-technique | Gamaredon Group has delivered malicious payloads within compressed archives and zip files. (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1102.003 | One-Way Communication Sub-technique | Gamaredon Group has used Telegram Messenger content to discover the IP address for C2 communications. (Citation: unit42_gamaredon_dec2022) |
| Enterprise | T1112 | Modify Registry | Gamaredon Group has removed security settings for VBA macro execution by changing registry values |
| Enterprise | T1016.001 | Internet Connection Discovery Sub-technique | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as `CSIDL_SYSTEM\cmd.exe /c ping -n 1`. (Citation: Symantec Shuckworm January 2022) Gamaredon Group has searched the ping records to obtain the C2 address and has used ping to search for the C2’s status. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1620 | Reflective Code Loading | Gamaredon Group has used an obfuscated PowerShell script that used `System.Reflection.Assembly` to gather and send victim information to the C2. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1559.001 | Component Object Model Sub-technique | Gamaredon Group malware can insert malicious macros into documents using a |
| Enterprise | T1012 | Query Registry | Gamaredon Group has queried `HKEY_CURRENT_USER\Console\WindowsUpdates` to obtain the C2 addresses. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1025 | Data from Removable Media | A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: ESET Gamaredon June 2020) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1221 | Template Injection | Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads. (Citation: Proofpoint RTF Injection) Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems. (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) (Citation: Secureworks IRON TILDEN Profile) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1685 | Disable or Modify Tools | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings. (Citation: ESET Gamaredon June 2020) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1140 | Deobfuscate/Decode Files or Information | Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded Base64-encoded source code of a downloader. (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: ESET Gamaredon Sept2024) Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications. (Citation: unit42_gamaredon_dec2022) |
| Enterprise | T1204.001 | Malicious Link Sub-technique | Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content. (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1080 | Taint Shared Content | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1106 | Native API | Gamaredon Group malware has used |
| Enterprise | T1583.006 | Web Services Sub-technique | Gamaredon Group has used Cloudflare’s TryCloudflare service to obtain C2 nodes. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1561.001 | Disk Content Wipe Sub-technique | Gamaredon Group has used tools to delete files and folders from victims' desktops and profiles. (Citation: CERT-EE Gamaredon January 2021) |
| Enterprise | T1033 | System Owner/User Discovery | A Gamaredon Group file stealer can gather the victim's username to send to a C2 server. (Citation: Palo Alto Gamaredon Feb 2017) |
| Enterprise | T1587.003 | Digital Certificates Sub-technique | Gamaredon Group has used the same TLS certificate across its infrastructure. (Citation: Huntio_GamaredonFlux_Apr2025) |
| Enterprise | T1564.003 | Hidden Window Sub-technique | Gamaredon Group has used |
| Enterprise | T1027.012 | LNK Icon Smuggling Sub-technique | Gamaredon Group has used LNK files to hide malicious scripts for execution. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1070.004 | File Deletion Sub-technique | Gamaredon Group tools can delete files used during an operation. (Citation: TrendMicro Gamaredon April 2020) (Citation: Symantec Shuckworm January 2022) (Citation: CERT-EE Gamaredon January 2021) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1059.001 | PowerShell Sub-technique | Gamaredon Group has used obfuscated PowerShell scripts for staging. (Citation: Microsoft Actinium February 2022) (Citation: ESET Gamaredon Sept2024) Additionally, Gamaredon Group has used PowerShell-based tools later in its attack chain. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) Additionally, Gamaredon Group has used the PowerShell cmdlet `Get-Command` to download and execute the next stage payload. (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1571 | Non-Standard Port | Gamaredon Group has used port 6856 for C2 communications. (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1588.002 | Tool Sub-technique | Gamaredon Group has used various legitimate tools, such as `mshta.exe` and Reg, and services during operations. (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1020 | Automated Exfiltration | Gamaredon Group has used modules that automatically upload gathered documents to the C2 server. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1071.001 | Web Protocols Sub-technique | Gamaredon Group has used HTTP and HTTPS for C2 communications. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: Symantec Shuckworm January 2022) (Citation: CERT-EE Gamaredon January 2021) (Citation: Unit 42 Gamaredon February 2022) (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1583.001 | Domains Sub-technique | Gamaredon Group has registered multiple domains to facilitate payload staging and C2. (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) (Citation: ESET Gamaredon Sept2024) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1568.001 | Fast Flux DNS Sub-technique | Gamaredon Group has used fast flux DNS to mask their command and control channel behind rotating IP addresses. (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) (Citation: SilentPush_GamaredonFastFlux_Sept2023) Additionally, Gamaredon Group has used a low-frequency variant of the single-flux method. (Citation: Huntio_GamaredonFlux_Apr2025) |
| Enterprise | T1055 | Process Injection | Gamaredon Group has injected Remcos into explorer.exe. (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1120 | Peripheral Device Discovery | Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: ESET Gamaredon June 2020) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1041 | Exfiltration Over C2 Channel | A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: ESET Gamaredon Sept2024) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1090.003 | Multi-hop Proxy Sub-technique | Gamaredon Group has used Tor for C2 traffic. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1053.005 | Scheduled Task Sub-technique | Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed. (Citation: ESET Gamaredon June 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: Microsoft Actinium February 2022) (Citation: unit42_gamaredon_dec2022) |
| Enterprise | T1027 | Obfuscated Files or Information | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments. (Citation: ESET Gamaredon June 2020) Additionally, Gamaredon Group has used an obfuscated .drv file. (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1057 | Process Discovery | Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer. (Citation: Symantec Shuckworm January 2022) (Citation: Unit 42 Gamaredon February 2022) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1027.010 | Command Obfuscation Sub-technique | Gamaredon Group has used obfuscated or encrypted scripts. (Citation: ESET Gamaredon June 2020) (Citation: Microsoft Actinium February 2022) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1204.002 | Malicious File Sub-technique | Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded. (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: Symantec Shuckworm January 2022) (Citation: CERT-EE Gamaredon January 2021) (Citation: Microsoft Actinium February 2022) (Citation: Unit 42 Gamaredon February 2022) (Citation: Secureworks IRON TILDEN Profile) (Citation: unit42_gamaredon_dec2022) Gamaredon Group has also attempted to get users to click on thematically named files. (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1568 | Dynamic Resolution | Gamaredon Group has incorporated dynamic DNS domains in its infrastructure. (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1090 | Proxy | Gamaredon Group has used the Cloudflare Tunnel client to proxy C2 traffic. (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1547.001 | Registry Run Keys / Startup Folder Sub-technique | Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence. (Citation: TrendMicro Gamaredon April 2020) (Citation: ESET Gamaredon June 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) |
| Enterprise | T1480 | Execution Guardrails | Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations. (Citation: unit42_gamaredon_dec2022) (Citation: VenereCiscoTalos_Gamaredon_Mar2025) |
| Enterprise | T1102.002 | Bidirectional Communication Sub-technique | Gamaredon Group has used several ways to try to resolve the C2 server, including: public third-party websites, an adversary-operated Telegraph channel, the ngrok utility and the TXT record of a hardcoded C2 domain. (Citation: ESET Gamaredon Sept2024) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1059.003 | Windows Command Shell Sub-technique | Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group's backdoor malware has also been written to a batch file. (Citation: Palo Alto Gamaredon Feb 2017) (Citation: ESET Gamaredon June 2020) (Citation: CERT-EE Gamaredon January 2021) (Citation: Unit 42 Gamaredon February 2022) |
| Enterprise | T1218.005 | Mshta Sub-technique | Gamaredon Group has used `mshta.exe` to execute malicious files. (Citation: Symantec Shuckworm January 2022) (Citation: unit42_gamaredon_dec2022) (Citation: ESET Gamaredon Sept2024) (Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) |
| Enterprise | T1137 | Office Application Startup | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the |
| Enterprise | T1102 | Web Service | Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system. (Citation: ESET Gamaredon June 2020) |
| Enterprise | T1497.001 | System Checks Sub-technique | Gamaredon Group has checked existing conditions, such as geographic location, device type, or system specification, before the victim is sent a malicious Word document. (Citation: SilentPush_GamaredonFastFlux_Sept2023) |
Groups, software, and campaigns
S0686: QuietSieve
QuietSieve is an information stealer that has been used by Gamaredon Group since at least 2021.[1]
S0147: Pteranodon
Pteranodon is a custom backdoor used by Gamaredon Group. [1]
S0332: Remcos
S0097: Ping
S0075: Reg
S0685: PowerPunch
PowerPunch is a lightweight downloader that has been used by Gamaredon Group since at least 2021.[1]
All related ATT&CK context
Object version and sync metadata
The fields below describe the current mirrored snapshot. When Glexia retains multiple ATT&CK source imports, you can open the table to compare the same object across releases (hashes and MITRE timestamps). For MITRE’s own release notes and roadmap, see ATT&CK resources — Updates.
Imported snapshots across ATT&CK releases (1)
| Release | Bundle imported | Object version | Modified | Status | Raw hash |
|---|---|---|---|---|---|
| 19.1 | | 3.3 | | Current bundle | 8c11fc21b137… |
Mirrored ATT&CK source object
The raw object is retained through the mirrored ATT&CK source bundle and object hash. The raw endpoint returns the exact object from the mirrored bundle when available.
External references and citations
MITRE external references are preserved separately from Glexia analysis so citations remain traceable to their original source records.
- [1] Palo Alto Gamaredon Feb 2017. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
- [2] TrendMicro Gamaredon April 2020. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
- [3] ESET Gamaredon June 2020. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
- [4] Symantec Shuckworm January 2022. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
- [5] Microsoft Actinium February 2022. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
- [6] Bleepingcomputer Gamardeon FSB November 2021. Toulas, B. (2018, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.
- [7] ACTINIUM. (Citation: Microsoft Actinium February 2022)
- [8] Aqua Blizzard. (Citation: Microsoft Threat Actor Naming July 2023)
- [9] Armageddon. (Citation: Symantec Shuckworm January 2022)
- [10] Cloudflare 2026 Threat Report New Threat Actors March 2026. Cloudflare. (2026, March 3). Introducing the 2026 Cloudflare Threat Report. Retrieved April 18, 2026.
- [11] DEV-0157. (Citation: Microsoft Actinium February 2022)
- [12] Gamaredon Group. (Citation: Palo Alto Gamaredon Feb 2017)
- [13] IRON TILDEN. (Citation: Secureworks IRON TILDEN Profile)
- [14] Microsoft Threat Actor Naming July 2023. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
- [15] NastyShrew. (Citation: Cloudflare 2026 Threat Report New Threat Actors March 2026)
- [16] Primitive Bear. (Citation: Unit 42 Gamaredon February 2022)
- [17] Secureworks IRON TILDEN Profile. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
- [18] Shuckworm. (Citation: Symantec Shuckworm January 2022)
- [19] Unit 42 Gamaredon February 2022. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
- [20] mitre-attack G0047.
Source: MITRE ATT&CK®. © 2026 The MITRE Corporation. This work is reproduced and distributed with the permission of The MITRE Corporation. MITRE ATT&CK and ATT&CK are registered trademarks of The MITRE Corporation. Glexia is not affiliated with or endorsed by MITRE.