Russian hackers attack Western military mission using malicious drive
The Russian state-backed hacking group Gamaredon (aka “Shuckworm”) has been targeting a military mission of a Western country in Ukraine in attacks likely deployed from removable drives.
Symantec threat researchers say the campaign started in February 2025 and continued until March, with hackers deploying an updated version of the GammaSteel info-stealing malware to exfiltrate data.
According to the report, initial access to the infected systems was probably achieved via removable drives containing malicious .LNK files, a vector that Gamaredon has used in the past.
The researchers note a change in the threat actor's tactics, including a shift from VBS scripts to PowerShell-based tools, more obfuscation for payloads, and increased use of legitimate services for evasion.
Latest Gamaredon attacks in Ukraine
During the investigation, the researchers noticed in the Windows Registry of the compromised system a new value under the UserAssist key, indicating that the infection started from a shortcut file named files.lnk on an external drive.
Next, a heavily obfuscated script creates and runs two files. The first handles command and control (C2) communications, resolving the server address using legitimate services, and connecting to Cloudflare-protected URLs.
The second file handles the spreading mechanism to infect other removable and network drives using LNK files, while also hiding certain folders and system files to conceal the compromise.

Next, Gamaredon used a reconnaissance PowerShell script that can capture and exfiltrate screenshots of the infected device and gather information about installed antivirus tools, files, and running processes.
The final payload used in the observed attacks is a PowerShell-based version of GammaSteel that is stored in the Windows Registry.

The malware can steal documents (.DOC, .PDF, .XLS, .TXT) from various locations like Desktop, Documents, and Downloads, confirming Gamaredon’s continuing interest in espionage.
Ultimately, the malware uses ‘certutil.exe’ to hash the files and exfiltrates them using PowerShell web requests. If the exfiltration fails, Gamaredon uses cURL over Tor to transfer the stolen data.
Finally, a new key is added to ‘HKCU\Software\Microsoft\Windows\CurrentVersion\Run’ to establish persistence on the target computer.
The recent Gamaredon campaign reflects an effort to increase operational stealth and effectiveness despite the threat group’s limited sophistication compared to other Russian state actors.
Symantec comments that various incremental but meaningful improvements in the threat group’s TTPs (tactics, techniques, and procedures) elevate the risks it poses to Western networks, especially considering Gamaredon’s unwavering tenacity.