Gamaredon’s Cyberespionage Activities in 2025: A Strategic Threat Perspective
TL;DR
ESET Research highlights that the Gamaredon group has maintained a high level of cyberespionage activities against Ukrainian governmental and military institutions throughout 2025. Notable advancements in their tools and tactics, including collaborative efforts with other threat actors, have made these operations significantly more sophisticated.
Main Analysis
Gamaredon, identified as a Russia-aligned advanced persistent threat group, has consistently targeted Ukrainian institutions since the outset of the conflict. In 2025, their operational tempo increased, particularly in the latter half of the year, marked by 35 distinct spearphishing campaigns. These campaigns saw a notable shift in delivery methods, incorporating malicious HTML attachments and leveraging the CVE-2025-8088 WinRAR vulnerability for maintaining persistence within compromised systems.
ESET’s research reveals the deployment of six new PowerShell-based tools aimed at enhancing delivery mechanisms for payloads. These tools are designed to execute PowerShell and VBScript payloads in memory, enhancing the group’s capability for stealthy operations. Furthermore, the group’s old tool, PteroSetup, has been resurrected, indicating an ongoing strategy to evolve rather than abandon existing capabilities. The adaptation of their toolset reflects a focus on increasing operational efficiency and flexibility, rather than developing complex malware.
Attackers have also intensified their use of cloud storage services for data exfiltration, favoring platforms such as Wasabi, Tebi, and Intercolo so that they no longer need to maintain their own infrastructure. This approach to data exfiltration both blends malicious traffic with legitimate use of these services and complicates detection for defenders. Additionally, Gamaredon’s increasing reliance on dead drops (legitimate services used to host and deliver commands and payloads) adds further layers of obfuscation.
Defensive Context
Organizations with operations or interests in Ukraine, particularly governmental and military sectors, should remain vigilant given Gamaredon’s ongoing cyberespionage focus. The group’s tactics targeting sensitive information within these sectors pose significant risks to national security and operational integrity. Conversely, industries unrelated to governmental or military functions may experience a lower risk profile from Gamaredon’s activities.
The changes in Gamaredon’s operational tactics denote a concerning trend in state-sponsored cyber warfare, highlighting the need for vigilance in environments potentially affected by geopolitical tensions. They indicate a shift towards employing more advanced, collaborative techniques that can enhance the speed and efficacy of their operations.
Why This Matters
The activities of Gamaredon represent a continued threat to Ukraine’s national security. With its focus on sensitive data acquisition, Ukrainian entities are particularly vulnerable, facing persistent risks that can compromise critical infrastructures.
Defender Considerations
Defenders must adapt to the evolving landscape by closely monitoring for spearphishing attempts and analyzing network traffic for connections to the newly identified cloud storage services. Awareness of CVE-2025-8088 is also important, because it enables Gamaredon to establish persistence within compromised environments.
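To make the network-monitoring advice above concrete, the following is an added example (not ESET’s code and not from the white paper) that scans constructed proxy log lines for outbound connections to the cloud storage providers named in the report and summarizes per-host volume. The log format, the host and user names, and the domain watch-list are assumptions: wasabisys.com is Wasabi’s public API domain, while the Tebi and Intercolo entries are placeholders that should be replaced with the indicators published in ESET’s GitHub repository.

```python
"""Detection sketch: flag proxy-log connections to cloud storage providers.

Added example, not part of the original report. The log format, hostnames,
users and watch-list below are constructed/assumed for illustration.
"""
import re
from dataclasses import dataclass

# ASSUMED watch-list. wasabisys.com is Wasabi's public S3-compatible API
# domain; the Tebi and Intercolo entries are placeholders to be replaced
# with the domains from ESET's published IoC list.
WATCHED_DOMAINS = {
    "wasabisys.com": "Wasabi",
    "tebi.example": "Tebi",            # placeholder
    "intercolo.example": "Intercolo",  # placeholder
}

# Constructed key=value proxy log format used by this example.
LOG_RE = re.compile(
    r"(?P<ts>\S+)\s+host=(?P<host>\S+)\s+user=(?P<user>\S+)\s+"
    r"dst=(?P<dst>\S+)\s+bytes_out=(?P<bytes_out>\d+)"
)


@dataclass
class Alert:
    host: str
    provider: str
    connections: int
    bytes_out: int
    first_seen: str
    high_volume: bool  # cumulative upload exceeds the volume threshold


def match_provider(dst, watched=WATCHED_DOMAINS):
    """Return the provider name if dst is a watched domain or a subdomain of one."""
    dst = dst.lower().rstrip(".")
    for domain, name in watched.items():
        # Exact match or a real subdomain; "notwasabisys.com" must NOT match.
        if dst == domain or dst.endswith("." + domain):
            return name
    return None


def parse_line(line):
    """Parse one log line into a dict, or None if it does not fit the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["bytes_out"] = int(rec["bytes_out"])
    return rec


def scan(lines, watched=WATCHED_DOMAINS, volume_threshold=10_000_000):
    """Aggregate connections to watched providers per (host, provider).

    Any contact with a watched provider produces an Alert; high_volume is set
    when the cumulative bytes uploaded reach volume_threshold (10 MB default).
    """
    stats = {}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue  # skip malformed lines rather than crash the scan
        provider = match_provider(rec["dst"], watched)
        if provider is None:
            continue
        key = (rec["host"], provider)
        entry = stats.setdefault(
            key, {"connections": 0, "bytes_out": 0, "first_seen": rec["ts"]}
        )
        entry["connections"] += 1
        entry["bytes_out"] += rec["bytes_out"]

    return [
        Alert(host, provider, s["connections"], s["bytes_out"], s["first_seen"],
              s["bytes_out"] >= volume_threshold)
        for (host, provider), s in sorted(stats.items())
    ]


# Constructed sample log lines (hosts, users and sizes are invented).
SAMPLE_LOG = [
    "2025-09-14T10:21:05Z host=WS-FIN-07 user=o.kovalenko dst=s3.eu-central-1.wasabisys.com bytes_out=48312044",
    "2025-09-14T10:21:09Z host=WS-FIN-07 user=o.kovalenko dst=s3.eu-central-1.wasabisys.com bytes_out=51200000",
    "2025-09-14T10:22:40Z host=WS-HR-02 user=i.melnyk dst=login.microsoftonline.com bytes_out=2048",
    "2025-09-14T10:25:12Z host=WS-OPS-11 user=d.shevchenko dst=cdn.tebi.example bytes_out=4096",
    "2025-09-14T10:26:00Z host=WS-OPS-11 user=d.shevchenko dst=notwasabisys.com bytes_out=9000000",
    "malformed line that the parser must skip",
]

if __name__ == "__main__":
    for alert in scan(SAMPLE_LOG):
        print(alert)
```

The suffix check in match_provider deliberately requires a leading dot so that look-alike domains do not trigger, and the per-host aggregation lets a defender distinguish a single small lookup (which may be benign) from sustained bulk uploads that fit the exfiltration pattern described above.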
Indicators of Compromise (IOCs)
A comprehensive list of indicators of compromise related to Gamaredon’s operations is available through ESET’s GitHub repository and the accompanying white paper. This resource offers critical insights for organizations seeking to bolster defenses against this persistent threat.