Gamaredon: Same Goal, Fewer Fingerprints

by Robin Dost

In malware analysis, it is tempting to describe change as innovation.
New tricks, new tooling, new malware families.
What is far more revealing, however, is how little actually changes and what changes anyway.

Between late November and the end of December 2025, several Gamaredon-related VBScript loaders surfaced that are, functionally, almost identical. They all execute the same mechanism, rely on the same execution primitive, and ultimately aim for the same outcome.

And yet, something does change, quietly, incrementally, and very deliberately.

This article focuses strictly on observable, concrete shifts in obfuscation, not assumptions, not intent inferred from tooling, and not architectural leaps that are not supported by the samples themselves.

For this analysis, I used the following samples:

Date of SampleHashDownload
19.12.20256de9f436ba393744a3966b35ea2254dde2f84f5b796c6f7bee4b67ccf96ccf0aDownload
22.12.20259218528a40a48a3c96df3b49a7498f6ea2a961f43249081b17880709f73392c1Download
25.12.20252c69fd052bfaa03cd0e956af0f638f82bc53f23ee8d0c273e688e257dac8c550Download
30.12.2025846748912aa6e86b9d11f6779af6aae26b7258f8610d5e28eff0083779737824Download

25 November 2025 – Noise Without Structure

The earliest sample is dominated by volume.

Characteristics:

  • Hundreds of variables that are written to once and never read again
  • Repeated arithmetic mutations (x = x + 14) without semantic relevance
  • Long linear execution flow
  • No variable declarations (Dim entirely absent)

The obfuscation here serves one purpose only: syntactic noise.

There is no attempt to:

  • Hide control flow
  • Delay string resolution
  • Reconstruct logic conditionally

Everything is present in the source, just buried under irrelevant assignments.

From an analyst’s perspective, this sample is noisy but predictable.
Once dead code is ignored, execution logic collapses into a short, linear sequence.

19 December 2025 – Indicator overload

The mid-December sample introduces a clear and measurable change: indicator density.

New observations:

  • A significant increase in hard-coded URLs
  • URLs pointing to unrelated, legitimate, and state-adjacent domains
  • No execution dependency on most of these URLs

Crucially, these URLs are not obfuscated. They are placed in plain sight.

This is not string hiding it is indicator flooding.

The obfuscation shift here is not technical complexity, but analytical friction:

  • Automated extraction produces dozens of false leads
  • IOC-based clustering becomes unreliable
  • Manual triage cost increases without changing execution logic

The loader still behaves linearly. What changes is the signal-to-noise ratio.

22 December 2025 – Defensive Reaction at the Payload Layer

The December 22 sample is not an obfuscation milestone, but it is a defensive one.

From a loader perspective, almost nothing changes:

  • The download URL is fully present and statically recoverable
  • No additional string hiding or control-flow manipulation is introduced
  • Execution remains linear and transparent

However, focusing solely on loader complexity misses the actual shift.

The real change happens at the payload layer

For the first time in this series, the loader delivers GamaWiper instead of Pterodo for Analysis environments.

This is not a neutral substitution.

As outlined in my earlier analysis of GamaWipers behavior, this payload is explicitly designed to:

In other words:
Gamaredon reacts defensively, just not in the loader yet.

Why obfuscation does not increase here

The absence of additional loader obfuscation is not a contradiction, but a signal.

At this stage:

  • The defensive burden is shifted entirely onto the payload
  • The loader acts as a transparent delivery mechanism
  • Analysis deterrence is achieved through destructive behavior, not concealment

This suggests a deliberate sequencing:

  1. Introduce a hostile payload to counter analysis
  2. Observe detection and response
  3. Only then begin hardening the delivery mechanism itself

Why this sample matters

~ December 22 marks the point where Gamaredon stops merely being observed and starts actively responding.

Not by hiding better, but by ensuring that seeing the payload has consequences.

The subsequent increase in loader obfuscation after this date does not replace this strategy.
It complements it.

Payload hostility first.
Delivery hardening second.

Notably, this change occurs almost exactly four weeks after my article outlining practical approaches to tracking Gamaredon infrastructure went public.
Whether coincidence or feedback loop, the timing aligns remarkably well with the first observed deployment of GamaWiper as an anti-analysis response.

25 December 2025 – Control-Flow Noise Appears

The Christmas sample does not introduce new primitives, but it does introduce execution ambiguity.

Concrete changes:

  • Multiple .Run invocations exist
  • Not all of them result in meaningful execution
  • Several objects and variables are constructed but never used
  • Execution order is less visually obvious

This is not branching logic, but control-flow camouflage.

The analyst can still reconstruct execution, but:

  • Dead paths look plausible
  • Execution sinks are no longer unique
  • Automated heuristics struggle to identify the real one

The obfuscation no longer targets strings, it targets execution clarity.

30 December 2025 – Fragmented Runtime Assembly

The final sample introduces the most tangible structural changes.

Observed differences:

  • Systematic use of Dim declarations
  • Extensive use of short, non-semantic string fragments
  • Assembly of execution-relevant strings via repeated concatenation across distant code sections
  • No complete execution string exists statically
  • Domains are just random invalid Domains

At no point does the full execution command exist as a contiguous value in the source.

Instead:

  • Fragments are combined
  • Recombined
  • Passed through intermediate variables
  • Finalized immediately before execution

This directly degrades:

  • Static string extraction
  • Signature-based detection
  • Regex-driven tooling

No encryption is added.
The shift is purely architectural.

05 January 2026 – Added Datetime Parameter to URL

EDIT 07.01.2026: I added this part as new findings appeared

Since early January, another small but relevant change appeared in the loader logic.

The scripts now generate a date value at runtime:

This value is then embedded directly into the download path, resulting in URLs like:

.../UkrNet_02.01.2026/cutting/02.01.2026/hannah8342.pdf

From a detection standpoint, this is subtle but effective

This means:

  • payload paths change daily
  • static URL signatures age out immediately
  • and IOC reuse across campaigns becomes unreliable

Relation to Prior Observations

This behavior aligns closely with patterns discussed in my earlier article on GamaWiper and Gamaredon’s anti-analysis strategies, where delivery behavior adapts based on perceived execution context.

https://blog.synapticsystems.de/gamawiper-explained-gamaredon-anti-analysis/

What Actually Changed and What Did Not

What did not change:

  • Execution primitive
  • Loader purpose
  • Overall delivery mechanism

What did change:

  • When execution-relevant strings become complete
  • How many false execution paths exist
  • How much irrelevant context surrounds the real logic

This is not a rewrite.
It is iterative hardening.

Conclusion

These samples do not demonstrate innovation.
They demonstrate attention.

Each iteration removes one assumption analysts rely on:

  • “The string will exist somewhere”
  • “The execution path is obvious”
  • “Dead code looks dead”

Gamaredon did not add complexity for its own sake.
They added just enough friction to slow analysis and then stopped.

And that restraint is, in itself, the most telling signal.

Upload Response

Your data will be stored in the mainframe. Required fields are marked *