Campaign Summary

Timeframe: February – November 2025
37 analyzed samples
New zero-click infection vector -> CVE-2025-6218
New C2 architecture: DynDNS + Fast-Flux + Telegram + graph.org
Two-stage geo-fencing + header firewall
Pteranodon as the central Stage-2 loader
Server-side registration required for deeper payload access

As the year slowly crawls toward its inevitable end (like certain Russian infrastructure), it’s a good moment to take another detailed look at Gamaredon’s ongoing phishing campaign targeting Ukraine.

I’ve previously published a high-level overview of this campaign, you can check that article out if you want the “lite” version.
Today, however, we’re digging deeper: how to untangle the FSB’s infrastructure for this operation and how we managed to extract additional payloads directly from their servers with varying degrees of cooperation from Microsoft’s RAR parser.

A quick thank-you goes out to my brother Ramon, who assisted especially in retrieving additional payloads from Gamaredon’s backend. Family bonding through state-sponsored malware analysis, truly heartwarming.

Dataset Overview

For this analysis, I organized all samples into a structured table divided into Stage-1 and Stage-2 to Stage-X artifacts.

Stage-1 samples are the actual phishing attachments delivered to victims (HTA, LNK, RAR archives).
Stage-2 to Stage-X samples represent everything the Gamaredon infrastructure subsequently downloads once the initial loader executes or the vulnerability is triggered.

Each entry contains:

Filename: original name taken from the email attachment or payload
Hash: SHA-256 fingerprint for verification
Dropped Files: anything extracted or written by the sample (HTA/PS1 loaders, Pteranodon modules, persistence scripts, etc.)

This allows us to map the infection chain fully, from the very first email to the deeper payload ecosystem sitting behind Gamaredon’s firewall-like C2 logic.

In total, we analyzed 37 samples for this write-up.

Stage 1 Samples (Click to open)

Stage 2-X Samples

Sample	Hash	Drops
Dropper-Sample-1.hta	9b14d367c99b7d9187a58406ad3eb55e2dee12b4b2bc341f9058c622b7b87fa3	Dropper-Sample-1.1.ps
Dropper-Sample-1.1.ps	f1a52573d11b3bee874e7d29c15d952492e2f4a72e2213fdb9274d0555d90978	Lockdown-Script-Sample-1.ps
Lockdown-Script-Sample-1.ps	9627415eafc3be2756d73b4440372fc99e99e25cd53c012ffccdc5d35ce0f70b
Dropper-Sample-2.hta	9fc2a247313b078d795419b7d1c7c0cd907a103a4c64ebab6c96ddb7b958d230	Dropper-Sample-2.1.hta
Dropper-Sample-2.1.hta	7f467084343ca7986a188108390c1de3c98bb211e304cc4bc700125c1ea495f6	Wiper-Sample-1.ps
Wiper-Sample-1.ps	d4b5e0b45eab241ef03b64f0a52929fdd15e8ef783e1c7952ba01b199e4e3932
94298febd57718f0e05e61c9966f95347598e7ba1a05a48b8c9f9151023a839a.base64	94298febd57718f0e05e61c9966f95347598e7ba1a05a48b8c9f9151023a839a	008af94fd04c55582d9d8d6547f1276c04523494b25e7ff8f8f1bdc444abf1e7
aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af.ps	aa572532ab1c8a731e7ba32e97ba180268eee8e6a74a2b9c4dc3efb669edb9af

Operational Objective of the Campaign

The analyzed artifacts make the intention behind this operation painfully clear:
the campaign is aimed squarely at Ukrainian military, governmental, political, and administrative entities.

Based on filenames, document themes, and sender infrastructure, Gamaredon’s operational goals can be summarized as follows:

Military intelligence collection (documents, internal communication, location data, organization charts)
Rapid exfiltration (Pteranodon immediately sends host-, user-, and system-metadata to the C2)
Long-term espionage (stealers, wipers, tasking modules, USB spreaders)
Disruption & anti-forensics (registry cleaning, MRU deletion, startup folder cleanup)
Targeted propagation inside internal networks (USB/NAS/network spread)

This is not an opportunistic campaign. It is a structured, military-oriented espionage and sabotage operation consistent with, and likely coordinated by Russian state intelligence.

Campaign Timeline

Campaign Description

Gamaredon continues to bombard Ukrainian organizations with phishing emails, using a rotating set of attachments and themes.
The filenames of the analyzed samples strongly indicate military and political targeting, and the underlying infrastructure is built on large DynDNS farms and Fast-Flux C2 nodes an architecture that screams “FSB budget optimization,” if you will.

Until early November 2025, the group primarily distributed HTA and LNK attachments.
Then they shifted strategy, adopting a new Windows vulnerability CVE-2025-6218, allowing infections without the victim consciously executing anything.

Their new favorite delivery vector?
RAR archives containing seemingly harmless documents.

What happens?

When a victim opens the RAR archive:

the vulnerability triggers immediately
a hidden HTA is extracted straight into the Windows Startup folder
reboot -> automatic execution -> connection to Gamaredon’s C2
further payloads are downloaded and initial reconnaissance begins

A classic example of Microsoft doing Microsoft things.

Infection Chain (CVE-2025-6218 & CVE-2025-8088)

The multi-stage infection chain used in this campaign is simple, elegant, and annoyingly effective.
A key component is the server-side access control logic, which tightly restricts who is allowed to receive further payloads, ensuring that analysts outside the target region receive nothing but empty responses and existential frustration.

1. Initial Access: Web-based Loaders

Entry points include:

HTA attachments
LNK droppers
RAR archives containing HTA or LNK files
And increasingly:
- RAR archives exploiting CVE-2025-6218 and CVE-2025-8088

CVE-2025-6218

Vulnerability allowing automatic file extraction into privileged directories
HTA placed into Startup without user execution

CVE-2025-8088

MSHTML execution bypass, circumventing Windows 11 hardening

All these delivery formats share one purpose:
download and launch Pteranodon, the central stage-2 loader.

2. Pteranodon Loader

Once the initial dropper executes, it fetches Pteranodon via HTTP(S).
This is where Gamaredon’s C2 firewall kicks in.

Persistence Mechanisms

Pteranodon uses multiple persistence vectors depending on available permissions:

Registry Run keys (HKCU and occasionally HKLM)
Scheduled tasks (5 – 30 minute intervals)
HTA files in the Startup folder
Hidden script copies inside %APPDATA%, %LOCALAPPDATA%, and %PROGRAMDATA%

These ensure the loader survives multiple reboots and can continuously request new tasks and modules.

Communication Structure

Gamaredon’s C2 traffic is distinctive:

XOR + Base64 layering
Pseudo-JSON structures (loose key/value pairs)
Regular tasking requests (download payload, run wiper, USB spread, resend systeminfo)
Operator fingerprints (recurring variable names and patterns)

Pteranodon is intentionally simple, lightweight, and extremely flexible, the malware equivalent of a Russian Lada:
It may look primitive, but you’ll be surprised how long it keeps going.

3. Access Control Logic (C2 Firewall)

Gamaredon uses a multi-layered filtering system that serves as both OPSEC and anti-analysis defense.

Purpose of the Access Control Logic

The C2:

only responds fully to Ukrainian IP ranges
verifies browser headers
requires system registration before delivering deeper payloads

This effectively locks out researchers, sandboxes, cloud instances, and… pretty much everyone except the intended victims.

Stages

Stage 1: IP Validation

Non-Ukrainian IP -> HTTP 200 with empty body
Ukrainian IP -> proceed

Stage 2: Header Validation

Must supply correct:
- Identifier/Token
- User-Agent
- Accept-Language

Invalid -> serve a 0-byte file
Valid -> proceed

Stage 3: Registration & Tasking

Full payload access only after system registration:

hostname
username
local IP
environment
token

Then the C2 provides:

USB/network spread modules
Wipers
Persistence modules
Stealers
Additional droppers

The basic access control logic looks like this:

4. Campaign Characteristics

Strict Ukraine-only geo-fencing
Strong anti-analysis (empty responses instead of errors)
High variation of initial access files
Consistent use of Pteranodon
Increased abuse of RAR + CVE-2025-6218
Multiple drops per day

Analysis

This article focuses more on mapping the infrastructure than on deep reverse-engineering.
If you want in-depth Stage-1 payload analysis, check my previous article.

Once the malicious attachment is executed, it contacts a remote Gamaredon domain and retrieves Pteranodon.

Key observations from sandboxing

Most sandbox environments receive empty responses, expected due to the C2 filtering
Simulating headers alone is insufficient
Regular Ukrainian proxies also fail
Rotating Ukrainian residential proxies do work
However, deeper stages require successful registration, which makes automated extraction time-consuming

After bypassing the filters, we obtained obfuscated HTAs containing Base64-encoded PowerShell.

These loaders then fetch:

Pteranodon
wiper modules
auxiliary droppers
etc.

All files are provided in the sample table for further analysis.

Telegram & graph.org C2 Distribution

Gamaredon uses:

Telegram channels for rotating C2 IPs and cryptographic material
graph.org pages for rotating payload URLs

Both platforms are:

ideal for operations requiring frequent updates
highly resilient
hard to take down

https://graph.org/vryivzphxwc-11-11

I built a tracker that extracts and publishes these rotating IPs, domains, and secrets to GitHub daily, you can access it here.

Fast-Flux Infrastructure (194.67.71.0/24)

One IP stood out: 194.67.71.75, belonging to REG.RU, a well-known high-abuse Russian hosting provider.

Findings:

200+ IPs in the subnet engaged in coordinated port-scanning against Ukrainian targets (April 2025)
44,157 PassiveDNS entries for the 256 hosts
39,903 unique domains
Typical Fast-Flux characteristics:
- extremely short TTL
- rapid IP rotation
- each IP hosting dozens of unrelated domains
- low-quality disposable domain patterns
- consistent abusive behavior

This subnet is:

clearly Russian-controlled
used for offensive operations
structurally similar to GRU-affiliated infrastructure
highly likely to be connected directly or indirectly to the FSB

I built a graph on VirusTotal to visualize the malware distribution by the subnet:

Changes in the 2025 Gamaredon Campaign

Compared to 2021 – 2024, the 2025 operation shows significant evolution:

1. Zero-Click via CVE-2025-6218

RAR-based exploit allows silent execution with no user interaction.

2. RAR-First Delivery

RAR replaced HTA/LNK as the primary attachment format.

3. More complex access control

Geo-fencing, header checks, registration tokens, and multi-stage filtering.

4. Decentralized C2

Heavy reliance on Telegram + graph.org.

5. Expanded Stage-1 variations

HTA, LNK, RAR+LNK, RAR+HTA, RAR exploiting CVE-2025-6218.

6. Stronger persistence & propagation

Better registry/task persistence and more aggressive lateral movement.

Summary

The 2025 Gamaredon campaign is no longer just “phishing with extra steps”
It has evolved into a modular, highly dynamic, multi-infrastructure malware ecosystem, powered by:

Zero-click exploits
Geo-fenced C2 delivery
Fast-Flux DNS
Telegram distribution
graph.org rotation
Persistent Pteranodon loaders

…all wrapped in a design philosophy best described as:
“If it works, ship it, if it breaks, wrap it in Base64 and ship it anyway.”

MITRE ATT&CK Mapping

The current Gamaredon campaign maps to a wide range of relevant MITRE ATT&CK techniques.
Below is a consolidated overview of the most important tactics and techniques observed during the various stages of the operation: (Click To Open)

TA0001 – Initial Access

T1566.001 – Phishing: Spearphishing Attachment
Distribution of HTA, LNK, and RAR attachments using thematically relevant document names.

T1204.002 – User Execution: Malicious File
Execution of HTA/LNK loaders, or automatic execution via CVE-2025-6218.

TA0002 – Execution

T1059.005 – Command and Scripting Interpreter: Visual Basic
Extensive use of HTA and VBScript for initial loader execution.

T1059.001 – Command and Scripting Interpreter: PowerShell
Used to download and run Pteranodon modules.

T1203 – Exploitation for Client Execution
CVE-2025-6218 enabling automatic HTA placement and execution (zero-click).

TA0003 – Persistence

T1547.001 – Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
Persistence achieved via HTA scripts placed in the Startup folder and registry autostarts.

T1053.005 – Scheduled Task/Job
Creation of scheduled tasks that periodically re-execute Pteranodon or supplemental scripts.

TA0004 – Privilege Escalation

(No explicit privilege escalation techniques observed; Gamaredon typically operates under user-level permissions.)

TA0005 – Defense Evasion

T1027 – Obfuscated/Encrypted Files and Information
Heavy use of BASE64 and XOR layers to obfuscate code and communications.

T1497 – Virtualization/Sandbox Evasion
C2 access-control (IP/header validation) to prevent payload delivery to researchers or sandboxes.

T1070 – Indicator Removal on Host
Wiper/cleanup scripts remove MRUs, registry traces, and startup entries.

TA0006 – Credential Access

(Seen in earlier Gamaredon campaigns; less prominent in 2025.)
T1552.001 – Unsecured Credentials: Credentials in Files
Some modules harvest document contents and autocomplete data.

TA0010 – Exfiltration

T1041 – Exfiltration Over C2 Channel
Hostnames, usernames, system metadata, and environment details sent directly to C2.

TA0011 – Command and Control

T1071.001 – Application Layer Protocol: Web Protocols
C2 communication over HTTP/HTTPS.

T1102.002 – Web Service: Telegram
Use of Telegram channels for dynamic IP rotation and distribution of secrets/tokens.

T1102 – Web Service (graph.org)
Use of graph.org pages for periodically rotating payload URLs.

T1568.002 – Dynamic DNS
Frequent use of DynDNS for rotating C2 domains.

T1090 – Proxy
Fast-Flux infrastructure in subnet 194.67.71.0/24 used to proxy malicious infrastructure.

TA0009 – Collection

T1119 – Automated Collection
Immediate collection of system information after Pteranodon’s initial registration.

TA0008 – Lateral Movement / Propagation

T1091 – Replication Through Removable Media
USB-based propagation (a long-standing Gamaredon tactic).

T1021 – Remote Services (limited)
Some modules show capability for internal network spread.

High-Level Indicators for Threat Hunters

This section summarizes the most important behavioral indicators that SOCs, threat hunters, and CERT teams can use to detect Gamaredon activity early.
These are high-level detection patterns rather than sample-specific IOCs

1. Network Indicators

HTTP requests from mshta.exe or powershell.exe to DynDNS domains, graph.org pages, or Ukrainian/Russian subnets
Repeated GET requests resulting in 0-byte responses
Outbound traffic to 194.67.71.0/24 (REG.RU Fast-Flux cluster)
Unexpected connections to Telegram API/channels without active user sessions
Very low DNS TTL values for domains rotating across many IPs

2. File System Indicators

Presence of suspicious script files:

HTA/VBS in the Startup folder:
%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\*.hta
Dropped PowerShell/VBS files in:
- %APPDATA%
- %LOCALAPPDATA%
- %PROGRAMDATA%
Files with pseudo-legitimate names such as Update.hta, Sync.hta, etc.

3. Registry Indicators

New or unusual autostart entries in:

HKCU\Software\Microsoft\Windows\CurrentVersion\Run
HKLM\Software\Microsoft\Windows\CurrentVersion\Run

Suspicious values like:
SystemUpdate, WinService, TaskHost, MSConfigSync

4. Process Indicators

Suspicious execution of:

mshta.exe
wscript.exe
cscript.exe
powershell.exe

Especially when combined with:

obfuscated arguments
Base64-encoded payloads
long XOR/Chr() sequences
inline HTTP URLs

5. Anti-Analysis / Sandbox Indicators

Malware returns completely empty responses when contacted from non-Ukrainian IPs
Stage loaders delivering 0-byte payloads when no registration token is provided
Behavior drastically changes depending on IP region and C2 validation

6. Tactical Patterns

Multiple execution stages within a very short timeframe
Frequent contact with newly generated DynDNS domains
Appearance of new graph.org pages containing short random identifiers
Telegram messages containing random Base64 blobs representing rotating secrets/IPs

7. Runtime Indicators (Sysmon/SOC)

Event ID 11 – file creation within Startup folder

Event ID 1 – mshta.exe -> powershell.exe -> network connection

Event ID 3 – outbound network connections from mshta.exe or powershell.exe

Event ID 7 – unexpected script engine DLL loads

IOCs

In our Analysis we could find the following IOCs used in this campaign:

IOC-Type	IOC-Value
DynDNS Payload Delivery Server	acess-pdf.webhop.me
	creates.webhop.me
	digitall.webhop.me
	dears.serveirc.com
	dilopendos.serveirc.com
	downcraft.serveirc.com
	fixer.serveirc.com
	fixfactors.serveirc.com
	kia-court.serveirc.com
	political-news.serveirc.com
	readers.serveirc.com
	serversftp.serveirc.com
	ssu-procuror.redirectme.net
	yeard.serveirc.com
	papilonos.hopto.org
	diskpart.myddns.me
	selodovo.myddns.me
	document-downloads.ddns.net
	systems-debug.ddns.net
	document-prok.freedynamicdns.org
	downloads-document.freedynamicdns.org
	write-document.freedynamicdns.org
	procurature.freedynamicdns.org
	print-documents.freedynamicdns.net
	google-pdf.redirectme.net
	hosting-redirect.sytes.net
	tillthesunrise.sytes.net
	open-files.systes.net
	open-pdf.serveftp.com
	pasive-host.gotdns.ch
Cloudflare	app-334825a6-4a2b-48bc-be92-e0582d656006.cleverapps.io
	libraries-thus-yale-collaborative.trycloudflare.com
	vacations-mic-games-scale.trycloudflare.com
	incidence-polished-expires-denver.trycloudflare.com
	streams-metallic-regulatory-armor.trycloudflare.com
	divine-water-36e7.5ekz2z6pjk.workers.dev
	long-king-02b7.5ekz2z6pjk.workers.dev
	quietunion.48clhonm1m.workers.dev
	divine-water-5123.svush66274.workers.dev
	blackvoice.lydef24298.workers.dev
	vaporblue.ddnsking.com
Domains	rqzbuwewuvnbbaucfhjl.supabase.co
	For.estaca.ru
	exorcise.me
	andonceagain.online
	gihs.andonceagain.ru
	andonceagain.ru
	antresolle.ru
IP Adresses	5.181.2.158
	5.181.2.161
	95.163.236.162
	185.168.208.228
	194.58.66.5
	194.58.66.132
	194.58.66.192
	194.67.71.75
	194.87.240.141
	194.87.230.166
	194.87.240.215
	194.87.240.217
	185.39.204.82
	45.141.234.234
	5.8.18.46
	103.224.182.251
	144.172.84.70
	45.32.220.217
	65.38.120.43
	64.7.199.177
	172.104.206.42
	107.189.18.173
	107.189.23.61
Telegram URLs	https://www.telegram.me/s/natural_blood
	https://www.telegram.me/s/oberfarir
	https://telegram.me/s/teotori
URLs	/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf
	/gpd_07.11.2025r/disputeqG1/concealedn2N.pdf
	/moss_10.11.2025/futureHtG/accountc7z.pdf
	/SUU_11.11.2025/dicontentedOhr/scoundrelit1.pdf
	/SVrr_12.11.2025/crookoxQ/learningB4J.pdf
	/mmoUU_13.11.2025/evolutionKPm/armourV2P.pdf
	/sss_10.11.2025/dialGsd/horribleNQx.pdf
	/ss_07.11.2025/flashlightsK8Q/pondjsQ.pdf
	/motherrDJ/ssu/flowerbedD6M/dressmakerpvv.pdf
	/sprdvth/tailor.ps1
	/regretxso/GP4/investigationer4/exhibtionLD6.pdf
	/OD/sensationaSL/AprilcWs.jpeg
	/SS/atomN2s/arwardU26.jpeg
	/OD/remisshKY/consentedjtP.jpeg
	/OD/quitzU2/comparativelyNWU.jpeg
	/Gost/pitchedcbY/intenseLKt.jpeg
	/GPuUkr/satALU/eventfulpNq.pdf
	/prosperousd92/allowingclO
	/prosperousd92/allowingclO
Documents	додаток.doc
	дск.doc
	доповідна запискa.doc
	супровід катування.doc
	лист до.doc
	убд.doc
	наказ наряд.doc
	ГУР МОУ.doc
	згвалтування.doc
	супровод.doc
	обезголовлення військовополоненого.jpeg
	обезголовлення українського військовополоненого.jpeg
	згвалтування військових.jpeg
	фото секс.jpeg

Sample	Hash	Dropped Files
e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510.hta	e4258bdfa82a1065aa1095ae2c6da4240f6ebe20ba285e56f1e216eec5984510
fc249b4686f4cfd98ab016aac32ecccf947012321a321d8e6463c17401b0c700.zip	fc249b4686f4cfd98ab016aac32ecccf947012321a321d8e6463c17401b0c700	2-1180-25_24.06.2025.HTA
eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8.zip	eed1ab171c449173059d2c5955e6ddfa73aaf952c612210b82c85137f42e01b8	2-1180-25_24.06.2025.HTA
478604b0f9323082b61521045a310b3362f405a0781a735dfe72f8ffed054be7.zip	478604b0f9323082b61521045a310b3362f405a0781a735dfe72f8ffed054be7	2-1180-25_24.06.2025.HTA
68314e93b47d774e378d4c573f08417bf40ead61caaeafbc128c3c6dff96ae0c.rar	68314e93b47d774e378d4c573f08417bf40ead61caaeafbc128c3c6dff96ae0c	Звернення народного депутата Верховної Ради України IX скликання 11-2967-25_23.09.2025.HTA 11-2967-25_23.09.2025.pdf
82e05b396443fcedeb4b165a8e5ee4d85195b4ba0a58a085670525598e46eedd.zip	82e05b396443fcedeb4b165a8e5ee4d85195b4ba0a58a085670525598e46eedd	82e05b396443fcedeb4b165a8e5ee4d85195b4ba0a58a085670525598e46eedd.rar Письмо.pdf Письмо.pdf:.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_run.bat Письмо.pdf:XXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXXX Письмо.pdf:stream_12xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
7b936b2885c3b02243d7cbf751f341840f26cd0de7d4910843159fbc05e1db60.rar	7b936b2885c3b02243d7cbf751f341840f26cd0de7d4910843159fbc05e1db60	Передати засобами АСУ Дніпро_6_3_4_4265_17.11.2025.pdf Передати засобами АСУ Дніпро6_3_4_4265_17.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_6_3_4_4265_17.11.2025.HTA
05f23e5c668c73128b6140b2d7265457ce334072a0b940141a839ec3e7234414.rar	05f23e5c668c73128b6140b2d7265457ce334072a0b940141a839ec3e7234414	Передати засобами АСУ Дніпро_9_5_5_433_17.11.2025.pdf Передати засобами АСУ Дніпро9_5_5_433_17.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_9_5_5_433_17.11.2025.HTA
83141b865be20f01dbb8520577500f57ec26357153ee093c5ba46f787aab7f7c.lnk	83141b865be20f01dbb8520577500f57ec26357153ee093c5ba46f787aab7f7c
331eedee2d5df87c46b93b719ca623aeebafc91157d70ffe381cd1c06ae46841.rar	331eedee2d5df87c46b93b719ca623aeebafc91157d70ffe381cd1c06ae46841	.Довiдка щодо невиконання….lnk Довiдка щодо невиконання….docx
237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0.rar	237696ecc370688a8d1894eb2f95af53a3c0f8d42eb540b7f529b4d4f4492bc0	Передати засобами АСУ Дніпро_2_7_4_62_13.11.2025.pdf Передати засобами АСУ Дніпро2_7_4_62_13.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_7_4_62_13.11.2025.HTA
a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1.rar	a1832e9c58b9b3d355775ecaa6567d9727f4a39cf372fa9c7c2b42d70e98d0e1	Передати засобами АСУ Дніпро_3_8_2_7442_13.11.2025.pdf Передати засобами АСУ Дніпро3_8_2_7442_13.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_3_8_2_7442_13.11.2025.HTA
d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22.rar	d9fec61a4b1bb0ee158e65a7cea8c8098bf1ea2117289a48c2ae9e373bb50e22	Передати засобами АСУ Дніпро_2_1_1_7755_12.11.2025.pdf Передати засобами АСУ Дніпро2_1_1_7755_12.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_12.11.2025.HTA
95d30188fcc3864a6c8f9c01e27a588ea2b456f55b737c27f4b0cd756b887013.hta	95d30188fcc3864a6c8f9c01e27a588ea2b456f55b737c27f4b0cd756b887013
6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar	6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f	Передати засобами АСУ Дніпро_2_1_1_7755_11.11.2025.pdf Передати засобами АСУ Дніпро2_1_1_7755_11.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2_1_1_7755_11.11.2025.HTA
0cebe68cbe06a390acee24c33155bb1d9910d4edcb660d0d235ce2a4e3c643c5.hta	0cebe68cbe06a390acee24c33155bb1d9910d4edcb660d0d235ce2a4e3c643c5
c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c.zip	c7726c166e1947fdbf808a50b75ca7400d56fa6fef2a76cefe314848db22c76c	Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf Щодо надання інформації (військова частина А0135_11-967_11.11.2025).pdf:.........._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_11.11.2025.HTA
5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea.rar	5437c7bc4423b8acb8a6646ac2cd5379101ac73b6011549b25f1cd95bb333cea	Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf Запит на отримання інформації командира військової частини А0135_11-967_10.11.2025.pdf:.........._.._AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_11-967_10.11.2025.HTA
21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1.rar	21ad5d05a43d599b6225cd883b10356f4b8cd465a2fcb2745d90cfa65c6cffa1	Перегляд підходів до призову під час мобілізації_2-3716-25_07.11.2025.pdf Перегляд підходів до призову під час мобілізації2-3716-25_07.11.2025.pdf:............_AppData_Roaming_Microsoft_Windows_Start Menu_Programs_Startup_2-3716-25_07.11.2025.HTA
7a1417492979f569747bf11211bf523d5479c163e717651ebba20ad73834b8bb.hta	7a1417492979f569747bf11211bf523d5479c163e717651ebba20ad73834b8bb
18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104.hta	18c4d384f8fef858accb57fff9dc4036bf52a051b249696b657162b1adcbf104
f35a91aa6b720f33fb971deee228e48a07d51df9762de6d616481fad1008b7ea.htm	5a8aada4bbc37d79f93349587a639f322eb4d068dd0c5b8131d3b69cf9c833e0
5a8aada4bbc37d79f93349587a639f322eb4d068dd0c5b8131d3b69cf9c833e0.zip	5a8aada4bbc37d79f93349587a639f322eb4d068dd0c5b8131d3b69cf9c833e0	2-13476-2025_08.09.2025.pdf Повістка про виклик до військового комісаріату 2-13476-2025_08.09.2025.HTA
27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0.hta	27bd90199e426719d1c3ef214215a17fae23f257d8bcb7a806e394e8666158f0
3611035faf63b8bf14c88a9bd02e3783f2bde3128c97f6317d4d4c912463ef39.xhtml	3611035faf63b8bf14c88a9bd02e3783f2bde3128c97f6317d4d4c912463ef39
2-1180-25_03.06.2025.HTA	9ce60dde11c1ad72af22ccd774c0efe9c5a206e9dcfbc2388a1b09cc70747f09
2f3b6223e31562592e86ae4dd4a5d0ceff518cf4feeb98f796febcb66d9148c4.zip	2f3b6223e31562592e86ae4dd4a5d0ceff518cf4feeb98f796febcb66d9148c4	Perelik_dokumentiv.txt.lnk raport-na-otrimannya-dovidki-pro-obstavini-travmi.pdf
2-1180-25_24.06.2025.HTA	ab54862f180b379cb8d612fbb22891402e7d55151dba87e7b11e45c5e45b6d7c

Synaptic Security Blog