ESET: Gamaredon deployed six new tools in 2025 Ukraine campaign
ESET Research has published a detailed white paper on Gamaredon, a Russia-aligned advanced persistent threat (APT) group that spent 2025 exclusively targeting Ukrainian governmental and military institutions. The report, released on 25 June 2026, documents six newly developed PowerShell tools, a shift toward cloud-based data exfiltration, and an increasingly sophisticated use of legitimate online services to conceal command-and-control (C&C) infrastructure.
According to ESET, Gamaredon is attributed by Ukraine's Security Service to the 18th Center of Information Security of Russia's FSB, and is believed to operate from occupied Crimea. After a brief operational pause in January 2025, the group accelerated its development cadence in the first half of the year, then shifted toward higher-tempo spear phishing campaigns in the second half. ESET researcher Zoltán Rusnák noted that software updates were consistently observed in the lead-up to Russian and Crimean public holidays, with activity going quiet during the holidays themselves. "This further suggesting that Gamaredon operators are probably government-affiliated employees," Rusnák said.
New toolset and infrastructure
The six new tools introduced in 2025, all written in PowerShell, are PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. ESET highlights PteroPaste as the most technically complex of the group, combining downloader, USB weaponiser, and persistence orchestration functions in a single package. The group also revived PteroSetup, a VBScript weaponiser first seen in 2021. Beyond spear phishing, Gamaredon continued to use custom tools to weaponise USB drives, mapped network shares, and software installers for lateral movement after initial compromise.
On the infrastructure side, two flagship file stealers, PteroPSDoor and PteroVDoor, were upgraded to exfiltrate stolen data to S3-compatible cloud storage providers, specifically Wasabi, Tebi, and Intercolo. Because all three support the Amazon S3 API, the same tooling operates across vendors with minimal modification. A third stealer, PteroBox, continued to upload directly to Dropbox. ESET observes that routing exfiltrated data through recognised cloud storage providers makes malicious traffic harder to distinguish from ordinary business use, while also reducing the group's need to maintain its own receiving infrastructure.
Gamaredon also leaned heavily on "dead-drop" techniques, a method borrowed from traditional espionage tradecraft. Rather than hard-coding a C&C address into malware, operators publish that information on legitimate platforms such as Telegram channels, Dropbox shared folders, Mastodon posts, and the DEV Community developer network. The malware retrieves the address at runtime, meaning takedowns of the legitimate platform page are required to disrupt the communication chain. C&C servers themselves are now further obscured behind tunnels, Cloudflare Workers, dynamic DNS services, and platform-as-a-service providers.
Alliances and wider threat landscape
ESET also documented a collaboration between Gamaredon and Turla, a separate and technically sophisticated Russian APT known for supply-chain and satellite-linked intrusion campaigns. The report notes a further example of task-sharing among Russian-aligned actors: the UAC-0099 group conducted initial access operations and then handed validated targets to Sandworm for follow-on exploitation. This division of labour points to a maturing coordination model among Kremlin-aligned threat actors, with specialist groups contributing distinct capabilities to shared objectives.
The pattern documented by ESET reflects a broader trend in state-sponsored espionage: the deliberate blending of malicious activity into the traffic of widely trusted cloud platforms. For defenders, this complicates perimeter-based detection because blocking Telegram, Dropbox, or Wasabi outright is impractical in most enterprise environments. Security teams protecting government or critical infrastructure workloads should audit egress to S3-compatible endpoints from sensitive hosts, and apply behavioural detection to PowerShell execution chains regardless of whether C&C addresses resolve to recognisable providers.
ESET's full white paper, titled "Gamaredon in 2025: Leveraging tunnels, workers, dead drops, and new alliances," is available on WeLiveSecurity.com alongside an accompanying blog post.