Gamaredon, a Russian APT group, has accelerated its cyber operations against Ukraine by launching 35 distinct spear-phishing campaigns targeting new victims throughout 2025, according to research from Slovak cybersecurity firm ESET.
The threat actor expanded its toolset with previously undocumented malware variants while exploiting legitimate cloud services to evade detection. ESET identified campaigns primarily concentrated in the second half of the year, marking a notable uptick in both volume and sophistication of Gamaredon's operations.
The group's approach reflects standard APT tradecraft. Operators sent targeted phishing emails to victims in Ukrainian government and critical infrastructure sectors. Upon successful compromise, attackers deployed custom malware designed to establish persistence and gather intelligence. Notably, Gamaredon abused legitimate cloud platforms as command-and-control infrastructure, complicating attribution and defense efforts since traffic blends with legitimate cloud usage.
New malware variants delivered in these campaigns include updated information stealers and backdoors designed to avoid detection by conventional endpoint security tools. The group leveraged legitimate cloud services rather than renting dedicated infrastructure, reducing its operational footprint and evading network-based defenses that rely on blocklists of known malicious domains.
Gamaredon maintains one of the longest operational histories of any Russian state-sponsored group, with activity dating back to at least 2013. The group traditionally focuses on espionage operations against Ukrainian government agencies, military personnel, and energy infrastructure. Previous campaigns documented by security researchers have employed similar phishing-first tactics followed by secondary payload deployment.
The expansion of Gamaredon's malware arsenal and increased targeting volume reflects Russia's continued investment in cyber warfare capabilities against Ukraine. Organizations in Ukraine should implement robust email filtering, multi-factor authentication, and endpoint detection solutions. Government and critical infrastructure operators face a persistent threat from this group and should assume ongoing compromise operations. Western organizations
