Gamaredon

Search IOCs, vulnerabilities, APT…

216.73.217.98

← Back to intrusion sets

· Published 20/12/2025 20:11 · Modified 20/12/2025 20:11 · Source: AlienVault

Essential information

Confidence: 100/100
Published: 20/12/2025 20:11
Modified: 20/12/2025 20:11
Updated at: 20/12/2025 20:11
Revoked: No
Author / Source: AlienVault
Resource level: —
Primary motivation: —
Related entities: 7 reports, 63 attack patterns (mitre), 47 malware, 4 sectors, 15 countries, 100 indicators, 5 vulnerabilities (cve)

Description

No description.

Marking (TLP)

TLP:CLEAR

Related entities

Attack patterns, malware, vulnerabilities, indicators and other entities linked to this intrusion set.

Reports (7)

Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

18 MITREs 5 Malwares 2 Observables 1 APT
FSB’s matryoshka #2/3 – Gamaredon’s gifts that keeps …

19 MITREs 5 Malwares 1 Observable 1 APT
FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps …

2 CVEs 19 MITREs 6 Malwares 4 Observables 1 APT
Gamaredon in 2024: Cranking out spearphishing campaigns against …

12 Malwares 53 Observables 1 APT
Gamaredon campaign abuses LNK files to distribute Remcos …

8 MITREs 1 Malware 1 APT
PlainGnome and Bonespy Russian Android spyware discovered | …

5 MITREs 2 Malwares 31 Observables 1 APT
Cyberespionage the Gamaredon way: Analysis of toolset used …

8 MITREs 23 Malwares 50 Observables 1 APT

Attack patterns (MITRE) (63)

T1070.006 uses

Timestomp MITRE
T1595 uses

Active Scanning MITRE
T1573.001 uses

Symmetric Cryptography MITRE
T1020 uses

Automated Exfiltration MITRE
T1113 uses

Screen Capture MITRE
T1219 uses

Remote Access Tools MITRE
T1059 uses

Command and Scripting Interpreter MITRE
T1218.010 uses

Regsvr32 MITRE
T1041 uses

Exfiltration Over C2 Channel MITRE
T1566 uses

Phishing MITRE
T1025 uses

Data from Removable Media MITRE
T1059.005 uses

Visual Basic MITRE

← Previous

Page / 6

1–12 of 63

PlainGnome uses

Family
PteroPShell uses

Family
GammaWipe uses

Family
PteroSig uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
PteroGram uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
Pteranodon - S0147 uses

Family
PteroDoc uses

Family
PteroTemplate uses

Family
PteroScout uses

Family
PteroBox uses

Family
BoneSpy uses

AlienVault Confidence 100

First seen 01/01/1970 · Last seen 16/11/5138 ·
LitterDrifter uses

← Previous

Page / 4

1–12 of 47

Chemical targets
Defense targets
Government targets
Defense ministries (including the military) targets

Countries (15)

Chile targets
Kazakhstan targets
Hong Kong targets
Germany targets
Uzbekistan targets
Tajikistan targets
Kyrgyzstan targets
Bulgaria targets
Latvia targets
Viet Nam targets
Poland targets
Ukraine targets

← Previous

Page / 2

1–12 of 15

936b70e0babe7708eda22055db6021aed965083d5bc18aad36bedca993d1442a indicates
7ea77f4746f21e89df52c9a54c12135f3f45f7a342e8b1dba09abf2a7e8c4f15 indicates
365cd7e5f43152fa5cd5fbba18674d354b31290285bc496357dfa6150416b78c indicates
c4d4213ff3b737fe20248362687a0cd3008b630a65b230b06fba282379665c83 indicates
tolofa.ru indicates

stix 100/100 Revoked

· Valid until 24/07/2025 · Source: AlienVault
decorous.ru indicates
c6f415f1fbb957ddcf7b68951f309871ff34fb30a904290875e5db9997cb7ae0 indicates
brudimar.ru indicates
fbd030b53088a536d7e6b6a80e4767c097fbfcb11a921dd7c0fa938322f96842 indicates
rieturc.ru indicates

stix 100/100 Revoked

· Valid until 24/07/2025 · Source: AlienVault
email-smtp.online indicates
undesirable.ru indicates

← Previous

Page / 9

25–36 of 100

Vulnerabilities (CVE) (5)

CVE-2024-4577 KEV targets

9.8 Critical

In PHP versions 8.1.* before 8.1.29, 8.2.* before 8.2.20, 8.3.* before 8.3.8, when using Apache and PHP-CGI on Windows, if the system …

Attack vector: Network
Published: 12/06/2024
Modified: 21/12/2025

Received

CVE-2021-4034 KEV targets

The Red Hat polkit pkexec utility contains an out-of-bounds read and write vulnerability that allows for privilege escalation with administrative rights.

Published: 27/06/2022
Modified: 20/12/2025

CVE-2017-0199 KEV targets

7.8 High

Microsoft Office and WordPad contain an unspecified vulnerability due to the way the applications parse specially crafted files. Successful exploitation allows for …

Attack vector: LOCAL
Complexity: LOW
Published: 12/04/2017
Modified: 22/04/2026

CVE-2018-20250 KEV targets

WinRAR Absolute Path Traversal vulnerability leads to Remote Code Execution

Published: 15/02/2022
Modified: 02/06/2026

CVE-2025-8088 KEV targets

8.8 High

RARLAB WinRAR contains a path traversal vulnerability affecting the Windows version of WinRAR. This vulnerability could allow an attacker to execute arbitrary …

Attack vector: Network
Published: 12/08/2025
Modified: 27/05/2026

Contact About Legal notice Privacy policy Terms of use

Gamaredon

Essential information

Description

Marking (TLP)

Related entities

Reports (7)

Attack patterns (MITRE) (63)

Malware (47)

Sectors (4)

Countries (15)

Indicators (100)

Vulnerabilities (CVE) (5)