{
  "name": "Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies",
  "slug": "analysis-of-apt-c-53-gamaredon-attack-on-ukrainian-government-agencies",
  "description": "APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013 that targets Ukrainian government and military entities. The group has upgraded its tradecraft, shifting to dynamic cloud-based C2 infrastructure and to the targeted delivery of cloud storage tools. In 2025 it conducted intensive intelligence-theft operations against Ukrainian government agencies. The attack chain involves dynamically changing infrastructure, abuse of Microsoft Dev Tunnels, and sophisticated data exfiltration techniques. To evade detection, the group hides behind allow-listed domains, uses domain shadowing, and weaponizes cloud tunnel services. Its data theft process includes registry-based persistence, multi-stage payload delivery via Cloudflare Workers, and exfiltration through legitimate cloud tools such as Dropbox.",
  "published": "2025-09-01T07:55:21+00:00",
  "created_at": "2025-09-01T07:55:21+00:00",
  "modified_at": "2025-09-01T08:32:04+00:00",
  "created_at_opencti": "2025-09-01T07:55:21+00:00",
  "author": "",
  "confidence": null,
  "report_types": [],
  "labels": [],
  "tags": [
    "2025-09-01",
    "apt",
    "cloudflareworkers",
    "cyberespionage",
    "devtunnels",
    "dropbox",
    "powershell",
    "russia",
    "ukraine",
    "vbscript"
  ],
  "related_entities": {
    "observables": [
      {
        "id": "",
        "name": "31.129.22.156"
      },
      {
        "id": "",
        "name": "194.67.71.128"
      },
      {
        "id": "",
        "name": "http://nandayo.ru/srgssdfsf"
      },
      {
        "id": "",
        "name": "euw.devtunnels.ms"
      },
      {
        "id": "",
        "name": "80.euw.devtunnels.ms"
      },
      {
        "id": "",
        "name": "nandayo.ru"
      },
      {
        "id": "",
        "name": "fulagam.ru"
      },
      {
        "id": "",
        "name": "bulam.ru"
      },
      {
        "id": "",
        "name": "litanq.ru"
      },
      {
        "id": "",
        "name": "wise.com@p9tm15n7-80.euw.devtunnels.ms"
      },
      {
        "id": "",
        "name": "megamarket.ua@p9tm15n7-80.euw.devtunnels.ms"
      }
    ],
    "intrusion_sets": [
      {
        "id": "59a94f6b-2fd9-4881-a8d4-ca9ef669cc5a",
        "name": "APT-C-53 (Gamaredon)",
        "slug": "apt-c-53-gamaredon"
      }
    ],
    "attack_patterns": [
      {
        "id": "6f00068c-812c-4e2b-9100-2cfa86b3aed9",
        "name": "T1132.001"
      },
      {
        "id": "c22b5073-f426-4294-98bb-219d17345158",
        "name": "T1553.002"
      },
      {
        "id": "9e784d22-5a6c-4da6-968a-5fab2f019efd",
        "name": "T1059.005"
      },
      {
        "id": "32b33067-6566-4b8d-be80-e96f765d84de",
        "name": "T1059.001"
      },
      {
        "id": "9322d33b-00c1-4f99-9f1a-a33d93c0dac2",
        "name": "T1059.007"
      },
      {
        "id": "0156fcda-e385-4662-b388-086c3e16feec",
        "name": "T1140"
      },
      {
        "id": "09124a92-c11f-4571-b35b-ab0bce6dd081",
        "name": "T1112"
      },
      {
        "id": "c340d47a-2ea8-41ca-9a0b-a72559b89bbf",
        "name": "T1584"
      }
    ],
    "others": [
      {
        "id": "",
        "name": "Ukraine"
      },
      {
        "id": "",
        "name": "Defense"
      },
      {
        "id": "",
        "name": "Government"
      }
    ]
  },
  "external_refs": [
    "https://mp.weixin.qq.com/s?__biz=MzUyMjk4NzExMA==&mid=2247507351&idx=1&sn=0b8c9e5b3ff9d7b6551b3a69c151f7e0&chksm=f9c1ee9eceb66788c94178eec69e10142c58dc7721874f9e4d3120d7ea952faa230221a6e2cc",
    "https://otx.alienvault.com/pulse/68b56d89967a129544d7aa5c"
  ]
}