216.73.216.67

Matryoshka #3/3: Gamaredon's Gammasteel Infostealer

· Published 04/06/2026 13:57 · Modified 05/06/2026 09:12

Export JSON

Essential information

Published
04/06/2026 13:57
Modified
05/06/2026 09:12
Tags
2026-06-04 cyberespionage dead drop resolver dpapi fsb gamaredon gammaload gammaphish gammasteel gammawipe gammaworm infostealer ukraine usb propagation vbscript
Related entities
2 observables, 1 intrusion sets (apt), 18 techniques (mitre), 5 malware, 4 others

Description

This analysis examines 's (UAC-0010, Armagedon) advanced espionage operations targeting Ukrainian government, military, and critical infrastructure. The -operated group deploys , a sophisticated stealer operating almost entirely from memory using Windows encryption and storing 71 distinct payload functions in the HKCU\Printers registry key. The malware employs three concurrent data acquisition mechanisms: timed drive scans, USB monitoring for air-gapped systems, and real-time file surveillance. Exfiltration occurs via legitimate S3-compatible cloud storage (Tebi.io) with fallback to operator-controlled servers. The infection chain extensively uses for evasion, Dead Drop Resolvers on platforms like Telegram and Mastodon for C2 configuration, and includes bidirectional backdoor capabilities enabling arbitrary remote code execution. Infrastructure demonstrates high automation with servers rotated approximately every 24 hours.

External references