Gamaredon
Russian state-sponsored intrusion set publicly attributed by the Security Service of Ukraine (SBU) to FSB officers based in Russian-occupied Crimea. The longest-running publicly documented intrusion set targeting Ukraine — heavy spear-phishing volume against Ukrainian government, military, security services, and judiciary, with sustained operational tempo throughout the post-2022 full-scale invasion. Tradecraft is noisy and prolific rather than stealthy — weaponized Office documents and PowerShell loaders updated almost daily.
Aliases: Shuckworm (Symantec), Primitive Bear (joint advisory AA22-110A), ACTINIUM / Aqua Blizzard (Microsoft), Armageddon (SBU)
Motivations: espionage
Target sectors: government, military, security services, law enforcement, judiciary, NGOs and humanitarian coordination bodies
Target countries: Ukraine
Timeline (6 events)

2025-04-10 · Compromise · Severity: High · Source: Symantec (Broadcom)
Shuckworm targets foreign military mission in Ukraine with updated GammaSteel
Symantec disclosed a February–March 2025 Shuckworm campaign against the Ukraine-based mission of a Western military, in which the operators delivered an updated PowerShell variant of the GammaSteel infostealer. Initial access came via an infected removable drive triggering a malicious 'files.lnk' shortcut, with command and control rotated across trycloudflare[.]com tunnels and a Tor-fallback cURL channel for exfiltration.
Tags: espionage, ukraine, military, gammasteel, usb

2023-06-15 · Report · Severity: High · Source: Symantec (Broadcom)
Symantec details Shuckworm long-running intrusions in Ukrainian military and government
Symantec's Threat Hunter Team reported sustained Shuckworm (Gamaredon) intrusions against Ukrainian security, military and government organizations between February and May 2023, with some intrusions persisting for up to three months. The operators sought reporting on Ukrainian service members, battlefield engagements, air strikes and arsenal inventories, and deployed a new PowerShell USB-propagation script to spread the Pterodo backdoor across air-gapped systems or removable media.
Tags: espionage, ukraine, military, pterodo, usb

2022-09-15 · Report · Severity: Medium · Source: Cisco Talos
Cisco Talos reports Gamaredon info-stealer campaign against Ukrainian government
Cisco Talos documented an ongoing Gamaredon espionage campaign running through August 2022 that targeted Ukrainian government agencies with malicious LNK files delivered inside RAR archives. The infection chain relied on PowerShell and VBScript loaders to deploy a custom information stealer alongside the GammaLoad and GammaSteel implants, with lure themes referencing the Russian invasion.
Tags: espionage, ukraine, info-stealer, gammaload

2022-04-20 · Advisory · Severity: High · Source: CISA
Five Eyes joint advisory AA22-110A names Primitive Bear (Gamaredon) among Russian threats to critical infrastructure
CISA, FBI, NSA and partner agencies from Australia, Canada, New Zealand and the United Kingdom issued joint advisory AA22-110A on Russian state-sponsored and criminal cyber threats to critical infrastructure. The advisory cited Primitive Bear (Gamaredon) as a long-running FSB-attributed actor targeting Ukrainian government, military and law enforcement entities since at least 2013, reaffirming Ukraine's November 2021 attribution to FSB Center 18.
Tags: joint-advisory, five-eyes, critical-infrastructure

2022-02-04 · Report · Severity: High · Source: Microsoft
Microsoft details ACTINIUM (Gamaredon) operations against Ukrainian organizations
Microsoft Threat Intelligence Center (MSTIC) published a detailed report on ACTINIUM — Microsoft's tracking name at the time for Gamaredon, later renamed Aqua Blizzard. The report documented spear-phishing with malicious remote-template macro documents targeting Ukrainian government, military, judiciary, law enforcement, NGOs and humanitarian coordination bodies since October 2021, and described seven custom malware families including PowerPunch, Pterodo and QuietSieve.
Tags: espionage, ukraine, phishing, pterodo

2021-11-04 · Announcement · Severity: High · Source: Recorded Future / The Record
SBU publicly attributes Gamaredon to FSB Center 18 and names five officers
The Security Service of Ukraine (SBU) publicly attributed the Gamaredon / Armageddon intrusion set to Russia's FSB Center for Information Security (Center 18) operating out of occupied Sevastopol, Crimea. The disclosure named five FSB officers — Sklianko, Chernykh, Starchenko, Miroshnychenko, and Sushchenko — and stated the group had conducted more than 5,000 cyberattacks against Ukrainian government and critical infrastructure systems since 2014.
Tags: attribution, fsb, ukraine, russia
Indicators of compromise (3 indicators)

| Type | Family | Description | First seen | Source |
|---|---|---|---|---|
| SHA-256 | GammaSteel | GammaSteel PowerShell infostealer component recovered from the February–March 2025 Shuckworm intrusion into a foreign military mission in Ukraine, documented by Symantec's Threat Hunter Team. | Apr 9, 2025 | Symantec (Broadcom) |
| SHA-256 | QuietSieve | QuietSieve information-stealer sample associated with Gamaredon and published in Microsoft's February 2022 ACTINIUM indicator list. | Feb 3, 2022 | Microsoft |
| SHA-256 | Pterodo | Pterodo backdoor sample listed in Microsoft Threat Intelligence Center's February 2022 ACTINIUM report on Gamaredon activity against Ukrainian organizations. | Feb 3, 2022 | Microsoft |
Related actors (by shared ATT&CK techniques)
- Mustang Panda (CN · China): 4 shared techniques
- Naikon (CN · China): 4 shared techniques
- APT39 (IR · Iran): 3 shared techniques
- Lazarus Group (KP · DPRK): 3 shared techniques
- APT37 (KP · DPRK): 2 shared techniques
- APT41 (CN · China): 2 shared techniques
Cite this page
Threat Intel Tracker. (2026-05-19). Gamaredon — actor profile. Retrieved from https://threatintel.local/actors/gamaredon