Compromise
Severity: High
2025-04-10
Shuckworm targets foreign military mission in Ukraine with updated GammaSteel
published by Symantec (Broadcom)
Actor
Russian state-sponsored intrusion set publicly attributed by the Security Service of Ukraine (SBU) to FSB officers based in Russian-occupied Crimea. The longest-running publicly-documented intrusion…
Summary
Symantec disclosed a February–March 2025 Shuckworm campaign against the Ukraine-based mission of a Western military, in which the operators delivered an updated PowerShell variant of the GammaSteel infostealer. Initial access came via an infected removable drive triggering a malicious 'files.lnk' shortcut, with command and control rotated across trycloudflare[.]com tunnels and a Tor-fallback cURL channel for exfiltration.
Tags
espionage, ukraine, military, gammasteel, usb
Primary source
security.com
Other Gamaredon events
- 2023-06-15 Symantec details Shuckworm long-running intrusions in Ukrainian military and government
- 2022-09-15 Cisco Talos reports Gamaredon info-stealer campaign against Ukrainian government
- 2022-04-20 Five Eyes joint advisory AA22-110A names Primitive Bear (Gamaredon) among Russian threats to critical infrastructure
- 2022-02-04 Microsoft details ACTINIUM (Gamaredon) operations against Ukrainian organizations
- 2021-11-04 SBU publicly attributes Gamaredon to FSB Center 18 and names five officers