Reportseverity: Medium2022-09-15
Cisco Talos reports Gamaredon info-stealer campaign against Ukrainian government
published by Cisco Talos
Actor
Russian state-sponsored intrusion set publicly attributed by the Security Service of Ukraine (SBU) to FSB officers based in Russian-occupied Crimea. The longest-running publicly-documented intrusion…
Summary
Cisco Talos documented an ongoing Gamaredon espionage campaign running through August 2022 that targeted Ukrainian government agencies with malicious LNK files delivered inside RAR archives. The infection chain relied on PowerShell and VBScript loaders to deploy a custom information stealer alongside the GammaLoad and GammaSteel implants, with lure themes referencing the Russian invasion.
Tags
espionageukraineinfo-stealergammaload
Primary source
blog.talosintelligence.comOther Gamaredon events
- 2025-04-10Shuckworm targets foreign military mission in Ukraine with updated GammaSteel
- 2023-06-15Symantec details Shuckworm long-running intrusions in Ukrainian military and government
- 2022-04-20Five Eyes joint advisory AA22-110A names Primitive Bear (Gamaredon) among Russian threats to critical infrastructure
- 2022-02-04Microsoft details ACTINIUM (Gamaredon) operations against Ukrainian organizations
- 2021-11-04SBU publicly attributes Gamaredon to FSB Center 18 and names five officers