G0047 Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word “Armageddon,” found in early campaigns.32175
In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.85
| Item | Value |
|---|---|
| ID | G0047 |
| Associated Names | IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard |
| Version | 3.2 |
| Created | 31 May 2017 |
| Last Modified | 24 October 2025 |
Associated Group Descriptions
| Name | Description |
|---|---|
| IRON TILDEN | 6 |
| Primitive Bear | 9 |
| ACTINIUM | 5 |
| Armageddon | 7 |
| Shuckworm | 7 |
| DEV-0157 | 5 |
| Aqua Blizzard | 4 |
Techniques Used
| Domain | ID | Name | Use |
|---|---|---|---|
| enterprise | T1583 | Acquire Infrastructure | - |
| enterprise | T1583.001 | Domains | Gamaredon Group has registered multiple domains to facilitate payload staging and C2.591214 |
| enterprise | T1583.003 | Virtual Private Server | Gamaredon Group has used VPS hosting providers for infrastructure outside of Russia.131211 |
| enterprise | T1583.006 | Web Services | Gamaredon Group has used Cloudflare’s TryCloudflare quick-tunnel service to obtain C2 nodes.14 |
| enterprise | T1071 | Application Layer Protocol | - |
| enterprise | T1071.001 | Web Protocols | Gamaredon Group has used HTTP and HTTPS for C2 communications.3217109131215 |
| enterprise | T1119 | Automated Collection | Gamaredon Group has deployed scripts on compromised systems that automatically scan for interesting documents.1 |
| enterprise | T1020 | Automated Exfiltration | Gamaredon Group has used modules that automatically upload gathered documents to the C2 server.1 |
| enterprise | T1547 | Boot or Logon Autostart Execution | - |
| enterprise | T1547.001 | Registry Run Keys / Startup Folder | Gamaredon Group tools have registered Run keys in the registry to give malicious VBS files persistence.21101312 |
| enterprise | T1059 | Command and Scripting Interpreter | - |
| enterprise | T1059.001 | PowerShell | Gamaredon Group has used obfuscated PowerShell scripts for staging.512 Gamaredon Group has also used PowerShell-based tools later in its attack chain14 and has used the PowerShell cmdlet Get-Command to download and execute the next-stage payload.15 |
| enterprise | T1059.003 | Windows Command Shell | Gamaredon Group has used various batch scripts to establish C2 and download additional files. Gamaredon Group’s backdoor malware has also been written to a batch file.31109 |
| enterprise | T1059.005 | Visual Basic | Gamaredon Group has embedded malicious macros in document templates, which executed VBScript. Gamaredon Group has also delivered Microsoft Outlook VBA projects with embedded macros.21105612 Additionally, Gamaredon Group has executed VBScript files using wscript.exe.14 |
| enterprise | T1005 | Data from Local System | Gamaredon Group has collected files from infected systems and uploaded them to a C2 server.112 |
| enterprise | T1039 | Data from Network Shared Drive | Gamaredon Group malware has collected Microsoft Office documents from mapped network drives.112 |
| enterprise | T1025 | Data from Removable Media | A Gamaredon Group file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.3112 |
| enterprise | T1001 | Data Obfuscation | Gamaredon Group has used obfuscated VBScripts with randomly generated variable names and concatenated strings.13 |
| enterprise | T1491 | Defacement | - |
| enterprise | T1491.001 | Internal Defacement | Gamaredon Group has left taunting images and messages on the victims’ desktops as proof of system access.10 |
| enterprise | T1140 | Deobfuscate/Decode Files or Information | Gamaredon Group tools decrypted additional payloads from the C2. Gamaredon Group has also decoded Base64-encoded source code of a downloader.2112 Additionally, Gamaredon Group has decoded Telegram content to reveal the IP address for C2 communications.13 |
| enterprise | T1587 | Develop Capabilities | - |
| enterprise | T1587.003 | Digital Certificates | Gamaredon Group has used the same TLS certificate across its infrastructure.11 |
| enterprise | T1561 | Disk Wipe | - |
| enterprise | T1561.001 | Disk Content Wipe | Gamaredon Group has used tools to delete files and folders from victims’ desktops and profiles.10 |
| enterprise | T1568 | Dynamic Resolution | Gamaredon Group has incorporated dynamic DNS domains in its infrastructure.9 |
| enterprise | T1568.001 | Fast Flux DNS | Gamaredon Group has used fast flux DNS to mask their command and control channel behind rotating IP addresses.131216 Additionally, Gamaredon Group has used a low-frequency variant of the single-flux method.11 |
| enterprise | T1480 | Execution Guardrails | Gamaredon Group has used geoblocking to limit downloads of the malicious file to specific geographic locations.1315 |
| enterprise | T1041 | Exfiltration Over C2 Channel | A Gamaredon Group file stealer can transfer collected files to a hardcoded C2 server.31214 |
| enterprise | T1083 | File and Directory Discovery | Gamaredon Group macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. Gamaredon Group has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.1912 Gamaredon Group has also identified directory trees, folders and files on the compromised host.14 |
| enterprise | T1564 | Hide Artifacts | - |
| enterprise | T1564.003 | Hidden Window | Gamaredon Group has used hidcon to run batch files in a hidden console window.9 Gamaredon Group has also executed PowerShell in a hidden window.15 |
| enterprise | T1562 | Impair Defenses | - |
| enterprise | T1562.001 | Disable or Modify Tools | Gamaredon Group has delivered macros which can tamper with Microsoft Office security settings.112 |
| enterprise | T1070 | Indicator Removal | - |
| enterprise | T1070.004 | File Deletion | Gamaredon Group tools can delete files used during an operation.271012 |
| enterprise | T1105 | Ingress Tool Transfer | Gamaredon Group has downloaded additional malware and tools onto a compromised host.32151215 For example, Gamaredon Group uses a backdoor script to retrieve and decode additional payloads once in victim environments.13 |
| enterprise | T1559 | Inter-Process Communication | - |
| enterprise | T1559.001 | Component Object Model | Gamaredon Group malware can insert malicious macros into documents using a Microsoft.Office.Interop object.112 |
| enterprise | T1534 | Internal Spearphishing | Gamaredon Group has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.1 |
| enterprise | T1036 | Masquerading | - |
| enterprise | T1036.005 | Match Legitimate Resource Name or Location | Gamaredon Group has used legitimate-looking process names to hide malware, including svchosst (a lookalike of the legitimate svchost).9 Additionally, Gamaredon Group has disguised malicious ZIP archives as Office documents with themes related to the invasion of Ukraine.15 |
| enterprise | T1112 | Modify Registry | Gamaredon Group has removed security settings for VBA macro execution by changing the registry values HKCU\Software\Microsoft\Office\<version>\<product>\Security\VBAWarnings (the macro security level) and HKCU\Software\Microsoft\Office\<version>\<product>\Security\AccessVBOM (programmatic access to the VBA project object model).11012 Gamaredon Group has also modified Registry keys to hide folders and system files and to store the C2 address under HKEY_CURRENT_USER\Console\WindowsUpdate.14 |
| enterprise | T1106 | Native API | Gamaredon Group malware has used CreateProcess to launch additional malicious components.112 |
| enterprise | T1095 | Non-Application Layer Protocol | Gamaredon Group has used SOCKS5 over port 9050 for C2 communication.14 |
| enterprise | T1571 | Non-Standard Port | Gamaredon Group has used port 6856 for C2 communications.15 |
| enterprise | T1027 | Obfuscated Files or Information | Gamaredon Group has delivered self-extracting 7z archive files within malicious document attachments.1 Additionally, Gamaredon Group has used an obfuscated .drv file.14 |
| enterprise | T1027.004 | Compile After Delivery | Gamaredon Group has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.1 |
| enterprise | T1027.010 | Command Obfuscation | Gamaredon Group has used obfuscated or encrypted scripts.151412 |
| enterprise | T1027.012 | LNK Icon Smuggling | Gamaredon Group has used LNK files to hide malicious scripts for execution.1415 |
| enterprise | T1027.015 | Compression | Gamaredon Group has delivered malicious payloads within compressed archives such as ZIP files.15 |
| enterprise | T1027.016 | Junk Code Insertion | Gamaredon Group has obfuscated .NET executables by inserting junk code.1 |
| enterprise | T1588 | Obtain Capabilities | - |
| enterprise | T1588.002 | Tool | Gamaredon Group has used various legitimate tools, such as mshta.exe and Reg, and services during operations.1312 |
| enterprise | T1137 | Office Application Startup | Gamaredon Group has inserted malicious macros into existing documents, providing persistence when they are reopened. Gamaredon Group has loaded the group’s previously delivered VBA project by relaunching Microsoft Outlook with the /altvba option, once the Application.Startup event is received.1 |
| enterprise | T1120 | Peripheral Device Discovery | Gamaredon Group tools have contained an application to check performance of USB flash drives. Gamaredon Group has also used malware to scan for removable drives.3112 |
| enterprise | T1566 | Phishing | - |
| enterprise | T1566.001 | Spearphishing Attachment | Gamaredon Group has delivered spearphishing emails with malicious attachments to targets.2110596131216 Additionally, Gamaredon Group has distributed malicious LNK files compressed in ZIP archives.15 |
| enterprise | T1057 | Process Discovery | Gamaredon Group has used tools to enumerate processes on target hosts including Process Explorer.7914 |
| enterprise | T1055 | Process Injection | Gamaredon Group has injected Remcos into explorer.exe.15 |
| enterprise | T1090 | Proxy | Gamaredon Group has used the Cloudflare Tunnel client to proxy C2 traffic.12 |
| enterprise | T1090.003 | Multi-hop Proxy | Gamaredon Group has used Tor for C2 traffic.14 |
| enterprise | T1012 | Query Registry | Gamaredon Group has queried HKEY_CURRENT_USER\Console\WindowsUpdates to obtain the C2 addresses.14 |
| enterprise | T1620 | Reflective Code Loading | Gamaredon Group has used an obfuscated PowerShell script that used System.Reflection.Assembly to gather and send victim information to the C2.14 |
| enterprise | T1021 | Remote Services | - |
| enterprise | T1021.005 | VNC | Gamaredon Group has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.759 |
| enterprise | T1091 | Replication Through Removable Media | Gamaredon Group has replicated to removable media by leveraging the User Assist Reg Key and creating LNKs on all network and removable drives available on the infected host.14 |
| enterprise | T1053 | Scheduled Task/Job | - |
| enterprise | T1053.005 | Scheduled Task | Gamaredon Group has created scheduled tasks to launch executables after a designated number of minutes have passed.110513 |
| enterprise | T1113 | Screen Capture | Gamaredon Group’s malware can take screenshots of the compromised computer every minute.11412 |
| enterprise | T1518 | Software Discovery | - |
| enterprise | T1518.001 | Security Software Discovery | Gamaredon Group has used PowerShell scripts to identify security software on the victim machine.14 |
| enterprise | T1608 | Stage Capabilities | - |
| enterprise | T1608.001 | Upload Malware | Gamaredon Group has registered domains to stage payloads.59 |
| enterprise | T1218 | System Binary Proxy Execution | - |
| enterprise | T1218.005 | Mshta | Gamaredon Group has used mshta.exe to execute malicious files.7131214 |
| enterprise | T1218.011 | Rundll32 | Gamaredon Group malware has used rundll32 to launch additional malicious components.1 |
| enterprise | T1082 | System Information Discovery | A Gamaredon Group file stealer can gather the victim’s computer name and drive serial numbers to send to a C2 server.32101412 |
| enterprise | T1016 | System Network Configuration Discovery | - |
| enterprise | T1016.001 | Internet Connection Discovery | Gamaredon Group has tested connectivity between a compromised machine and a C2 server using Ping with commands such as CSIDL_SYSTEM\cmd.exe /c ping -n 1.7 Gamaredon Group has also read ping results to derive the C2 address and has used ping to check whether the C2 server is reachable.14 |
| enterprise | T1033 | System Owner/User Discovery | A Gamaredon Group file stealer can gather the victim’s username to send to a C2 server.3 |
| enterprise | T1080 | Taint Shared Content | Gamaredon Group has injected malicious macros into all Word and Excel documents on mapped network drives.1 |
| enterprise | T1221 | Template Injection | Gamaredon Group has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.17 Gamaredon Group can also inject malicious macros or remote templates into documents already present on compromised systems.211059612 |
| enterprise | T1204 | User Execution | - |
| enterprise | T1204.001 | Malicious Link | Gamaredon Group has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.1312 |
| enterprise | T1204.002 | Malicious File | Gamaredon Group has attempted to get users to click on Office attachments with malicious macros embedded.2171059613 Gamaredon Group has also attempted to get users to click on thematically named files.15 |
| enterprise | T1497 | Virtualization/Sandbox Evasion | - |
| enterprise | T1497.001 | System Checks | Gamaredon Group has checked existing conditions, such as geographic location, device type, or system specification, before the victim is sent a malicious Word document.16 |
| enterprise | T1102 | Web Service | Gamaredon Group has used GitHub repositories for downloaders which will be obtained by the group’s .NET executable on the compromised system.1 |
| enterprise | T1102.002 | Bidirectional Communication | Gamaredon Group has used several ways to try to resolve the C2 server, including: public third-party websites, an adversary-operated Telegraph channel, the ngrok utility and the TXT record of a hardcoded C2 domain.1214 |
| enterprise | T1102.003 | One-Way Communication | Gamaredon Group has used Telegram Messenger content to discover the IP address for C2 communications.13 |
| enterprise | T1047 | Windows Management Instrumentation | Gamaredon Group has used WMI to execute scripts used for discovery and for determining the C2 IP address.10131412 Gamaredon Group has used the following WMI query to search for a ping record: Select * From Win32_PingStatus where Address = 'mil.gov.ua'.14 |
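Template injection (T1221) is the delivery step that several rows above depend on: a DOCX whose settings relationships point at a remote .dot/.dotm, or an RTF whose \*\template control word names a URL, causes Word to fetch the template (and its macros) on open. The checker below is an added example written for this page; it is not code from MITRE or from any of the cited reports. It reads the attachedTemplate relationship from word/_rels/settings.xml.rels and the \*\template group from RTF, and flags only HTTP(S)/FTP or UNC targets, because a local file:// path to Normal.dotm is routine. The DOCX skeleton and RTF it is run on are constructed, and the 203.0.113.0/24 addresses are documentation-range placeholders, not indicators.

```python
import io
import re
import zipfile
import xml.etree.ElementTree as ET

# OOXML relationship type that binds a document to its attached template (.dot/.dotm).
ATTACHED_TEMPLATE = (
    "http://schemas.openxmlformats.org/officeDocument/2006/relationships/attachedTemplate"
)
RELS_NS = "{http://schemas.openxmlformats.org/package/2006/relationships}"
# RTF control word Word honours for a template location: {\*\template <path or URL>}
RTF_TEMPLATE = re.compile(rb"\\\*\\template\s+([^}\s]+)")
# Remote = fetched over HTTP(S)/FTP or from a UNC share; local file:// paths are normal.
REMOTE = re.compile(r"^(?:https?|ftp)://|^\\\\", re.IGNORECASE)


def remote_templates_in_docx(data):
    """Return remote template targets referenced from word/_rels/settings.xml.rels."""
    hits = []
    with zipfile.ZipFile(io.BytesIO(data)) as z:
        if "word/_rels/settings.xml.rels" not in z.namelist():
            return hits
        root = ET.fromstring(z.read("word/_rels/settings.xml.rels"))
        for rel in root.iter(RELS_NS + "Relationship"):
            target = rel.get("Target", "")
            if rel.get("Type") == ATTACHED_TEMPLATE and REMOTE.search(target):
                hits.append(target)
    return hits


def remote_templates_in_rtf(data):
    """Return remote targets from every \\*\\template group in an RTF file."""
    hits = []
    for m in RTF_TEMPLATE.finditer(data):
        target = m.group(1).decode("latin-1", "replace")
        if REMOTE.search(target):
            hits.append(target)
    return hits


def remote_templates(data):
    """Dispatch on magic bytes: OOXML zip (PK\\x03\\x04) or RTF ({\\rtf)."""
    if data.startswith(b"PK\x03\x04"):
        return remote_templates_in_docx(data)
    if data.lstrip().startswith(b"{\\rtf"):
        return remote_templates_in_rtf(data)
    return []


def build_sample_docx(template_target):
    """Constructed minimal DOCX skeleton (not a real lure) with one attachedTemplate relationship."""
    rels = (
        '<?xml version="1.0" encoding="UTF-8" standalone="yes"?>'
        '<Relationships xmlns="http://schemas.openxmlformats.org/package/2006/relationships">'
        f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" Target="{template_target}" TargetMode="External"/>'
        "</Relationships>"
    )
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as z:
        z.writestr("[Content_Types].xml", "<Types/>")   # placeholder parts; only the rels matter here
        z.writestr("word/document.xml", "<document/>")
        z.writestr("word/settings.xml", "<settings/>")
        z.writestr("word/_rels/settings.xml.rels", rels)
    return buf.getvalue()


# Constructed RTF sample; 203.0.113.0/24 is a documentation range, not a real indicator.
SAMPLE_RTF = b"{\\rtf1\\ansi{\\*\\template http://203.0.113.10/lure.dot}\\par Report\\par}"

if __name__ == "__main__":
    print(remote_templates(build_sample_docx("http://203.0.113.10/lure.dotm")))
    print(remote_templates(SAMPLE_RTF))
```

Run it over a mail-gateway quarantine or a sandbox's dropped-file directory; any non-empty result is a fetch the user never asked for, and the host in the target is the staging server to pivot on.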
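Several host-side behaviours in the table map directly onto Sysmon event types: Office spawning mshta.exe or wscript.exe (T1218.005, T1059.005), the Outlook /altvba relaunch (T1137), the VBAWarnings/AccessVBOM downgrade and the C2 address stored under HKCU\Console\WindowsUpdate (T1112), the svchosst lookalike (T1036.005), and connections to ports 9050 and 6856 (T1095, T1571). The triage script below is an added example for this page, not code from MITRE or from any cited report. The events it runs over are constructed, the rule names are this editor's own, and the field names assume Sysmon's schema (EventID 1 process creation, 3 network connection, 13 registry value set, with HKCU rendered as HKU\<SID>).

```python
import re

OFFICE_PARENTS = {"winword.exe", "excel.exe", "powerpnt.exe", "outlook.exe"}
SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe", "cmd.exe"}
MASQUERADE_NAMES = {"svchosst.exe"}   # lookalike of svchost.exe named on this page
C2_PORTS = {9050, 6856}               # SOCKS5/Tor port and the non-standard port named on this page

# Sysmon writes HKCU as HKU\<SID>\...; the Office version (16.0) and product (Word) segments vary.
MACRO_SECURITY = re.compile(
    r"\\Software\\Microsoft\\Office\\[^\\]+\\[^\\]+\\Security\\(?:VBAWarnings|AccessVBOM)$", re.I)
C2_STORE = re.compile(r"\\Console\\WindowsUpdate", re.I)
# VBAWarnings=1 enables all macros; AccessVBOM=1 trusts programmatic access to the VBA project.
DWORD_ONE = re.compile(r"DWORD \(0x0*1\)", re.I)
HIDDEN_WINDOW = re.compile(r"-w\w*\s+hidden", re.I)   # -w / -win / -WindowStyle hidden


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def triage(event):
    """Rule names triggered by one Sysmon-style event (dict keyed by Sysmon field names)."""
    hits = []
    eid = event["EventID"]
    image = basename(event.get("Image", ""))
    if eid in (1, 3) and image in MASQUERADE_NAMES:
        hits.append("masquerading_process_name")
    if eid == 1:                                   # process creation
        parent = basename(event.get("ParentImage", ""))
        cmd = event.get("CommandLine", "")
        if image in SCRIPT_HOSTS and parent in OFFICE_PARENTS:
            hits.append("office_spawns_script_host")
        if image == "outlook.exe" and "/altvba" in cmd.lower():
            hits.append("outlook_altvba_load")
        if image == "powershell.exe" and HIDDEN_WINDOW.search(cmd):
            hits.append("powershell_hidden_window")
    elif eid == 3:                                 # network connection
        if int(event.get("DestinationPort", 0)) in C2_PORTS:
            hits.append("c2_port")
    elif eid == 13:                                # registry value set
        target = event.get("TargetObject", "")
        if MACRO_SECURITY.search(target) and DWORD_ONE.search(event.get("Details", "")):
            hits.append("office_macro_security_downgrade")
        if C2_STORE.search(target):
            hits.append("registry_c2_store")
    return hits


def triage_all(events):
    """Map EventRecordID -> rules for every event that fired at least one rule."""
    out = {}
    for e in events:
        hits = triage(e)
        if hits:
            out[e["EventRecordID"]] = hits
    return out


# Constructed events (not real telemetry); IPs are from documentation ranges.
SAMPLE_EVENTS = [
    {"EventRecordID": 101, "EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r"mshta.exe C:\Users\u\AppData\Local\Temp\x.hta"},
    {"EventRecordID": 102, "EventID": 13, "Details": "DWORD (0x00000001)",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Office\16.0\Word\Security\VBAWarnings"},
    {"EventRecordID": 103, "EventID": 13, "Details": "203.0.113.10",
     "TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Console\WindowsUpdate\Server"},
    {"EventRecordID": 104, "EventID": 1,
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "ParentImage": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"OUTLOOK.EXE" /altvba C:\Users\u\AppData\Roaming\Microsoft\Outlook\x.otm'},
    {"EventRecordID": 105, "EventID": 3, "Image": r"C:\Windows\System32\svchosst.exe",
     "DestinationIp": "198.51.100.7", "DestinationPort": 9050},
    {"EventRecordID": 106, "EventID": 1, "Image": r"C:\Windows\explorer.exe",
     "ParentImage": r"C:\Windows\System32\userinit.exe", "CommandLine": "explorer.exe"},
]

if __name__ == "__main__":
    for rid, rules in triage_all(SAMPLE_EVENTS).items():
        print(rid, rules)
```

The registry rule is the one worth prioritising: a user-context write that sets VBAWarnings to 1 has no legitimate automated source on a managed estate, whereas Office spawning a script host will also fire on some line-of-business add-ins and needs the parent/child pair plus command line to disposition.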
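The T1568.001 row distinguishes classic fast flux from a low-frequency single-flux variant: in both cases one domain's A record walks across IPs in different networks, but the rotation interval is minutes in one case and many hours in the other, so a detector keyed only on short TTLs misses the slow variant. The profiler below is an added example for this page (not MITRE's or Silent Push's code) that scores passive-DNS observations by distinct IPs, distinct /24 prefixes as a cheap stand-in for ASN diversity, and the median interval between answer changes. The observations are constructed and the thresholds are illustrative assumptions to be tuned against real resolver volume.

```python
from collections import defaultdict
from datetime import datetime, timedelta
from ipaddress import ip_network
from statistics import median


def prefix24(ip):
    return str(ip_network(f"{ip}/24", strict=False))


def flux_profile(records):
    """records: iterable of (domain, observed_at datetime, answer_ip, ttl_seconds)."""
    by_domain = defaultdict(list)
    for domain, ts, ip, ttl in records:
        by_domain[domain].append((ts, ip, ttl))
    profile = {}
    for domain, obs in by_domain.items():
        obs.sort()
        ips = {ip for _, ip, _ in obs}
        # A rotation is an observation whose answer differs from the previous one.
        rotations = [obs[i][0] for i in range(1, len(obs)) if obs[i][1] != obs[i - 1][1]]
        gaps_h = [(b - a).total_seconds() / 3600 for a, b in zip(rotations, rotations[1:])]
        profile[domain] = {
            "distinct_ips": len(ips),
            "distinct_prefixes": len({prefix24(ip) for ip in ips}),
            "rotations": len(rotations),
            "median_rotation_hours": median(gaps_h) if gaps_h else None,
            "min_ttl": min(ttl for _, _, ttl in obs),
        }
    return profile


def classify(p, min_ips=4, min_prefixes=3, fast_hours=1.0, slow_hours=72.0):
    """Thresholds are illustrative assumptions; tune them to your passive-DNS volume."""
    if p["distinct_ips"] < min_ips or p["distinct_prefixes"] < min_prefixes:
        return "not-flux"            # few IPs, or every answer inside one or two /24s
    h = p["median_rotation_hours"]
    if h is None:
        return "not-flux"
    if h <= fast_hours:
        return "fast-flux"           # answer changes within minutes
    if h <= slow_hours:
        return "low-frequency-flux"  # the slow single-flux variant described above
    return "not-flux"


def _series(domain, start, step, ips, ttl):
    return [(domain, start + i * step, ip, ttl) for i, ip in enumerate(ips)]


T0 = datetime(2025, 1, 1)
_FLUX_IPS = ["192.0.2.10", "198.51.100.20", "203.0.113.30", "192.0.2.40", "192.0.2.10"]
# Constructed passive-DNS observations; all IPs are from documentation ranges.
SAMPLE_RECORDS = (
    _series("c2-a.example", T0, timedelta(minutes=30), _FLUX_IPS, 300)
    + _series("c2-b.example", T0, timedelta(hours=24), _FLUX_IPS, 3600)
    + _series("corp.example", T0, timedelta(hours=6), ["192.0.2.1"] * 5, 3600)
    + _series("onenet.example", T0, timedelta(minutes=30),
              ["192.0.2.1", "192.0.2.2", "192.0.2.3", "192.0.2.4", "192.0.2.5"], 300)
)

if __name__ == "__main__":
    for domain, p in flux_profile(SAMPLE_RECORDS).items():
        print(domain, classify(p), p)
```

The prefix-diversity gate is what keeps ordinary round-robin load balancing (many IPs, one network) out of the alert queue; replace prefix24 with an ASN lookup when you have one, since that is the diversity the infrastructure reports above actually measure.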
Software
References
1. Boutin, J. (2020, June 11). Gamaredon group grows its game. Retrieved June 16, 2020.
2. Kakara, H., Maruyama, E. (2020, April 17). Gamaredon APT Group Use Covid-19 Lure in Campaigns. Retrieved May 19, 2020.
3. Kasza, A. and Reichel, D. (2017, February 27). The Gamaredon Group Toolset Evolution. Retrieved March 1, 2017.
4. Microsoft. (2023, July 12). How Microsoft names threat actors. Retrieved November 17, 2023.
5. Microsoft Threat Intelligence Center. (2022, February 4). ACTINIUM targets Ukrainian organizations. Retrieved February 18, 2022.
6. Secureworks CTU. (n.d.). IRON TILDEN. Retrieved February 24, 2022.
7. Symantec. (2022, January 31). Shuckworm Continues Cyber-Espionage Attacks Against Ukraine. Retrieved February 17, 2022.
8. Toulas, B. (2021, November 4). Ukraine links members of Gamaredon hacker group to Russian FSB. Retrieved April 15, 2022.
9. Unit 42. (2022, February 3). Russia’s Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine. Retrieved February 21, 2022.
10. CERT-EE. (2021, January 27). Gamaredon Infection: From Dropper to Entry. Retrieved February 17, 2022.
11. Hunt.io. (2025, April 8). State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure. Retrieved July 23, 2025.
12. Rusnák, Z. (2024, September 26). Cyberespionage the Gamaredon way: Analysis of toolset used to spy on Ukraine in 2022 and 2023. Retrieved October 30, 2024.
13. Unit 42. (2022, December 20). Russia’s Trident Ursa (aka Gamaredon APT) Cyber Conflict Operations Unwavering Since Invasion of Ukraine. Retrieved September 12, 2024.
14. Threat Hunter Team, Symantec and Carbon Black. (2025, April 10). Shuckworm Targets Foreign Military Mission Based in Ukraine. Retrieved July 23, 2025.
15. Venere, G. (2025, March 28). Gamaredon campaign abuses LNK files to distribute Remcos backdoor. Retrieved July 23, 2025.
16. Silent Push. (2023, September 7). From Russia with a 71: Uncovering Gamaredon’s fast flux infrastructure. New Apex domains and ASN/IP diversity patterns discovered. Retrieved July 28, 2025.
17. Raggi, M. (2021, December 1). Injection is the New Black: Novel RTF Template Inject Technique Poised for Widespread Adoption Beyond APT Actors. Retrieved December 9, 2021.