Russia's most relentless cyberespionage group targeting Ukraine spent 2025 making itself much harder to find, hiding its servers behind everyday internet services that defenders are reluctant to block. ESET Research, which has tracked the FSB-linked group Gamaredon for years, says the operators leaned on tunnels, serverless workers, and old-school espionage dead drops to keep spying on Ukrainian government and military targets right through the war.
Ukraine's security service attributes Gamaredon to the 18th Center of Information Security of Russia's FSB, and the group is believed to operate out of occupied Crimea. Throughout 2025 it focused exclusively on Ukrainian governmental and military institutions, running 35 distinct spearphishing campaigns, most of them in the second half of the year, when activity picked up. IntelFusions profiles the group's history and toolset on its Gamaredon Group actor page.
What changed in 2025
Gamaredon has never relied on sophisticated malware; its edge is persistence and constant iteration. In 2025 it rolled out six new tools, all written in PowerShell and mostly simple downloaders, and resurrected an old VBScript weaponizer called PteroSetup that swaps legitimate installer files on drives for malicious self-extracting archives. The standout, PteroPaste, bundles a downloader, a USB weaponizer and a persistence component, pulling an encrypted command server address from Dropbox before connecting through tunnel services.
Late in the year the group also added a persistence trick by abusing CVE-2025-8088, a path traversal vulnerability in WinRAR that lets a crafted archive write a file outside the chosen extraction directory. Gamaredon used it to drop its malicious downloader into a victim's Startup folder so it runs at the next login. IntelFusions previously covered Russia-aligned campaigns weaponizing that same WinRAR flaw against Ukraine.
Hiding in legitimate traffic
The bigger story is infrastructure. To keep its command and control servers from being traced or blocked, Gamaredon increasingly tucked them behind legitimate platforms: Cloudflare tunnels and workers, Microsoft's devtunnels, dynamic DNS, and platform-as-a-service offerings. It also revived the classic spy tradecraft of the dead drop, planting the real server address, obfuscated, on ordinary public pages, Telegram channels, Telegra.ph and Teletype posts, Dropbox, GoFile, even Mastodon and the DEV Community, so the malware reads a hidden value from a trusted site before phoning home. For stolen data, the group upgraded its PteroPSDoor and PteroVDoor file stealers to upload directly to S3-compatible cloud storage such as Wasabi, Tebi and Intercolo, letting the exfiltration blend in with normal cloud traffic.
ESET also confirmed a notable alliance: in early 2025 Gamaredon collaborated with Turla, another FSB-linked Russian group, sharing tooling on operations. That partnership echoes a broader pattern of task sharing among Russia-aligned actors. IntelFusions recently reported on Turla's own stealthy new backdoor against Ukraine.
Why it matters
None of Gamaredon's individual tools is advanced, but the shift toward disposable, hard-to-block infrastructure makes the group's campaigns more resilient and harder to disrupt. With command servers hidden behind services that organizations use every day, simple domain or IP blocking is no longer enough. ESET expects Gamaredon to remain a significant threat to Ukrainian institutions for as long as the war continues, and urges defenders to watch for the behaviors instead: HTA downloaders arriving by spearphishing, persistence through rogue scheduled tasks, and unexpected connections to tunnel and paste services.
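Because the tunnel, paste and dead-drop hosts named above are legitimate services that cannot simply be blocked, the practical hunt is for process context: which program on the endpoint resolved them. The script below is an added example written for this briefing, not code from ESET or IntelFusions. It parses Sysmon DNS-query (Event ID 22) records flattened into one line per event, as a SIEM export might look, and scores each lookup of a tunnel, serverless, dead-drop or S3-compatible endpoint by the process that made it, so that mshta.exe or powershell.exe reaching telegra.ph or a trycloudflare.com hostname ranks far above a browser doing the same. The domain suffix list is my own choice of the public endpoints of the services the report names (trycloudflare.com, devtunnels.ms, workers.dev, telegra.ph, teletype.in, t.me, dropbox.com, gofile.io, dev.to, wasabisys.com, tebi.io); they are not attacker indicators, and the sample log lines are constructed, not real telemetry. Intercolo, Mastodon and dynamic DNS providers are left out because their hostnames vary by tenant.

```python
"""Hunt for script hosts resolving the tunnel, paste and dead-drop services that
Gamaredon hides C2 behind. Added example; not code from ESET or IntelFusions."""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Iterable

# Public endpoints of the services named in the briefing. This mapping is the example
# author's assumption about where such traffic surfaces, not an IOC list: every host
# here is legitimate and used daily by normal software, so it is scored, not blocked.
SERVICE_SUFFIXES: dict[str, tuple[str, ...]] = {
    "tunnel": ("trycloudflare.com", "devtunnels.ms"),
    "serverless": ("workers.dev",),
    "dead_drop": ("telegra.ph", "teletype.in", "t.me", "dropbox.com", "gofile.io", "dev.to"),
    "s3_compat": ("wasabisys.com", "tebi.io"),
}

# Script and HTA hosts: when one of these resolves a tunnel or paste host, that is the
# HTA-downloader / PowerShell behaviour the report describes, not a user browsing.
SCRIPT_HOSTS = {"mshta.exe", "powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}

# Sysmon Event ID 22 fields flattened to one line, as a SIEM might export them (assumed format).
LINE_RE = re.compile(r"UtcTime: (?P<ts>[^,]+), Image: (?P<image>[^,]+), QueryName: (?P<qname>\S+)")


@dataclass(frozen=True)
class Finding:
    ts: str
    process: str
    query: str
    category: str
    severity: str


def classify_host(host: str) -> str | None:
    """Return the service category for a hostname, matching on the registrable suffix
    only, so 'notworkers.dev' does not match 'workers.dev'. Trailing dots are ignored."""
    h = host.lower().rstrip(".")
    for category, suffixes in SERVICE_SUFFIXES.items():
        for suffix in suffixes:
            if h == suffix or h.endswith("." + suffix):
                return category
    return None


def parse_line(line: str) -> dict[str, str] | None:
    """Extract timestamp, process basename and queried name; None for unparseable lines."""
    m = LINE_RE.search(line)
    if not m:
        return None
    image = m.group("image").strip()
    return {
        "ts": m.group("ts").strip(),
        "process": image.rsplit("\\", 1)[-1].lower(),
        "qname": m.group("qname"),
    }


def severity_for(process: str, category: str) -> str:
    if process in SCRIPT_HOSTS:
        return "high"    # script host reaching a dead drop or tunnel: the reported tradecraft
    if category in ("tunnel", "serverless"):
        return "medium"  # any process using an ad-hoc tunnel or worker deserves a look
    return "info"        # browsers on Telegram or Dropbox are normal; keep only for correlation


def hunt(lines: Iterable[str]) -> list[Finding]:
    findings: list[Finding] = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        category = classify_host(ev["qname"])
        if category is None:
            continue
        findings.append(Finding(ev["ts"], ev["process"], ev["qname"], category,
                                severity_for(ev["process"], category)))
    return findings


# Constructed sample events (not real telemetry) exercising each scoring branch.
SAMPLE_LOG = r"""
UtcTime: 2025-11-03 09:14:22.117, Image: C:\Windows\System32\mshta.exe, QueryName: quiet-harbor-rain-fold.trycloudflare.com
UtcTime: 2025-11-03 09:14:25.004, Image: C:\Program Files\Google\Chrome\Application\chrome.exe, QueryName: t.me
UtcTime: 2025-11-03 09:15:01.330, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, QueryName: telegra.ph
UtcTime: 2025-11-03 09:15:09.812, Image: C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE, QueryName: outlook.office365.com
UtcTime: 2025-11-03 09:16:40.219, Image: C:\Windows\System32\svchost.exe, QueryName: relay-7c1.workers.dev
UtcTime: 2025-11-03 09:17:03.555, Image: C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe, QueryName: s3.wasabisys.com
UtcTime: 2025-11-03 09:18:12.000, Image: C:\Windows\System32\curl.exe, QueryName: notworkers.dev
garbage line that does not parse
""".strip().splitlines()

if __name__ == "__main__":
    for f in hunt(SAMPLE_LOG):
        print(f"{f.severity:6} {f.ts} {f.process:16} {f.category:10} {f.query}")
```

Run against the constructed sample, the hunt returns five findings: three high (mshta.exe to a trycloudflare.com hostname, powershell.exe to telegra.ph, powershell.exe to an S3-compatible endpoint), one medium (svchost.exe to workers.dev) and one informational (Chrome to t.me); the Office 365 lookup, the near-miss `notworkers.dev` and the malformed line produce nothing. In production the suffix list and the script-host set would be tuned per environment, and the "info" findings are worth keeping for correlation with the spearphishing and scheduled-task signals listed above rather than alerting on by themselves.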
This briefing is provided by IntelFusions for informational and defensive purposes only. It is based on sources assessed to be reliable at the time of writing, and analytic judgments carry the confidence levels indicated. Indicators of compromise are defanged; re-arm them only in controlled environments. IntelFusions is not affiliated with the organizations named and makes no warranty as to completeness or accuracy.