Russia-Linked Group Gamaredon Targets Ukraine with USB-Propagated Malware

Ukraine has been the target of persistent cyberattacks for years. It has faced a range of threat actors, including state-sponsored groups and financially motivated criminals. One of the most active and determined of these groups is Gamaredon. The group’s main focus is espionage, primarily related to Ukraine and its ongoing conflict with Russia. Recent reports have highlighted that Gamaredon has adopted a new tactic to spread its malware via USB drives.

Gamaredon’s Activities in Ukraine

Gamaredon has been active since at least mid-2013 and has focused on targeting individuals and entities in Ukraine. The group is also tracked under other names, including Armageddon, Primitive Bear, Shuckworm, and Trident Ursa. Under most of these names the group has been linked to Russia’s Federal Security Service (FSB), indicating that Gamaredon is likely operating on the FSB’s behalf.

Attempts to steal sensitive information and gain long-term access have been ongoing

Gamaredon has demonstrated an impressive ability to infiltrate the networks of its targets and maintain long-term access. According to Symantec, the hacking group has obtained long-term access to victim networks, sometimes for as long as three months. During this time, Gamaredon repeatedly attempts to steal sensitive information related to the war between Ukraine and Russia, such as military secrets or diplomatic data.

New tactics are being used by Gamaredon

To remain effective and evade detection, Gamaredon has had to constantly adapt. On the technical side, the group has been using updated tools, fresh infrastructure, and new tactics. For example, in recent attacks, a new PowerShell script was used to spread the group’s custom backdoor, named Pterodo, via USB drives. These USB drives are likely used by the attackers for lateral movement across victim networks and to help them reach air-gapped machines within targeted organizations.

The use of USB drives for lateral movement

Symantec has identified multiple systems that appear to have been compromised after being infected via USB drives. The tactic is not new, but it shows that Gamaredon is willing to use established methods to achieve its objectives. The USB drives likely carry a Trojan that executes as soon as the drive is physically connected to the target machine.
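A simple defender-side check illustrating the USB-propagation concern described above: given process-creation records and a list of drive letters known to be backed by removable media, flag script interpreters launched with a script located on such a drive. This is an added example, not code from Symantec’s report or from this article; the log format, field names, sample events and the removable-drive list are constructed assumptions.

```python
import re

# Constructed sample process-creation records (Image|CommandLine|ParentImage).
# The pipe-separated format and field names are an assumption for this
# example, not the schema of any particular logging product.
SAMPLE_EVENTS = [
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -ExecutionPolicy Bypass -File E:\\update.ps1"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\WindowsPowerShell\\v1.0\\powershell.exe"
    "|CommandLine=powershell.exe -File C:\\Scripts\\backup.ps1"
    "|ParentImage=C:\\Windows\\System32\\svchost.exe",
    "Image=C:\\Program Files\\Microsoft Office\\root\\Office16\\WINWORD.EXE"
    "|CommandLine=\"WINWORD.EXE\" E:\\report.docx"
    "|ParentImage=C:\\Windows\\explorer.exe",
    "Image=C:\\Windows\\System32\\wscript.exe"
    "|CommandLine=wscript.exe //B F:\\docs\\notes.vbs"
    "|ParentImage=C:\\Windows\\explorer.exe",
]

# Drive letters currently mapped to removable media. In a real deployment this
# would come from a device inventory or USB-insertion events (assumption).
REMOVABLE_DRIVES = {"E", "F"}

# Interpreters that commonly run scripts; a document viewer opening a file
# from the same drive is not flagged by this check.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe"}


def parse_event(line):
    """Split one constructed record into a dict (values must not contain '|')."""
    return dict(kv.split("=", 1) for kv in line.split("|"))


def drive_letters_in(text):
    """Return the set of drive letters referenced as 'X:\\' in a command line."""
    return {m.group(1).upper() for m in re.finditer(r"(?<![A-Za-z])([A-Za-z]):\\", text)}


def is_usb_script_execution(event, removable=REMOVABLE_DRIVES):
    """True when a script host was started with a path on a removable drive."""
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    if image not in SCRIPT_HOSTS:
        return False
    return bool(drive_letters_in(event.get("CommandLine", "")) & removable)


def find_suspicious(lines, removable=REMOVABLE_DRIVES):
    """Return the command lines of all events that match the check."""
    return [ev["CommandLine"] for ev in map(parse_event, lines)
            if is_usb_script_execution(ev, removable)]
```

Against the constructed events the check flags the PowerShell and wscript launches from E: and F: and ignores the local backup script and the Word document.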

Identifying compromised systems and the use of legitimate services

As well as identifying systems that have been compromised, Symantec has also spotted Gamaredon’s use of legitimate services, such as Telegram, for command-and-control (C&C) infrastructure. This technique allows the hackers to blend in with normal traffic and makes it harder for defenders to spot and block any suspicious activity.

The recent Gamaredon campaign

According to Symantec, the most recent Gamaredon campaign started in February-March 2021 and focuses on systems containing sensitive military information. In some organizations there are indications that the attackers targeted machines belonging to human resources departments, suggesting that information about the people working at those organizations is, among other things, a priority for the attackers.

Targeting individuals and human resources departments

One of the worrying aspects of the latest Gamaredon campaign is that it appears to be targeting individuals as well as organizations. Human resources departments may have been targeted to allow the hackers to access details about the employees of the organizations. This information could then be used to launch further attacks on selected individuals within the target organization.

Gamaredon has been a persistent threat to Ukraine for several years, and the group continues to evolve its tactics. Its recent use of USB-propagated malware is a reminder that established threat actors may still choose to rely on relatively old techniques if they are still effective. The group’s ability to maintain long-term persistent access to compromised networks and adopt new tactics means that it remains a serious threat to Ukraine and other neighboring countries. Defenders need to remain vigilant and continually assess their security arrangements to ensure they have a chance to detect and block Gamaredon’s activities.
