Russia-Linked Group Gamaredon Targets Ukraine with USB-Propagated Malware

Ukraine has been the target of persistent cyberattacks for years. It has faced a range of threat actors, including state-sponsored groups and financially motivated criminals. One of the most active and determined of these groups is Gamaredon. The group’s main focus is espionage, primarily related to Ukraine and its ongoing conflict with Russia. Recent reports have highlighted that Gamaredon has adopted a new tactic to spread its malware via USB drives.

Gamaredon’s Activities in Ukraine

Gamaredon has been active since at least mid-2013, and has focused on targeting individuals and entities in Ukraine. The group is also tracked under different names such as Armageddon, Primitive Bear, Shuckworm, and Trident Ursa. Most of these names are linked to Russia’s Federal Security Service (FSB), indicating that Gamaredon is likely operating on behalf of the FSB.

Attempts to steal sensitive information and gain long-term access have been ongoing

Gamaredon has demonstrated an impressive ability to infiltrate the networks of its targets and maintain long-term access. According to Symantec, the hacking group has obtained long-term access to victim networks, sometimes for as long as three months. During this time, Gamaredon repeatedly attempts to steal sensitive information related to the war between Ukraine and Russia, such as military secrets or diplomatic data.

New tactics are being used by Gamaredon

To remain effective and evade detection, Gamaredon has had to constantly adapt. On the technical side, the group has been using updated tools, fresh infrastructure, and new tactics. For example, in recent attacks, a new PowerShell script was used to spread the group’s custom backdoor, named Pterodo, via USB drives. These USB drives are likely used by the attackers for lateral movement across victim networks and to help them reach air-gapped machines within targeted organizations.

The use of USB drives for lateral movement

Symantec has identified multiple systems that appear to have been compromised after being infected through USB drives. This tactic is not new, but it indicates that Gamaredon is willing to use established methods to achieve its objectives. The USB drives are likely carrying a Trojan program that will execute as soon as they physically connect to the target machine.

Identifying compromised systems and the use of legitimate services

As well as identifying systems that have been compromised, Symantec has also spotted Gamaredon’s use of legitimate services, such as Telegram, for command-and-control (C&C) infrastructure. This technique allows the hackers to blend in with normal traffic and makes it harder for defenders to spot and block any suspicious activity.

The recent Gamaredon campaign

According to Symantec, the most recent Gamaredon campaign started in February-March 2021. The campaign focuses on systems containing sensitive military information. Indications in some organizations suggest that the attackers are targeting the machines of the organizations’ human resources departments, indicating that information about individuals working at the various organizations is a priority for the attackers, among other things.

Targeting individuals and human resources departments

One of the worrying aspects of the latest Gamaredon campaign is that it appears to be targeting individuals as well as organizations. Human resources departments may have been targeted to allow the hackers to access details about the employees of the organizations. This information could then be used to launch further attacks on selected individuals within the target organization.

Gamaredon has been a persistent threat to Ukraine for several years, and the group continues to evolve its tactics. Its recent use of USB-propagated malware is a reminder that established threat actors may still choose to rely on relatively old techniques if they are still effective. The group’s ability to maintain long-term persistent access to compromised networks and adopt new tactics means that it remains a serious threat to Ukraine and other neighboring countries. Defenders need to remain vigilant and continually assess their security arrangements to ensure they have a chance to detect and block Gamaredon’s activities.

Explore more

Ethereum’s Fragile Recovery Faces Resistance and Low Demand

The Ethereum ecosystem is currently navigating a treacherous landscape where price action struggles to align with the technical milestones achieved during the most recent network upgrades. While the shift to a more scalable architecture was intended to invite a surge of institutional and retail capital, the reality in 2026 shows a market plagued by indecision and a noticeable lack of

macOS 28 Drops Support for Encrypted Mac OS Extended Volumes

The landscape of digital storage has shifted dramatically over the past decade, leaving legacy file systems struggling to keep pace with the rigorous security demands of modern computing environments. With the release of macOS 28, the long-standing compatibility for encrypted Mac OS Extended (HFS+) volumes has officially reached its end of life, signaling a definitive transition toward the more robust

CapCut Named 2026 Leader in AI Social Media Content Creation

The rapid evolution of generative artificial intelligence has fundamentally altered the digital landscape, shifting the burden of high-quality video production from specialized studios to the palm of every creator’s hand across the globe. By mid-2026, the demand for short-form content reached an all-time high, necessitating tools that could keep pace with the volatile trends of social media algorithms. CapCut emerged

How Will AI and RPA Shape Desktop Automation in 2026?

The integration of cognitive computing with traditional robotic process automation has fundamentally altered the way desktop environments operate across global industries today. No longer confined to the rigid, rule-based scripts of previous cycles, modern automation tools now serve as dynamic, goal-oriented assistants capable of navigating the intricacies of fragmented software landscapes. This shift has allowed organizations to bridge the significant

UiPath Navigates AI Pivot Amid Market Skepticism

The transition from legacy robotic process automation to a sophisticated, agent-centric architecture has forced enterprise software giants to fundamentally rethink their value propositions in an era defined by autonomous reasoning. This paradigm shift represents more than a mere software update; it is a complete structural overhaul that seeks to bridge the gap between simple task execution and complex cognitive decision-making.