Gamaredon's New Playbook
Russia's Gamaredon APT has been around long enough to know that the old tricks stop working. So they stopped relying on them.
What ESET uncovered is a group that has systematically upgraded its entire arsenal — from how it delivers malware to how it hides its command-and-control infrastructure. This isn't a single tool update. It's a complete reinvention of how the group operates, and it makes Gamaredon significantly more dangerous in Ukraine's cyber war and beyond.
The findings come from ESET's analysis of 35 spear-phishing campaigns targeting Ukraine in 2025 alone. That's not a smattering of opportunistic attacks. That's sustained, coordinated espionage at scale.
What stands out isn't any single technique. It's the pattern. Gamaredon is building a more resilient, harder-to-detect operation by combining new delivery mechanisms with infrastructure that exploits the same services defenders trust every day.
The PowerShell Downloader Problem
Here's where things get interesting for defenders who thought they had the PowerShell attack surface under control.
Gamaredon has developed new PowerShell-based downloaders that represent a meaningful evolution from what the group was using before. These aren't the same old one-liners that security teams have been triaging for years. The new variants are designed to be more stealthy, more resilient against detection, and better at maintaining persistence on compromised systems.
PowerShell remains one of the most dangerous tools in any attacker's kit because it's built into Windows. It's trusted by administrators. It runs with elevated privileges. And when you combine that trust with obfuscation techniques, you get a delivery mechanism that can slip past even well-configured endpoint protection.
The concern here goes beyond Gamaredon specifically. This is a pattern we're seeing across artificial intelligence cybersecurity threats and nation-state operations: attackers are treating PowerShell not as a legacy tool but as a first-class delivery platform. The group's willingness to invest in custom downloaders signals that they expect their targets to have modern defenses, and they're building around those expectations rather than hoping defenders are still running legacy configurations.
Hiding in Plain Sight: Cloudflare Tunneling and Dead Drops
The most technically sophisticated aspect of Gamaredon's upgrade is how it's concealing its command-and-control infrastructure.
The group has adopted Cloudflare tunneling for C2 communications. This is a move that deserves attention because it represents a fundamental shift in how nation-state actors approach infrastructure. Instead of renting VPS servers, registering suspicious domains, or building out their own botnets, Gamaredon is routing its traffic through one of the most trusted networks on the internet.
Cloudflare sits between attackers and defenders. When your C2 traffic looks like legitimate Cloudflare traffic, you're not just hiding from network monitoring — you're hiding inside the infrastructure that security teams explicitly whitelist. It's a brilliant abuse of trust.
Dead drops add another layer. Rather than maintaining persistent connections to a C2 server, Gamaredon appears to be using dead drop resolvers where compromised systems check in at irregular intervals, pull down instructions, and disconnect. This makes traffic analysis significantly harder because there's no consistent beacon pattern to flag.
For AI-driven cybersecurity threats, this infrastructure choice is particularly notable. Traditional detection relies on identifying anomalous network behavior — unusual destinations, irregular communication patterns, suspicious TLS certificates. When your C2 looks like Cloudflare traffic and your beacon pattern mimics legitimate web browsing, you've effectively neutralized a large portion of network-based detection.
USB: The Analog Backdoor
You'd think in 2025, with everything delivered over the network, USB malware would be a relic. Gamaredon disagrees.
The group continues to deploy USB-borne malware vectors, and this isn't nostalgia. Physical media remains one of the most effective ways to bypass network security controls entirely. A USB device plugged into an air-gapped or heavily segmented system doesn't care about your firewall rules, your email gateway, or your web proxy.
The USB approach also bypasses many of the detection mechanisms that have gotten better over the past decade. Network-based monitoring can't see what happens on a local machine after initial infection via removable media. And in Ukraine's context, where operational security around physical devices is often tight, a compromised USB drive can sit undetected for months.
This isn't a new technique, but Gamaredon's continued investment in it signals something important: the group understands that not all targets live on the network, and they're willing to meet those targets where they are. It's a reminder that cyber espionage isn't purely digital. The physical world still matters.
The Turla Connection
Perhaps the most strategically significant finding is Gamaredon's collaboration with Turla APT.
ESET's research indicates that Gamaredon is providing initial access for Turla's exploitation frameworks. This is a division of labor that makes both groups more effective. Gamaredon handles the phishing, the delivery, the initial compromise — the messy work of getting inside. Turla then moves in with more sophisticated tools for lateral movement, data exfiltration, and long-term persistence.
This kind of collaboration between Russian-aligned APT groups has been observed before, but the specificity here is notable. It suggests an organized ecosystem rather than loose coordination between independent operators. There's a structure to this, and it means that compromising an organization through Gamaredon's spear-phishing doesn't just mean you've been hit by one threat actor — it potentially opens the door for Turla's full toolkit.
For defenders, this means that Gamaredon indicators of compromise shouldn't be treated as isolated events. If you detect a Gamaredon-style phishing campaign or PowerShell downloader, the assumption should be that more sophisticated actors may already be moving laterally through your environment.
What This Means for Defenders
The Gamaredon upgrade is a case study in how threat actors adapt when their old methods stop working. The group hasn't just added new tools — it's rethought its entire operational model around modern defenses.
The implications are clear. Network monitoring alone won't catch this. You need endpoint detection that can identify suspicious PowerShell execution, behavioral analysis that flags unusual USB activity, and threat intelligence that connects Gamaredon indicators to the broader Turla ecosystem.
The Cloudflare tunneling approach also forces a conversation about zero-trust networking. If you're whitelisting Cloudflare traffic at your network perimeter, you need to understand what's actually flowing through those tunnels. Application-layer inspection, TLS decryption where legally permissible, and behavioral baselining become essential.
And the spear-phishing campaigns — 35 of them in a single year against Ukraine — remind us that human factors remain the weakest link. No amount of technical control can fully compensate for a well-crafted phishing email that lands in the right inbox. Security awareness training isn't optional. It's the last line of defense against a group that knows exactly how to exploit human trust.
The Bigger Picture
Gamaredon's evolution doesn't exist in a vacuum. It reflects a broader trend in how nation-state cyber operations are maturing. The groups that survive are the ones that treat their TTPs as living systems — constantly tested, continuously improved, and ruthlessly optimized against the defenses they face.
For the artificial intelligence cybersecurity threats landscape, Gamaredon represents a different model than AI-native malware generation. This is human-operated espionage enhanced by technical sophistication and organizational coordination. The threat isn't that AI wrote the malware. It's that a disciplined group of operators has systematically upgraded every aspect of their operation to exploit the gaps in modern defenses.
The Ukraine conflict has accelerated this evolution. Gamaredon is operating in a real-world cyber war with real consequences, and the pressure to be effective has driven genuine innovation. What works in Ukraine will eventually be tested elsewhere, and the techniques documented here should be treated as indicators of what's coming next across the broader threat landscape.