
Russia’s Gamaredon Modifies Strategies to Target Ukraine


Eset Documents New Malware Families and Infrastructure Tactics

The emblem of the Federal Security Service of Russia in Kazan, Russia, in a photo taken on Sept. 7, 2019. (Image: Shutterstock)

Recent findings from Eset, a prominent cybersecurity research firm, have shed light on the activities of a notorious hacking group linked to Russian domestic intelligence known as Gamaredon. This group has reportedly expanded its operational toolkit and intensified its phishing campaigns throughout 2025, leveraging legitimate online services to obscure its infrastructure and the data it has stolen.

According to the detailed report released by Eset, Gamaredon devoted the initial months of 2025 to developing six new PowerShell-based downloaders. By mid-year, the group’s focus pivoted towards launching at least 35 spear-phishing campaigns targeting various entities. This strategic shift highlights the group’s commitment to enhancing its operational tactics and expanding its reach.

Gamaredon has also adopted new methods to conceal its backend infrastructure, placing it behind Cloudflare Workers, Microsoft’s developer tunnels, and the reverse proxy service Loophole. Alongside these it uses “dead drops”, an espionage technique in which command and control (C2) information is stored on legitimate services such as Telegram so that the malware can fetch it discreetly when needed.

This group has been operational since approximately 2013 or 2014 and includes individuals who are regular officers of Russia’s Federal Security Service (FSB), alongside some former law enforcement officials from Ukraine, as indicated by the Security Service of Ukraine in a 2021 report.

Among the newly developed tools, Eset has pinpointed PteroPaste as the most sophisticated addition to Gamaredon’s arsenal. This multi-faceted tool integrates functions of a downloader, USB weaponizer, and runner component, which serve to ensure persistence and execution of further malicious activities. Remarkably, this tool was previously utilized by another FSB threat group known as Turla to deploy backdoors and maintain persistent access to targeted systems.

Researchers have observed that newer iterations of PteroPaste can acquire encrypted C2 information from cloud storage platforms such as Dropbox. Upon infection, the malware decrypts this data and establishes connections to infrastructures concealed behind tunneling services. In contrast, earlier iterations of this malware relied on Rentry, a markdown paste service, to stage encrypted payloads effectively.

The remaining five tools developed by Gamaredon—PteroDee, PteroCache, PteroDum, PteroOdd, and PteroEffigy—are characterized as lightweight downloaders that function by retrieving subsequent payloads, C2 information, or additional malware. Eset notes a distinctive pragmatic approach taken by Gamaredon, which opts to use a larger quantity of simpler tools rather than a handful of complex malware programs that require extensive investment in development.

In terms of spear-phishing activities, Gamaredon’s strategies have evolved and intensified markedly throughout the last half of 2025. Notably, operators began exploiting CVE-2025-8088, a vulnerability within WinRAR, by deploying malicious HTA downloaders into victims’ Startup folders, ensuring automatic execution upon the next log-in, thereby further increasing the likelihood of successful compromises.

To better conceal its network infrastructure, Gamaredon increasingly turned to tunneling services and serverless worker platforms. These services hide the locations of the group’s backend servers behind trusted domains and intermediary services, so that malicious traffic blends into legitimate internet activity. This shift makes it harder for defenders to identify and disrupt the group’s operations.

Already leveraging Cloudflare heavily by 2024, Gamaredon escalated its use of Cloudflare workers in May 2025 and subsequently incorporated Microsoft’s devtunnels.ms and Loophole the following month. Additionally, the group utilized No-IP domains and platform-as-a-service offerings from providers like Clever Cloud and Supabase to further obfuscate its operations.

Infrastructure components were strategically placed on legitimate services, including Telegram, Dropbox, GoFile, and Mastodon. This practice echoes traditional espionage strategies where information is strategically hidden for later retrieval, allowing Gamaredon to conduct operations with increased discretion.

Eset highlighted several advantages of this operational approach. It enhances flexibility, as the group can quickly switch servers as needed. Furthermore, it complicates defensive measures, as defenders may be hesitant to block commonly used and legitimate services outright, creating a significant challenge in the ongoing cybersecurity landscape.

As part of its data exfiltration efforts, the group employed Amazon S3-compatible cloud storage services. The shift in primary exfiltration destinations has been noted to transition from Wasabi and Tebi to Intercolo. This method effectively reduces the necessity for maintaining a dedicated file receiving infrastructure while enabling malicious traffic to become indistinguishable from legitimate storage provider networks, underscoring the evolving sophistication of cyber threats in the contemporary digital landscape.
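Because outright blocking of the services named above is often impractical, a defender’s first step is usually to triage which internal hosts talk to tunneling, worker and S3-compatible storage endpoints, and how much they upload there. The following script is an added example, not Eset’s or Gamaredon’s code; it runs over constructed proxy-log lines, and apart from devtunnels.ms (named in the report) and workers.dev (Cloudflare Workers’ default hostname suffix) every watchlist entry is a placeholder to be replaced with suffixes from your own inventory.

```python
from collections import defaultdict

# Destination suffixes to triage. devtunnels.ms is named in the report;
# workers.dev is Cloudflare Workers' default hostname suffix. The other
# two are placeholders (assumptions) for the Loophole reverse proxy and
# the S3-compatible storage endpoints used in your environment.
WATCHLIST = {
    "devtunnels.ms": "dev tunnel",
    "workers.dev": "serverless worker",
    "loophole.example": "reverse proxy (placeholder)",
    "s3.storage.example": "s3-compatible storage (placeholder)",
}
# Bytes sent from one client to one host via PUT/POST before it is
# reported as a possible exfiltration channel (tune per environment).
UPLOAD_THRESHOLD = 1_000_000

# Constructed proxy-log lines: timestamp client method host bytes_sent
SAMPLE_LOG = """\
2025-06-03T09:12:01Z 10.0.0.21 GET  cdn.example.org 512
2025-06-03T09:12:07Z 10.0.0.21 GET  abc123-8080.euw.devtunnels.ms 1200
2025-06-03T09:12:09Z 10.0.0.21 POST abc123-8080.euw.devtunnels.ms 4096
2025-06-03T09:15:40Z 10.0.0.33 GET  stage.account-x.workers.dev 900
2025-06-03T09:20:02Z 10.0.0.21 PUT  bucket.s3.storage.example 700000
2025-06-03T09:21:11Z 10.0.0.21 PUT  bucket.s3.storage.example 650000
"""

def match_watchlist(host):
    """Return the watchlist label if host equals or is a subdomain of a listed suffix."""
    for suffix, label in WATCHLIST.items():
        if host == suffix or host.endswith("." + suffix):
            return label
    return None

def triage(log_text):
    """Return (hits, uploads).

    hits: one (timestamp, client, host, label) tuple per line whose host is on the
          watchlist, so analysts can baseline which clients legitimately use them.
    uploads: {(client, host): bytes} for PUT/POST volume above UPLOAD_THRESHOLD,
          regardless of watchlist membership, to surface bulk uploads to storage.
    """
    hits = []
    sent = defaultdict(int)
    for line in log_text.splitlines():
        parts = line.split()
        if len(parts) != 5:
            continue  # skip malformed lines rather than failing the whole run
        ts, client, method, host, nbytes = parts
        label = match_watchlist(host)
        if label:
            hits.append((ts, client, host, label))
        if method in ("PUT", "POST"):
            sent[(client, host)] += int(nbytes)
    uploads = {k: v for k, v in sent.items() if v > UPLOAD_THRESHOLD}
    return hits, uploads
```

The value of the output is the baseline it builds: a developer workstation that has used dev tunnels for months is expected, while a finance host first seen reaching a worker domain and then pushing over a megabyte to an S3-compatible bucket is the pattern the report describes.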
