Shuckworm, a cyber-espionage group with ties to Russia, has once again targeted a military mission in Ukraine, showcasing their latest tactics in a campaign that began in late February 2025 and continued through March. This group, also known as Gamaredon or Armageddon, has a history of focusing on Ukrainian entities and has now shown a shift towards increased stealth and sophistication in their operations.
Operating on behalf of Russia’s Federal Security Service (FSB), Shuckworm has been active since around 2013, targeting government, military, and law enforcement organizations in Ukraine. Their latest campaign involves the use of an updated, PowerShell-based version of their GammaSteel infostealer malware to infiltrate and gather sensitive information from their targets.
The initial compromise in this campaign was traced back to an infected USB drive containing a malicious LNK shortcut file. The infection was activated on February 26, 2025, triggering a multi-stage infection chain designed to evade detection. This chain used a series of scripts and files to establish connections with command-and-control servers and to propagate the infection to other network drives.
One notable change in this campaign is Shuckworm’s increased reliance on PowerShell, moving away from their previous use of VBS scripts. This shift aims to enhance obfuscation and make it harder for traditional file-based detection methods to identify the malware.
After gaining initial access and communicating with their C&C server, the attackers deployed reconnaissance tools and the final payload, the updated GammaSteel infostealer. This malware is designed to gather and exfiltrate specific files from user directories while evading detection, for example by issuing its traffic as PowerShell web requests and encoding system details in the request parameters.
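As an added illustration (not from the Broadcom report and not the group's own code), the Python below scores constructed Sysmon-style process-creation events for the behaviour described above: PowerShell started from a shortcut on removable media using window-hiding, policy-bypass or encoded-command switches. The event layout, the removable-drive inventory and the switch patterns are assumptions made for the example.

```python
import re

# Constructed Sysmon Event ID 1 (process creation) style records for illustration; not real campaign telemetry.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"E:\docs",
     "CommandLine": r"powershell.exe -WindowStyle hidden -NoProfile -ep bypass -File E:\docs\open.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CurrentDirectory": r"C:\Users\admin",
     "CommandLine": r"powershell.exe -File C:\Scripts\backup.ps1"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CurrentDirectory": r"C:\Users\admin\Desktop",
     "CommandLine": r"powershell.exe -EncodedCommand SQBFAFgAIAAoAE4AZQB3AC0ATwBiAGoAZQBjAHQA"},
]
# Drive letters the host currently reports as removable media (assumed to come from an inventory query).
REMOVABLE_DRIVES = {"E:"}
# Switches that hide the window, skip the execution policy, or conceal the script body.
EVASION_PATTERNS = [
    r"-w(?:indowstyle)?\s+hidden",
    r"-nop(?:rofile)?\b",
    r"-e(?:p|xecutionpolicy)\s+bypass",
    r"-e(?:c|nc|ncodedcommand)?\s+[A-Za-z0-9+/=]{20,}",
]

def assess_event(event, removable_drives=REMOVABLE_DRIVES):
    """Return the reasons a process-creation event looks like a shortcut-launched PowerShell stage."""
    if not event["Image"].lower().endswith(("\\powershell.exe", "\\pwsh.exe")):
        return []
    reasons = []
    cmd = event["CommandLine"]
    # explorer.exe as the parent is what a double-clicked .lnk produces
    if event["ParentImage"].lower().endswith("\\explorer.exe"):
        reasons.append("spawned by explorer.exe (shortcut launch)")
    # Every drive letter referenced by the command line or the working directory
    referenced = {m.upper() for m in re.findall(r"\b([A-Za-z]:)\\", cmd + " " + event.get("CurrentDirectory", ""))}
    removable_hits = referenced & {d.upper() for d in removable_drives}
    if removable_hits:
        reasons.append(f"references removable drive {sorted(removable_hits)}")
    for pattern in EVASION_PATTERNS:
        if re.search(pattern, cmd, re.IGNORECASE):
            reasons.append(f"evasion switch matches {pattern!r}")
    # An explorer.exe parent on its own is normal; require a second indicator before flagging
    return reasons if len(reasons) >= 2 else []

def scan(events):
    """Return (index, reasons) pairs for every flagged event."""
    return [(i, r) for i, e in enumerate(events) if (r := assess_event(e))]
```

Running `scan(SAMPLE_EVENTS)` flags the first and third constructed events and leaves the scheduled backup script alone.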
Despite not possessing the advanced capabilities of some other Russian state-sponsored actors, Shuckworm has demonstrated a significant increase in sophistication in this campaign. Through continuous code modifications, enhanced obfuscation techniques, and the strategic use of legitimate tools and services, they have managed to evade detection and pose a significant cyber threat to entities connected with Ukraine.
Broadcom Security researchers have emphasized the ongoing threat that Shuckworm poses and highlighted the need for vigilance among organizations with ties to Ukraine. This campaign serves as a reminder of the evolving nature of cyber threats and the importance of staying updated on the latest tactics used by malicious actors.
In conclusion, the relentless focus and evolving methodology of Shuckworm underscore the persistent cyber threat they pose to Ukrainian entities. As they continue to adapt and enhance their tactics, it is crucial for organizations to strengthen their cybersecurity measures and stay informed about the latest developments in the threat landscape.