What happened
Russian state-linked threat group Gamaredon has significantly upgraded its cyber espionage toolkit, according to new research from ESET. The group, also known as Aqua Blizzard, Armageddon, and BlueAlpha, has remained active since at least 2013 and continues to evolve its tactics in support of Russia’s intelligence objectives.
During 2025, ESET tracked 35 spear-phishing campaigns targeting Ukraine. In the first half of the year the group focused on developing new malware, including six PowerShell-based downloaders. One of the most notable additions is PteroPaste, a tool capable of copying malicious scripts onto USB drives by disguising them as legitimate Microsoft Word documents using shortcut (.lnk) files.
Gamaredon also strengthened its command-and-control (C2) infrastructure by abusing trusted services such as Microsoft, Cloudflare, Dropbox, and Amazon S3. The group used Cloudflare tunneling, serverless workers, and “dead drop” techniques to conceal malicious communications behind legitimate platforms, making detection more difficult.
According to ESET Director of Threat Research Jean-Ian Boutin, these changes enabled Gamaredon to launch more frequent and larger-scale attacks during the second half of 2025. Some operations also involved collaboration with the Russian APT group Turla, which used Gamaredon’s initial access capabilities to deploy its Kazuar malware framework.
Who is affected
The campaigns documented by ESET primarily targeted Ukraine’s government and military organizations, with the objective of stealing sensitive information related to the ongoing conflict.
However, the techniques demonstrated by Gamaredon are relevant to organizations worldwide. The group’s reliance on legitimate cloud services, PowerShell scripts, USB propagation, and trusted infrastructure reflects tactics increasingly adopted by advanced threat actors. Enterprises that depend heavily on Windows environments and cloud services may face similar attack methods from other espionage groups.
Why CISOs should care
Gamaredon’s latest evolution highlights how mature threat actors continue refining their operations instead of relying on legacy techniques. By hiding malicious traffic inside trusted cloud platforms and using removable media to reach isolated systems, attackers can bypass many traditional security controls.
Louis Eichenbaum, Federal CTO at ColorTokens, noted that defenders can no longer assume communications with trusted platforms are automatically safe. Instead, organizations should validate whether activity is expected, authorized, and consistent with normal user and application behavior.
The report also reinforces the importance of monitoring PowerShell activity, controlling USB usage, and strengthening visibility into cloud communications as part of modern threat detection strategies.
3 practical actions
- Restrict PowerShell and unnecessary scripting capabilities for non-administrative users whenever business requirements allow.
- Implement strict USB security policies, including scanning, sanitization, or blocking unauthorized removable media.
- Continuously monitor communications with trusted cloud services and apply identity-aware segmentation to detect and contain suspicious activity.
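The USB lure described above (a shortcut file that looks like a Word document but launches a script host) is something an incident responder can triage with a small scanner. The following is an added example written for this page; it is not code from ESET, from the report, or from any tool mentioned in the article. It assumes the lure naming pattern "Report.docx.lnk" (the .lnk suffix is hidden when Explorer hides known extensions), an assumed list of script hosts to flag (the article names only PowerShell), and a constructed, minimal shortcut builder used purely for testing the checks. It does not parse the full [MS-SHLLINK] structure; it verifies the header and then searches the raw bytes for script-host names in both ANSI and UTF-16LE form, which is how shortcut string data is stored.

```python
# Added example (not from the ESET report or the original article): a triage
# scanner for shortcut (.lnk) files on removable media that pose as Word
# documents while launching a script interpreter, the USB lure described above.
import struct
import sys
from pathlib import Path

# [MS-SHLLINK] ShellLinkHeader: HeaderSize 0x0000004C and the fixed LinkCLSID
# {00021401-0000-0000-C000-000000000046}, stored little-endian.
LNK_HEADER_SIZE = 0x4C
LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")

# Assumed lure extensions: a name like "Report.docx.lnk" shows as "Report.docx"
# when Explorer hides known extensions.
DOCUMENT_LURE_SUFFIXES = (".doc", ".docx", ".rtf")

# Assumed script hosts worth flagging inside a shortcut; the article names
# PowerShell, the others are common equivalents added here as an assumption.
SCRIPT_HOSTS = ("powershell", "pwsh", "cmd.exe", "wscript", "cscript", "mshta")


def is_shell_link(data: bytes) -> bool:
    """True if the bytes start with a valid ShellLinkHeader."""
    if len(data) < LNK_HEADER_SIZE:
        return False
    header_size = struct.unpack_from("<I", data, 0)[0]
    return header_size == LNK_HEADER_SIZE and data[4:20] == LNK_CLSID


def find_script_hosts(data: bytes) -> list[str]:
    """Search the raw file for script-host names in ASCII and UTF-16LE.

    Shortcut string data (path, arguments) is UTF-16LE when the IsUnicode
    flag is set and ANSI otherwise, so both encodings are checked.
    bytes.lower() folds only ASCII letters, which suits both forms because
    the UTF-16LE null bytes are left untouched.
    """
    haystack = data.lower()
    hits = []
    for host in SCRIPT_HOSTS:
        if host.encode("ascii") in haystack or host.encode("utf-16-le") in haystack:
            hits.append(host)
    return hits


def is_document_lure(filename: str) -> bool:
    """True for names like 'Report.docx.lnk' that mimic a Word document."""
    name = filename.lower()
    if not name.endswith(".lnk"):
        return False
    stem = name[: -len(".lnk")]
    return stem.endswith(DOCUMENT_LURE_SUFFIXES)


def assess_lnk(filename: str, data: bytes) -> dict:
    """Combine the checks into one finding for a single shortcut file."""
    valid = is_shell_link(data)
    hosts = find_script_hosts(data) if valid else []
    lure = is_document_lure(filename)
    if hosts and lure:
        verdict = "high"      # document-looking shortcut that runs a script host
    elif hosts:
        verdict = "medium"    # shortcut runs a script host, name not disguised
    else:
        verdict = "clean"
    return {"file": filename, "valid_lnk": valid, "document_lure": lure,
            "script_hosts": hosts, "verdict": verdict}


def scan_entries(entries) -> list[dict]:
    """Assess (filename, bytes) pairs and return only the non-clean findings."""
    return [f for f in (assess_lnk(n, d) for n, d in entries) if f["verdict"] != "clean"]


def scan_directory(root: Path) -> list[dict]:
    """Read every *.lnk under root (for example a mounted USB drive) and assess it."""
    return scan_entries((p.name, p.read_bytes()) for p in root.rglob("*.lnk"))


def build_sample_lnk(command_line: str) -> bytes:
    """Build a minimal constructed shortcut for exercising the scanner.

    Only the 76-byte header (HasArguments | IsUnicode) plus one
    CommandLineArguments string are emitted; a Windows-generated shortcut
    carries further structures that this scanner deliberately does not parse.
    """
    link_flags = 0x20 | 0x80                                   # HasArguments | IsUnicode
    header = struct.pack("<I", LNK_HEADER_SIZE) + LNK_CLSID
    header += struct.pack("<I", link_flags)                    # LinkFlags
    header += struct.pack("<I", 0)                             # FileAttributes
    header += b"\x00" * 24                                     # creation/access/write times
    header += struct.pack("<IIIHHII", 0, 0, 1, 0, 0, 0, 0)     # size, icon, SW_SHOWNORMAL, hotkey, reserved
    return header + struct.pack("<H", len(command_line)) + command_line.encode("utf-16-le")


if __name__ == "__main__":
    # Usage: python lnk_triage.py <mount point of the removable drive>
    for finding in scan_directory(Path(sys.argv[1])):
        print(finding)
```

Run against the mount point of a removable drive; anything rated "high" is a shortcut whose name mimics a document and whose contents reference a script host, which matches the lure pattern ESET describes and is worth pulling for full analysis. A "medium" result still deserves a look, since a legitimate shortcut to PowerShell on a USB stick is unusual in most environments.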