Jan 27, 2025 | Ravie Lakshmanan | Cyber Espionage / Threat Intelligence
A previously unknown threat actor has been observed copying the tradecraft of the Kremlin-aligned Gamaredon hacking group in cyber attacks aimed at Russian-speaking entities.
The campaign has been attributed to a threat cluster dubbed GamaCopy, which is assessed to overlap with Core Werewolf, a group also tracked as Awaken Likho and PseudoGamaredon.
According to the Knownsec 404 Advanced Threat Intelligence team, the attacks use content related to military facilities as lures to drop UltraVNC, giving the threat actors remote access to the compromised hosts.
"The TTP (Tactics, Techniques, and Procedures) of this organization imitates that of the Gamaredon organization which conducts attacks against Ukraine," the company said in a report published last week.
The disclosure comes nearly four months after Kaspersky revealed that Russian government agencies and industrial entities had been targeted by Core Werewolf in spear-phishing attacks that paved the way for the MeshCentral platform rather than UltraVNC.
The start of the attack chain mirrors the one described by the Russian cybersecurity company: a self-extracting (SFX) archive created with 7-Zip serves as the conduit for dropping the next-stage payloads. These include a batch script that delivers UltraVNC while displaying a decoy PDF document.
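The 7-Zip SFX dropper described above can be triaged without running it. A 7-Zip installer SFX is a PE stub followed by an optional text configuration block (between `;!@Install@!UTF-8!` and `;!@InstallEnd@!`) and then the 7z archive itself, which begins with the signature bytes `37 7A BC AF 27 1C`; the `RunProgram` and `ExecuteFile` directives in that block name what is launched after extraction. The helper below is an added example written for this article, not code from the Knownsec 404 or Kaspersky reports, and the sample bytes it parses are constructed for the demo rather than taken from a real GamaCopy sample.

```python
"""Static triage of a 7-Zip self-extracting (SFX) dropper.

Added example, not from the original report. It locates the appended 7z
archive, parses the SFX configuration block and flags directives that hand
off execution to a script (the pattern on the page: a batch file that
installs UltraVNC and opens a decoy PDF). The demo sample is constructed.
"""
import re

SEVENZIP_MAGIC = b"\x37\x7a\xbc\xaf\x27\x1c"   # '7z' archive signature
CONFIG_START = b";!@Install@!UTF-8!"
CONFIG_END = b";!@InstallEnd@!"
# Directives that run code after extraction.
EXEC_KEYS = ("RunProgram", "ExecuteFile", "ExecuteParameters")
SCRIPT_EXT = re.compile(r"\.(bat|cmd|ps1|vbs|js|hta)\b", re.IGNORECASE)


def parse_sfx(data: bytes) -> dict:
    """Return PE check, archive offset, config directives and suspicion flags."""
    result = {"is_pe": data[:2] == b"MZ", "archive_offset": -1,
              "config": {}, "flags": []}
    result["archive_offset"] = data.find(SEVENZIP_MAGIC)
    if result["archive_offset"] == -1:
        result["flags"].append("no 7z archive appended")
        return result
    start, end = data.find(CONFIG_START), data.find(CONFIG_END)
    if start != -1 and end != -1 and start < end:
        block = data[start + len(CONFIG_START):end].decode("utf-8", "replace")
        # One directive per line, written as Key="Value".
        for key, value in re.findall(r'^\s*(\w+)="([^"\r\n]*)"', block, re.MULTILINE):
            result["config"][key] = value
    for key in EXEC_KEYS:
        value = result["config"].get(key)
        if value and SCRIPT_EXT.search(value):
            result["flags"].append(f"{key} launches a script: {value}")
    if result["config"].get("GUIMode") == "2":   # hidden mode: no dialogs shown
        result["flags"].append("silent extraction (GUIMode=2)")
    return result


def carve_archive(data: bytes) -> bytes:
    """Return the embedded 7z archive so it can be listed offline with 7z l."""
    offset = data.find(SEVENZIP_MAGIC)
    return data[offset:] if offset != -1 else b""


def build_demo_sample() -> bytes:
    """Constructed stand-in for a dropper: fake PE stub + SFX config + 7z header."""
    stub = b"MZ" + b"\x00" * 62
    config = (CONFIG_START + b"\r\n"
              b'Title="Document"\r\n'
              b'GUIMode="2"\r\n'
              b'RunProgram="setup.bat"\r\n'
              + CONFIG_END + b"\r\n")
    archive = SEVENZIP_MAGIC + b"\x00\x04" + b"\x00" * 26   # version bytes + fake header
    return stub + config + archive


if __name__ == "__main__":
    verdict = parse_sfx(build_demo_sample())
    for flag in verdict["flags"]:
        print("[!]", flag)
    print("archive at offset", verdict["archive_offset"], "config:", verdict["config"])
```

Run against a real file with `parse_sfx(open(path, "rb").read())`; `carve_archive` gives the bytes to hand to `7z l` for listing the dropped payloads (batch script, VNC binary, decoy PDF) without executing the stub.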
The UltraVNC binary is named "OneDrivers.exe" in an effort to evade detection by passing it off as a Microsoft OneDrive component.
Knownsec 404 said the activity shares several similarities with Core Werewolf campaigns, including the use of 7z-SFX files to deploy and execute UltraVNC, the use of port 443 to connect to the server, and the use of the .
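Filename masquerading of the kind described above is easy to catch when host telemetry records the PE's own version resource. The rule below is an added example written for this article, not detection logic from Knownsec 404 or Kaspersky: it walks Sysmon-style process-creation (event 1) and network-connection (event 3) records and flags a process that carries a OneDrive-like filename but whose `OriginalFileName` does not match a OneDrive binary, that was spawned by a script running from a temp directory (the SFX hand-off), and that then opens TCP/443 outbound. The records are constructed, and the `OriginalFileName` values for OneDrive and for a VNC server are assumptions for the demo, not values taken from the report.

```python
"""Hunt for a renamed remote-access tool over Sysmon-style events.

Added example, not from the original report. Three indicators from the
article are combined: OneDrive-lookalike filename with mismatching PE
OriginalFileName, launch by a script interpreter from a temp directory,
and outbound TCP/443 from the flagged process. Events are constructed.
"""
# Assumed for the demo: OriginalFileName values a genuine OneDrive build carries.
LEGIT_ONEDRIVE_NAMES = {"onedrive.exe", "onedrivesetup.exe"}
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "wscript.exe", "cscript.exe"}
TEMP_HINTS = ("\\temp\\", "\\appdata\\local\\temp\\")

TEMP = "C:\\Users\\alice\\AppData\\Local\\Temp\\7zS4F2A"
DEMO_EVENTS = [  # constructed Sysmon-like records
    {"EventID": 1, "ProcessGuid": "{A1}", "Image": "C:\\Users\\alice\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
     "OriginalFileName": "OneDrive.exe", "ParentImage": "C:\\Windows\\explorer.exe", "ParentCommandLine": "explorer.exe"},
    {"EventID": 3, "ProcessGuid": "{A1}", "Initiated": "true", "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "ProcessGuid": "{B2}", "Image": TEMP + "\\OneDrivers.exe",
     "OriginalFileName": "winvnc.exe",  # assumed value for a renamed VNC server
     "ParentImage": "C:\\Windows\\System32\\cmd.exe", "ParentCommandLine": f"cmd.exe /c {TEMP}\\setup.bat"},
    {"EventID": 3, "ProcessGuid": "{B2}", "Initiated": "true", "DestinationIp": "198.51.100.7", "DestinationPort": 443},
]


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def suspicious_processes(events: list) -> dict:
    """Map ProcessGuid -> {image, reasons} for processes matching the indicators."""
    hits = {}
    for e in events:
        if e["EventID"] != 1:
            continue
        reasons = []
        name = _basename(e["Image"])
        original = e.get("OriginalFileName", "").lower()
        # Indicator 1: OneDrive by filename only; the PE says it is something else.
        if "onedrive" in name and original not in LEGIT_ONEDRIVE_NAMES:
            reasons.append(f"OneDrive lookalike with OriginalFileName={e.get('OriginalFileName')}")
        # Indicator 2: spawned by a script interpreter working out of a temp directory.
        parent_cmd = e.get("ParentCommandLine", "").lower()
        if _basename(e.get("ParentImage", "")) in SCRIPT_HOSTS and any(h in parent_cmd for h in TEMP_HINTS):
            reasons.append("spawned by script running from a temp directory")
        if reasons:
            hits[e["ProcessGuid"]] = {"image": e["Image"], "reasons": reasons}
    # Indicator 3: only meaningful for processes already flagged; 443 alone is normal traffic.
    for e in events:
        if (e["EventID"] == 3 and e["ProcessGuid"] in hits
                and str(e.get("Initiated", "true")).lower() == "true"
                and int(e.get("DestinationPort", 0)) == 443):
            hits[e["ProcessGuid"]]["reasons"].append(f"outbound TCP/443 to {e['DestinationIp']}")
    return hits


def scan_demo() -> dict:
    return suspicious_processes(DEMO_EVENTS)


if __name__ == "__main__":
    for guid, hit in scan_demo().items():
        print(guid, hit["image"])
        for reason in hit["reasons"]:
            print("   -", reason)
```

The legitimate OneDrive process also talks to port 443 and is not flagged; the network indicator is only added to processes that already matched a host-side indicator, which keeps the rule from firing on ordinary HTTPS traffic.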
Since its disclosure, the group has frequently imitated the TTPs of Gamaredon and skillfully weaponized open-source tools to achieve its own goals while confusing the public, according to the company.
GamaCopy is one of the many groups that have targeted Russian organizations in the wake of the Russo-Ukrainian war, alongside Sticky Werewolf (aka ), Venture Wolf, and Paper Werewolf.
"Teams like PhaseShifters, PseudoGamaredon, and Soft Wolf stand out for their continuous phishing strategies aimed at information theft," Positive Technologies' Irina Zinovkina said.