Gamaredon Group
Also known as: IRON TILDEN · Primitive Bear · ACTINIUM · Armageddon · Shuckworm · DEV-0157 · Aqua Blizzard · NastyShrew
Overview
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns. In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.
Targets
Government
Regions
Germany · Ukraine
Capabilities
- Destructive / data-wiping operations — ATT&CK T1561.001
- Custom malware/implant development — ATT&CK: 3 attributed custom malware families
TTPs — 70 techniques across 12 tactics
Resource Development
- T1583.001 Domains
- T1583.003 Virtual Private Server
- T1583.006 Web Services
- T1587.003 Digital Certificates
- T1588.002 Tool
- T1608.001 Upload Malware
Initial Access
- T1566.001 Spearphishing Attachment
Execution
- T1047 Windows Management Instrumentation
- T1053.005 Scheduled Task
- T1059.001 PowerShell
- T1059.003 Windows Command Shell
- T1059.005 Visual Basic
- T1106 Native API
- T1204.001 Malicious Link
- T1204.002 Malicious File
- T1559.001 Component Object Model
Persistence
- T1137 Office Application Startup
- T1547.001 Registry Run Keys / Startup Folder
Stealth
- T1027 Obfuscated Files or Information
- T1027.004 Compile After Delivery
- T1027.010 Command Obfuscation
- T1027.012 LNK Icon Smuggling
- T1027.015 Compression
- T1027.016 Junk Code Insertion
- T1036.005 Match Legitimate Resource Name or Location
- T1055 Process Injection
- T1070.004 File Deletion
- T1140 Deobfuscate/Decode Files or Information
- T1218.005 Mshta
- T1218.011 Rundll32
- T1221 Template Injection
- T1480 Execution Guardrails
- T1497.001 System Checks
- T1564.003 Hidden Window
- T1620 Reflective Code Loading
Defense Impairment
- T1112 Modify Registry
- T1685 Disable or Modify Tools
Discovery
- T1012 Query Registry
- T1016.001 Internet Connection Discovery
- T1033 System Owner/User Discovery
- T1057 Process Discovery
- T1082 System Information Discovery
- T1083 File and Directory Discovery
- T1120 Peripheral Device Discovery
- T1518.001 Security Software Discovery
Lateral Movement
- T1021.005 VNC
- T1080 Taint Shared Content
- T1091 Replication Through Removable Media
- T1534 Internal Spearphishing
Collection
- T1005 Data from Local System
- T1025 Data from Removable Media
- T1039 Data from Network Shared Drive
- T1113 Screen Capture
- T1119 Automated Collection
Command and Control
- T1001 Data Obfuscation
- T1071.001 Web Protocols
- T1090 Proxy
- T1090.003 Multi-hop Proxy
- T1095 Non-Application Layer Protocol
- T1102 Web Service
- T1102.002 Bidirectional Communication
- T1102.003 One-Way Communication
- T1105 Ingress Tool Transfer
- T1568 Dynamic Resolution
- T1568.001 Fast Flux DNS
- T1571 Non-Standard Port
Exfiltration
- T1020 Automated Exfiltration
- T1041 Exfiltration Over C2 Channel
Impact
- T1491.001 Internal Defacement
- T1561.001 Disk Content Wipe
Tools & malware (6)
QuietSieve · Pteranodon · Remcos · Ping · Reg · PowerPunch
Reporting (3)
- Introducing the 2026 Cloudflare Threat Report — Cloudflare
- How Microsoft names threat actors — Microsoft
- ACTINIUM targets Ukrainian organizations — Microsoft Threat Intelligence Center