
Russia-linked espionage group Shuckworm (also known as Gamaredon or Armageddon) has launched a renewed and more sophisticated cyber campaign targeting a foreign military mission based in Ukraine, according to a detailed report by the Symantec Threat Hunter Team.
This latest wave of activity, which began in February 2025 and continued through March, underscores Shuckworm’s relentless focus on Ukrainian targets, and its commitment to enhancing malware capabilities despite being perceived as less technically adept than its peers.
“While the group does not appear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be trying to compensate… by continually making minor modifications to the code it uses,” Symantec observed.
The attack began with a removable USB drive, which delivered a malicious .LNK file named files.lnk. This shortcut triggered a chain of obfuscated commands, including:
This JavaScript command, embedded in the shortcut, executed a heavily obfuscated VBScript, which then created and ran two malicious registry transaction files to establish communication with command and control (C&C) servers and modify system settings.
The attack’s infection chain is multi-staged and stealthy, designed to avoid detection by leveraging:
- Legitimate tools like mshta.exe, wscript.exe, and PowerShell
- Registry-stored scripts to evade traditional file-based AV detection
- UserAssist key manipulation to hide folder execution via .LNK shortcuts
- Windows Registry Run key for persistence
This campaign uses an updated version of Shuckworm’s custom infostealer tool GammaSteel. It now includes reconnaissance functionality capable of:
- Capturing screenshots
- Gathering system information (systeminfo, running processes, volume serial numbers)
- Enumerating desktop contents and user documents
- Harvesting file types including .docx, .pptx, .pdf, .xls, .rtf, .odt, and .txt
“GammaSteel was deployed following a complex, multi-staged attack chain, with frequent use of obfuscation… designed to minimize the risk of detection.”
Shuckworm’s network communication is notably resilient, using a mix of:
- Cloudflare tunnels (e.g., trycloudflare[.]com)
- Telegram channels (t[.]me/s/futar23)
- Obscure Russian domains (sleep.crudoes[.]ru, position.crudoes[.]ru)
- Write.as web service for covert data exfiltration
Symantec noted this shift as a marked increase in sophistication: the group now leans on legitimate web services in an attempt to lower the risk of detection.
GammaSteel exfiltrates data using:
- PowerShell web requests
- cURL via Tor proxy to hide the attacker’s location
- User-Agent manipulation to encode hostnames, serial numbers, and filenames in headers
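Encoding host identity and filenames into the User-Agent header is visible at the proxy, because browser and tool User-Agent strings have a narrow, predictable shape. The scanner below is an added example written for this article, not Symantec's tooling and not the encoding GammaSteel actually uses (the report does not spell that out): it reads constructed proxy log lines and flags User-Agent values that carry a default Windows computer name, a volume-serial-looking token, a document extension from the harvest list above, a long base64-like blob, or non-ASCII text. The destination hostnames in the sample are constructed `.invalid` names, not the infrastructure named in the article.

```python
import re

# Checks applied to the User-Agent value. Each label is our own heuristic name.
UA_CHECKS = [
    # Default Windows computer-name prefixes followed by the random suffix.
    ("hostname", re.compile(r"\b(?:DESKTOP|LAPTOP|WIN)-[A-Z0-9]{4,}\b")),
    # Eight hex digits, optionally split 4-4, as a volume serial number is usually printed.
    ("serial", re.compile(r"\b[0-9A-F]{4}-?[0-9A-F]{4}\b")),
    # Document types the article lists as harvested.
    ("document_ext", re.compile(r"\.(?:docx?|pptx?|pdf|xlsx?|rtf|odt|txt)\b", re.I)),
    # A run of 24+ base64-alphabet characters does not occur in normal UA strings.
    ("base64_blob", re.compile(r"[A-Za-z0-9+/]{24,}={0,2}")),
]

# One line: timestamp, client, destination host, method, path, quoted User-Agent.
LOG_LINE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) "(.*)"$')


def ua_reasons(user_agent):
    """Return the list of heuristic labels that fire on one User-Agent string."""
    reasons = [label for label, rx in UA_CHECKS if rx.search(user_agent)]
    if any(ord(ch) > 127 for ch in user_agent):
        reasons.append("non_ascii")
    return reasons


def scan_proxy_log(lines):
    """Return one finding per log line whose User-Agent trips at least one check."""
    findings = []
    for line in lines:
        m = LOG_LINE.match(line)
        if not m:
            continue  # malformed line; skip rather than guess
        ts, client, host, method, path, ua = m.groups()
        reasons = ua_reasons(ua)
        if reasons:
            findings.append({"time": ts, "client": client, "host": host,
                             "user_agent": ua, "reasons": reasons})
    return findings


# Constructed sample proxy log (not from the report). Line 2 carries a hostname,
# serial and a Cyrillic document name; line 4 carries a base64-looking blob.
SAMPLE_PROXY_LOG = [
    '2025-03-03T10:01:12Z 10.0.0.5 update.example-cdn.test GET / '
    '"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 Chrome/122.0 Safari/537.36"',
    '2025-03-03T10:02:40Z 10.0.0.5 sleep.example.invalid GET /index.php '
    '"Mozilla/5.0 (Windows NT 10.0) DESKTOP-7F3K2Q::A1B2C3D4::Рапорт_поранення.docx"',
    '2025-03-03T10:03:05Z 10.0.0.7 api.example.test POST /v1 "python-requests/2.31.0"',
    '2025-03-03T10:04:18Z 10.0.0.5 tunnel.example.invalid GET /u '
    '"curl/8.4.0 V0lOLUhPU1Q6OkZCQTEyMzQ1OjpyZXBvcnQucGRm"',
]

if __name__ == "__main__":
    for f in scan_proxy_log(SAMPLE_PROXY_LOG):
        print(f["time"], f["client"], "->", f["host"], f["reasons"])
```

A useful follow-up in practice is to group findings by client and count distinct User-Agent values per host: a single workstation presenting dozens of different User-Agent strings to one destination is the exfiltration pattern, whereas a single odd string may be a misbehaving updater.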
To maintain stealth, the malware modifies registry keys to:
- Hide hidden and system files
- Infect network and removable drives by creating .LNK files for each folder and hiding original content
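The removable-drive trick leaves a recognisable footprint: for each folder the malware hides, a shortcut with the same name sits beside it, so a user who double-clicks what looks like the folder runs the shortcut instead. The scanner below is an added example for this article, not Symantec's detection logic: it walks a drive or share and reports every `.lnk` whose name matches a sibling directory, noting whether that directory carries the hidden attribute (checked via `st_file_attributes` on Windows, with a dot-prefix fallback elsewhere). It does not open or parse the shortcut itself. The `demo()` helper builds a constructed directory tree in a temporary location so the check can be run offline.

```python
import os
import stat
import tempfile


def is_hidden(path):
    """True if the path has the Windows hidden attribute (or a POSIX dot-name)."""
    st = os.stat(path)
    attrs = getattr(st, "st_file_attributes", None)  # only populated on Windows
    if attrs is None:
        return os.path.basename(path).startswith(".")
    return bool(attrs & stat.FILE_ATTRIBUTE_HIDDEN)


def find_shadowing_lnks(root):
    """Return .lnk files whose stem matches a sibling directory name.

    Each hit records the shortcut path, the directory it impersonates and
    whether that directory is hidden, which is the pattern the article describes.
    """
    hits = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs_by_lower = {d.lower(): d for d in dirnames}  # NTFS is case-insensitive
        for fn in filenames:
            stem, ext = os.path.splitext(fn)
            if ext.lower() != ".lnk":
                continue
            match = dirs_by_lower.get(stem.lower())
            if match is None:
                continue
            shadowed = os.path.join(dirpath, match)
            hits.append({
                "lnk": os.path.join(dirpath, fn),
                "shadowed_dir": shadowed,
                "dir_hidden": is_hidden(shadowed),
            })
    return hits


def build_demo_tree(base):
    """Create a constructed tree: one impersonated folder, one clean folder, one plain file."""
    os.makedirs(os.path.join(base, "Documents", "Reports"))
    os.makedirs(os.path.join(base, "Photos"))
    # An empty placeholder standing in for a malicious shortcut (not a real LNK).
    open(os.path.join(base, "Documents.lnk"), "wb").close()
    # A legitimately named shortcut with no matching folder: must not be reported.
    open(os.path.join(base, "Readme.lnk"), "wb").close()
    open(os.path.join(base, "notes.txt"), "w").write("constructed sample\n")


def demo():
    """Build the demo tree, scan it and return the hits (the temp dir is removed afterwards)."""
    with tempfile.TemporaryDirectory() as tmp:
        build_demo_tree(tmp)
        hits = find_shadowing_lnks(tmp)
        # Keep only names, since the temporary path disappears on exit.
        return [(os.path.basename(h["lnk"]), os.path.basename(h["shadowed_dir"]), h["dir_hidden"])
                for h in hits]


if __name__ == "__main__":
    for lnk, folder, hidden in demo():
        print(f"{lnk} impersonates folder {folder!r} (hidden={hidden})")
```

Run it against a mounted USB drive or a share root to get a list to remediate; on a real infection the hit list would also show `dir_hidden` as True, because the malware hides the original folder so that only the shortcut is visible.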
File names like “Рапорт поранення” (Wound Report) and “БОЙОВЕ РОЗПОРЯДЖЕННЯ ППО” (AIR DEFENSE COMBAT ORDER) hint at the targeting of military communications and operational documents.
Shuckworm’s latest campaign demonstrates a clear evolution in its tactics, using better obfuscation, deeper registry integration, and more secure C&C channels.
“This attack does mark something of an increase in sophistication for Shuckworm,” Symantec concluded.