The Russia-linked threat actor known as Gamaredon (aka Shuckworm) has been attributed to a cyber attack targeting a foreign military mission based in Ukraine with an aim to deliver an updated version of a known malware called GammaSteel.
The group targeted the military mission of a Western country, per the Symantec Threat Hunter team, with first signs of the malicious activity detected on February 26, 2025.
“The initial infection vector used by the attackers appears to have been an infected removable drive,” the Broadcom-owned threat intelligence division said in a report shared with The Hacker News.
The attack started with the creation of a Windows Registry value under the UserAssist key, followed by launching “mshta.exe” using “explorer.exe” to initiate a multi-stage infection chain and launch two files.
The first file, named “NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms,” is used to establish communications with a command-and-control (C2) server that’s obtained by reaching out to specific URLs associated with legitimate services like Teletype, Telegram, and Telegraph, among others.
The second file in question, “NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms,” is designed to infect any removable drives and network drives by creating shortcut files for every folder to execute the malicious “mshta.exe” command and hide it.
Subsequently on March 1, 2025, the script was executed to contact a C2 server, exfiltrate system metadata, and receive, in return, a Base64-encoded payload, which is then used to run a PowerShell command engineered to download an obfuscated new version of the same script.
The script, for its part, connects to a hard-coded C2 server to fetch two more PowerShell scripts, the first of which is a reconnaissance utility capable of capturing screenshots, run systeminfo command, get details of security software running on the host, enumerate files and folders in Desktop, and list running processes.
The second PowerShell script is an improved version of GammaSteel, a known information stealer that’s capable of exfiltrating files from a victim based on an extension allowlist from the Desktop and Documents folders.
“This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine,” Symantec said.
“While the group does not appear to have access to the same skill set as some other Russian groups, Shuckworm does now appear to be trying to compensate for this by continually making minor modifications to the code it uses, adding obfuscation, and leveraging legitimate web services, all to try lower the risk of detection.”
