18 Apr
A recent deep-dive analysis by HarfangLab uncovers new insights into the persistent and ever-evolving operations of Gamaredon, a Russian state-linked cyberespionage group. The report focuses on PteroLNK, a heavily obfuscated VBScript malware used by Gamaredon, and on its broader infrastructure, revealing how the group leverages deceptive shortcut files, layered persistence mechanisms, and publicly accessible services like Cloudflare Tunnels, Telegraph, and Teletype to evade detection and maintain covert access to Ukrainian systems.
At its core, PteroLNK is engineered for stealth, persistence, and scalability. The main VBScript, obfuscated by design, deploys two additional payloads during runtime: a downloader and a shortcut (LNK) dropper.
Upon execution, the script drops a copy of itself into hidden locations like:
%PUBLIC%\NTUSER.DAT.TMContainer
%APPDATA%\~.drv
It then deploys two base64-encoded payloads to similarly disguised paths. These scripts are scheduled to run at 3- and 9-minute intervals respectively, unless 360 Total Security antivirus is detected, in which case the malware falls back to running in an infinite loop instead.
The downloader stores command-and-control (C2) addresses in registry keys and dynamically constructs HTTP User-Agent strings that embed the victim’s hostname and system serial number:
“This string is spliced randomly between two predefined User-Agent templates embedded within the malware,” the researchers note.
If no C2 address is available, the malware queries benign sites like ukr.net, sweet.tv, and even bbc.com, while leveraging Telegra.ph and Teletype.in as Dead Drop Resolvers (DDRs) to fetch updated C2 URLs using regex-based parsing.
Gamaredon’s shortcut dropper handles file masquerading: it systematically replaces files on local and network drives with malicious shortcuts that mimic PDF, DOCX, and XLSX files. Each shortcut opens the original document and launches the main malware payload using:
javascript:eval('... wscript.exe //e:vbScript ~.drv ...')
If fewer than two shortcuts are found in a folder, the malware auto-generates fake files using Ukrainian military-themed filenames like:
“Таємно” (Secretly)
“Супровід ГУР” (Support of the Main Intelligence Directorate)
“Зразок рапорту щомісяця” (Sample monthly report)
This technique maximizes the likelihood of user interaction, enabling the malware to propagate laterally through USB drives and shared folders.
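The file-system side of the chain summarized above (the hidden drop files under %PUBLIC% and %APPDATA%, and document-masquerading .lnk files whose command line runs wscript.exe //e:vbScript) is something a defender can hunt for on a workstation or file share. The script below is an added example written for this summary; it is not HarfangLab's tooling and not the malware's code. The sample directory, file names and shortcut contents are constructed, and the check matches on the strings quoted in the report (in both ANSI and UTF-16LE form, since shell links store strings either way) rather than fully parsing the LNK format.

```python
"""Hunt for the PteroLNK-style file-system artifacts named in the report:
the hidden drop files and document-masquerading .lnk files that launch
wscript.exe with //e:vbScript. Added example; the sample tree is constructed."""
import re
import tempfile
from pathlib import Path

# Drop-file names from the report, keyed by the environment variable that
# resolves their parent directory (%PUBLIC% and %APPDATA%).
DROP_INDICATORS = {"PUBLIC": "NTUSER.DAT.TMContainer", "APPDATA": "~.drv"}

# The dropper replaces documents with shortcuts that keep the document
# extension in the name, e.g. "report.docx.lnk".
MASQUERADE_RE = re.compile(r"\.(pdf|docx|xlsx)\.lnk$", re.IGNORECASE)

# Strings from the shortcut command quoted in the report. Shell links store
# their strings as ANSI or UTF-16LE depending on header flags, so each marker
# is searched in both encodings.
MARKERS = [b"wscript.exe", b"//e:vbscript"]
LNK_HEADER = b"L\x00\x00\x00"  # HeaderSize 0x4C, the fixed first field of a .lnk


def _variants(marker):
    return (marker, marker.decode("ascii").encode("utf-16-le"))


def shortcut_runs_vbscript(data):
    """True when the bytes look like a shell link whose command line carries
    every marker (case-insensitively, in either string encoding)."""
    if not data.startswith(LNK_HEADER):
        return False
    low = data.lower()  # folds only ASCII letters, which is all we need here
    return all(any(v in low for v in _variants(m)) for m in MARKERS)


def scan_tree(root):
    """Return masquerading shortcuts under root that carry the wscript markers."""
    hits = []
    for path in Path(root).rglob("*"):
        if not (path.is_file() and MASQUERADE_RE.search(path.name)):
            continue
        try:
            data = path.read_bytes()
        except OSError:
            continue  # unreadable share entry: skip rather than abort the hunt
        if shortcut_runs_vbscript(data):
            hits.append(str(path))
    return sorted(hits)


def check_drop_paths(env):
    """Resolve each drop-file indicator against the supplied environment mapping."""
    return [str(Path(env[var], name)) for var, name in DROP_INDICATORS.items()
            if var in env and Path(env[var], name).exists()]


def run_hunt(root, env):
    return {"shortcuts": scan_tree(root), "drop_paths": check_drop_paths(env)}


def build_sample_tree():
    """Constructed sample data (not real malware): one masquerading shortcut,
    one ordinary shortcut, one real document and one drop-file indicator."""
    root = Path(tempfile.mkdtemp(prefix="pterolnk_hunt_"))
    share = root / "share"
    share.mkdir()
    # Mirrors the quoted command shape: javascript:eval('... wscript.exe //e:vbScript ~.drv ...')
    bad = "javascript:eval('x; wscript.exe //e:vbScript ~.drv')".encode("utf-16-le")
    (share / "Report.docx.lnk").write_bytes(LNK_HEADER + bad)
    good = "C:\\Windows\\System32\\notepad.exe".encode("utf-16-le")
    (share / "Notepad.lnk").write_bytes(LNK_HEADER + good)
    (share / "Report.docx").write_bytes(b"PK\x03\x04 placeholder document body")
    public = root / "Public"
    public.mkdir()
    (public / "NTUSER.DAT.TMContainer").write_text("' placeholder, not the real script\n")
    return root


if __name__ == "__main__":
    sample = build_sample_tree()
    env = {"PUBLIC": str(sample / "Public"), "APPDATA": str(sample / "AppData")}
    for kind, items in run_hunt(sample, env).items():
        print(kind, items)
```

On a real host you would pass the actual %PUBLIC% and %APPDATA% values and the roots of the shares you care about; a hit on the drop paths should be paired with a look at the scheduled tasks the report describes (the 3- and 9-minute recurrences), since the file alone may be a stale remnant. The string match is deliberately loose: a double-extension shortcut that invokes wscript.exe with //e:vbScript has almost no legitimate use, so false positives are rare, but any real triage should open the file with a proper LNK parser before acting on it.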
Gamaredon’s DDRs provide on-demand redirection to current C2s without embedding static IPs or domains in the malware itself. The DDRs are updated almost daily and often resolve to Cloudflare Quick Tunnels, allowing the group to:
Avoid detection
Rotate infrastructure rapidly
Maintain communication without registered domains
“Cloudflare quick tunnels… handle up to 200 concurrent requests per tunnel, making them ideal for low-profile C2 operations,” the report explains.
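The infrastructure pattern described above (a dead-drop lookup on Telegraph or Teletype followed by traffic to a Cloudflare quick tunnel, with a User-Agent that embeds the client's own hostname) lends itself to a simple correlation rule over proxy logs. The following is an added example, not part of HarfangLab's report; the log format, hostnames and User-Agent strings are constructed, and the only external fact it relies on is that Cloudflare quick tunnels are served from subdomains of trycloudflare.com.

```python
"""Correlate proxy-log events matching the report's infrastructure pattern:
a dead-drop-resolver lookup (telegra.ph / teletype.in) followed within a short
window by traffic to a Cloudflare quick tunnel (*.trycloudflare.com), noting
whether the User-Agent embeds the client's own hostname. Added example; the
log lines and their field layout are constructed."""
import re
from datetime import datetime, timedelta

DDR_HOSTS = {"telegra.ph", "teletype.in"}
QUICK_TUNNEL_RE = re.compile(r"(^|\.)trycloudflare\.com$", re.IGNORECASE)

# Constructed log format: ISO timestamp, client hostname, destination host,
# quoted User-Agent. Lines are assumed to be in chronological order.
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) "([^"]*)"$')


def parse_line(line):
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    ts, client, dest, ua = m.groups()
    return {"ts": datetime.fromisoformat(ts), "client": client,
            "dest": dest.lower(), "ua": ua}


def classify(event):
    """Label an event as a dead-drop lookup, a quick-tunnel contact, or neither."""
    if event["dest"] in DDR_HOSTS:
        return "ddr"
    if QUICK_TUNNEL_RE.search(event["dest"]):
        return "tunnel"
    return None


def correlate(lines, window=timedelta(minutes=10)):
    """Per-client alerts: a DDR lookup followed within `window` by a tunnel contact."""
    last_ddr = {}
    alerts = []
    for line in lines:
        ev = parse_line(line)
        if ev is None:
            continue
        kind = classify(ev)
        if kind == "ddr":
            last_ddr[ev["client"]] = ev
        elif kind == "tunnel":
            prior = last_ddr.get(ev["client"])
            if prior and ev["ts"] - prior["ts"] <= window:
                alerts.append({
                    "client": ev["client"],
                    "ddr": prior["dest"],
                    "tunnel": ev["dest"],
                    # The report says the UA is built from the hostname and serial;
                    # if the log carries the client hostname we can check for it.
                    "ua_embeds_hostname": ev["client"].lower() in ev["ua"].lower(),
                })
    return alerts


# Constructed sample log: WS-0142 shows the full pattern, WS-0077 contacts a
# tunnel far outside the window, WS-0200 only visits an ordinary site.
SAMPLE_LOG = [
    '2025-04-18T09:00:05 WS-0142 www.ukr.net "Mozilla/5.0 (Windows NT 10.0)"',
    '2025-04-18T09:00:07 WS-0142 telegra.ph "Mozilla/5.0 (Windows NT 10.0) WS-0142::SN-PLACEHOLDER Chrome/120"',
    '2025-04-18T09:00:09 WS-0142 made-up-words.trycloudflare.com "Mozilla/5.0 (Windows NT 10.0) WS-0142::SN-PLACEHOLDER Chrome/120"',
    '2025-04-18T09:02:00 WS-0077 teletype.in "Mozilla/5.0 Firefox/124"',
    '2025-04-18T09:05:00 WS-0200 www.bbc.com "Mozilla/5.0 Firefox/124"',
    '2025-04-18T10:30:00 WS-0077 other-words.trycloudflare.com "Mozilla/5.0 Firefox/124"',
]

if __name__ == "__main__":
    for alert in correlate(SAMPLE_LOG):
        print(alert)
```

Quick tunnels have legitimate developer uses and Telegraph is an ordinary publishing site, so neither hit is an alert by itself; it is the sequence from one client inside a short window, plus a User-Agent that carries the machine's own name, that makes the combination worth a ticket. The window length is a tuning choice; the report's 3- and 9-minute task intervals suggest the two requests will normally be seconds apart.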
The analyzed samples were uploaded to public scanners from Kyiv, Dnipro, Rivne, Kupyansk, and Odesa, all regions in Ukraine, and primarily targeted government and military personnel. Lure filenames aligned with military logistics, personnel planning, and operational documents.
Attribution to Gamaredon is reinforced by:
Consistent use of NTUSER.DAT.TMContainer filenames
Previously associated C2 domains like nandayo[.]ru and kimiga[.]ru
The use of Cloudflare tunnels, REGRU-RU registrations, and matching User-Agent patterns
“Gamaredon operates as a critical component of Russia’s cyber operations strategy, particularly in its ongoing war with Ukraine,” HarfangLab emphasizes.
As the cyber conflict between Russia and Ukraine continues to intensify, monitoring Gamaredon’s infrastructure, infection chains, and evolving tactics is essential for defenders across Europe and beyond.
“Understanding Gamaredon’s tactics and tooling will be critical… for mitigating possible copycat actors adopting similar techniques across Europe,” HarfangLab concludes.
