Gamaredon in 2024: Cranking out spearphishing campaigns against Ukraine with an evolved toolset

ESET Research analyzes Gamaredon’s updated cyberespionage toolset, new stealth-focused techniques, and aggressive spearphishing operations observed throughout 2024

02 Jul 2025 • , 6 min. read

Since Russia’s full-scale invasion of Ukraine in February 2022, cyberespionage has played a crucial role in the broader threatscape. Russia-aligned advanced persistent threat (APT) groups have relentlessly targeted Ukrainian entities, employing cyberattacks alongside disinformation campaigns. ESET Research has closely monitored these activities, regularly documenting cyber-operations carried out by various threat actors, including the highly active Gamaredon group.

Key points of this blogpost:

• Gamaredon refocused exclusively on targeting Ukrainian governmental institutions in 2024, abandoning prior attempts against NATO countries.
• The group significantly increased the scale and frequency of spearphishing campaigns, employing new delivery methods such as malicious hyperlinks and LNK files executing PowerShell from Cloudflare-hosted domains.
• Gamaredon introduced six new malware tools, leveraging PowerShell and VBScript, designed primarily for stealth, persistence, and lateral movement.
• Existing tools ...