Gamaredon Group
Aliases: IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard
Gamaredon Group is a suspected Russian cyber espionage threat group that has targeted military, NGO, judiciary, law enforcement, and non-profit organizations in Ukraine since at least 2013. The name Gamaredon Group comes from a misspelling of the word "Armageddon", which was detected in the adversary's early campaigns. In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia's Federal Security Service (FSB) Center 18.
ATT&CK techniques
T1491.001 Internal Defacement
T1583.003 Virtual Private Server
T1001 Data Obfuscation
T1534 Internal Spearphishing
T1047 Windows Management Instrumentation
T1083 File and Directory Discovery
T1119 Automated Collection
T1036.005 Match Legitimate Name or Location
T1027.004 Compile After Delivery
T1105 Ingress Tool Transfer
T1021.005 VNC
T1027.001 Binary Padding
T1218.011 Rundll32
T1566.001 Spearphishing Attachment
T1082 System Information Discovery
T1059.005 Visual Basic
T1113 Screen Capture
T1005 Data from Local System
T1039 Data from Network Shared Drive
T1608.001 Upload Malware
T1102.003 One-Way Communication
T1112 Modify Registry
T1016.001 Internet Connection Discovery
T1559.001 Component Object Model
T1562.001 Disable or Modify Tools
T1025 Data from Removable Media
T1221 Template Injection
T1140 Deobfuscate/Decode Files or Information
T1204.001 Malicious Link
T1080 Taint Shared Content
T1106 Native API
T1561.001 Disk Content Wipe
T1033 System Owner/User Discovery
T1564.003 Hidden Window
T1070.004 File Deletion
T1059.001 PowerShell
T1588.002 Tool
T1020 Automated Exfiltration
T1071.001 Web Protocols
T1583.001 Domains
T1568.001 Fast Flux DNS
T1120 Peripheral Device Discovery
T1041 Exfiltration Over C2 Channel
T1053.005 Scheduled Task
T1027 Obfuscated Files or Information
T1057 Process Discovery
T1027.010 Command Obfuscation
T1204.002 Malicious File
T1568 Dynamic Resolution
T1547.001 Registry Run Keys / Startup Folder
T1480 Execution Guardrails
T1059.003 Windows Command Shell
T1218.005 Mshta
T1137 Office Application Startup
T1102 Web Service