Russian Gamaredon Hackers Target Ukraine Military Mission via USB Drives

A cyberattack, attributed to the Russia-linked threat actor Gamaredon (also known as Shuckworm), has targeted a foreign military mission stationed in Ukraine. The goal? To deploy an updated version of their malware, dubbed GammaSteel.

According to the Symantec Threat Hunter team, the group set its sights on the military mission of a Western nation. The first signs of this malicious activity surfaced around February 26, 2025.

"It looks like the attackers initially gained access through an infected removable drive," said the Broadcom-owned threat intelligence division in their report shared with The Hacker News.

So, how did the attack unfold? It began with creating a specific value in the Windows Registry under the UserAssist key. From there, "mshta.exe" was launched via "explorer.exe," kicking off a multi-stage infection process and launching two key files.

The first file, "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communication with a command-and-control (C2) server. It does this by reaching out to URLs linked to legitimate services like Teletype, Telegram, and Telegraph.

The second file, "NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms," is designed to spread the infection to any removable and network drives. It achieves this by creating shortcut files for every folder, which then execute the malicious "mshta.exe" command while staying hidden.

Then, on March 1, 2025, a script was executed to contact the C2 server. This script exfiltrated system metadata and, in return, received a Base64-encoded payload. This payload was then used to run a PowerShell command designed to download a new, obfuscated version of the same script.

This script, in turn, connects to a hard-coded C2 server to retrieve two more PowerShell scripts. The first is a reconnaissance tool, capable of taking screenshots, running the systeminfo command, gathering details about the security software on the host, listing files and folders on the Desktop, and enumerating running processes.

The second PowerShell script is an updated and improved version of GammaSteel. This is a known information stealer with the ability to exfiltrate files from the victim's Desktop and Documents folders, based on a pre-defined list of file extensions.

"This attack suggests a move towards increased sophistication for Shuckworm. While they may not be as skilled as other Russian actors, they make up for it with their relentless focus on targets in Ukraine," Symantec noted.

In conclusion, while the group might not possess the same advanced capabilities as some other Russian hacking groups, Shuckworm seems to be trying to compensate by continuously tweaking their code, adding layers of obfuscation, and leveraging legitimate web services to minimize the risk of being detected.