A sophisticated cyber campaign targeting Russian-speaking entities has been identified by cybersecurity researchers, unveiling a deceptive operation imitating the Tactics, Techniques, and Procedures (TTPs) of the Gamaredon APT group.
The attackers, believed to be part of the GamaCopy group, used military-related content as bait and leveraged open-source tools to obscure their activities.
The attacks utilized 7z self-extracting (SFX) files to release payloads and load subsequent malware.
One standout feature was the use of UltraVNC, an open-source remote desktop tool, deployed under the guise of a legitimate system process.
The malware execution chain involved obfuscated scripts, file renaming tactics, and connections to command-and-control (C2) servers via port 443, a preferred channel of GamaCopy.
Unlike Gamaredon, whose operations predominantly target Ukraine and focus on Ukrainian-language documents, GamaCopy’s bait documents were crafted in Russian, signaling a focus on Russian defense and infrastructure sectors.
Deceptive Attack Chain Analysis
In the identified samples, attackers embedded bait documents linked to Russian military facilities and packaged them in 7z SFX archives.
Once executed, these archives extracted scripts and files used to deploy UltraVNC.
The attack scripts were obfuscated with delayed variable expansion, making static analysis challenging.
The process involved renaming UltraVNC’s executable to “OneDrivers.exe” and overwriting any prior instance to evade detection.
UltraVNC then connects to the C2 servers, enabling the attackers to establish remote control over compromised systems.
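The chain just described leaves three observable traces a defender can key on: a process whose on-disk name (OneDrivers.exe, per the article) does not match the binary it really is, a batch script built from delayed-expansion substring tricks, and an outbound connection from that renamed process over port 443. The following detection sketch is an added example, not code from the article or from the researchers who reported the campaign. The Sysmon-style event records and the batch script are constructed for illustration; the assumption that the UltraVNC server binary carries the original file name winvnc.exe in its version resource is this example's, not a fact stated on the page.

```python
import re

# Names taken from the article (OneDrivers.exe) and an assumed original
# file name for the UltraVNC server binary (winvnc.exe).
MASQUERADE_NAMES = {"onedrivers.exe"}
VNC_ORIGINAL_NAMES = {"winvnc.exe"}  # assumption of this example

# Constructed, Sysmon-like records: EventID 1 = process create, 3 = network connect.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\cmd.exe", "OriginalFileName": "Cmd.Exe",
     "ParentImage": r"C:\Users\user\Downloads\bait_document.exe",
     "CommandLine": r'cmd.exe /c "C:\Users\user\AppData\Local\Temp\setup.cmd"'},
    {"EventID": 1, "Image": r"C:\Users\user\AppData\Roaming\OneDrivers.exe",
     "OriginalFileName": "winvnc.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"C:\Users\user\AppData\Roaming\OneDrivers.exe"},
    {"EventID": 3, "Image": r"C:\Users\user\AppData\Roaming\OneDrivers.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
    {"EventID": 1, "Image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "OriginalFileName": "OneDrive.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Program Files\Microsoft OneDrive\OneDrive.exe" /background'},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft\Edge\Application\msedge.exe",
     "DestinationIp": "203.0.113.20", "DestinationPort": 443},
]


def basename(path: str) -> str:
    """Lower-cased file name of a Windows or POSIX path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def check_process_event(ev: dict) -> list[str]:
    """Flag a known masquerade name and any binary whose PE original name
    identifies it as the VNC server while its on-disk name says otherwise."""
    findings = []
    img = basename(ev.get("Image", ""))
    orig = ev.get("OriginalFileName", "").lower()
    if img in MASQUERADE_NAMES:
        findings.append(f"known masquerade name: {img}")
    if orig in VNC_ORIGINAL_NAMES and img != orig:
        findings.append(f"renamed VNC binary: {img} has OriginalFileName {orig}")
    return findings


def scan(events: list[dict]) -> list[str]:
    """Two passes: mark suspicious images from process events, then report
    any outbound 443 connection made by one of them (port 443 is the C2
    channel the article attributes to GamaCopy)."""
    findings, suspicious = [], set()
    for ev in events:
        if ev["EventID"] == 1:
            hits = check_process_event(ev)
            if hits:
                suspicious.add(ev["Image"].lower())
                findings.extend(hits)
    for ev in events:
        if (ev["EventID"] == 3 and ev["Image"].lower() in suspicious
                and ev.get("DestinationPort") == 443):
            findings.append(f"{basename(ev['Image'])} -> {ev['DestinationIp']}:443 "
                            "(possible C2 over 443 from a renamed VNC process)")
    return findings


# !VAR:~start,len! substring extraction, the building block of the
# delayed-expansion obfuscation the article mentions.
DELAYED_SUBSTR = re.compile(r"![A-Za-z_][A-Za-z0-9_]*:~-?\d+,\d+!")

# Constructed script that spells a file name one character at a time.
OBFUSCATED_BAT = r"""@echo off
setlocal enabledelayedexpansion
set a=abcdefghijklmnopqrstuvwxyz.
set x=!a:~14,1!!a:~13,1!!a:~4,1!!a:~3,1!!a:~17,1!!a:~8,1!!a:~21,1!!a:~4,1!!a:~17,1!!a:~18,1!
"""


def delayed_expansion_score(script: str) -> int:
    """Number of substring extractions in a script that enables delayed
    expansion; zero if the feature is never enabled, since !x:~n,m! is
    then just literal text."""
    if "enabledelayedexpansion" not in script.lower():
        return 0
    return len(DELAYED_SUBSTR.findall(script))


if __name__ == "__main__":
    for line in scan(SAMPLE_EVENTS):
        print("ALERT:", line)
    print("delayed-expansion score:", delayed_expansion_score(OBFUSCATED_BAT))
```

The process rule relies on the PE version resource rather than the file name, which is exactly what a rename to OneDrivers.exe does not change; the network rule only fires for processes the first pass already flagged, so ordinary browser traffic on 443 stays quiet. The batch scorer is a coarse heuristic: a handful of `!var:~n,1!` references is normal scripting, dozens in a row is a string being assembled to hide from static inspection, so tune the threshold on your own baseline.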
An analysis of the samples revealed overlaps with Gamaredon’s known tactics, such as using 7z SFX files for payload delivery.
However, significant deviations in execution methods, including the use of port 443 instead of Gamaredon’s preferred port 5612, pointed towards a different actor.
Moreover, historical evidence of GamaCopy’s operations, including their preference for Russian-language bait and targeting of Russian defense entities, strengthened the attribution.
False-Flag Tactics and Attribution
The deceptive nature of the campaign underscores GamaCopy’s strategy of mimicking Gamaredon’s TTPs to misdirect attribution.
This tactic has reportedly misled other cybersecurity vendors, leading them to attribute similar samples to Gamaredon in the past.
The sophisticated false-flag approach adds an extra layer of complexity to the ongoing cyber conflict between advanced persistent threat (APT) groups, particularly against the backdrop of the Russia-Ukraine war.
Key distinctions between the two groups include the languages used in bait documents and operational targets.
While Gamaredon primarily targets Ukrainian entities, GamaCopy has consistently focused on Russian government and critical infrastructure sectors, using military-related documents to lure victims.
The campaign exemplifies how state-sponsored or politically motivated groups use open-source tools and mimicry to evade detection and attribution.
The operation’s reliance on military-themed bait reflects its alignment with geopolitical tensions.
Security professionals are urged to remain vigilant against these evolving threats and update their defenses accordingly.
Hashes and C2 servers associated with the campaign have also been disclosed to aid in threat intelligence and mitigation efforts.