Thursday, May 8, 2025

Gamaredon’s PteroLNK VBScript Malware Infrastructure and TTPs Uncovered by Researchers


Researchers have unearthed details of the Pterodo malware family, notably the PteroLNK variant used by the Russian-nexus threat group, Gamaredon.

The group, which is believed to be associated with Russia’s Federal Security Service (FSB), has been targeting Ukrainian entities, focusing on government, military, and critical infrastructure sectors as part of broader geopolitical conflicts.

Tactics, Techniques, and Procedures (TTPs)

Gamaredon employs a highly obfuscated VBScript malware known as PteroLNK, which dynamically constructs and deploys additional payloads during execution.


This script has two main components, a downloader and an LNK dropper, which together modify the infected host and propagate the infection to other systems.

The primary script, identified by a unique MD5 hash, establishes persistence by scheduling tasks and altering Windows Explorer settings to hide its activities.

The downloader payload, running every three minutes, retrieves additional malware from a modular, multi-stage C2 infrastructure.

[Figure: PteroLNK VBScript malware, C2 address]

It uses a custom HTTP User-Agent string, uniquely identifying the infected machine, and leverages benign websites like ukr.net and sweet.tv for initial connectivity checks.

If connectivity is confirmed, the script proceeds to extract Command and Control (C2) addresses from Dead Drop Resolvers (DDRs) hosted on services like Telegraph and Teletype.

Analysis and Infrastructure

Researchers analyzed samples uploaded between late 2024 and mid-March 2025, identifying active operations through the daily updates to Gamaredon’s DDRs.

The malware uses Cloudflare quick tunnels for anonymity, which can handle up to 200 concurrent requests, making detection challenging.

These tunnels are often pointed to by DDRs, which serve as critical nodes for initial communication, offering flexibility in updating C2 channels.

The infrastructure analysis revealed a timeline of DDR creation from December 28, 2024, to March 26, 2025, showing Gamaredon’s continuous adaptation and operation.

The group has been noted for using previously known domains and even those flagged for phishing by Cloudflare, highlighting their strategic yet not overly sophisticated approach.

The targeted systems predominantly originate from Kyiv, with some uploads from Dnipro, Rivne, Kupyansk, and Odesa, aligning with Gamaredon’s focus on Ukrainian targets.

The malware often uses military-themed lures, reflecting the group’s tactical interest in military operations and personnel logistics.

Attribution to Gamaredon is supported by various technical consistencies and domain associations previously linked to their operations, as well as reports linking them to FSB activities.

Gamaredon’s effectiveness stems not from advanced technical capabilities but from their tactical adaptiveness, focusing on operational impact through aggressive spearphishing, obfuscated malware deployment, and resilient C2 infrastructure.

Their campaigns, especially during Ukraine’s counteroffensive, underscore their role in intelligence gathering and disruption efforts supporting military objectives.

Understanding these tactics is crucial for cybersecurity defenses not only in Ukraine but potentially across Europe as similar techniques might be adopted by other threat actors.

This comprehensive analysis provides valuable insights into Gamaredon’s operations, offering actionable intelligence for cybersecurity professionals to enhance detection and mitigation strategies against these ongoing threats.

Indicators of Compromise (IOCs)

Hashes (SHA-256): 0cec5ca5d2fe9616a275b54ca37f45248e1ed6e15f627d6bffb566ffd6295208 – PteroLNK VBScript
File Paths: %PUBLIC%\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms – PteroLNK downloader payload
Scheduled Tasks: \Windows\DeviceDirectoryClient\RegisterUserDevice – PteroLNK downloader payload
Registry Keys: HKEY_CURRENT_USER\Console\WindowsUpdates
Domains & Hostnames: tienes[.]ru – Gamaredon C2
URLs: hxxps://telegra[.]ph/Vizit-12-28 – Dead drop resolver
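As an added example (not code from the article or from the researchers it cites), the Python below refangs the indicators listed above and applies them, together with the three-minute download cadence and the dead-drop-resolver lookups described under TTPs, to a small set of constructed telemetry records. The DDR hostnames telegra.ph and teletype.in, the trycloudflare.com suffix used for Cloudflare quick tunnels, and the layout of the telemetry records are assumptions, not details taken from the article.

```python
"""Hunt constructed host and network telemetry for the PteroLNK indicators above."""
import statistics
from collections import defaultdict

# Indicators exactly as the article publishes them (defanged).
ARTICLE_IOCS = {
    "sha256": "0cec5ca5d2fe9616a275b54ca37f45248e1ed6e15f627d6bffb566ffd6295208",
    "file_path": r"%PUBLIC%\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms",
    "task_path": r"\Windows\DeviceDirectoryClient\RegisterUserDevice",
    "registry_key": r"HKEY_CURRENT_USER\Console\WindowsUpdates",
    "c2_domain": "tienes[.]ru",
    "ddr_url": "hxxps://telegra[.]ph/Vizit-12-28",
}
# Assumptions, not taken from the article: the hostnames behind the DDR
# services it names, and the suffix Cloudflare assigns to quick tunnels.
DDR_HOSTS = {"telegra.ph", "teletype.in"}
QUICK_TUNNEL_SUFFIX = ".trycloudflare.com"
BEACON_SECONDS = 180  # the article: the downloader runs every three minutes


def refang(value: str) -> str:
    """Turn a defanged indicator (hxxps://, [.]) back into a matchable string."""
    return (value.replace("[.]", ".")
                 .replace("hxxps://", "https://")
                 .replace("hxxp://", "http://"))


IOCS = {name: refang(value).lower() for name, value in ARTICLE_IOCS.items()}


def match_event(ev: dict) -> list[str]:
    """Return the IOC labels one telemetry record matches (empty list if clean)."""
    hits = []
    kind = ev.get("type")
    if kind == "file":
        if ev.get("sha256", "").lower() == IOCS["sha256"]:
            hits.append("file:pterolnk-vbscript-hash")
        # %PUBLIC% is expanded on the host, so compare the file name only.
        if ev.get("path", "").lower().endswith(IOCS["file_path"].rsplit("\\", 1)[-1]):
            hits.append("file:pterolnk-downloader-path")
    elif kind == "scheduled_task" and ev.get("path", "").lower() == IOCS["task_path"]:
        hits.append("persistence:scheduled-task")
    elif kind == "registry" and ev.get("key", "").lower() == IOCS["registry_key"]:
        hits.append("persistence:registry-key")
    elif kind == "http":
        host = ev.get("host", "").lower()
        url = ev.get("url", "").lower()
        if host == IOCS["c2_domain"]:
            hits.append("net:known-c2-domain")
        if url.startswith(IOCS["ddr_url"]):
            hits.append("net:known-ddr-url")
        elif host in DDR_HOSTS:
            hits.append("net:ddr-service")
        if host.endswith(QUICK_TUNNEL_SUFFIX):
            hits.append("net:cloudflare-quick-tunnel")
    return hits


def beaconing_hosts(events, period=BEACON_SECONDS, tolerance=0.1, min_requests=4):
    """Destination hosts contacted at a near-fixed interval close to `period` seconds."""
    stamps_by_host = defaultdict(list)
    for ev in events:
        if ev.get("type") == "http":
            stamps_by_host[ev["host"].lower()].append(ev["ts"])
    periodic = {}
    for host, stamps in stamps_by_host.items():
        if len(stamps) < min_requests:
            continue
        stamps.sort()
        median_gap = statistics.median(b - a for a, b in zip(stamps, stamps[1:]))
        if abs(median_gap - period) <= period * tolerance:
            periodic[host] = median_gap
    return periodic


def hunt(events):
    """Combine IOC matching and beacon detection over a list of telemetry records."""
    ioc_hits = [(i, label) for i, ev in enumerate(events) for label in match_event(ev)]
    return {"ioc_hits": ioc_hits, "beaconing": beaconing_hosts(events)}


# Constructed sample telemetry (timestamps in seconds); not real data.
SAMPLE_EVENTS = [
    {"type": "http", "ts": 0, "host": "ukr.net", "url": "https://ukr.net/"},  # connectivity check
    {"type": "http", "ts": 1, "host": "telegra.ph", "url": "https://telegra.ph/Vizit-12-28"},
    {"type": "scheduled_task", "path": r"\Windows\DeviceDirectoryClient\RegisterUserDevice"},
    {"type": "registry", "key": r"HKEY_CURRENT_USER\Console\WindowsUpdates"},
    {"type": "file", "path": r"C:\Users\Public\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms",
     "sha256": "0CEC5CA5D2FE9616A275B54CA37F45248E1ED6E15F627D6BFFB566FFD6295208"},
    {"type": "http", "ts": 10, "host": "update.example.org", "url": "https://update.example.org/"},  # benign
] + [{"type": "http", "ts": t, "host": "tienes.ru", "url": "https://tienes.ru/"} for t in (5, 185, 366, 545, 725)]

if __name__ == "__main__":
    result = hunt(SAMPLE_EVENTS)
    for index, label in result["ioc_hits"]:
        print(index, label)
    print("beaconing:", result["beaconing"])
```

The connectivity check to ukr.net is deliberately not treated as an indicator: it is benign traffic on its own and only becomes interesting when followed by a DDR lookup and a regular cadence to a new destination, which is what the combination of `match_event` and `beaconing_hosts` surfaces.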


Aman Mishra
Aman Mishra is a security and privacy reporter covering data breaches, cyber crime, malware, and vulnerabilities.
