The Russia-linked cyber-espionage group known as Shuckworm (also identified as Gamaredon or Armageddon) has been observed targeting a Western country’s military mission located within Ukraine, employing an updated, PowerShell-based version of its GammaSteel infostealer malware.
This campaign, which began in late February 2025 and continued into March, signifies Shuckworm’s persistent focus on Ukrainian entities and demonstrates an evolution in its tactics towards increased stealth and sophistication.
Believed to operate on behalf of Russia’s Federal Security Service (FSB), Shuckworm has historically concentrated its efforts on government, military, and law enforcement targets in Ukraine since emerging around 2013.
The initial point of compromise in this campaign appears to have been an infected removable USB drive containing a malicious LNK shortcut file (e.g., files.lnk). Evidence from the Windows Registry's UserAssist key suggests the shortcut was launched from such an external drive on February 26, 2025[1][7]. Activation of the shortcut initiated a multi-stage attack chain designed to minimize detection.
This chain involved explorer.exe launching mshta.exe to execute embedded JavaScript. That JavaScript in turn wrote two further files to disk (e.g., ~.drv and a file with a .regtrans-ms extension). One of these files established contact with command-and-control (C&C) servers, leveraging legitimate web services such as Teletype, Telegram, and Telegraph, along with specific Russian domains, to dynamically resolve C&C IP addresses, potentially using Cloudflare tunnels. The script checked for connectivity to mil.gov.ua before proceeding. The second file modified registry settings to hide system files and then propagated the initial infection mechanism by creating LNK shortcuts on other removable and network drives.
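The UserAssist evidence mentioned above is the first artifact an analyst would pull when a removable-drive LNK is the suspected entry point. The following is an added example, not code from the Symantec/Broadcom report: it decodes the ROT13 value names and the 72-byte Count values under the shortcut-launch UserAssist key and lists .lnk files launched from a drive other than the system drive, newest first. The sample hive contents are constructed (the 26 February 2025 date follows the report; the E: drive letter, file names and times of day are made up), and the live-host reader uses only the standard winreg module.

```python
# Added example, not code from the Symantec/Broadcom report: decode UserAssist
# entries to find LNK files launched from a drive other than the system drive,
# the first thing to check for the removable-media vector described above.
import codecs
import struct
from datetime import datetime, timezone

# UserAssist subkey GUIDs used by Windows 7 and later: one records shortcut (.lnk)
# launches, the other executables. Each has a Count subkey holding the values.
USERASSIST_LNK_GUID = "{F4E57C4B-2036-45F0-A9AB-443BCFE33D9F}"
USERASSIST_EXE_GUID = "{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}"

# FILETIME counts 100 ns ticks since 1601-01-01; this is the offset to the Unix epoch.
_FILETIME_UNIX_DELTA = 116444736000000000


def rot13(name: str) -> str:
    """UserAssist value names are ROT13-encoded; ROT13 is its own inverse."""
    return codecs.decode(name, "rot_13")


def filetime_to_datetime(ft: int) -> datetime:
    return datetime.fromtimestamp((ft - _FILETIME_UNIX_DELTA) / 10_000_000, tz=timezone.utc)


def parse_count_value(blob: bytes) -> dict:
    """Parse the 72-byte UserAssist Count value (Windows 7+ layout):
    offset 4 = run count (uint32), offset 60 = last execution FILETIME (uint64)."""
    if len(blob) != 72:
        raise ValueError(f"unexpected UserAssist value length {len(blob)}")
    run_count = struct.unpack_from("<I", blob, 4)[0]
    last_run = struct.unpack_from("<Q", blob, 60)[0]
    return {"run_count": run_count,
            "last_run": filetime_to_datetime(last_run) if last_run else None}


def find_lnk_launches_from_other_drives(userassist: dict, system_drive: str = "C:") -> list:
    """userassist maps subkey GUID -> {rot13 value name: raw Count blob}.
    Returns .lnk entries whose path starts with a drive letter other than the
    system drive (removable or mapped media), most recent first."""
    hits = []
    for guid, values in userassist.items():
        if guid.upper() != USERASSIST_LNK_GUID:
            continue
        for encoded_name, blob in values.items():
            path = rot13(encoded_name)
            if not path.lower().endswith(".lnk"):
                continue
            if len(path) > 2 and path[1] == ":" and path[:2].upper() != system_drive.upper():
                hits.append({"path": path, **parse_count_value(blob)})
    epoch = datetime.min.replace(tzinfo=timezone.utc)
    hits.sort(key=lambda h: h["last_run"] or epoch, reverse=True)
    return hits


def load_live_userassist() -> dict:
    """Read the current user's UserAssist keys on a live Windows host; returns {} elsewhere."""
    try:
        import winreg
    except ImportError:
        return {}
    base = r"Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist"
    result = {}
    for guid in (USERASSIST_LNK_GUID, USERASSIST_EXE_GUID):
        try:
            key = winreg.OpenKey(winreg.HKEY_CURRENT_USER, rf"{base}\{guid}\Count")
        except OSError:
            continue
        values, index = {}, 0
        while True:
            try:
                name, data, _ = winreg.EnumValue(key, index)
            except OSError:
                break
            values[name] = data
            index += 1
        result[guid] = values
    return result


def _make_count_blob(run_count: int, last_run: datetime) -> bytes:
    """Build a 72-byte Count value for the constructed sample below."""
    ft = int(last_run.timestamp()) * 10_000_000 + _FILETIME_UNIX_DELTA
    blob = bytearray(72)
    struct.pack_into("<I", blob, 4, run_count)
    struct.pack_into("<Q", blob, 60, ft)
    return bytes(blob)


# Constructed sample hive contents (assumption): the 26 February 2025 date follows the
# report; the E: drive letter, file names and times of day are made up for illustration.
SAMPLE_USERASSIST = {
    USERASSIST_LNK_GUID: {
        rot13(r"E:\files.lnk"): _make_count_blob(1, datetime(2025, 2, 26, 9, 15, tzinfo=timezone.utc)),
        rot13(r"C:\Users\analyst\Desktop\Outlook.lnk"): _make_count_blob(40, datetime(2025, 3, 1, 8, 0, tzinfo=timezone.utc)),
    },
    USERASSIST_EXE_GUID: {
        rot13(r"C:\Windows\System32\mshta.exe"): _make_count_blob(1, datetime(2025, 2, 26, 9, 15, 2, tzinfo=timezone.utc)),
    },
}

if __name__ == "__main__":
    hive = load_live_userassist() or SAMPLE_USERASSIST
    for hit in find_lnk_launches_from_other_drives(hive):
        when = hit["last_run"].isoformat() if hit["last_run"] else "never"
        print(f"{when}  runs={hit['run_count']}  {hit['path']}")
```

On an offline image, feed the function the value names and binary data exported from the NTUSER.DAT hive instead of the live registry; the drive-letter heuristic only says that a shortcut was run from a non-system volume, so corroborate with the mshta.exe entry under the executable GUID and the timestamps before calling it the entry point.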
A notable shift in this campaign is Shuckworm's increased use of PowerShell, particularly in the later stages, moving away from its previous reliance on VBS scripts.
This likely aims to improve obfuscation and to keep script bodies in the Windows Registry, where PowerShell reads and executes them at runtime, leaving less on disk for file-based detection to find.
Following initial access and C&C communication, around March 1 in the observed timeline, the attackers deployed reconnaissance tools and the final payload.
An initial PowerShell script gathered system information, including screenshots, running processes, security software details, disk information, and desktop file listings, sending this data back to a C&C server.
Subsequently, a second, more complex PowerShell script was delivered – the updated GammaSteel infostealer. This payload was stored obfuscated and split across multiple values within the Windows Registry.
Its primary function is to enumerate and exfiltrate files from specific user directories like Desktop, Documents, and Downloads. GammaSteel targets files with common office and document extensions such as .doc, .docx, .xls, .xlsx, .ppt, .pptx, .pdf, .rtf, .odt, and .txt, while ignoring system-related folders.
GammaSteel employs several methods for data exfiltration and evasion. It uses certutil.exe to calculate the MD5 hash of stolen files, potentially for logging purposes, and uses the write.as web service as an additional covert exfiltration channel. Persistence is achieved by adding an entry to the HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run registry key.
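Two of the registry techniques described on this page, a Run-key value that starts PowerShell and a script body stored in pieces across several registry values, can be triaged together from a plain .reg export. The following is an added example, not code from the Symantec/Broadcom report: it parses a Windows Registry Editor export, flags Run-key entries that invoke PowerShell with registry-reading or decoding tokens, follows any HKCU: path referenced by such a command, and tries to reassemble and decode the values under it. The storage key, the p0..pN value names, the 40-character base64 chunking and the stand-in collector script are all constructed assumptions for this example; the page does not describe GammaSteel's actual encoding, so expect to adapt the decoding step to what the launcher you find actually does.

```python
# Added example, not code from the Symantec/Broadcom report: triage an HKCU .reg
# export for a PowerShell launcher in the Run key and a script body split across
# registry values. The storage key, value names and base64 chunking are
# assumptions made for this example, not GammaSteel's documented encoding.
import base64
import re

RUN_KEY = r"HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run"
STAGE_KEY = r"HKEY_CURRENT_USER\Software\Classes\Example"   # assumed, for the sample only

# Tokens that make a Run-key PowerShell command line worth a closer look.
SUSPECT_TOKENS = ("gp ", "get-itemproperty", "hkcu:", "-enc", "-w hidden",
                  "-windowstyle hidden", "iex", "invoke-expression", "frombase64string")
# Strings a recovered blob must contain before we call it a PowerShell script.
PS_MARKERS = ("Get-ChildItem", "ForEach-Object", "Invoke-WebRequest", "certutil", "$env:")

_VALUE_LINE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')
_HKCU_REF = re.compile(r"HKCU:\\([^'\"\s)]+)", re.IGNORECASE)


def _unescape(s: str) -> str:
    """Undo .reg string escaping (a backslash-escaped backslash or double quote)."""
    return re.sub(r"\\(.)", r"\1", s)


def parse_reg_export(text: str) -> dict:
    """Parse 'Windows Registry Editor Version 5.00' text into {key: {name: value}}.
    Only REG_SZ lines of the form "name"="value" are kept; hex:/dword: data is skipped."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = line[1:-1]
            keys.setdefault(current, {})
        elif current and line.startswith('"'):
            m = _VALUE_LINE.match(line)
            if m:
                keys[current][_unescape(m.group(1))] = _unescape(m.group(2))
    return keys


def suspicious_run_entries(keys: dict) -> list:
    """Names of Run-key values that start PowerShell with registry-reading or decoding tokens."""
    hits = []
    for name, cmd in keys.get(RUN_KEY, {}).items():
        low = cmd.lower()
        if "powershell" in low and any(tok in low for tok in SUSPECT_TOKENS):
            hits.append(name)
    return hits


def reassemble_split_script(keys: dict, key: str, prefix: str = "p"):
    """Join values named <prefix><n> in numeric order and base64-decode them (assumed
    scheme). Returns the text if it looks like PowerShell, otherwise None."""
    parts = sorted((int(name[len(prefix):]), value)
                   for name, value in keys.get(key, {}).items()
                   if name.startswith(prefix) and name[len(prefix):].isdigit())
    if not parts:
        return None
    try:
        decoded = base64.b64decode("".join(v for _, v in parts), validate=True).decode("utf-8")
    except (ValueError, UnicodeDecodeError):
        return None
    return decoded if any(marker in decoded for marker in PS_MARKERS) else None


def triage(text: str) -> dict:
    """Flag launchers, then follow each HKCU: path they reference and try to recover a script."""
    keys = parse_reg_export(text)
    run_hits = suspicious_run_entries(keys)
    scripts = {}
    for name in run_hits:
        for m in _HKCU_REF.finditer(keys[RUN_KEY][name]):
            ref = "HKEY_CURRENT_USER\\" + m.group(1)
            script = reassemble_split_script(keys, ref)
            if script:
                scripts[ref] = script
    return {"run_hits": run_hits, "scripts": scripts}


def _build_sample_export() -> str:
    """Constructed export: a benign Run entry, a PowerShell launcher that reads and
    decodes STAGE_KEY, and a stand-in collector script split into 40-char values p0..pN."""
    script = ("$dirs = 'Desktop','Documents','Downloads' | ForEach-Object { Join-Path $env:USERPROFILE $_ }; "
              "Get-ChildItem -Path $dirs -Recurse -Include *.doc,*.docx,*.pdf,*.txt | "
              "ForEach-Object { certutil -hashfile $_.FullName MD5 }")
    b64 = base64.b64encode(script.encode()).decode()
    launcher = ("powershell.exe -w hidden -nop -c \"$p=(gp 'HKCU:\\Software\\Classes\\Example').PSObject.Properties"
                "|?{$_.Name -match '^p\\d+$'}|sort{[int]$_.Name.Substring(1)}|%{$_.Value}; "
                "iex([Text.Encoding]::UTF8.GetString([Convert]::FromBase64String(-join $p)))\"")
    onedrive = r'"C:\Users\analyst\AppData\Local\Microsoft\OneDrive\OneDrive.exe" /background'
    esc = lambda s: s.replace("\\", "\\\\").replace('"', '\\"')
    lines = ["Windows Registry Editor Version 5.00", "", f"[{RUN_KEY}]",
             '"OneDrive"="' + esc(onedrive) + '"',
             '"WinUpdate"="' + esc(launcher) + '"', "", f"[{STAGE_KEY}]"]
    lines += [f'"p{i // 40}"="{b64[i:i + 40]}"' for i in range(0, len(b64), 40)]
    return "\n".join(lines) + "\n"


SAMPLE_EXPORT = _build_sample_export()

if __name__ == "__main__":
    result = triage(SAMPLE_EXPORT)
    print("suspicious Run entries:", result["run_hits"])
    for key, body in result["scripts"].items():
        print(f"recovered script under {key}:\n{body}")
```

On a live host, `reg export HKCU export.reg /y` writes the file as UTF-16 LE, so open it with `encoding="utf-16"` before passing the text to triage(); export the whole HKCU hive rather than just the Run key so the referenced storage key is present in the same text. A launcher that decodes differently (ROT, XOR, or a custom split order) will fail the base64 step here, which is the point at which you read the command line and replace reassemble_split_script with what it actually does.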
Broadcom Security researchers note that while Shuckworm may not possess the advanced capabilities of some other state-sponsored Russian actors, this campaign shows a marked increase in sophistication.
The group compensates for perceived skill gaps through continuous, minor code modifications, enhanced obfuscation, and the strategic use of legitimate tools and web services to evade detection.
This relentless focus and evolving methodology underscore the ongoing cyber threat Shuckworm poses, particularly to entities connected with Ukraine.