Shuckworm’s Sophisticated Cyber Campaign Targets Ukraine Military Mission

Shuckworm’s cyber campaign focus on Ukraine has continued into 2025, with the group targeting the military mission of a Western country based in the Eastern European nation.

The first activity in this campaign occurred in February 2025 and continued into March. The initial infection vector appears to have been an infected removable drive.

In this campaign, the attackers appear to be using an updated version of their GammaSteel tool. GammaSteel is an infostealer that exfiltrates data from victim networks. The attackers have been seen using various methods for data exfiltration, including the write.as web service as a possible exfiltration channel. They have also been seen using cURL alongside Tor as a backup method of exfiltration. cURL is an open-source command-line tool for transferring data to and from a server, and it is frequently leveraged by malicious actors.

This campaign also appears to mark a shift by Shuckworm away from heavy use of VBS scripts toward more PowerShell-based tools, particularly later in its attack chain. The group is likely favoring PowerShell because it lends itself to obfuscation and because it allows scripts to be stored in the registry. GammaSteel was deployed at the end of a complex, multi-stage attack chain that made frequent use of obfuscation, most likely to minimize the risk of detection.

Shuckworm (aka Gamaredon, Armageddon) is a Russia-linked espionage group that has almost exclusively focused its operations on government, law enforcement, and defense organizations in Ukraine since it first appeared in 2013. It is believed that Shuckworm operates on behalf of the Russian Federal Security Service (FSB).

Activity Timeline

The initial infection in this campaign appears to have occurred on February 26 with the creation of a Windows Registry value under the UserAssist key, indicating that the infection may have started from an external drive via an LNK file named D:\files.lnk.

A JavaScript command embedded in the shortcut executed a heavily obfuscated VBScript, which in turn created and ran two malicious registry transaction files to establish communication with command-and-control (C&C) servers and modify system settings.

The attack’s infection chain is multi-staged and stealthy, designed to avoid detection by leveraging:

  • Legitimate tools like mshta.exe, wscript.exe, and PowerShell
  • Registry-stored scripts to evade traditional file-based AV detection
  • UserAssist key manipulation to hide folder execution via .LNK shortcuts
  • Windows Registry Run key for persistence

This campaign uses an updated version of Shuckworm’s custom infostealer tool GammaSteel. It now includes reconnaissance functionality capable of:

  • Capturing screenshots
  • Gathering system information (systeminfo, running processes, volume serial numbers)
  • Enumerating desktop contents and user documents
  • Harvesting file types including .docx, .pptx, .pdf, .xls, .rtf, .odt, and .tx

The UserAssist registry key records the applications, files, links, and other objects the user has accessed through Windows Explorer, with the entry names stored in ROT13-encoded form.
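As a worked example added here (it is not code from the original article or from Symantec's report), the following Python decodes UserAssist value names from ROT13, parses the Windows 7+ value data for run count and last-run time, and flags .LNK entries launched from a drive other than the system drive, which is how an entry like D:\files.lnk would surface during triage. The sample entries, the 72-byte layout helper, and the single known-folder GUID mapping are constructed for illustration.

```python
import codecs
import struct
from datetime import datetime, timedelta, timezone

WIN_EPOCH = datetime(1601, 1, 1, tzinfo=timezone.utc)
# Assumption: only the System32 known-folder GUID is mapped; Explorer stores such GUIDs in
# place of real paths, and ROT13 rotates their hex letters like any other letters.
KNOWN_FOLDERS = {"{1AC14E77-02E7-4E5D-B744-2EB1AE5198B7}": r"C:\Windows\System32"}


def rot13(name: str) -> str:  # UserAssist value names are ROT13-encoded (self-inverse)
    return codecs.decode(name, "rot_13")


def expand_known_folder(path: str) -> str:
    for guid, folder in KNOWN_FOLDERS.items():
        if path.upper().startswith(guid):
            return folder + path[len(guid):]
    return path


def parse_userassist_data(blob: bytes) -> dict:
    """Windows 7+ 72-byte layout: run count at offset 4, last-run FILETIME at offset 60."""
    run_count, filetime = struct.unpack("<4xI52xQ4x", blob)
    last_run = WIN_EPOCH + timedelta(microseconds=filetime // 10) if filetime else None
    return {"run_count": run_count, "last_run": last_run}


def triage_userassist(entries, system_drive="C:"):
    """Decode (encoded name, data) pairs and flag .LNK files launched from another drive."""
    rows = []
    for enc_name, blob in entries:
        path = expand_known_folder(rot13(enc_name))
        off_system = not path.upper().startswith(system_drive.upper())
        rows.append({"path": path, **parse_userassist_data(blob),
                     "removable_lnk": path.lower().endswith(".lnk") and off_system})
    return rows


def make_blob(run_count: int, last_run: datetime) -> bytes:
    """Constructed 72-byte value data for the sample below (not real registry data)."""
    d = last_run - WIN_EPOCH
    return struct.pack("<4xI52xQ4x", run_count, (d.days * 86400 + d.seconds) * 10_000_000 + d.microseconds * 10)


# Constructed sample: the removable-drive shortcut named in the article, plus a System32 binary.
SAMPLE_ENTRIES = [
    (r"Q:\svyrf.yax", make_blob(1, datetime(2025, 2, 26, 9, 30, tzinfo=timezone.utc))),
    (r"{1NP14R77-02R7-4R5Q-O744-2RO1NR5198O7}\pzq.rkr", make_blob(12, datetime(2025, 2, 20, tzinfo=timezone.utc))),
]

if __name__ == "__main__":
    for row in triage_userassist(SAMPLE_ENTRIES):
        print(row)
```

On a live system the same value names and data can be exported from HKCU\Software\Microsoft\Windows\CurrentVersion\Explorer\UserAssist and fed to triage_userassist unchanged.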

Shuckworm’s network communication is notably resilient, using a mix of:

  • Cloudflare tunnels (e.g., trycloudflare[.]com)
  • Telegram channels (t[.]me/s/futar23)
  • Obscure Russian domains (sleep.crudoes[.]ru, position.crudoes[.]ru)
  • Write.as web service for covert data exfiltration

Symantec characterized this shift as a marked increase in sophistication. The group is now leveraging legitimate web services in an effort to lower the risk of detection.

GammaSteel exfiltrates data using:

  • PowerShell web requests
  • cURL via Tor proxy to hide the attacker’s location
  • User-Agent manipulation to encode hostnames, serial numbers, and filenames in headers

To maintain stealth, the malware modifies registry keys to:

  • Prevent hidden and system files from being displayed
  • Infect network and removable drives by creating .LNK files for each folder and hiding the original content

File names like “Рапорт поранення” (Wound Report) and “БОЙОВЕ РОЗПОРЯДЖЕННЯ ППО” (AIR DEFENSE COMBAT ORDER) hint at the targeting of military communications and operational documents.

Shuckworm’s latest campaign demonstrates a clear evolution in its tactics, using better obfuscation, deeper registry integration, and more secure C&C channels.
