Who is Gamaredon and why does their 2025 activity matter?
Gamaredon, also tracked as Primitive Bear, Shuckworm, Actinium, Aqua Blizzard, and Armageddon, is a Russian FSB-linked intrusion set that has been operating against Ukraine since at least 2013. The Security Service of Ukraine publicly attributed Gamaredon to the FSB's 18th Center (Center for Information Security), naming Crimea-based officers, in November 2021, and subsequent reporting from CERT-UA, Mandiant, Microsoft, ESET, and Cisco Talos has been consistent with that attribution. Unlike more selective Russian groups, Gamaredon runs at high tempo and high volume: its infrastructure churn, malicious-document cadence, and phishing throughput resemble a commodity crimeware crew more than a polished APT.
In 2025, CERT-UA issued a string of advisories (including numbered bulletins CERT-UA#13820 and related, and the broader reporting in the UA30 series) documenting that Gamaredon shifted more effort into two categories that matter for supply chain defenders: compromise of Ukrainian MSPs that serve government and defense clients, and targeted implants inside software-distribution channels used by military and logistics organizations.
What did Gamaredon's 2025 campaigns look like in practice?
Answer first: volumetric spearphishing, credential theft against partner organizations, and quiet implant staging on shared-drive and MSP-managed endpoints.
The 2025 campaigns combined Gamaredon's traditional phishing-led intrusion loop with supply chain techniques that reached targets the operators could not phish directly. Specifically:
- High-volume phishing using Ukrainian-language lures themed around military mobilization, logistics paperwork, and government invoices. Lures arrive as LNK and HTA files or as Office documents that pull a remote template. ESET's 2025 threat reports and CERT-UA's periodic updates document dozens of new lures per week.
- Use of legitimate cloud services (Telegram, Google Drive, Cloudflare Workers, Dropbox) for command and control and payload staging, consistent with a pattern Microsoft and Cisco Talos have tracked since 2023.
- PteroLNK, PteroCDR, PteroSand, PteroBox, PteroCookie and other tools in the "Ptero" family used for persistence, screenshot capture, credential theft, and USB propagation.
- Expansion into MSP and integrator environments serving regional Ukrainian government offices, where a single credential compromise yielded multi-tenant access.
CERT-UA's 2025 reporting repeatedly emphasized that Gamaredon now treats MSP credential theft as a primary objective when direct targets are hardened.
Why has Gamaredon pivoted toward supply chain vectors?
Because Ukrainian government, defense, and critical-infrastructure defenders have matured significantly since 2022. Microsoft, Mandiant, and Google TAG all documented in 2024 and 2025 that direct phishing success rates against hardened Ukrainian targets dropped meaningfully as MFA, conditional access, and EDR deployment became standard. When the direct path closes, the trusted path opens.
Supply chain pivots give Gamaredon three things phishing alone cannot:
- Access that bypasses MFA. MSP remote monitoring and management (RMM) tooling, shared admin jump hosts, and trusted interconnects between partner and customer networks carry the partner's already-authenticated session into the customer environment, sidestepping the authentication controls that stopped the previous year's lures.
- Persistence that survives endpoint rebuild. If the MSP's provisioning templates are tainted, the implant returns each time a workstation is re-imaged.
- Targeting precision at scale. A compromised MSP gives access to dozens of client organizations, allowing operators to filter for specific units and regions.
Which tools and TTPs should defenders recognize?
Consistent across CERT-UA, ESET, Cisco Talos, and Unit 42 reporting through 2025, the following TTPs recur:
- Template injection: a .docx or .dotx attachment (or shared-drive file) whose attached-template relationship points at a remote .dotm. The lure itself carries no macros; Word fetches the macro-bearing template when the document opens, and that template stages subsequent payloads.
- LNK files on removable media as a propagation mechanism. Ukrainian defense supply chains still move USB drives for air-gapped or low-bandwidth sites, and Gamaredon has tooling that specifically targets this vector.
- Wiping and selective destruction variants used alongside collection. Gamaredon is not always quiet; on certain operations the group has deployed destructive scripts against defense logistics targets.
- C2 over legitimate cloud services: Telegram bots, GitHub Pages, Cloudflare Workers, and Google Drive-hosted documents. Because the destinations are hostnames every business already talks to, this complicates egress-based detection.
- Credential harvesting from browsers, MSP RMM consoles, and VPN clients. Credential re-use then drives lateral movement into customer tenants.
MITRE ATT&CK mappings in CERT-UA bulletins consistently include T1566 (Phishing), T1204 (User Execution), T1221 (Template Injection), T1071.001 (Application Layer Protocol: Web Protocols), T1091 (Replication Through Removable Media), T1078 (Valid Accounts), and T1219 (Remote Access Software).
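The template-injection TTP above is detectable from the document alone, before any macro runs: the attached-template relationship lives in word/_rels/settings.xml.rels and carries TargetMode="External" with the URL as its Target. The following scanner is an added example written for this page, not tooling from CERT-UA, ESET, or any vendor. It builds minimal constructed OOXML packages (not real Word documents; 203.0.113.10 is a documentation address) so it runs offline, and it separates a local file:// template (Normal.dotm, benign) from an http(s) or UNC target, which is the injection case the page describes.

```python
import io
import zipfile
from urllib.parse import urlparse
from xml.etree import ElementTree as ET

# OOXML relationship namespaces used by the settings part of a Word document.
REL_NS = "http://schemas.openxmlformats.org/package/2006/relationships"
ATTACHED_TEMPLATE = ("http://schemas.openxmlformats.org/officeDocument/2006/"
                     "relationships/attachedTemplate")
SETTINGS_RELS = "word/_rels/settings.xml.rels"


def attached_templates(docx_bytes):
    """Return every external attachedTemplate target in a .docx/.dotx package.

    Remote template injection needs no macros in the lure: the attachedTemplate
    relationship points at a URL and Word fetches that template (usually a
    macro-bearing .dotm) when the document is opened.
    """
    targets = []
    with zipfile.ZipFile(io.BytesIO(docx_bytes)) as pkg:
        if SETTINGS_RELS not in pkg.namelist():
            return targets
        root = ET.fromstring(pkg.read(SETTINGS_RELS))
        for rel in root.iter(f"{{{REL_NS}}}Relationship"):
            if (rel.get("Type") == ATTACHED_TEMPLATE
                    and rel.get("TargetMode") == "External"):
                targets.append(rel.get("Target"))
    return targets


def is_remote(target):
    """True for http(s) URLs and UNC paths; a local file:// template is not a network fetch."""
    if target.startswith("\\\\") or target.startswith("//"):
        return True
    return urlparse(target).scheme in ("http", "https")


def scan(docx_bytes):
    """Classify a package as 'remote_template', 'local_template', or 'clean',
    returning the verdict and the targets that drove it."""
    targets = attached_templates(docx_bytes)
    remote = [t for t in targets if is_remote(t)]
    if remote:
        return "remote_template", remote
    if targets:
        return "local_template", targets
    return "clean", []


def build_sample(template_target=None):
    """Constructed minimal OOXML package containing only the parts the check
    reads; it is not a real Word document and will not open in Word."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w", zipfile.ZIP_DEFLATED) as pkg:
        pkg.writestr("[Content_Types].xml", "<Types/>")
        pkg.writestr("word/document.xml", "<w:document/>")
        pkg.writestr(
            "word/settings.xml",
            '<w:settings xmlns:w="http://schemas.openxmlformats.org/wordprocessingml/2006/main" '
            'xmlns:r="http://schemas.openxmlformats.org/officeDocument/2006/relationships">'
            '<w:attachedTemplate r:id="rId1"/></w:settings>',
        )
        if template_target is not None:
            pkg.writestr(
                SETTINGS_RELS,
                f'<Relationships xmlns="{REL_NS}">'
                f'<Relationship Id="rId1" Type="{ATTACHED_TEMPLATE}" '
                f'Target="{template_target}" TargetMode="External"/></Relationships>',
            )
    return buf.getvalue()


if __name__ == "__main__":
    # Constructed samples; 203.0.113.10 is a documentation address, not a real C2.
    for name, doc in [
        ("plain", build_sample()),
        ("normal", build_sample("file:///C:/Users/user/AppData/Roaming/Microsoft/Templates/Normal.dotm")),
        ("injected", build_sample("http://203.0.113.10/tmpl/invoice.dotm")),
    ]:
        print(name, scan(doc))
```

Run it against mail-gateway or shared-drive samples by passing the file bytes to scan(). A "remote_template" verdict is worth blocking outright; a "local_template" verdict is normal for documents created from a corporate template and should only be logged.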
How do MSP compromises typically unfold?
The pattern in 2025 CERT-UA reporting is consistent enough to generalize:
- A technician or administrator at a Ukrainian MSP receives a themed spearphishing email. Common themes in 2025 include invoicing for government contracts, court documents, and HR notifications.
- The lure drops a Ptero-family implant that harvests credentials, including RMM console logins, VPN profiles, and saved browser credentials.
- The operators log in to the MSP's RMM platform - ConnectWise, Kaseya VSA, Atera, N-able, or similar - using harvested credentials or session cookies.
- They push scripted payloads to specific customer endpoints via the RMM, often late at night local time.
- The payload harvests documents, takes screenshots, and beacons to Telegram-based C2.
The structural issue is not the RMM product. It is that the MSP's trust boundary extends into dozens of customer tenants without corresponding segmentation of credentials, logging, or runbooks. An MSP operator with console access is, effectively, an unmanaged privileged identity across all customers, and nothing on the customer side sees the cross-tenant pattern unless the MSP's console audit log is collected and correlated.
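The sequence above leaves one signal that the customers individually cannot see but the MSP can: a single console identity pushing scripts into several customer tenants in a short window, late at night local time. The detection below is an added example written for this page, not code from CERT-UA or any RMM vendor. The JSON-lines audit log and its field names (user, action, tenant, host, script) are constructed assumptions; real consoles export their own schemas. Timestamps carry the MSP's local UTC offset, so "off-hours" is judged in the timestamp's own local time.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed RMM console audit log (JSON lines). Field names are assumptions;
# real consoles export different schemas.
SAMPLE_AUDIT_LOG = """
{"ts": "2025-03-04T02:05:00+02:00", "user": "msp-admin1", "action": "script_run", "tenant": "oblast-office-a", "host": "ws-11", "script": "inventory.ps1"}
{"ts": "2025-03-04T02:12:00+02:00", "user": "msp-admin1", "action": "script_run", "tenant": "oblast-office-b", "host": "ws-07", "script": "inventory.ps1"}
{"ts": "2025-03-04T02:20:00+02:00", "user": "msp-admin1", "action": "script_run", "tenant": "logistics-c", "host": "srv-02", "script": "inventory.ps1"}
{"ts": "2025-03-04T10:30:00+02:00", "user": "msp-admin1", "action": "script_run", "tenant": "oblast-office-a", "host": "ws-11", "script": "patch.ps1"}
{"ts": "2025-03-04T11:00:00+02:00", "user": "msp-admin1", "action": "script_run", "tenant": "oblast-office-b", "host": "ws-03", "script": "patch.ps1"}
{"ts": "2025-03-04T23:10:00+02:00", "user": "msp-admin2", "action": "script_run", "tenant": "logistics-c", "host": "srv-02", "script": "backup.ps1"}
{"ts": "2025-03-04T23:15:00+02:00", "user": "msp-admin2", "action": "login", "tenant": "-", "host": "-", "script": "-"}
"""


def parse_events(lines):
    """Parse JSON-lines audit records into dicts with aware datetimes, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        rec = json.loads(line)
        rec["ts"] = datetime.fromisoformat(rec["ts"])
        events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def is_off_hours(ts):
    """Local hour outside 06:00-22:00; the offset in the timestamp defines 'local'."""
    return ts.hour >= 22 or ts.hour < 6


def find_cross_tenant_pushes(events, window=timedelta(hours=2), min_tenants=3):
    """Flag a console identity that pushes scripts into at least min_tenants
    distinct customer tenants within `window`, with every push in off-hours.

    One alert per identity: the first window that crosses the threshold is
    reported and the rest of that identity's events are skipped.
    """
    by_user = defaultdict(list)
    for rec in events:
        if rec["action"] == "script_run":
            by_user[rec["user"]].append(rec)

    alerts = []
    for user, runs in by_user.items():
        start = 0
        for end in range(len(runs)):
            # Advance the window start until the span fits inside `window`.
            while runs[end]["ts"] - runs[start]["ts"] > window:
                start += 1
            span = runs[start:end + 1]
            tenants = {r["tenant"] for r in span}
            if len(tenants) >= min_tenants and all(is_off_hours(r["ts"]) for r in span):
                alerts.append({
                    "user": user,
                    "tenants": sorted(tenants),
                    "hosts": sorted(r["host"] for r in span),
                    "first": span[0]["ts"].isoformat(),
                    "last": span[-1]["ts"].isoformat(),
                })
                break
    return alerts


if __name__ == "__main__":
    for alert in find_cross_tenant_pushes(parse_events(SAMPLE_AUDIT_LOG.splitlines())):
        print(json.dumps(alert, indent=2))
```

In the sample, msp-admin1's daytime pushes into two tenants never alert, but the three night-time pushes fifteen minutes apart do. The thresholds are deliberately loose starting points; tune min_tenants and the hours to the MSP's real change windows, and treat an alert on an identity that also logged in from a new IP or a new browser session as high severity.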
What controls actually reduce exposure to Gamaredon-class supply chain operations?
- Treat MSPs and integrators as privileged vendors. TPRM questionnaires should specifically cover RMM hygiene, MFA on console access, session recording, and segmentation of admin credentials per customer.
- Segment RMM access per customer tenant. Shared credentials across customers are the default at many MSPs and the most common failure. The joint advisory AA22-131A (CISA with its Five Eyes partners) on protecting against cyber threats to MSPs and their customers remains the baseline and is still widely unimplemented.
- Template injection controls. There is no single Office switch that blocks a remote template fetch, so layer the controls that do exist: keep macros blocked in files carrying Mark of the Web so a fetched .dotm cannot run its VBA, enable the Attack Surface Reduction rules that block Office applications from creating child processes and block Win32 API calls from Office macros, restrict outbound HTTP from Office processes at the proxy, and alert when winword.exe or excel.exe makes an outbound request or when a document's attached template resolves to an external URL. The macro settings are exposed through Group Policy and the Microsoft 365 Apps cloud policy service; ASR rules are set through Group Policy, Intune, or PowerShell.
- Removable media discipline for defense supply chains. Write-blockers on ingestion stations, inventory of authorized drives, and endpoint-level LNK execution monitoring.
- Egress monitoring for legitimate cloud abuse. Establish baselines for Telegram, Google Drive, GitHub, and Cloudflare Workers egress per business unit. Alert on first-seen hostnames within these services when correlated with new process creation on the same endpoint. One caveat: every Telegram bot talks to api.telegram.org, so a hostname baseline catches a unit's first contact with the service but not one bot versus another; telling bots apart needs the token in the URL path, which requires TLS inspection.
- Credential hygiene at partner organizations. Require partners to rotate on incident, enforce passkeys or hardware tokens on privileged consoles, and disable legacy authentication.
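The egress control above is a correlation, not a blocklist: a hostname under one of the abused services that a business unit has never contacted before, seen shortly after a script host was spawned on the same endpoint. The following detector is an added example for this page, not code from any vendor or advisory. The proxy and process-creation telemetry, the unit names, the baseline, and the field names are all constructed assumptions; the hostname under workers.dev is invented. It works at hostname level, so for Telegram it fires on a unit's first contact with api.telegram.org rather than on a particular bot.

```python
import json
from collections import defaultdict
from datetime import datetime, timedelta

# Hostnames of the services the page lists. api.telegram.org is shared by every
# bot, so the tenant-specific part there is the bot token in the URL path; this
# check works on hostnames and treats a unit's first contact as the signal.
EXACT_HOSTS = {"api.telegram.org", "drive.google.com", "docs.google.com",
               "raw.githubusercontent.com"}
WILDCARD_SUFFIXES = (".workers.dev", ".github.io")
# Script hosts that Office-launched droppers typically spawn.
SCRIPT_HOSTS = {"powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe"}

# Constructed telemetry (JSON lines): proxy egress plus endpoint process creation.
SAMPLE_TELEMETRY = """
{"type": "process_create", "ts": "2025-03-05T09:00:10+02:00", "endpoint": "ws-17", "image": "WINWORD.EXE", "parent": "explorer.exe"}
{"type": "process_create", "ts": "2025-03-05T09:01:02+02:00", "endpoint": "ws-17", "image": "mshta.exe", "parent": "WINWORD.EXE"}
{"type": "egress", "ts": "2025-03-05T09:01:30+02:00", "endpoint": "ws-17", "unit": "finance", "dest_host": "drive.google.com"}
{"type": "egress", "ts": "2025-03-05T09:02:05+02:00", "endpoint": "ws-17", "unit": "finance", "dest_host": "staging-a1b2.workers.dev"}
{"type": "egress", "ts": "2025-03-05T09:30:00+02:00", "endpoint": "ws-17", "unit": "finance", "dest_host": "staging-a1b2.workers.dev"}
{"type": "egress", "ts": "2025-03-05T14:00:00+02:00", "endpoint": "ws-40", "unit": "logistics", "dest_host": "api.telegram.org"}
"""

# Baseline learned from past traffic: unit -> hostnames already seen (constructed).
BASELINE = {"finance": {"drive.google.com", "docs.google.com"}, "logistics": set()}


def cloud_service(host):
    """Return the matched service label, or None if the host is not one we track."""
    host = host.lower().rstrip(".")
    if host in EXACT_HOSTS:
        return host
    for suffix in WILDCARD_SUFFIXES:
        if host.endswith(suffix):
            return "*" + suffix
    return None


def parse_events(lines):
    """Parse JSON-lines telemetry into dicts with aware datetimes, sorted by time."""
    events = []
    for line in lines:
        line = line.strip()
        if line:
            rec = json.loads(line)
            rec["ts"] = datetime.fromisoformat(rec["ts"])
            events.append(rec)
    return sorted(events, key=lambda r: r["ts"])


def first_seen_cloud_egress(events, baseline, lookback=timedelta(minutes=10)):
    """Alert when a unit first contacts a tracked cloud hostname and a script
    host was spawned on the same endpoint within `lookback` before the flow."""
    seen = {unit: set(hosts) for unit, hosts in baseline.items()}  # copy; do not mutate input
    procs = defaultdict(list)  # endpoint -> process_create records seen so far
    alerts = []
    for rec in events:
        if rec["type"] == "process_create":
            procs[rec["endpoint"]].append(rec)
            continue
        host = rec["dest_host"].lower().rstrip(".")
        unit_seen = seen.setdefault(rec["unit"], set())
        new = host not in unit_seen
        unit_seen.add(host)  # learn it either way so each hostname alerts at most once
        service = cloud_service(host)
        if not (new and service):
            continue
        related = [p for p in procs[rec["endpoint"]]
                   if timedelta(0) <= rec["ts"] - p["ts"] <= lookback
                   and p["image"].lower() in SCRIPT_HOSTS]
        if related:
            alerts.append({
                "unit": rec["unit"], "endpoint": rec["endpoint"],
                "dest_host": host, "service": service,
                "process": related[-1]["image"], "parent": related[-1]["parent"],
                "ts": rec["ts"].isoformat(),
            })
    return alerts


if __name__ == "__main__":
    for alert in first_seen_cloud_egress(parse_events(SAMPLE_TELEMETRY.splitlines()), BASELINE):
        print(json.dumps(alert, indent=2))
```

In the sample, the Google Drive flow is in the finance baseline and is ignored, the first contact with the workers.dev hostname fires because mshta.exe was spawned by WINWORD.EXE on the same endpoint a minute earlier, the repeat contact is silent, and logistics' first contact with api.telegram.org is learned but not alerted because no script host preceded it. That last case is exactly the one worth a lower-severity "new service for this unit" ticket, since a Telegram bot C2 will look the same at the hostname level.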
How does Gamaredon fit into the broader Russian ecosystem?
Gamaredon is the volume player. While Sandworm (GRU Unit 74455) focuses on destructive and wiper operations against Ukrainian energy and telecom, and APT28 (GRU Unit 26165) and APT29 (SVR) focus on selective intelligence collection, Gamaredon provides broad surveillance coverage at low operational cost. Mandiant's 2024 and 2025 Russia-focused reporting repeatedly places Gamaredon as the "always on" collection layer that feeds tasking to other services.
For supply chain defenders outside Ukraine, this matters because Gamaredon's techniques are portable. A template-injection-plus-RMM pattern refined against Ukrainian MSPs will show up in attacks against defense integrators and logistics providers in Europe and North America, usually by adjacent groups reusing the playbook. The 2022-2024 pattern of wiper variants migrating from Ukraine-first campaigns to broader targets is likely to repeat with supply chain tradecraft.
What does the outlook look like through 2026?
Expect continued high-volume Gamaredon activity aimed at Ukrainian government, defense, and critical infrastructure, with increasing emphasis on MSP and integrator compromise. Expect continued tooling iteration in the Ptero family, continued abuse of legitimate cloud services for C2, and continued propagation via removable media in defense logistics. Expect, also, technique portability: the same operators refining MSP-pivot tradecraft against Ukrainian targets raise the baseline capability for Russian and aligned clusters elsewhere.
The implication for supply chain defenders outside the immediate conflict zone is the same as it has been since 2022: Ukraine is the forcing function that drives Russian tradecraft forward. What works there shows up in your TPRM threat model nine to eighteen months later.
How Safeguard.sh Helps
Safeguard.sh maps the MSP, RMM, and integrator tier of your supply chain the same way we map software dependencies. Eagle detection correlates CERT-UA and allied threat intelligence against your actual vendor inventory, surfacing when an RMM platform in use at one of your MSPs is under active Gamaredon-class pressure. Our zero-day pipeline tracks edge-appliance and productivity-suite CVEs that feature in Ukrainian advisory reporting, SBOM lineage captures the full chain of internally developed tooling and partner-provided agents running in your environment, and Griffin AI remediation turns template-injection and RMM-hardening guidance into prioritized, engineer-readable tickets so your team can implement controls before the tradecraft makes the jump to your region.