Russian Cyber Espionage Campaign Unmasked: GamaCopy Group Mimics Kremlin-Linked Tactics


A newly discovered hacking group called GamaCopy has been found imitating the methods of the Kremlin-linked Gamaredon group to conduct cyber attacks against Russian-speaking targets.

Security researchers at Knownsec 404 Advanced Threat Intelligence revealed that GamaCopy appears connected to another threat actor known as Core Werewolf (also called Awaken Likho and PseudoGamaredon). The group uses military facility-related content as bait to deploy UltraVNC software, which enables remote access to compromised computers.

The attack pattern begins with a self-extracting archive file created using 7-Zip, which delivers additional malicious payloads. These include a batch script that installs UltraVNC while showing a fake PDF document as a distraction. To avoid detection, the UltraVNC executable is disguised as "OneDrivers.exe" to appear as legitimate Microsoft OneDrive software.

The campaign shares multiple technical characteristics with Core Werewolf operations, including the use of 7z-SFX files, communications over port 443, and specific command implementations. This follows a broader pattern of cyber attacks targeting Russian organizations since the start of the Ukraine conflict.
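The behaviours described above (a 7-Zip SFX dropping a batch script, the batch script launching an UltraVNC binary renamed to "OneDrivers.exe", and that process talking out over port 443) can be turned into a simple triage check over endpoint telemetry. The following is an added example, not code from the article or from Knownsec 404, and it runs over constructed Sysmon-style process-creation and network events rather than real logs. It assumes that UltraVNC's server binary carries `winvnc.exe` as its PE OriginalFileName, that the 7-Zip SFX unpacks into a `%TEMP%\7zS...` folder, and that the sample IP and paths are placeholders; none of those values come from the article.

```python
"""Triage check for the GamaCopy-style chain described in the article.

Added example with constructed telemetry; the rules score each process on
(1) a lookalike OneDrive filename, (2) a mismatch between the on-disk name and
the PE OriginalFileName, (3) launch by a batch script, (4) execution from a
temp directory, and (5) outbound port 443 from an already-flagged process.
"""
import ntpath
from collections import defaultdict

# Constructed sample events mimicking Sysmon EID 1 (process) and EID 3 (network).
# The paths, PIDs and IP are placeholders, not indicators from the report.
SFX_DIR = r"C:\Users\victim\AppData\Local\Temp\7zS0ABC"  # assumed SFX extraction dir
EVENTS = [
    {"type": "process", "pid": 4100,
     "image": SFX_DIR + r"\OneDrivers.exe",
     "original_file_name": "winvnc.exe",            # assumed UltraVNC OriginalFileName
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "parent_cmdline": r"cmd.exe /c " + SFX_DIR + r"\install.bat"},
    {"type": "process", "pid": 4200,
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",  # benign baseline
     "original_file_name": "OneDrive.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "parent_cmdline": "explorer.exe"},
    {"type": "network", "pid": 4100, "image": SFX_DIR + r"\OneDrivers.exe",
     "dest_ip": "203.0.113.10", "dest_port": 443},   # RFC 5737 documentation IP
    {"type": "network", "pid": 4200,
     "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",
     "dest_ip": "203.0.113.20", "dest_port": 443},
]


def process_findings(ev):
    """Return the list of suspicious traits for one process-creation event."""
    reasons = []
    name = ntpath.basename(ev["image"]).lower()

    # 1. Names that imitate OneDrive but are not the real binary name.
    if name.startswith("onedrive") and name != "onedrive.exe":
        reasons.append(f"lookalike OneDrive filename: {name}")

    # 2. Renamed executables keep their compiled-in OriginalFileName.
    ofn = (ev.get("original_file_name") or "").lower()
    if ofn and ofn != name:
        reasons.append(f"PE OriginalFileName '{ofn}' differs from on-disk name")

    # 3. The article describes a batch script installing UltraVNC.
    parent = ntpath.basename(ev.get("parent_image", "")).lower()
    if parent == "cmd.exe" and ".bat" in ev.get("parent_cmdline", "").lower():
        reasons.append("launched by a batch script")

    # 4. SFX payloads are extracted to and run from a temp directory.
    if "\\temp\\" in ev["image"].lower():
        reasons.append("runs from a temp directory (typical of SFX extraction)")
    return reasons


def triage(events, threshold=2):
    """Score processes and return {pid: reasons} for those at or above threshold."""
    by_pid = defaultdict(list)
    for ev in events:
        if ev["type"] == "process":
            by_pid[ev["pid"]].extend(process_findings(ev))
    # 5. Port 443 alone is normal; it only adds weight to an already-flagged process.
    for ev in events:
        if ev["type"] == "network" and ev.get("dest_port") == 443 and by_pid.get(ev["pid"]):
            by_pid[ev["pid"]].append(
                f"outbound 443 to {ev['dest_ip']} from already-flagged process")
    return {pid: reasons for pid, reasons in by_pid.items() if len(reasons) >= threshold}


if __name__ == "__main__":
    for pid, reasons in triage(EVENTS).items():
        print(f"PID {pid}: {len(reasons)} indicators")
        for r in reasons:
            print("  -", r)
```

The threshold keeps a single weak signal (a process using port 443, or any file in a temp folder) from firing on its own; in the constructed sample the renamed UltraVNC process accumulates all five traits while the genuine OneDrive process scores nothing.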

GamaCopy joins other active threat groups focusing on Russian targets, including Sticky Werewolf (PhaseShifters), Venture Wolf, and Paper Werewolf. These groups primarily employ phishing tactics aimed at stealing sensitive data.

The discovery comes four months after Kaspersky reported that Russian government and industrial organizations were being targeted by Core Werewolf through spear-phishing attacks that used the MeshCentral platform instead of UltraVNC.