A Russian hacking group known as Gamaredon has adopted new tactics to conceal malicious software targeting Ukrainian organizations, according to cybersecurity researchers at Recorded Future.
The group, linked to Russia's Federal Security Service (FSB), is using Cloudflare Tunnels and DNS fast-flux techniques to hide its malware infrastructure in an ongoing spear-phishing campaign that began in early 2024.
The attacks start with phishing emails containing HTML attachments that deliver GammaDrop malware through a technique called HTML smuggling. When victims open these attachments, they unknowingly trigger a chain of events that installs multiple malicious programs designed to steal sensitive data.
The hackers specifically target information from web browsers, email clients, and messaging apps like Signal and Telegram. The malware can also spread through connected USB drives and download additional harmful code.
What makes this campaign notable is the use of legitimate Cloudflare services to mask the location of the servers hosting the malware. The group also employs DNS fast-flux, a technique that rapidly changes the IP addresses a domain resolves to, making it harder to track and block the malicious infrastructure.
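The fast-flux behaviour described above shows up in DNS telemetry as a domain that resolves to many unrelated addresses with very short TTLs. The following is an added defender-side example, not code from Recorded Future or from the report, that scores domains in passive-DNS style records on three assumed heuristics (distinct IPs, distinct /24 networks, median TTL). The records, domain names and thresholds are constructed for illustration and are not indicators from the campaign.

```python
"""Score domains for fast-flux behaviour from passive-DNS style records.

Added example for illustration; thresholds and sample data are assumptions,
not values published in the report this article summarizes.
"""
from collections import defaultdict
from ipaddress import ip_network
from statistics import median

# Constructed sample records: (unix timestamp, domain, resolved IPv4, TTL seconds).
# Addresses are documentation ranges (RFC 5737); domains use the .test TLD.
SAMPLE_RECORDS = [
    (1700000000, "updates.example-flux.test", "203.0.113.10", 60),
    (1700000120, "updates.example-flux.test", "198.51.100.22", 60),
    (1700000240, "updates.example-flux.test", "192.0.2.77", 60),
    (1700000360, "updates.example-flux.test", "203.0.113.45", 60),
    (1700000480, "updates.example-flux.test", "198.51.100.200", 60),
    (1700000600, "updates.example-flux.test", "192.0.2.9", 60),
    (1700000000, "static.example-corp.test", "203.0.113.5", 3600),
    (1700003600, "static.example-corp.test", "203.0.113.5", 3600),
    (1700007200, "static.example-corp.test", "203.0.113.5", 3600),
]

# Assumed thresholds; tune against your own baseline of benign resolutions.
MIN_DISTINCT_IPS = 5      # many A records over the observation window
MIN_DISTINCT_NETS = 3     # spread across unrelated /24 networks
MAX_MEDIAN_TTL = 300      # short TTLs force clients to re-resolve often
FLAG_AT_SCORE = 2         # flag when at least two heuristics fire


def summarize(records):
    """Group records by domain and collect IPs, /24 networks and TTLs."""
    per_domain = defaultdict(lambda: {"ips": set(), "nets": set(), "ttls": []})
    for _ts, domain, ip, ttl in records:
        entry = per_domain[domain]
        entry["ips"].add(ip)
        # strict=False lets us derive the containing /24 from a host address.
        entry["nets"].add(str(ip_network(f"{ip}/24", strict=False)))
        entry["ttls"].append(ttl)
    return per_domain


def classify(records):
    """Return {domain: {"score", "flagged", "ips", "nets", "median_ttl"}}."""
    results = {}
    for domain, entry in summarize(records).items():
        med_ttl = median(entry["ttls"])
        score = 0
        score += len(entry["ips"]) >= MIN_DISTINCT_IPS
        score += len(entry["nets"]) >= MIN_DISTINCT_NETS
        score += med_ttl <= MAX_MEDIAN_TTL
        results[domain] = {
            "score": score,
            "flagged": score >= FLAG_AT_SCORE,
            "ips": len(entry["ips"]),
            "nets": len(entry["nets"]),
            "median_ttl": med_ttl,
        }
    return results


if __name__ == "__main__":
    for domain, verdict in classify(SAMPLE_RECORDS).items():
        print(f"{domain}: score={verdict['score']} flagged={verdict['flagged']} "
              f"ips={verdict['ips']} nets={verdict['nets']} ttl={verdict['median_ttl']}")
```

Note that a domain fronted by a large CDN or tunnelling service can also resolve to several addresses with short TTLs, which is one reason the article says abuse of legitimate services is hard for traditional controls to separate from normal traffic. In practice the score is a triage signal to be combined with an allow-list of known CDN ranges and with context such as which hosts queried the domain and whether the resolved addresses belong to a provider the organization actually uses.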
While Gamaredon's tools are not particularly sophisticated, the group maintains effectiveness through frequent updates and changing obfuscation methods. They also deploy multiple backdoors simultaneously to maintain access to compromised systems.
Security experts warn that the group will likely continue refining these evasion techniques, presenting ongoing challenges for organizations with limited cybersecurity capabilities. The use of legitimate services like Cloudflare makes it especially difficult for traditional security systems to detect these threats.
The hacking group, also tracked under names like BlueAlpha and Shuckworm, has been active since 2014 and previously targeted various NATO countries including Bulgaria, Latvia, Lithuania, and Poland.