Researchers Uncovered Gamaredon’s PteroLNK VBScript Malware Infrastructure & TTPs

A sophisticated malware campaign attributed to the Russia-linked Gamaredon threat group has been actively targeting Ukrainian entities since late 2024, according to research published by HarfangLab on April 16, 2025.

Samples of the Pterodo malware family were uploaded to public malware analysis platforms between December 2024 and mid-March 2025, and the associated command and control infrastructure was still being maintained at the time of publication.

The malware, known as PteroLNK, consists of heavily obfuscated VBScript files that assemble additional payloads at run time rather than carrying them in a directly readable form.


The campaign primarily targets Ukrainian government, military, and critical infrastructure organizations through spearphishing operations with military-themed lures.

Samples were predominantly uploaded from cities across Ukraine, including Kyiv, Dnipro, Rivne, Kupyansk and Odesa.

The malware replaces legitimate documents with shortcuts that carry the same names, so that it propagates across networks and executes its code when a user opens what appears to be a familiar file.

HarfangLab researchers identified that the main PteroLNK VBScript dynamically constructs two additional VBScript payloads during execution: a downloader and an LNK dropper.

“The scripts are designed to allow flexibility for their operators, enabling easy modification of parameters such as file names and paths, persistence mechanisms, and detection logic for security solutions on the target system,” the report states.

The malware establishes persistence through scheduled tasks and conceals its files by changing Windows Explorer settings so that hidden items are not displayed.

It drops copies of itself to paths such as “%PUBLIC%\NTUSER.DAT.TMContainer” and “%APPDATA%\~.drv”, while writing the downloader and LNK dropper payloads to separate locations.

The downloader task runs every 3 minutes and the LNK dropper task every 9 minutes.
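The persistence described above (short-interval scheduled tasks that launch a script host, plus Explorer settings changed so hidden files stay invisible) is easy to hunt for once task definitions and the relevant registry key have been exported. The following is an added example, not HarfangLab's or Gamaredon's code: it audits Task Scheduler XML (the format produced by `schtasks /query /xml` or `Export-ScheduledTask`) for repetition intervals of ten minutes or less combined with `wscript`/`cscript` and VBScript arguments, and it checks a `reg export` of the `Explorer\Advanced` key for the standard Windows values that hide files (`Hidden`, `ShowSuperHidden`, `HideFileExt`). The two task definitions and the registry export are constructed samples; the report does not publish the tasks' actual XML or registry changes, and the exact values it modifies are an assumption based on how Explorer stores these settings.

```python
import re
import xml.etree.ElementTree as ET

# Namespace used by Task Scheduler XML (schtasks /query /xml, Export-ScheduledTask)
TASK_NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
MAX_INTERVAL_SECONDS = 10 * 60   # both the 3-minute and 9-minute PteroLNK tasks fall under this

# Standard Explorer\Advanced values; these settings hide files or extensions from the user.
# Assumption: PteroLNK touches these values; the report only says Explorer settings are changed.
HIDE_WHEN = {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 1}
REG_VALUE_RE = re.compile(r'^"(?P<name>[^"]+)"=dword:(?P<val>[0-9a-fA-F]{8})\r?$', re.M)


def parse_iso_duration(text):
    """Convert a Task Scheduler duration (PT3M, PT1H30M, P1DT2H) to seconds."""
    m = re.fullmatch(r"P(?:(\d+)D)?(?:T(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?)?", text.strip())
    if not m:
        raise ValueError(f"unrecognised duration: {text!r}")
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 86400 + hours * 3600 + minutes * 60 + seconds


def audit_task(xml_text):
    """Return the reasons a task definition looks like short-interval script persistence ([] if clean)."""
    # expat refuses a str that declares a multi-byte encoding (exports say UTF-16), so drop the prologue
    root = ET.fromstring(re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text))
    reasons = []
    intervals = [parse_iso_duration(e.text) for e in root.iterfind(".//t:Repetition/t:Interval", TASK_NS)]
    short = [s for s in intervals if s <= MAX_INTERVAL_SECONDS]
    if short:
        reasons.append(f"repeats every {min(short) // 60} min")
    for ex in root.iterfind(".//t:Actions/t:Exec", TASK_NS):
        cmd = (ex.findtext("t:Command", default="", namespaces=TASK_NS) or "").strip()
        args = ex.findtext("t:Arguments", default="", namespaces=TASK_NS) or ""
        exe = re.split(r"[\\/]", cmd.strip('"'))[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"runs script host {exe}")
        if re.search(r"\.vbs\b|//e:vbscript", args, re.I):
            reasons.append("VBScript engine or .vbs file in arguments")
        if re.search(r"%public%|%appdata%|\\users\\public\\", cmd + " " + args, re.I):
            reasons.append("payload under a user-writable profile path")
    return reasons


def explorer_hiding_flags(reg_export):
    """Return Explorer\\Advanced values set so that files or extensions are hidden from the user."""
    flagged = []
    for m in REG_VALUE_RE.finditer(reg_export):
        name, value = m.group("name"), int(m.group("val"), 16)
        if HIDE_WHEN.get(name) == value:
            flagged.append(name)
    return flagged


# Constructed sample: a task shaped like the 3-minute downloader task (path taken from the report)
SAMPLE_TASK = """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT3M</Interval></Repetition>
      <StartBoundary>2024-12-28T10:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>wscript.exe</Command>
      <Arguments>//e:VBScript //b "%PUBLIC%\\NTUSER.DAT.TMContainer"</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: an ordinary daily maintenance task that must not be flagged
BENIGN_TASK = """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2024-12-28T02:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec>
      <Command>%windir%\\system32\\defrag.exe</Command>
      <Arguments>C: /O</Arguments>
    </Exec>
  </Actions>
</Task>"""

# Constructed sample: reg export of the Explorer key after hidden files have been switched off
REG_EXPORT = """Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\\Software\\Microsoft\\Windows\\CurrentVersion\\Explorer\\Advanced]
"Hidden"=dword:00000002
"ShowSuperHidden"=dword:00000000
"HideFileExt"=dword:00000000
"""

if __name__ == "__main__":
    print(audit_task(SAMPLE_TASK))
    print(audit_task(BENIGN_TASK))
    print(explorer_hiding_flags(REG_EXPORT))
```

Run it over every task exported from a suspect host; a ten-minute threshold keeps normal maintenance tasks quiet while catching both PteroLNK intervals, and the registry check confirms whether the dropped files would be invisible to the user.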

What makes this campaign particularly notable is its command and control infrastructure. Gamaredon employs a technique known as Dead Drop Resolvers (DDRs): posts on legitimate platforms such as Telegraph and Teletype that hold encoded C2 addresses. Because the posts can be edited at any time, the operators can rotate C2 servers without touching the implant, which complicates detection and takedown.

The opening of the downloader component shows this multi-stage C2 lookup (reconstructed from the report's listing):

On Error Resume Next
Dim userAgent, response, executionResult, url, errorCounter, computerName, serialNumber, extractedText, regexPattern, DDR
errorCounter = 0
' Dead Drop Resolver: a Telegraph post that holds the encoded C2 address
DDR = "hxxps://telegra[.]ph/Vizit-12-28"
regexPattern = "\\"

[Figure: custom HTTP User-Agent string]

When executed, the script builds a custom HTTP User-Agent string containing the computer name and the serial number of the system drive, which uniquely identifies the infected machine to the C2 server and, since no browser sends such a string, is a useful hunting artefact in proxy logs.

It first checks for internet connectivity by requesting benign websites, then works through a series of fallback mechanisms if the DDR lookup fails, using increasingly diverse methods to obtain a C2 address.
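The network behaviour described in the last few paragraphs (a task that polls a Telegraph or Teletype post every few minutes, from a User-Agent that is unique to one machine) can be turned into detection logic over ordinary proxy logs. The following is an added example, not code from HarfangLab or from the malware: it groups requests to the dead-drop platforms by source and destination, flags pairs whose inter-request gaps are regular and short, and reports any User-Agent seen from only one source on the network. The log format and the sample lines are constructed (the beacon User-Agent in particular is an invented stand-in for the real computer-name-plus-serial string, whose exact layout the report does not reproduce here).

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

DDR_HOSTS = {"telegra.ph", "teletype.in"}   # platforms the report names as dead-drop hosts

# Constructed log format (not a specific proxy's): time src host method path "user-agent"
LOG_RE = re.compile(r'^(?P<ts>\S+) (?P<src>\S+) (?P<host>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Constructed User-Agents: the first stands in for a host-specific string, the second is an ordinary browser
BEACON_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) DESKTOP-7Q2LM4::5E3A91C0"
BROWSER_UA = "Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/124.0.0.0 Safari/537.36"

# Constructed sample: one infected host polling the DDR post roughly every 3 minutes after a
# connectivity check, alongside two users reading Telegraph/Teletype articles normally
SAMPLE_LOG = [
    f'2025-01-10T09:59:58Z 10.0.0.5 www.microsoft.com GET / "{BEACON_UA}"',
    f'2025-01-10T10:00:00Z 10.0.0.5 telegra.ph GET /Vizit-12-28 "{BEACON_UA}"',
    f'2025-01-10T10:01:10Z 10.0.0.9 telegra.ph GET /some-article "{BROWSER_UA}"',
    f'2025-01-10T10:03:01Z 10.0.0.5 telegra.ph GET /Vizit-12-28 "{BEACON_UA}"',
    f'2025-01-10T10:06:00Z 10.0.0.5 telegra.ph GET /Vizit-12-28 "{BEACON_UA}"',
    f'2025-01-10T10:08:59Z 10.0.0.5 telegra.ph GET /Vizit-12-28 "{BEACON_UA}"',
    f'2025-01-10T10:12:01Z 10.0.0.5 telegra.ph GET /Vizit-12-28 "{BEACON_UA}"',
    f'2025-01-10T10:40:33Z 10.0.0.9 telegra.ph GET /another-article "{BROWSER_UA}"',
    f'2025-01-10T11:02:15Z 10.0.0.12 teletype.in GET /@someone/post "{BROWSER_UA}"',
    f'2025-01-10T11:30:00Z 10.0.0.9 telegra.ph GET /third-article "{BROWSER_UA}"',
]


def parse_line(line):
    """Parse one log line into a dict, or return None for lines that do not match the format."""
    m = LOG_RE.match(line.strip())
    if not m:
        return None
    rec = m.groupdict()
    rec["ts"] = datetime.strptime(rec["ts"], "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return rec


def find_ddr_beacons(lines, max_period=600, max_jitter=0.2, min_hits=3):
    """Flag (source, DDR host) pairs that are polled on a short, regular schedule.

    max_period: mean gap in seconds that still counts as beaconing (covers 3 and 9 minutes)
    max_jitter: allowed standard deviation of the gaps relative to the mean
    min_hits:   requests needed before a period is estimated at all
    """
    records = [r for r in map(parse_line, lines) if r]

    # How many distinct sources use each User-Agent; a fingerprint UA is used by exactly one
    ua_sources = defaultdict(set)
    for r in records:
        ua_sources[r["ua"]].add(r["src"])

    by_pair = defaultdict(list)
    for r in records:
        if r["host"] in DDR_HOSTS:
            by_pair[(r["src"], r["host"])].append(r)

    findings = []
    for (src, host), recs in by_pair.items():
        if len(recs) < min_hits:
            continue
        recs.sort(key=lambda r: r["ts"])
        gaps = [(b["ts"] - a["ts"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        jitter = statistics.pstdev(gaps) / mean if mean else 1.0
        if mean <= max_period and jitter <= max_jitter:
            unique_ua = sorted(ua for ua in {r["ua"] for r in recs} if len(ua_sources[ua]) == 1)
            findings.append({"src": src, "host": host, "period_s": round(mean),
                             "hits": len(recs), "host_specific_ua": unique_ua})
    return findings


if __name__ == "__main__":
    for f in find_ddr_beacons(SAMPLE_LOG):
        print(f)
```

Only the infected source is reported: the casual readers of the same platforms fail either the minimum-hit count or the period check, and the browser User-Agent they share is not host-specific. In production the period threshold should be widened if the operators change the task intervals, and the unique-UA signal should be computed over the whole fleet rather than a single log slice.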

The LNK dropper component focuses on propagation, replacing existing files with deceptive shortcuts that execute the malware.

The Ukrainian decoy filenames used by the malware include military themes such as “Casualties information,” “Sample monthly report,” and “Support of the Main Intelligence Directorate”.

Attribution of Gamaredon to Russia’s Federal Security Service (FSB) is supported by Ukrainian authorities and by multiple independent researchers.

The campaign’s targeting of Ukrainian entities with military-themed lures aligns with Russia’s strategic interests in the ongoing conflict, making this discovery particularly significant for understanding cyber operations in the region.


Tushar Subhra Dutta