A notorious Russian-linked cyber espionage group dubbed Shuckworm has intensified its operations in Ukraine by targeting the military mission of a Western country based in the region.
This latest campaign, which ran from late February through March 2025, demonstrates a concerning evolution in the group’s methods and a renewed focus on military intelligence gathering.
Shuckworm, also known as Gamaredon or Armageddon, has been active since 2013 and is believed to be closely tied to Russia’s Federal Security Service (FSB). The group has consistently focused its attacks on the Ukrainian government and defense sectors. However, its latest campaign is targeting a foreign military organization operating within Ukraine’s borders.
A New Wave of Attacks
According to Symantec’s Threat Hunter Team, the cyberattack began with an infected USB drive, a common method used to infiltrate air-gapped or secure networks. Once connected, the drive triggered a chain of events designed to secretly install malicious software and maintain a hidden presence on the target systems.
Central to the operation was an updated version of Shuckworm’s malware known as GammaSteel. “GammaSteel is an infostealer that exfiltrates data from victim networks. The attackers are seen using various methods for data exfiltration, including using the write.as web service for possible exfiltration. They are also seen using cURL alongside Tor as a backup method of data exfiltration. cURL is an open-source command-line tool that can be used to transfer data to and from a server and is frequently leveraged by malicious actors,” the researchers said.
GammaSteel was deployed through a multi-stage attack chain that used disguised code and obscure file names to avoid raising red flags. Among the tools used were disguised Windows scripts, registry manipulation techniques, and covert communication with command-and-control (C&C) servers operated by the malefactors.
Digging In and Staying Hidden
Once the malware was in place, it set up a presence in the Windows registry—making sure it would run every time the infected computer restarted. It also altered system settings to hide key files and prevent users from noticing anything unusual.
The malicious actors used a range of online services to communicate with infected machines and extract stolen data, including anonymous blogging and messaging platforms, Cloudflare tunnels to disguise the traffic, and Tor, a free overlay network that enables anonymous communications, and is more often than not, used to hide illicit activities.
In some cases, the malware collected detailed information about the target machine, including screenshots, lists of running programs, and even a breakdown of files stored on the desktop. This information would then be exfiltrated to servers controlled by Shuckworm.
What Was Targeted
The documents targeted made it clear the group was after military intelligence—among the file names found in the malware’s code—many in Ukrainian—were phrases like:
- “Deployment plan”
- “Special inspection”
- “Wound report”
- “Combat orders”
- “Information on the deceased”
- “Support from GUR” (Ukraine’s military intelligence agency)
These names suggest that Shuckworm was searching for highly sensitive operational documents, possibly to gain insights into troop movements, defense strategies, and allied military cooperation.
For some time, cybersecurity analysts have viewed Shuckworm as a persistent but relatively unsophisticated actor, but this latest operation suggests the group is becoming more advanced. Its use of multiple fallback channels for data theft, reliance on PowerShell for stealth, and layered obfuscation techniques herald a growing maturity in its operations.
The Bigger Picture
This attack is part of a broader cyber conflict that has been intensifying since Russia’s 2014 annexation of Crimea and escalated further with its full-scale invasion of Ukraine in 2022. As the war has dragged on, the digital front has become increasingly critical, with both sides engaging in cyber operations to disrupt, spy, and sabotage.
However, targeting a Western military mission ups the ante and risks dragging more international actors into the cyber conflict, perhaps sending the message that Russia’s intelligence is watching not only Ukraine but its allies, too.
Information Security Buzz News Editor
Kirsten Doyle has been in the technology journalism and editing space for nearly 24 years, during which time she has developed a great love for all aspects of technology, as well as words themselves. Her experience spans B2B tech, with a lot of focus on cybersecurity, cloud, enterprise, digital transformation, and data centre. Her specialties are in news, thought leadership, features, white papers, and PR writing, and she is an experienced editor for both print and online publications.
The opinions expressed in this post belong to the individual contributors and do not necessarily reflect the views of Information Security Buzz.