Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse

A Russian advanced persistent threat (APT) group has continued to evolve and expand its malware arsenal as part of its ongoing cyber onslaught against Ukraine throughout 2025. Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year. Primary targets of these

The article describes how the Russian APT group Gamaredon expanded its 2025–2026 campaigns against Ukrainian government and military entities with new malware families, upgraded PowerShell toolsets, and extensive abuse of cloud and legitimate online services for command-and-control and data exfiltration.[2][6] ESET reports at least 35 spear-phishing campaigns in 2025, with file stealers now exfiltrating data to S3-compatible cloud providers (e.g., Wasabi, Tebi, Intercolo) and using messaging, social media, blogging, and paste platforms as dead drops and infrastructure shields.[2][1] From a CyberSE.AI perspective, these tradecraft patterns demonstrate how state actors can repurpose common SaaS, cloud storage, and web platforms that AI agents also rely on, enabling stealthy data theft, living-off-the-land C2, and potentially covert delivery of malicious prompts or tooling into AI-assisted analyst workflows. Organizations using AI agents in security or mission-critical environments should treat cloud/SaaS integrations as high-risk supply-chain surfaces, apply continuous AI-focused red teaming against spear-phishing and file-ingestion paths, and enforce strict network and data governan