Skip to main content
All Posts
Research
1
min read

Malicious Activity Aligning with Gamaredon TTPs Targets Ukraine

The Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear).
Anomali Threat Research
Published on
December 5, 2019
Table of Contents

Overview

The Anomali Threat Research (ATR) team has identified malicious activity that we believe is being conducted by the Russia-sponsored Advanced Persistent Threat (APT) group Gamaredon (Primitive Bear). Some of the documents have been discussed by other researchers.[1] This Gamaredon campaign appears to have begun in mid-October 2019 and is ongoing as of November 25, 2019. Based on lure documents observed by ATR, we believe that at least the following Ukrainian entities and individuals may be targeted:

  • Diplomats
  • Government officials and employees
  • Journalists
  • Law enforcement
  • Military officials and personnel
  • Non-Governmental Organization (NGO)
  • The Ministry of Foreign Affairs of Ukraine

ATR analysts have found Tactics, Techniques, and Procedures (TTPs) that align with known Gamaredon tactics, in addition to a new template-injection technique that has not previously been observed to be utilized by the group.

The object of this report is to highlight a new Gamaredon TTP and share IOCs to the security community for awareness and further analysis. Several lure documents will also be examined, as well as a technical analysis section that showcases the functionalities of the template injection.

Get the full report on Gamaredon (Primitive Bear) and read through our key findings here.

Endnotes

[1] Evgeny Ananin and Artern Semenchenko “The Gamaredon Group: A TTP Profile Analysis,” Fortinet Blog, accessed November 25, 2019, published August 21 2019, https://www.fortinet.com/blog/threat-research/gamaredon-group-ttp-profile-analysis.html; ZLAB-YOROI, “The Russian Shadow in Eastern Europe: Ukrainian MOD Campaign,” YOROI Blog, accessed November 25, 2019, published April, 24, 2019 https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/; ZLAB-YOROI, “The Russian Shadow in Eastern Europe: A Month Later,” YORIO Blog, accessed November 25, 2019, published June 4, 2019, https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/.

FEATURED RESOURCES

January 13, 2026
Anomali Cyber Watch

Anomali Cyber Watch: Cisco ISE Flaw, Ni8mare, N8scape, Zero-Click Prompt Injection and more

Anomali Cyber Watch: Cisco ISE Flaw Enables Arbitrary File Read via Administrative Access. Ni8mare and N8scape Vulnerabilities Expose n8n Automation Platforms to Full Compromise. Zero-Click Prompt Injection Abuse Enables Silent Data Exfiltration via AI Agents. Phishing Attacks Exploit Misconfigured Email Routing to Spoof Internal Domains. Ransomware Activity in the U.S. Continued to Rise in 2025. Android Ghost Tap Malware Drives Remote NFC Payment Fraud Campaigns. Black Cat SEO Poisoning Malware Campaign Exploits Software Search Results. MuddyWater Upgrades Espionage Arsenal with RustyWater RAT in Middle East Spear-Phishing. China-Linked ESXi VM Escape Exploit Observed in the Wild. Instagram Denies Data Breach Despite Claims of 17.5 Million Account Data Leak
Read More
January 6, 2026
Anomali Cyber Watch

Anomali Cyber Watch: OWASP Agentic AI, MongoBleed, WebRAT Malware, and more

Real-World Attacks Behind OWASP Agentic AI Top 10. MongoDB Memory Leak Vulnerability “MongoBleed” Actively Exploited. WebRAT Malware Spread via Fake GitHub Proof of Concept Exploits. Trusted Cloud Automation Weaponized for Credential Phishing. MacSync macOS Stealer Evolves to Abuse Code Signing and Swift Execution. Claimed Resecurity Breach Turns Out to Be Honeypot Trap. Cybersecurity Professionals Sentenced for Enabling Ransomware Attacks. Google Tests Nano Banana 2 Flash as Its Fastest Image AI Model. RondoDox Botnet Exploits React2Shell to Hijack 90,000+ Systems. Critical n8n Expression Injection Leads to Arbitrary Code Execution
Read More
December 23, 2025
Anomali Cyber Watch

Anomali Cyber Watch: SantaStealer Threat, Christmas Scams of 2025, React2Shell Exploit, Phishing via ISO, and more

SantaStealer Infostealer Threat Gains Traction in Underground Forums. From Fake Deals to Phishing: The Most Effective Christmas Scams of 2025. React2Shell Exploitation Expands With New Payloads and Broader Targeting. Russian Phishing Campaign Delivers Phantom Stealer via ISO Attachments. And More...
Read More
Explore All