
Tracking Gamaredon: HarfangLab helps fortify Europe against Russian cyber espionage

European cybersecurity solutions provider HarfangLab has identified an ongoing cyber espionage campaign attributed to the Russian threat actor Gamaredon, with evidence pointing to a new wave of malware targeting Ukrainian military and governmental entities. HarfangLab’s threat researchers share a detailed technical analysis of Gamaredon’s PteroLNK VBScript malware and its supporting infrastructure to empower both cybersecurity players and organizations, even small or mid-sized, to assess exposure and strengthen their defence. 

While attribution remains complex, Gamaredon is widely recognized in the cybersecurity community as being linked to Russia’s Federal Security Service (FSB), focused on signals intelligence and information security. Historical targets include Ukrainian government institutions, critical infrastructure, and military commands, and samples from the recent campaign suggest a continued focus on such sectors. 

“Gamaredon’s effectiveness lies not in technical sophistication, but in tactical adaptability: high-tempo operations, relentless updates. They generate heavily obfuscated malware en masse, update dead drop resolvers daily to point to new infrastructure tunnels, and maintain a low detection rate”, said Ariel Jungheit, Lead Threat Researcher at HarfangLab, involved in the investigation.

The activity identified by HarfangLab, which began in late 2024, marks a continuation of Gamaredon’s decade-long operations targeting Ukraine. This latest research reveals active infections using a new variant from the group’s known Pterodo malware toolkit, featuring updates to its command-and-control channels that improve its resiliency.

“We analysed a new revision of malware from their known Pterodo ecosystem—called PteroLNK. We found samples dating back to December 2024, which can propagate via USB drives and network shares by replacing documents and folders with malicious shortcut files—so if one computer is infected, it can propagate easily. Once infected, the malware also acts as a downloader for additional payloads”, explains Ariel Jungheit. “Gamaredon’s goal remains consistent: surveillance and disruption of Ukrainian defence in support of Russia’s military objectives. What sets this campaign apart is not just the persistence and scale, but the fact that it’s still active up until today.”

Though HarfangLab found no direct evidence of German or broader European targets in this specific campaign, past activity from Gamaredon has included outliers in neighbouring countries, indicating the potential for regional spillover, particularly for countries with strong diplomatic or military ties to Ukraine.  

Collaboration and transparency to strengthen security 

Unlike broader industry reports, HarfangLab’s analysis offers publicly accessible indicators of compromise (IOCs) and detailed malware behaviour breakdowns, empowering small and mid-sized organizations—not just large cybersecurity players—to assess exposure and strengthen defences. 

“Gamaredon are masters of obfuscation. Their malware evades static and automated analysis tools. Even now, detection rates are low—only 6 out of 61 antivirus engines detect some of these samples months after their initial appearance. That shows how effective their methods are”, says Ariel Jungheit. “We want to empower organizations to take control of their security. We believe in collaboration and transparency in a field that has become increasingly closed and competitive. This research is detailed, actionable, and designed to help teams detect the threat—whether they’re small SOC teams or large cybersecurity companies. Detection isn’t widespread yet, and we hope this helps detection rates to go up.” 

The team’s findings are available on Inside the Lab.

About HarfangLab  
HarfangLab is a French cybersecurity company specializing in endpoint protection. HarfangLab publishes technologies that anticipate and neutralize cyber-attacks on computers and servers, while also providing a better understanding of your IT infrastructure for improved security. HarfangLab was the first EDR to be certified by ANSSI, and today boasts a large number of customers, including administrations, companies and international organizations operating in highly sensitive sectors. HarfangLab’s solutions are distinguished by: their openness, with solutions that integrate natively with all other security building blocks; their transparency, as the data collected by the tools remains accessible; and the strategic autonomy they offer, as customers are free to choose their hosting mode: cloud (public, private, or SecNumCloud) or their own infrastructure.