Gamaredon Expands Ukraine Attacks With New Malware

The Russian advanced persistent threat (APT) group Gamaredon has continued to expand its cyberattacks against Ukraine throughout 2025, evolving its malware and employing new tactics. Slovakian cybersecurity firm ESET reported observing 35 distinct spear-phishing campaigns launched by Gamaredon against new targets, with a significant increase in activity during the second half of the year. These campaigns primarily targeted individuals and organizations within Ukraine.

ESET's analysis, published on January 27, 2026, details how Gamaredon has incorporated new malware families and leveraged legitimate cloud services to facilitate its operations. The group has been observed using cloud platforms for command and control (C2) infrastructure, making it more challenging to detect and disrupt their activities. This strategic shift indicates an effort by Gamaredon to enhance the stealth and resilience of their cyberespionage operations.

Gamaredon's ongoing campaign against Ukraine is characterized by its persistence and adaptability. The group has historically focused on intelligence gathering and disruption, and their continued evolution suggests a long-term commitment to these objectives. ESET's findings highlight the persistent threat posed by state-sponsored APT groups and the need for continuous monitoring and defense against sophisticated cyber threats.