A newly discovered cyber threat actor, dubbed GamaCopy, has been found imitating the tactics of the Kremlin-linked Gamaredon hacking group to target Russian-speaking organizations. Security researchers at Knownsec 404 Advanced Threat Intelligence team uncovered this development in their latest report.
The threat actor uses lures themed around military facilities to deploy UltraVNC, a legitimate open-source remote-desktop tool that the attackers abuse to take control of compromised hosts. This tradecraft closely resembles that of another group tracked as Core Werewolf (also called Awaken Likho and PseudoGamaredon).
The infection chain starts with a 7-Zip self-extracting archive (7z-SFX) that drops the next-stage files. A batch script then installs UltraVNC under the name "OneDrivers.exe", chosen to pass as Microsoft OneDrive, while opening a decoy PDF so the victim sees an innocuous document.
Technical analysis shows several characteristics shared between GamaCopy and Core Werewolf operations: delivery via 7z-SFX files, command-and-control over TCP port 443 (where VNC traffic blends in with ordinary HTTPS), and the same batch-scripting constructs, notably `setlocal EnableDelayedExpansion`.
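The indicators above (a PE stub with a 7z archive appended, a batch script using delayed expansion, the "OneDrivers.exe" lookalike, a decoy PDF) are cheap to check in static triage. The script below is an added example written for this article, not code from Knownsec 404 or from any of the groups discussed. It assumes the standard 7-Zip SFX layout (PE stub, optional `;!@Install@!UTF-8!` ... `;!@InstallEnd@!` config block, then the archive signature `37 7A BC AF 27 1C`); whether the sample described here used an SFX config block is not stated in the report, so that part is a general 7z-SFX check. The sample bytes and the sample batch script are constructed here for illustration, not taken from the campaign.

```python
import re

# 7z archive signature. A 7z-SFX is a PE stub with the archive appended to it,
# optionally preceded by a text config block when the installer-style SFX
# module is used (general 7-Zip behaviour; assumption for this sample).
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"
SFX_CFG_START = b";!@Install@!UTF-8!"
SFX_CFG_END = b";!@InstallEnd@!"

# Batch-script indicators drawn from the article: delayed expansion, the
# OneDrive lookalike name, and a decoy document opened for the victim.
BATCH_INDICATORS = {
    "delayed_expansion": re.compile(r"setlocal\s+enabledelayedexpansion", re.I),
    "onedrive_lookalike": re.compile(r"\bOneDrivers\.exe\b", re.I),
    "decoy_document": re.compile(r'start\s+""\s+"?[^"\r\n]+\.pdf"?', re.I),
}


def find_embedded_7z(data: bytes):
    """Return the offset of a 7z archive appended to a PE image, or None.

    A plain .7z file (no MZ header) or a PE without the signature returns None.
    """
    if not data.startswith(b"MZ"):
        return None
    off = data.find(SEVEN_ZIP_MAGIC)
    return off if off > 0 else None


def parse_sfx_config(data: bytes) -> dict:
    """Extract key="value" lines from a 7-Zip SFX config block, if present.

    RunProgram / ExecuteFile tell you what the stub launches after extraction,
    which is where the batch script lives in a chain like the one described.
    """
    start = data.find(SFX_CFG_START)
    end = data.find(SFX_CFG_END, start) if start >= 0 else -1
    if start < 0 or end < 0:
        return {}
    body = data[start + len(SFX_CFG_START):end].decode("utf-8", "replace")
    return {m.group(1): m.group(2)
            for m in re.finditer(r'^\s*(\w+)="(.*?)"\s*$', body, re.M)}


def triage_batch(script: str) -> list:
    """Return the sorted names of BATCH_INDICATORS that match the script."""
    return sorted(name for name, rx in BATCH_INDICATORS.items() if rx.search(script))


def triage_sample(sfx: bytes, script: str) -> dict:
    """Combine the file-format and script checks into one triage verdict."""
    return {
        "embedded_7z_offset": find_embedded_7z(sfx),
        "sfx_config": parse_sfx_config(sfx),
        "batch_indicators": triage_batch(script),
    }


# Constructed stand-in for a 7z-SFX dropper: fake PE stub, SFX config, fake archive.
SAMPLE_SFX = (
    b"MZ" + b"\x00" * 62 + b"PE\x00\x00" + b"\x00" * 32
    + b";!@Install@!UTF-8!\r\n"
    + b'Title="Report"\r\n'
    + b'RunProgram="setup.bat"\r\n'
    + b";!@InstallEnd@!\r\n"
    + SEVEN_ZIP_MAGIC + b"\x00\x04" + b"\x00" * 26
)

# Constructed batch script mirroring the behaviour the article describes.
SAMPLE_BAT = r"""@echo off
setlocal EnableDelayedExpansion
set "dst=%APPDATA%\Microsoft"
copy /y winvnc.exe "!dst!\OneDrivers.exe" >nul
start "" "!dst!\OneDrivers.exe"
start "" "report.pdf"
"""

if __name__ == "__main__":
    for key, value in triage_sample(SAMPLE_SFX, SAMPLE_BAT).items():
        print(f"{key}: {value}")
```

The archive check deliberately requires an MZ header first: a bare .7z attachment is not a dropper by itself, and it is the PE-with-appended-archive shape that matters for this chain. Feed the extracted batch script (or the `RunProgram` target from the config) to `triage_batch`; all three indicators together are a much stronger signal than any one of them, since `EnableDelayedExpansion` alone is common in benign scripts.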
This development is part of a broader wave of cyber attacks on Russian organizations since the start of the Russo-Ukrainian war. Other groups active in this space include Sticky Werewolf (PhaseShifters), Venture Wolf, and Paper Werewolf, all of which pursue data theft through phishing campaigns.
The emergence of GamaCopy illustrates a growing pattern in cyber espionage: threat actors deliberately copy the techniques of established groups so that attribution is muddied while they pursue their own objectives.