A Russian hacking group known as Gamaredon has adopted new tactics to mask its malicious activities, using Cloudflare Tunnels to conceal malware distribution infrastructure, according to cybersecurity researchers.
The group, linked to Russia's Federal Security Service (FSB), has been targeting Ukrainian organizations since early 2024 through spear-phishing campaigns designed to deploy GammaDrop malware. Security experts at Recorded Future, who track the group as BlueAlpha, revealed these findings in their latest analysis.
The attackers send phishing emails containing HTML attachments that use a technique called HTML smuggling. When victims open these attachments, they unknowingly trigger a chain of events that installs multiple malicious components, including a custom loader called GammaLoad.
What makes this campaign notable is the use of Cloudflare Tunnels, a legitimate service, to hide the servers hosting the malware. The group also employs DNS fast-flux techniques, rapidly changing its command-and-control server addresses to avoid detection and maintain access to compromised systems.
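One signal defenders can hunt for is the rapid address rotation that fast-flux produces. The script below is an added example, not code from the article or from Recorded Future: it runs a heuristic detector over constructed passive-DNS log lines (the log format, domain names and addresses are assumptions made up for this illustration) and flags hostnames whose A records cycle through many distinct IPs with short TTLs inside a one-hour window.

```python
from collections import defaultdict
from datetime import datetime, timedelta

# Constructed sample passive-DNS log: "<timestamp> <qname> A <rdata> <ttl>".
# upd.flux.example churns through six IPs in 30 minutes with a 60 s TTL;
# www.stable.example never changes; cdn.slow.example changes, but hours apart.
SAMPLE_LOG = """\
2024-06-01T10:00:00 upd.flux.example A 198.51.100.10 60
2024-06-01T10:05:00 upd.flux.example A 203.0.113.77 60
2024-06-01T10:10:00 upd.flux.example A 192.0.2.45 60
2024-06-01T10:15:00 upd.flux.example A 198.51.100.10 60
2024-06-01T10:20:00 upd.flux.example A 203.0.113.9 60
2024-06-01T10:25:00 upd.flux.example A 192.0.2.200 60
2024-06-01T10:30:00 upd.flux.example A 198.51.100.33 60
2024-06-01T10:00:00 www.stable.example A 192.0.2.1 3600
2024-06-01T10:30:00 www.stable.example A 192.0.2.1 3600
2024-06-01T11:00:00 www.stable.example A 192.0.2.1 3600
2024-06-01T08:00:00 cdn.slow.example A 198.51.100.1 60
2024-06-01T11:00:00 cdn.slow.example A 198.51.100.2 60
2024-06-01T14:00:00 cdn.slow.example A 198.51.100.3 60
"""

def parse_lines(text):
    """Parse log lines into (timestamp, qname, ip, ttl); skip non-A rows."""
    records = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) != 5 or parts[2] != "A":
            continue
        records.append((datetime.fromisoformat(parts[0]), parts[1], parts[3], int(parts[4])))
    return records

def fast_flux_candidates(records, window=timedelta(hours=1), min_ips=5, max_ttl=300):
    """Return {qname: distinct_ip_count} for names that flux within any window."""
    by_domain = defaultdict(list)
    for ts, qname, ip, ttl in records:
        by_domain[qname].append((ts, ip, ttl))
    flagged = {}
    for qname, entries in by_domain.items():
        entries.sort()
        for i, (start, _, _) in enumerate(entries):  # slide the window start
            ips, ttls = set(), []
            for ts, ip, ttl in entries[i:]:
                if ts - start > window:
                    break
                ips.add(ip)
                ttls.append(ttl)
            if len(ips) >= min_ips and max(ttls) <= max_ttl:
                flagged[qname] = len(ips)
                break
    return flagged

def analyze(text=SAMPLE_LOG):
    return fast_flux_candidates(parse_lines(text))
```

Treat a hit as a triage lead rather than a verdict: legitimate CDNs and load balancers, Cloudflare included, also answer with short TTLs and rotating addresses, so the flagged names still need enrichment (ASN diversity, registration age, who resolved them) before anyone acts on them.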
The malware's primary goals include stealing sensitive data from web browsers, email clients, and messaging apps like Signal and Telegram. It can also spread to connected USB drives and download additional malicious software.
While the group's tools are not particularly sophisticated, they compensate through frequent updates and changing obfuscation methods. The attackers also deploy multiple backdoors simultaneously to maintain their presence in compromised systems.
Security researchers warn that Gamaredon's use of legitimate services like Cloudflare makes its activities harder to detect using traditional security measures. Organizations, especially those with limited threat detection capabilities, face growing challenges as the group continues to refine its evasion techniques.