Vernon Yai stands at the forefront of modern data protection, having spent years dissecting the sophisticated maneuvers of state-sponsored threat actors. His expertise in risk management and innovative detection provides a unique lens through which we can view the evolving landscape of information security. In this discussion, we explore the relentless cyber campaign targeting Ukraine throughout 2025, characterized by a sophisticated blend of traditional social engineering and modern cloud exploitation. We examine how threat actors are refining their malware delivery, the strategic weaponization of legitimate web services to mask data exfiltration, and the psychological indicators found in the timing of these operations.
The scale of spear-phishing campaigns targeting Ukrainian institutions in 2025 has been remarkably consistent. How has the approach to initial access evolved to maintain such a high level of activity?
In 2025, the sheer volume of these attacks was striking, with 35 distinct spear-phishing campaigns identified as targeting critical governmental and military infrastructure. These operations weren’t just about sending emails; they utilized complex delivery methods like XHTML files and HTML smuggling to slip malicious HTA downloaders past traditional security filters. By focusing on Ukrainian military interests, the attackers showed a cold, calculated persistence that lasted throughout the entire year, particularly intensifying in the second half. It’s a relentless digital siege where the goal is the constant exfiltration of sensitive data to support geopolitical interests. You can feel the pressure they are applying, essentially trying to wear down the defenders through sheer frequency and slight variations in their delivery payloads.
We’ve seen a shift in how persistence is maintained on a compromised machine, specifically involving vulnerabilities in common software. How does the exploitation of WinRAR play into their long-term strategy?
The weaponization of CVE-2025-8088, a specific vulnerability in WinRAR, represents a clever pivot toward automation and stealth. By exploiting this flaw, the actors can drop a malicious HTA downloader directly into the Windows Startup folder, ensuring that their malware wakes up every single time the victim logs back in. This isn’t just a one-time break-in; it’s about building a permanent home inside the victim’s architecture. When a user simply opens an archive, they are unknowingly triggering a chain of events that makes the infection nearly impossible to ignore. It creates a sense of dread for security teams because the persistence is baked into the very OS behavior that users rely on daily.
The “Ptero” family of tools seems to be a cornerstone of this group’s arsenal. What makes these specific malware variants, including the newly discovered PowerShell tools, so effective in a modern conflict?
The evolution of the Ptero suite is a masterclass in utility, featuring 6 brand-new PowerShell tools designed for specialized tasks like fetching payloads directly into memory to avoid detection. We are seeing tools like PteroSand for initial compromise and PteroSetup, which is a fascinating revival of a VBScript weaponizer first seen back in January 2021. PteroSetup is particularly devious because it scans for legitimate installer files on USB or network drives and replaces them with malicious 7z self-extracting archives. There is also PteroOdd, which suggests a deeper level of collaboration with other elite groups like Turla by using the Telegra.ph API. These tools create a multi-layered net that catches data through encrypted channels, making the exfiltration feel almost invisible to the naked eye.
There appears to be a significant increase in the abuse of legitimate third-party services to mask malicious traffic. Why has the group moved toward using serverless workers and tunnel services instead of their own infrastructure?
By moving their back-end operations behind legitimate platforms like Mastodon, Dropbox, and even the DEV Community, the attackers are effectively hiding in plain sight. In 2025, the reliance on these third-party services grew significantly as a way to create “dead drop” resolvers that point malware to hidden infrastructure. This makes it incredibly difficult for defenders to block the traffic because you can’t simply blacklist a service like Dropbox or Wasabi without disrupting legitimate business operations. They are using tunnels and serverless platforms to create a flexible, shifting maze that is much harder to disrupt than a static command-and-control server. It’s a frustrating game of cat and mouse where the “cat” is using the very tools we use for work every day.
Beyond the technical details, the timing of these attacks offers some interesting insights into the operators themselves. What can we learn from the operational breaks and the surge of activity around specific holidays?
The behavioral patterns we observed in 2025 are quite telling, especially the operational silence during major Russian and Crimean holidays. After a short break in January 2025, there was a massive surge in the development of new tools throughout the first half of the year, often leading right up to these significant calendar dates. This complete lack of activity during the holidays strongly suggests that these are not independent hackers, but likely government-affiliated employees working a standard, state-sanctioned schedule. It adds a human element to the code—you realize there are people sitting in offices, developing these 35 campaigns during their workweek and then logging off for the weekend. This connection between the digital onslaught and a physical work schedule is a powerful indicator of state-level coordination.
What is your forecast for Gamaredon?
I expect this group to become even more deeply integrated into legitimate cloud ecosystems, perhaps even moving into automated AI-driven spear-phishing to increase the success rate of those 35 annual campaigns. As long as the conflict continues, they will likely refine their “living off the cloud” techniques, making it nearly impossible to distinguish malicious data exfiltration from standard API calls. We will see them continue to recycle and improve veteran tools from 2021 and earlier, proving that in the world of cyber espionage, an old tool with a new delivery method is often just as dangerous as a zero-day exploit. The persistence of their “simple” malware is its greatest strength, and that won’t change anytime soon.