Russian Entities Under Attack: Mystery Hackers Clone Gamaredon’s Elite Cyber Tactics

New Threat Actor “GamaCopy” Mimics Russian Gamaredon Group’s Tactics

A newly identified threat actor, dubbed GamaCopy, has been discovered imitating the tactics of the Kremlin-affiliated Gamaredon hacking group to target Russian-speaking entities. The group shows significant overlap with another known threat actor, Core Werewolf (also known as Awaken Likho and PseudoGamaredon).

According to Knownsec 404 Advanced Threat Intelligence team’s recent report, GamaCopy’s attacks utilize military facility-related content as bait to deploy UltraVNC, a remote access tool. The attack methodology begins with a self-extracting archive file created using 7-Zip, which delivers subsequent payloads including a batch script that installs UltraVNC while displaying a decoy PDF document.

To evade detection, the group disguises the UltraVNC executable as “OneDrivers.exe,” masquerading as a Microsoft OneDrive component. The operation shares several technical characteristics with Core Werewolf campaigns, including:

– Use of 7z-SFX files
– Port 443 for server connection
– Use of the EnableDelayedExpansion setting in batch scripts
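The overlapping characteristics above translate into a small set of host-based checks. The following is an added detection example, not code from the Knownsec 404 report or from either threat group: it triages constructed process-creation events (field names are not a real EDR schema) for the masquerade name, the 7z-SFX-dropped batch script, and the port 443 connection. The OneDrive install directory and the 7ZipSfx temp-folder naming are assumptions about the legitimate client and 7-Zip, not details from the report.

```python
import re
from pathlib import PureWindowsPath

# Assumption (not from the report): the genuine OneDrive client runs from this directory.
ONEDRIVE_DIR = r"appdata\local\microsoft\onedrive"

# Constructed sample events: one benign OneDrive launch and one suspicious chain
# (dropper -> cmd.exe running a batch file from a 7-Zip SFX temp folder -> OneDrivers.exe).
SAMPLE_EVENTS = [
    {"pid": 100, "ppid": 1, "image": r"C:\Users\u\AppData\Local\Microsoft\OneDrive\OneDrive.exe",
     "cmdline": "OneDrive.exe /background", "dst_port": 443},
    {"pid": 200, "ppid": 50, "image": r"C:\Users\u\Downloads\orders.exe",
     "cmdline": "orders.exe", "dst_port": None},
    {"pid": 201, "ppid": 200, "image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'cmd.exe /c "C:\Users\u\AppData\Local\Temp\7ZipSfx.000\run.bat"', "dst_port": None},
    {"pid": 202, "ppid": 201, "image": r"C:\Users\u\AppData\Local\Temp\7ZipSfx.000\OneDrivers.exe",
     "cmdline": "OneDrivers.exe -connect 203.0.113.10::443", "dst_port": 443},
]


def triage(events):
    """Return {pid: [reasons]} for events matching the reported tradecraft."""
    by_pid = {e["pid"]: e for e in events}
    hits = {}
    for e in events:
        reasons = []
        path = PureWindowsPath(e["image"])
        name = path.name.lower()
        parent = by_pid.get(e["ppid"])
        # 1. The masquerade name from the report: UltraVNC renamed to OneDrivers.exe.
        if name == "onedrivers.exe":
            reasons.append("image named OneDrivers.exe (UltraVNC masquerade)")
        # 2. Anything with a OneDrive-like name running outside the OneDrive directory.
        if name.startswith("onedrive") and ONEDRIVE_DIR not in str(path.parent).lower():
            reasons.append("OneDrive-like name outside OneDrive install directory")
        # 3. cmd.exe executing a .bat from a 7-Zip SFX extraction folder (assumed 7ZipSfx.NNN naming).
        if name == "cmd.exe" and re.search(r"\\7zipsfx\.\d+\\.*\.bat", e["cmdline"], re.I):
            reasons.append("batch script executed from 7z-SFX temp directory")
        # 4. Outbound 443 from a binary spawned by that batch chain, i.e. a child of cmd.exe.
        if e["dst_port"] == 443 and parent and PureWindowsPath(parent["image"]).name.lower() == "cmd.exe":
            reasons.append("port 443 connection from a cmd.exe child process")
        if reasons:
            hits[e["pid"]] = reasons
    return hits


if __name__ == "__main__":
    for pid, reasons in triage(SAMPLE_EVENTS).items():
        print(pid, reasons)
```

A single weak rule (port 443 alone, or a bare filename) would be noisy on its own; the value is in requiring the chain, which is why the benign OneDrive event produces no hit.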

GamaCopy joins a growing list of threat actors targeting Russian organizations amid the Russo-Ukrainian conflict, including Sticky Werewolf (PhaseShifters), Venture Wolf, and Paper Werewolf. These groups primarily focus on data theft through sophisticated phishing campaigns.

This discovery follows Kaspersky’s earlier report of Core Werewolf targeting Russian government agencies and industrial entities using similar tactics but deploying MeshCentral instead of UltraVNC.