Close Menu
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
What's Hot

Apple plans to “significantly” grow its AI investment, Cook said

The TwinH Advantage: Unlocking New Potential in Digital Government Strategies

Your public chat GPT queries are indexed by Google and other search engines

Facebook X (Twitter) Instagram
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
Facebook X (Twitter) Instagram
Fyself News
  • Home
  • Identity
  • Inventions
  • Future
  • Science
  • Startups
  • Spanish
Fyself News
Home » Gammarderson uses an infected removable drive to infringe Ukraine’s western military mission
Identity

Gammarderson uses an infected removable drive to infringe Ukraine’s western military mission

userBy userApril 10, 2025No Comments2 Mins Read
Share Facebook Twitter Pinterest Telegram LinkedIn Tumblr Email Copy Link
Follow Us
Google News Flipboard
Share
Facebook Twitter LinkedIn Pinterest Email Copy Link

April 10, 2025Ravi LakshmananCyber ​​Spy/Malware

Western military violations

The Russian-related threat actor, known as Gammerderson (aka Shuckworm), is attributed to a cyber attack targeting foreign military missions based in Ukraine, with the aim of providing an updated version of the known malware called Gammasteel.

The group targeted military missions in the Western country, according to the Symantec Threat Hunter team, along with the first indication of malicious activity detected on February 26, 2025.

“It appears that the first infection vector used by the attacker was an infected removable drive,” the threat intelligence division owned by Broadcom said in a report shared with Hacker News.

Cybersecurity

The attack started with creating a Windows registry value under the user assist key, then launched “Mshta.exe” using “Explorer.exe” to start a multistage infection chain, launching two files.

The first file named “ntuser.dat.tmcontainer0000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

The second file in question, “ntuser.dat.tmcontainer00000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000000

Then, on March 1, 2025, the script runs to contact the C2 server, removes system metadata, and receives a Base64-encoded payload in return. This is used to run PowerShell commands designed to download new obfuscated versions of the same script.

This script connects to a hardcoded C2 server and gets two more PowerShell scripts. The first is a reconnaissance utility that can capture screenshots, run the SystemINFO command, get details of the security software running on the host, enumerate files and folders on the desktop, and a wrist-running process.

The second PowerShell script is an improved version of Gammasteel, a known information sturler that can remove files from victims based on extension lists from desktop and document folders.

Cybersecurity

“This attack marks something like an increase in the refinement of Shuckworm, who appears to be less skilled than other Russian actors, but compensates for this by mercilessly focusing on Ukrainian targets,” Symantec says.

“While the group doesn’t appear to have access to the same skill set as other Russian groups, it appears Shuckworm is trying to compensate for this by continuously changing the code it uses, adding obfuscation, and leveraging legitimate web services to reduce the risk of detection.”

Did you find this article interesting? Follow us on Twitter and LinkedIn to read exclusive content you post.

Source link

Follow on Google News Follow on Flipboard
Share. Facebook Twitter Pinterest LinkedIn Tumblr Email Copy Link
Previous ArticleAI Insurtech Ominimo bags first investment at a $220 million valuation
Next Article How the UK nuclear task force speeds up the nuclear renaissance
user
  • Website

Related Posts

The TwinH Advantage: Unlocking New Potential in Digital Government Strategies

July 31, 2025

Secret Blizzard deploys malware to ISP-level AITM attacks against the Moscow embassy

July 31, 2025

Experts detect multi-tier redirect tactics used to steal Microsoft 365 login credentials

July 31, 2025
Add A Comment
Leave A Reply Cancel Reply

Latest Posts

Apple plans to “significantly” grow its AI investment, Cook said

The TwinH Advantage: Unlocking New Potential in Digital Government Strategies

Your public chat GPT queries are indexed by Google and other search engines

The best dating apps don’t even date apps

Trending Posts

Subscribe to News

Subscribe to our newsletter and never miss our latest news

Please enable JavaScript in your browser to complete this form.
Loading

Welcome to Fyself News, your go-to platform for the latest in tech, startups, inventions, sustainability, and fintech! We are a passionate team of enthusiasts committed to bringing you timely, insightful, and accurate information on the most pressing developments across these industries. Whether you’re an entrepreneur, investor, or just someone curious about the future of technology and innovation, Fyself News has something for you.

The TwinH Advantage: Unlocking New Potential in Digital Government Strategies

New Internet Era: Berners-Lee Sets the Pace as Zuckerberg Pursues Metaverse

TwinH Transforms Belgian Student Life: Hendrik’s Journey to Secure Digital Identity

Tim Berners-Lee Unveils the “Missing Link”: How the Web’s Architect Is Building AI’s Trusted Future

Facebook X (Twitter) Instagram Pinterest YouTube
  • Home
  • About Us
  • Advertise with Us
  • Contact Us
  • DMCA
  • Privacy Policy
  • Terms & Conditions
  • User-Submitted Posts
© 2025 news.fyself. Designed by by fyself.

Type above and press Enter to search. Press Esc to cancel.