Threat Intelligence

Gamaredon's 2025 Phishing Surge: 35 Campaigns, Fresh Loaders, and Identity Tradecraft

The Russia-aligned group has spent the year refining spear-phishing lures against Ukrainian targets, leaning harder on cloud services and credential theft.

Lorna Singh · 3 min read

Gamaredon isn't subtle. It rarely needs to be.

The Russia-aligned crew — tracked variously as Armageddon, Primitive Bear, and Shuckworm — ran at least 35 distinct spear-phishing campaigns against Ukrainian targets in 2025, with the bulk landing in the second half of the year. Researchers monitoring the group say its malware family tree keeps branching, with new loaders and stealers slotted alongside long-running tools like PteroDash and GammaSteel.

The targeting profile hasn't shifted much. Government bodies, defense entities, and Ukrainian public-sector orgs remain the primary marks. The delivery does the heavy lifting: LNK files, HTA droppers, and Office documents wrapped in lures crafted to look like internal correspondence or military paperwork.

What's worth flagging for the identity crowd is how much of Gamaredon's post-compromise activity now revolves around credential harvesting and session abuse rather than noisy implants. GammaSteel variants this year have been pulling browser-stored credentials, cookies, and tokens — the kind of artifacts that let an attacker walk past a password prompt entirely. If your threat model still treats "the user typed their password" as the bar to clear, you're already behind.

The group has also continued abusing legitimate cloud services for C2 staging and exfiltration. Telegram, Cloudflare tunnels, and Dropbox have all shown up in campaign infrastructure across the year. Blending into sanctioned SaaS traffic is the whole point. It defeats naive egress filtering and complicates any DNS-based detection strategy that assumes attackers register their own domains.

Would MFA have helped? Partially, and honestly less than you'd hope. Stolen session cookies bypass the second factor by design unless the relying party binds tokens to the device — token binding per RFC 8471 never really shipped at scale, and DPoP (RFC 9449) adoption outside of a few OAuth providers is thin. Phishing-resistant authenticators (WebAuthn, FIDO2) raise the cost meaningfully at the auth step, but if the attacker is grabbing live cookies from a browser profile after initial execution, you're in authz territory, not auth.

A few practical takeaways for IAM teams watching Ukraine-adjacent threat reporting:

  • Shorten refresh-token lifetimes and enforce rotation with reuse detection. A stolen refresh token that's good for 90 days is a gift.
  • Bind sessions to device posture signals where your IdP supports it. Conditional access on impossible-travel alone is not enough against residential-proxy egress.
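The first takeaway, rotation with reuse detection, is easier to reason about with the mechanism written out. The following is an added illustration, not code from the article or from any IdP product: an in-memory refresh-token store (all class and method names are assumed for the example) that rotates tokens on every exchange, tags each chain of tokens with a family id, and revokes the entire family the moment an already-rotated token is presented again, which is the signal that a copy of the token exists somewhere it should not.

```python
import secrets
import time


class RefreshTokenStore:
    """Constructed demo of rotating refresh tokens with reuse detection.

    A production IdP would persist this state and use its own token format;
    the in-memory dicts here only exist to make the logic runnable offline.
    """

    def __init__(self, lifetime_s=3600):
        self.lifetime_s = lifetime_s            # short lifetime limits the blast radius
        self.tokens = {}                        # token -> record
        self.revoked_families = set()           # families killed after a reuse event

    def issue(self, subject, family=None, now=None):
        now = time.time() if now is None else now
        token = secrets.token_urlsafe(32)
        family = family or secrets.token_urlsafe(16)   # new login starts a new family
        self.tokens[token] = {"family": family, "subject": subject,
                              "expires": now + self.lifetime_s, "used": False}
        return token

    def rotate(self, token, now=None):
        """Exchange a refresh token for its successor. Returns (status, new_token)."""
        now = time.time() if now is None else now
        rec = self.tokens.get(token)
        if rec is None:
            return "unknown", None
        if rec["family"] in self.revoked_families:
            return "revoked", None
        if rec["used"]:
            # This token was already exchanged once. Either the legitimate client
            # replayed it or someone holding a stolen copy is using it. We cannot
            # tell which, so the whole family is revoked and both parties must
            # re-authenticate; the victim notices, the thief loses the session.
            self.revoked_families.add(rec["family"])
            return "reuse_detected", None
        if now > rec["expires"]:
            return "expired", None
        rec["used"] = True
        return "ok", self.issue(rec["subject"], rec["family"], now)
```

The sequence worth tracing is: the user exchanges token 1 for token 2, a stolen copy of token 1 is then presented, and from that point token 2 is dead as well, so the theft surfaces as a forced re-login rather than a silent 90-day session.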

Gamaredon is not the most sophisticated Russian APT in the field. It is arguably the most persistent. The group's value to its sponsors appears to be tempo, not finesse — and tempo is exactly what wears defenders down over a multi-year conflict.

Expect the campaign count to keep climbing into 2026. The tooling will keep mutating just enough to dodge static signatures, and the lures will keep looking like something a tired analyst would click at 4pm on a Friday.

© 2026 Threat Vectr