Threat Actor Profile
High APT
Description

Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)

In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.(Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)

Confidence Score
90%
Known Aliases
Gamaredon Group, IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard
Tags
mitre-attack stix-2.1 intrusion-set
First Seen

Unknown

Last Updated

Unknown

Active Status
Active
Created

April 29, 2026

MITRE ATT&CK Techniques (70), grouped by tactic

Collection
  T1005 - Data from Local System
  T1025 - Data from Removable Media
  T1039 - Data from Network Shared Drive
  T1113 - Screen Capture
  T1119 - Automated Collection

Command and Control
  T1001 - Data Obfuscation
  T1071.001 - Web Protocols
  T1090 - Proxy
  T1090.003 - Multi-hop Proxy
  T1095 - Non-Application Layer Protocol
  T1102 - Web Service
  T1102.002 - Bidirectional Communication
  T1102.003 - One-Way Communication
  T1105 - Ingress Tool Transfer
  T1568 - Dynamic Resolution
  T1568.001 - Fast Flux DNS
  T1571 - Non-Standard Port

Defense Evasion
  T1027 - Obfuscated Files or Information
  T1027.004 - Compile After Delivery
  T1027.010 - Command Obfuscation
  T1027.012 - LNK Icon Smuggling
  T1027.015 - Compression
  T1027.016 - Junk Code Insertion
  T1036.005 - Match Legitimate Resource Name or Locat…
  T1055 - Process Injection
  T1070.004 - File Deletion
  T1112 - Modify Registry
  T1140 - Deobfuscate/Decode Files or Information
  T1218.005 - Mshta
  T1218.011 - Rundll32
  T1221 - Template Injection
  T1480 - Execution Guardrails
  T1497.001 - System Checks
  T1562.001 - Disable or Modify Tools
  T1564.003 - Hidden Window
  T1620 - Reflective Code Loading

Discovery
  T1012 - Query Registry
  T1016.001 - Internet Connection Discovery
  T1033 - System Owner/User Discovery
  T1057 - Process Discovery
  T1082 - System Information Discovery
  T1083 - File and Directory Discovery
  T1120 - Peripheral Device Discovery
  T1518.001 - Security Software Discovery

Execution
  T1047 - Windows Management Instrumentation
  T1053.005 - Scheduled Task
  T1059.001 - PowerShell
  T1059.003 - Windows Command Shell
  T1059.005 - Visual Basic
  T1106 - Native API
  T1204.001 - Malicious Link
  T1204.002 - Malicious File
  T1559.001 - Component Object Model

Exfiltration
  T1020 - Automated Exfiltration
  T1041 - Exfiltration Over C2 Channel

Impact
  T1491.001 - Internal Defacement
  T1561.001 - Disk Content Wipe

Initial Access
  T1566.001 - Spearphishing Attachment

Lateral Movement
  T1021.005 - VNC
  T1080 - Taint Shared Content
  T1091 - Replication Through Removable Media
  T1534 - Internal Spearphishing

Persistence
  T1137 - Office Application Startup
  T1547.001 - Registry Run Keys / Startup Folder

Resource Development
  T1583.001 - Domains
  T1583.003 - Virtual Private Server
  T1583.006 - Web Services
  T1587.003 - Digital Certificates
  T1588.002 - Tool
  T1608.001 - Upload Malware
STIX Data
{'aliases': ['Gamaredon Group',
             'IRON TILDEN',
             'Primitive Bear',
             'ACTINIUM',
             'Armageddon',
             'Shuckworm',
             'DEV-0157',
             'Aqua Blizzard'],
 'created': '2017-05-31T21:32:09.849Z',
 'created_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'description': '[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a '
                'suspected Russian cyber espionage group that has targeted '
                'military, law enforcement, judiciary, non-profit, and '
                'non-governmental organizations in Ukraine since at least '
                '2013. The name [Gamaredon '
                'Group](https://attack.mitre.org/groups/G0047) derives from a '
                'misspelling of the word "Armageddon," found in early '
                'campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: '
                'TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon '
                'June 2020)(Citation: Symantec Shuckworm January '
                '2022)(Citation: Microsoft Actinium February 2022)\n'
                '\n'
                'In November 2021, the Ukrainian government publicly '
                'attributed [Gamaredon '
                'Group](https://attack.mitre.org/groups/G0047) to Russia’s '
                'Federal Security Service (FSB) Center 18, an assessment later '
                'supported by multiple independent cybersecurity researchers. '
                '(Citation: Bleepingcomputer Gamardeon FSB November '
                '2021)(Citation: Microsoft Actinium February 2022)',
 'external_references': [{'external_id': 'G0047',
                          'source_name': 'mitre-attack',
                          'url': 'https://attack.mitre.org/groups/G0047'},
                         {'description': '(Citation: Microsoft Actinium '
                                         'February 2022)',
                          'source_name': 'ACTINIUM'},
                         {'description': '(Citation: Microsoft Actinium '
                                         'February 2022)',
                          'source_name': 'DEV-0157'},
                         {'description': '(Citation: Microsoft Threat Actor '
                                         'Naming July 2023)',
                          'source_name': 'Aqua Blizzard'},
                         {'description': '(Citation: Palo Alto Gamaredon Feb '
                                         '2017)',
                          'source_name': 'Gamaredon Group'},
                         {'description': '(Citation: Secureworks IRON TILDEN '
                                         'Profile)',
                          'source_name': 'IRON TILDEN'},
                         {'description': '(Citation: Symantec Shuckworm '
                                         'January 2022)',
                          'source_name': 'Armageddon'},
                         {'description': '(Citation: Symantec Shuckworm '
                                         'January 2022)',
                          'source_name': 'Shuckworm'},
                         {'description': '(Citation: Unit 42 Gamaredon '
                                         'February 2022)',
                          'source_name': 'Primitive Bear'},
                         {'description': 'Boutin, J. (2020, June 11). '
                                         'Gamaredon group grows its game. '
                                         'Retrieved June 16, 2020.',
                          'source_name': 'ESET Gamaredon June 2020',
                          'url': 'https://www.welivesecurity.com/2020/06/11/gamaredon-group-grows-its-game/'},
                         {'description': 'Kakara, H., Maruyama, E. (2020, '
                                         'April 17). Gamaredon APT Group Use '
                                         'Covid-19 Lure in Campaigns. '
                                         'Retrieved May 19, 2020.',
                          'source_name': 'TrendMicro Gamaredon April 2020',
                          'url': 'https://blog.trendmicro.com/trendlabs-security-intelligence/gamaredon-apt-group-use-covid-19-lure-in-campaigns/'},
                         {'description': 'Kasza, A. and Reichel, D. (2017, '
                                         'February 27). The Gamaredon Group '
                                         'Toolset Evolution. Retrieved March '
                                         '1, 2017.',
                          'source_name': 'Palo Alto Gamaredon Feb 2017',
                          'url': 'https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/'},
                         {'description': 'Microsoft . (2023, July 12). How '
                                         'Microsoft names threat actors. '
                                         'Retrieved November 17, 2023.',
                          'source_name': 'Microsoft Threat Actor Naming July '
                                         '2023',
                          'url': 'https://learn.microsoft.com/en-us/microsoft-365/security/intelligence/microsoft-threat-actor-naming?view=o365-worldwide'},
                         {'description': 'Microsoft Threat Intelligence '
                                         'Center. (2022, February 4). ACTINIUM '
                                         'targets Ukrainian organizations. '
                                         'Retrieved February 18, 2022.',
                          'source_name': 'Microsoft Actinium February 2022',
                          'url': 'https://www.microsoft.com/security/blog/2022/02/04/actinium-targets-ukrainian-organizations/'},
                         {'description': 'Secureworks CTU. (n.d.). IRON '
                                         'TILDEN. Retrieved February 24, 2022.',
                          'source_name': 'Secureworks IRON TILDEN Profile',
                          'url': 'https://www.secureworks.com/research/threat-profiles/iron-tilden'},
                         {'description': 'Symantec. (2022, January 31). '
                                         'Shuckworm Continues Cyber-Espionage '
                                         'Attacks Against Ukraine. Retrieved '
                                         'February 17, 2022.',
                          'source_name': 'Symantec Shuckworm January 2022',
                          'url': 'https://symantec-enterprise-blogs.security.com/blogs/threat-intelligence/shuckworm-gamaredon-espionage-ukraine'},
                         {'description': 'Toulas, B. (2018, November 4). '
                                         'Ukraine links members of Gamaredon '
                                         'hacker group to Russian FSB. '
                                         'Retrieved April 15, 2022.',
                          'source_name': 'Bleepingcomputer Gamardeon FSB '
                                         'November 2021',
                          'url': 'https://www.bleepingcomputer.com/news/security/ukraine-links-members-of-gamaredon-hacker-group-to-russian-fsb/'},
                         {'description': 'Unit 42. (2022, February 3). '
                                         'Russia’s Gamaredon aka Primitive '
                                         'Bear APT Group Actively Targeting '
                                         'Ukraine. Retrieved February 21, '
                                         '2022.',
                          'source_name': 'Unit 42 Gamaredon February 2022',
                          'url': 'https://unit42.paloaltonetworks.com/gamaredon-primitive-bear-ukraine-update-2021/'}],
 'id': 'intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf',
 'modified': '2025-10-24T01:05:47.958Z',
 'name': 'Gamaredon Group',
 'object_marking_refs': ['marking-definition--fa42a846-8d90-4e51-bc29-71d5b4802168'],
 'revoked': False,
 'spec_version': '2.1',
 'type': 'intrusion-set',
 'x_mitre_attack_spec_version': '3.3.0',
 'x_mitre_contributors': ['ESET',
                          'Trend Micro Incorporated',
                          'Yoshihiro Kori, NEC Corporation',
                          'Manikantan Srinivasan, NEC Corporation India',
                          'Pooja Natarajan, NEC Corporation India'],
 'x_mitre_deprecated': False,
 'x_mitre_domains': ['enterprise-attack'],
 'x_mitre_modified_by_ref': 'identity--c78cb6e5-0c4b-4611-8297-d1b8b55e40b5',
 'x_mitre_version': '3.2'}
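As an added worked example (not part of this page and not MITRE's own tooling): the STIX 2.1 record above is what a practitioner actually ingests, so the script below shows how to pull the stable ATT&CK group ID out of external_references rather than relying on the STIX UUID, build a case- and punctuation-insensitive alias index for pivoting across vendor names (Microsoft's "Aqua Blizzard", Secureworks' "IRON TILDEN"), look up the citation the record gives for an alias, and turn the technique list into a per-tactic view that also surfaces the parent techniques implied by listed sub-techniques. INTRUSION_SET is a trimmed copy of the page's record, TECHNIQUES is a constructed subset of the 70-entry list, and the function names are mine.

```python
"""Lookups built from the ATT&CK intrusion-set record on this page.
Added example; INTRUSION_SET is a trimmed copy of the page's STIX object
and TECHNIQUES is a constructed subset of its technique list."""
import re
from collections import defaultdict

# Trimmed copy of the page's intrusion-set object (constructed sample).
INTRUSION_SET = {
    "type": "intrusion-set",
    "spec_version": "2.1",
    "id": "intrusion-set--2e290bfe-93b5-48ce-97d6-edcd6d32b7cf",
    "name": "Gamaredon Group",
    "aliases": ["Gamaredon Group", "IRON TILDEN", "Primitive Bear", "ACTINIUM",
                "Armageddon", "Shuckworm", "DEV-0157", "Aqua Blizzard"],
    "external_references": [
        {"source_name": "mitre-attack", "external_id": "G0047",
         "url": "https://attack.mitre.org/groups/G0047"},
        {"source_name": "ACTINIUM",
         "description": "(Citation: Microsoft Actinium February 2022)"},
        {"source_name": "Aqua Blizzard",
         "description": "(Citation: Microsoft Threat Actor Naming July 2023)"},
        {"source_name": "IRON TILDEN",
         "description": "(Citation: Secureworks IRON TILDEN Profile)"},
    ],
    "revoked": False,
    "x_mitre_deprecated": False,
}

# Constructed subset of the page's technique list: (ID, name, tactic).
TECHNIQUES = [
    ("T1027", "Obfuscated Files or Information", "Defense Evasion"),
    ("T1027.004", "Compile After Delivery", "Defense Evasion"),
    ("T1218.005", "Mshta", "Defense Evasion"),
    ("T1053.005", "Scheduled Task", "Execution"),
    ("T1059.005", "Visual Basic", "Execution"),
    ("T1566.001", "Spearphishing Attachment", "Initial Access"),
    ("T1091", "Replication Through Removable Media", "Lateral Movement"),
]

TECHNIQUE_ID = re.compile(r"^T\d{4}(?:\.\d{3})?$")  # Txxxx or Txxxx.yyy


def attack_id(obj):
    """Return the ATT&CK group ID (e.g. G0047). The STIX 'id' is a UUID that
    differs between tools; the mitre-attack external_id is the stable join key."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == "mitre-attack":
            return ref["external_id"]
    return None


def normalise(name):
    """Fold case, whitespace and punctuation so 'Iron Tilden', 'IRON_TILDEN'
    and 'IRON TILDEN' collide on one key."""
    return re.sub(r"[^a-z0-9]", "", name.lower())


def alias_index(obj):
    """Map each normalised alias (and the canonical name) to the canonical name."""
    return {normalise(n): obj["name"] for n in [obj["name"], *obj.get("aliases", [])]}


def resolve(obj, vendor_name):
    """Resolve a vendor's name for the group to the canonical name, or None."""
    return alias_index(obj).get(normalise(vendor_name))


def alias_source(obj, alias):
    """Citation the record gives for an alias; None if the alias has no reference."""
    for ref in obj.get("external_references", []):
        if ref.get("source_name") == alias:
            return ref.get("description")
    return None


def tactic_coverage(techniques):
    """Group technique IDs by tactic. Malformed IDs raise instead of silently
    skewing the coverage picture."""
    coverage = defaultdict(list)
    for tid, _name, tactic in techniques:
        if not TECHNIQUE_ID.match(tid):
            raise ValueError(f"malformed technique ID: {tid!r}")
        coverage[tactic].append(tid)
    return dict(coverage)


def implied_parents(techniques):
    """A listed sub-technique (T1027.004) implies its parent (T1027) is in play.
    Return the implied parents that are not listed explicitly."""
    listed = {tid for tid, _n, _t in techniques}
    parents = {tid.split(".")[0] for tid in listed if "." in tid}
    return sorted(parents - listed)


if __name__ == "__main__":
    print(attack_id(INTRUSION_SET), resolve(INTRUSION_SET, "Iron Tilden"))
    print(alias_source(INTRUSION_SET, "Aqua Blizzard"))
    print(tactic_coverage(TECHNIQUES), implied_parents(TECHNIQUES))
```

Joining on the mitre-attack external_id rather than the STIX UUID matters when the same group record is pulled from more than one feed; the alias index is what lets a Sentinel or Splunk rule tagged "Aqua Blizzard" by one vendor land on the same group as a Secureworks report tagged "IRON TILDEN".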