Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns. In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High, ≥ 3 Moderate, < 3 Low
Attribution signals
8 mentions · 2 sources
"Google's Threat Intelligence Group documented the same CVE being exploited by Sandworm, Turla, and Gamaredon in the same timeframe"
"Gamaredon actively facilitated Turla's access to high-value Ukrainian targets in Ukraine."
"Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla's Kazuar backdoor and, in at least one case, restore Turla's access after the group appeared to have lost its foothold."
"Still one of the most active espionage actors targeting Ukraine, the group relies on relentless spearphishing, lightweight custom tooling, and fast operational tempo to compromise military and government organizations."
"The researchers provide evidence of direct operational collaboration between Gamaredon and Turla, detailing concrete cases in which Gamaredon activity enabled Turla operations on already compromised systems."
"The group was tied to the FSB by Ukraine's Security Service"
"Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) has been active since 2014 and its activity focuses on Ukraine"
"Gamaredon infection chain: spoofed emails, GammaDrop and GammaLoad"
Hedge terms observed