Threat actors sponsored by Russia are targeting Ukrainian entities using information-stealing malware. The ongoing attacks are believed to be a part of cyberespionage operations.

GammaLoad targets Ukrainian networks

Recently, Symantec linked the malicious campaign, which uses the GammaLoad infostealer, to a Russian threat actor tracked as Shuckworm. CERT-UA has since confirmed the findings.
  • The recent set of attacks started on July 15 and was observed to be active as recently as August 8.
  • The infection chains used phishing emails masked as newsletters and combat orders.
  • These phishing emails led to the deployment of a PowerShell stealer malware, GammaLoad.PS1_v2.

About the threat group

The Shuckworm threat group has been active since 2013 and is known for specifically targeting public and private firms in Ukraine. Its cyberattacks have increased since Russia invaded Ukraine.

Use of two backdoors

The attackers delivered two backdoors named Pterodo and Giddome. Both are hallmark Shuckworm tools and are continually enhanced by the attackers to stay hidden.
  • Pterodo is a VBS dropper with capabilities to run PowerShell scripts, use scheduled tasks for persistence, and download additional code from a C2 server.
  • The Giddome implant comes with different capabilities, such as recording audio, logging keystrokes, capturing screenshots, and obtaining and running arbitrary executables on the infected system.
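Pterodo's habit of keeping its PowerShell and VBS stages alive through scheduled tasks is something defenders can hunt for in task-creation logs. The script below is an added example for this summary, not code from Symantec, CERT-UA or Cyware. It assumes Windows Security event 4698 ("A scheduled task was created") records reduced to their TaskName and TaskContent fields; the sample events, task names and the heuristics in SUSPICIOUS_ARGS are constructed for the example, not a published signature, and a production rule would need tuning against the environment's own legitimate tasks.

```python
"""
Hunt for script-host persistence in scheduled-task creation events.

Windows writes Security event 4698 when a task is created and embeds the
task's XML definition in its TaskContent field. We pull every <Exec> action
out of that XML and flag tasks that launch a script interpreter or
PowerShell with the arguments droppers typically use.
All events and heuristics below are constructed for this example.
"""
import ntpath
import re
import xml.etree.ElementTree as ET

# Interpreters a VBS/PowerShell dropper relies on; installers rarely schedule these directly.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "powershell.exe", "pwsh.exe", "mshta.exe"}

# Argument traits worth a second look (all matched case-insensitively).
SUSPICIOUS_ARGS = {
    "encoded PowerShell command": re.compile(r"-(?:e|enc|encodedcommand)\b", re.I),
    "hidden window": re.compile(r"-w(?:indowstyle)?\s+hidden\b", re.I),
    "profile suppressed": re.compile(r"-nop(?:rofile)?\b", re.I),
    "script in user-writable path": re.compile(r"\\(?:temp|appdata|programdata)\\", re.I),
    "script file extension": re.compile(r"\.(?:vbs|vbe|js|jse|hta|ps1)\b", re.I),
}

TASK_NS = "http://schemas.microsoft.com/windows/2004/02/mit/task"


def _task(command, arguments):
    """Build a minimal task definition (constructed; real 4698 events carry a fuller XML)."""
    return (
        f'<Task version="1.2" xmlns="{TASK_NS}">'
        "<Triggers><LogonTrigger><Enabled>true</Enabled></LogonTrigger></Triggers>"
        f'<Actions Context="Author"><Exec><Command>{command}</Command>'
        f"<Arguments>{arguments}</Arguments></Exec></Actions></Task>"
    )


# Constructed sample records: two dropper-style tasks, one benign vendor updater,
# and one 4702 (task updated) record that the hunt must ignore.
SAMPLE_EVENTS = [
    {"event_id": 4698, "task_name": r"\OfficeSync",
     "task_content": _task("wscript.exe",
                           r'//B //E:vbscript "C:\Users\victim\AppData\Local\Temp\sync.vbs"')},
    {"event_id": 4698, "task_name": r"\SystemHealth",
     "task_content": _task(r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
                           "-NoProfile -WindowStyle Hidden -EncodedCommand BASE64PLACEHOLDER")},
    {"event_id": 4698, "task_name": r"\Vendor\Updater",
     "task_content": _task(r'"C:\Program Files\Vendor\Updater.exe"', "/silent")},
    {"event_id": 4702, "task_name": r"\OfficeSync",
     "task_content": _task("wscript.exe", "")},
]


def _local(tag):
    """Strip the XML namespace so the task schema prefix does not matter."""
    return tag.rsplit("}", 1)[-1]


def exec_actions(task_xml):
    """Yield (command, arguments) for each <Exec> action in a task definition."""
    root = ET.fromstring(task_xml)
    for elem in root.iter():
        if _local(elem.tag) != "Exec":
            continue
        command = arguments = ""
        for child in elem:
            if _local(child.tag) == "Command":
                command = (child.text or "").strip()
            elif _local(child.tag) == "Arguments":
                arguments = (child.text or "").strip()
        yield command, arguments


def assess_task(task_xml):
    """Return the reasons a task looks like script-based persistence (empty list = nothing flagged)."""
    reasons = []
    for command, arguments in exec_actions(task_xml):
        binary = ntpath.basename(command.strip('"')).lower()
        if binary and not binary.endswith(".exe"):
            binary += ".exe"  # "powershell" and "powershell.exe" name the same interpreter
        if binary in SCRIPT_HOSTS:
            reasons.append(f"launches script host {binary}")
        for label, pattern in SUSPICIOUS_ARGS.items():
            if pattern.search(arguments):
                reasons.append(label)
    return reasons


def hunt(events):
    """Map each suspicious task name to its reasons; only event 4698 records are considered."""
    findings = {}
    for event in events:
        if event.get("event_id") != 4698:
            continue
        reasons = assess_task(event["task_content"])
        if reasons:
            findings[event["task_name"]] = reasons
    return findings


if __name__ == "__main__":
    for name, reasons in hunt(SAMPLE_EVENTS).items():
        print(name)
        for reason in reasons:
            print("   -", reason)
```

Run stand-alone, the script reports the two constructed dropper-style tasks and stays silent on the vendor updater. To use it on real data, export the TaskName and TaskContent fields of 4698 events from the Security log into the same record shape; the namespace-agnostic parsing means the TaskContent XML can be fed in unchanged.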

More Insights

  • The attackers also use legitimate remote-access software such as Ammyy Admin and AnyDesk.
  • The finding follows an alert from CERT-UA, which warns of phishing attacks that use a .NET downloader (RelicRace) to run payloads such as Snake Keylogger and Formbook.

Conclusion

The Shuckworm group is not tactically sophisticated, but it relentlessly focuses on persistence and on Ukrainian targets. For protection, Ukrainian firms and government entities are advised to follow the recommendations provided by CERT-UA and Broadcom.
Cyware Publisher