- Symantec says it found GammaSteel on aircraft belonging to a military operation in Ukraine
- GammaSteel is an infostealer built by the Russian cyber-outfit Gamaredon
- Gamaredon is one of the many groups on the GRU's payroll
A “military mission of a western country”, located in Ukraine, was the target of a Russian cyber-espionage attack, according to cybersecurity researchers at Symantec, who said they had identified an attack that started in February 2025 and probably continued for several weeks.
The researchers say that the attack began with an infected removable drive containing a malicious .lnk file, which triggered an infection chain that led to the deployment of GammaSteel.
GammaSteel is infostealer malware, capable of exfiltrating documents in various formats, such as .docx, .pdf, .xls, .txt, etc. It was probably built and deployed by a Russian state-sponsored threat actor known as Gamaredon (or Shuckworm).
Infected removable drives
In addition to stealing files, it can also take screenshots of the infected device and collect key information such as installed antivirus tools, running processes, etc.
Finally, the tool establishes persistence on compromised endpoints via a new Windows registry entry. The researchers said that the threat actors had changed their tactics slightly to better hide the payload.
Symantec did not say whose military mission was compromised, or what type of information, if any, was stolen in the attack. It is safe to assume that the attack is part of a wider cyber-war effort under way since Russia invaded Ukraine over three years ago.
Russian aggression has shown how digital war has changed. The digital world has become a front in its own right, with Russian cyber-infantry targeting communication satellites, government parameters, electricity stations, etc.
The Ukrainians responded by hacking Russian television and radio to broadcast anti-war messages, manipulating a taxi application to send dozens of cars to one place in Moscow, and disclosing gigabytes of data from Russian entities, including the private Wagner group.
Gamaredon is only one of the many groups actively involved in the war, alongside Conti or Sandworm. All are apparently part of the GRU, Russia's military intelligence unit.
Via BleepingComputer




