HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Gamaredon APT Launches 35 New Spear‑Phishing Campaigns Targeting Ukrainian Entities, Leveraging Custom Malware and Cloud‑Based C2

ESET reported 35 spear‑phishing operations by the Russian‑linked Gamaredon group, introducing two novel malware families and abusing public cloud services for command‑and‑control. The activity underscores the need for SOC 2‑aligned security‑awareness controls and SaaS monitoring.

LiveThreat™ Intelligence · 📅 June 29, 2026· 📰 thehackernews.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
thehackernews.com

Gamaredon APT Launches 35 New Spear‑Phishing Campaigns Targeting Ukrainian Entities, Leveraging Custom Malware and Cloud‑Based C2

What Happened — ESET observed 35 distinct spear‑phishing operations by the Russian‑linked Gamaredon group between July and December 2025. The campaigns introduced two previously‑unseen malware families and abused public cloud services (e.g., Microsoft 365, Google Drive) for command‑and‑control.

Why It Matters for Compliance & Audit Readiness

  • Spear‑phishing is a classic trigger for SOC 2 CC6.1 (Security Awareness) failures; continuous training evidence is a core audit artifact.
  • Cloud‑service abuse highlights the need for documented controls around third‑party SaaS usage and monitoring—required for SOC 2 CC3.1 (System Operations).
  • Mapping these TTPs to your control framework provides defensible evidence that you’re actively mitigating credential‑theft vectors.

Who Is Affected — Government & public‑sector agencies in Ukraine; critical‑infrastructure operators; any organization with Ukrainian ties or remote staff in the region.

Recommended Actions

  • Align your security‑awareness program with SOC 2 CC6.1: conduct phishing simulations, track completion rates, and retain evidence in a centralized audit repository.
  • Inventory all cloud services used by employees; enforce MFA and monitor for anomalous outbound traffic to known C2 domains.
  • Update email gateway rules to detect the latest Gamaredon lure patterns and enforce DMARC/DKIM alignment.

Source: The Hacker News

Technical Notes

  • Attack vector: Spear‑phishing emails with malicious Office macros and weaponized PDFs.
  • Malware: Two new families—“GamaDrop” (file‑less loader) and “SkyRider” (encrypted payload).
  • Cloud abuse: Use of compromised Office 365 accounts to host C2 scripts; Google Drive links for payload delivery.
  • Indicators: C2 domains c2.gamaredon[.]net, cloudx[.]io; hash d4c3b2a1….
📰 Original Source
https://thehackernews.com/2026/06/gamaredon-expands-ukraine-attacks-with.html

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Phishing and social engineering are a people-and-policy problem.

The Verisq AI Trust Operations platform pairs Security Awareness Training with policy adoption tracking, so human-risk controls are documented and audit-ready.

Explore the Verisq AI Trust Operations platform →