Gamaredon Expands PowerShell Downloaders and Spear‑Phishing Campaigns, Leveraging Cloud Services to Obscure C2
What Happened — Russian‑linked threat group Gamaredon released six new PowerShell‑based downloaders and launched at least 35 spear‑phishing campaigns in 2025. The actors hid command‑and‑control infrastructure behind Cloudflare workers, Microsoft dev tunnels, and services like Telegram and Dropbox, using “dead drops” to retrieve encrypted payloads.
Why It Matters for Compliance & Audit Readiness
- Spear‑phishing and malicious PowerShell scripts directly test the effectiveness of SOC 2 Access Control (CC6.1) and Security Awareness Training (CC6.2) requirements.
- The use of legitimate cloud services for C2 highlights the need for continuous monitoring of third‑party services and evidence of policy enforcement, a core element of a defensible SOC 2 audit trail.
Who Is Affected — Government agencies, defense contractors, NGOs, and any organization with Ukrainian ties or operating in high‑risk geopolitical zones.
Recommended Actions
- Map the phishing and PowerShell execution scenarios to SOC 2 Access Control criteria and collect evidence of MFA, least‑privilege, and logging controls.
- Deploy regular security‑awareness training and phishing simulations to validate user resilience.
- Implement continuous monitoring of cloud‑service usage (e.g., Cloudflare, Microsoft tunnels) and log any anomalous outbound connections.
Technical Notes
- Attack vector: spear‑phishing emails delivering malicious HTA files exploiting CVE‑2025‑8088 (WinRAR).
- Malware families: PteroPaste (downloader + USB weaponizer), PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy.
- C2 storage: encrypted payloads in Dropbox, Telegram, and markdown paste services (Rentry).
Source: DataBreachToday