HomeIntelligenceBrief
BREACH BRIEF🟠 High ThreatIntel

Gamaredon Expands PowerShell Downloaders and Spear‑Phishing Campaigns, Leveraging Cloud Services to Obscure C2

Gamaredon released six PowerShell‑based downloaders and over 35 spear‑phishing campaigns in 2025, using cloud services to hide C2. The activity tests SOC 2 access‑control and security‑awareness controls, making continuous monitoring and evidence collection essential for audit readiness.

LiveThreat™ Intelligence · 📅 June 25, 2026· 📰 databreachtoday.com
🟠
Severity
High
TI
Type
ThreatIntel
🎯
Confidence
High
🏢
Affected
3 sector(s)
Actions
3 recommended
📰
Source
databreachtoday.com

Gamaredon Expands PowerShell Downloaders and Spear‑Phishing Campaigns, Leveraging Cloud Services to Obscure C2

What Happened — Russian‑linked threat group Gamaredon released six new PowerShell‑based downloaders and launched at least 35 spear‑phishing campaigns in 2025. The actors hid command‑and‑control infrastructure behind Cloudflare workers, Microsoft dev tunnels, and services like Telegram and Dropbox, using “dead drops” to retrieve encrypted payloads.

Why It Matters for Compliance & Audit Readiness

  • Spear‑phishing and malicious PowerShell scripts directly test the effectiveness of SOC 2 Access Control (CC6.1) and Security Awareness Training (CC6.2) requirements.
  • The use of legitimate cloud services for C2 highlights the need for continuous monitoring of third‑party services and evidence of policy enforcement, a core element of a defensible SOC 2 audit trail.

Who Is Affected — Government agencies, defense contractors, NGOs, and any organization with Ukrainian ties or operating in high‑risk geopolitical zones.

Recommended Actions

  • Map the phishing and PowerShell execution scenarios to SOC 2 Access Control criteria and collect evidence of MFA, least‑privilege, and logging controls.
  • Deploy regular security‑awareness training and phishing simulations to validate user resilience.
  • Implement continuous monitoring of cloud‑service usage (e.g., Cloudflare, Microsoft tunnels) and log any anomalous outbound connections.

Technical Notes

  • Attack vector: spear‑phishing emails delivering malicious HTA files exploiting CVE‑2025‑8088 (WinRAR).
  • Malware families: PteroPaste (downloader + USB weaponizer), PteroDee, PteroCache, PteroDum, PteroOdd, PteroEffigy.
  • C2 storage: encrypted payloads in Dropbox, Telegram, and markdown paste services (Rentry).

Source: DataBreachToday

📰 Original Source
https://www.databreachtoday.com/russias-gamaredon-adapts-tactics-to-target-ukraine-a-32068

This LiveThreat Intelligence Brief is an independent analysis. Read the original reporting at the link above.

From the Verisq platform · Security Awareness

Awareness is a control you can evidence too.

Verisq AI Trust Operations records training completion and policy adoption as audit evidence — turning 'we train our staff' into something you can actually prove.

See how Verisq AI Trust Operations covers awareness →