A notorious threat actor known as Gamaredon has been observed employing Cloudflare Tunnels to hide its malware staging infrastructure, facilitating the deployment of GammaDrop malware. This technique is part of a spear-phishing campaign actively targeting Ukrainian organizations since early 2024.
Campaign Details and Tactics
According to Recorded Future’s Insikt Group, the primary goal of this campaign is to deliver Visual Basic Script malware. The group, monitored under the alias BlueAlpha, has also been identified by several other names, including:
- Aqua Blizzard
- Armageddon
- Hive0051
- Iron Tilden
- Primitive Bear
- Shuckworm
- Trident Ursa
- UAC-0010
- UNC530
- Winterflounder
Active since 2014, BlueAlpha is linked to Russia’s Federal Security Service (FSB).
“BlueAlpha has recently started using Cloudflare Tunnels to obscure staging infrastructure for GammaDrop, a tactic gaining traction among cybercriminal groups,” noted Insikt Group. Additionally, the group continues to use DNS fast-fluxing to complicate the tracking and disruption of command-and-control (C2) communications.
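A defender-side illustration of the two infrastructure tactics named above, added here and not part of the original article: a small resolver-log triage script that flags queries to Cloudflare Quick Tunnel hostnames (assumed to appear under trycloudflare.com) and domains whose short-TTL answers rotate across many addresses, the pattern DNS fast-flux produces. The log format, the thresholds and every hostname and address are constructed for the example.

```python
import re
from collections import defaultdict

# Constructed sample resolver log (not from the article):
# "<epoch> <qname> A <ip> ttl=<seconds>"
SAMPLE_LOG = """\
1717000001 updates.example-corp.test A 203.0.113.10 ttl=3600
1717000002 brisk-panel-example.trycloudflare.com A 198.51.100.7 ttl=300
1717000003 c2-flux.example.test A 192.0.2.11 ttl=60
1717000063 c2-flux.example.test A 192.0.2.12 ttl=60
1717000123 c2-flux.example.test A 192.0.2.13 ttl=60
1717000183 c2-flux.example.test A 192.0.2.14 ttl=60
1717000243 c2-flux.example.test A 192.0.2.15 ttl=60
1717000300 updates.example-corp.test A 203.0.113.10 ttl=3600
"""

LINE_RE = re.compile(r"^(\d+)\s+(\S+)\s+A\s+(\S+)\s+ttl=(\d+)$")

# Assumption: Quick Tunnel hostnames live under trycloudflare.com; treat them
# as review-worthy when the organisation has no sanctioned use for them.
TUNNEL_SUFFIXES = (".trycloudflare.com",)
MAX_TTL = 300         # fast-flux records keep TTLs short so IPs can rotate
MIN_DISTINCT_IPS = 4  # flag a name once this many distinct A records are seen

def parse(log: str):
    """Parse log lines into (timestamp, qname, ip, ttl); skip malformed lines."""
    records = []
    for line in log.splitlines():
        m = LINE_RE.match(line.strip())
        if m:
            ts, qname, ip, ttl = m.groups()
            records.append((int(ts), qname.lower().rstrip("."), ip, int(ttl)))
    return records

def tunnel_domains(records):
    """Return queried names under a tunnel suffix, deduplicated and sorted."""
    return sorted({q for _, q, _, _ in records if q.endswith(TUNNEL_SUFFIXES)})

def fast_flux_candidates(records, max_ttl=MAX_TTL, min_ips=MIN_DISTINCT_IPS):
    """Return names whose low-TTL answers span at least min_ips distinct IPs."""
    ips = defaultdict(set)
    for _, qname, ip, ttl in records:
        if ttl <= max_ttl:
            ips[qname].add(ip)
    return sorted(q for q, s in ips.items() if len(s) >= min_ips)

if __name__ == "__main__":
    recs = parse(SAMPLE_LOG)
    print("tunnel domains:", tunnel_domains(recs))
    print("fast-flux candidates:", fast_flux_candidates(recs))
```

In practice the thresholds need tuning against a baseline, since CDNs and load balancers also answer with short TTLs and many addresses.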
ESET described BlueAlpha’s methods as “reckless and not particularly stealth-focused,” although the group employs measures to evade detection and maintain access to compromised sy
[…]