Gamaredon APT, BTMOB Android RAT & Malicious VPN Extensions: OTX Pulse Analysis

Security Arsenal Team
July 1, 2026
7 min read

Excerpt: FSB-linked Gamaredon targeting Ukraine, Android RAT surge in LatAm, and clipper malware distributed via trojanized VPN extensions.


Threat Summary

Recent OTX Pulse data reveals a diverse landscape of active threats ranging from state-sponsored espionage to financially motivated crimeware.

  1. Gamaredon (APT28): The Russia-linked FSB group is aggressively targeting Ukrainian government and defense sectors using a sophisticated infection chain involving HTML smuggling, weaponized RAR archives exploiting a zero-day (CVE-2025-8088), and HTA persistence.
  2. BTMOB (Android RAT): A stealthy Remote Access Trojan (RAT) evolution of SpySolr is active in Argentina and Brazil. Distributed via fake app stores, it utilizes an APK builder for mass generation and abuses accessibility services for data theft.
  3. Malicious VPN Extensions: "Free VPN" browser extensions on Chrome and Firefox have been weaponized via staged updates to deploy clipboard stealers, targeting cryptocurrency credentials and user data.

Collectively, these campaigns highlight a trend toward "living-off-the-land" binaries (LoLBins) like HTA files, the abuse of legitimate distribution platforms (Browser Stores), and the commoditization of malware builders (BTMOB).

Threat Actor / Malware Profile

Gamaredon (GammaPhish / GammaWorm)

  • Adversary: Russian FSB (Forest Blizzard / APT28)
  • Distribution: Spear-phishing with weaponized xHTML files and HTML smuggling.
  • Payload Behavior: Uses RAR archives (exploiting CVE-2025-8088) to extract malicious HTA files.
  • Persistence: Drops HTA files into Windows Startup folders to ensure execution on reboot.
  • C2 Communication: Uses Cloudflare Tunnel endpoints (trycloudflare.com subdomains) and compromised infrastructure to blend C2 traffic with legitimate CDN traffic.
  • Anti-Analysis: Heavy obfuscation in HTML smuggling stages; uses "living-off-the-land" techniques to evade signature-based detection.

BTMOB (SpySolr Evolution)

  • Adversary: Unknown (MaaS operator)
  • Distribution: Phishing campaigns impersonating streaming services and government agencies; APK builder interface allows rapid deployment.
  • Target: Mobile devices (Android) in Latin America (Brazil, Argentina).
  • Payload Behavior: Accessibility service abuse to steal SMS, 2FA codes, and keystrokes.
  • C2 Communication: Standard HTTP/S to command and control servers.

VPN Go / Free VPN by VPN GO

  • Adversary: Unknown
  • Distribution: Chrome Web Store and Firefox Add-ons (Supply Chain compromise via staged updates).
  • Payload Behavior: Initial benign proxy functionality; later updated to include clipboard hijacking modules.
  • Objective: Theft of cryptocurrency wallet addresses and credentials copied to the clipboard.
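The staged-update pattern described above leaves a footprint a defender can check for: the extension's manifest gains clipboard permissions that the version originally vetted never requested. The following Python audit is an added example, not code from the page or from any browser vendor; it compares each installed manifest.json against a baseline recorded at allow-listing time, and the extension id, baseline store and sample manifests are constructed placeholders.

```python
import json
from pathlib import Path
import tempfile

# Chrome permission names that let an extension read or replace the clipboard
CLIPBOARD_PERMS = {"clipboardRead", "clipboardWrite"}


def _perms(manifest):
    return set(manifest.get("permissions", [])) | set(manifest.get("optional_permissions", []))


def clipboard_perms_added(baseline, current):
    """Clipboard permissions present in the current manifest but absent from the
    baseline manifest recorded when the extension was allow-listed."""
    return sorted((_perms(current) - _perms(baseline)) & CLIPBOARD_PERMS)


def audit_extensions(ext_root, baselines):
    """Walk <Extensions>/<id>/<version>/manifest.json and compare each installed
    manifest with its allow-listed baseline (a dict keyed by extension id).
    Returns (id, version, added_perms) for every update that gained clipboard
    access; extensions with no baseline are skipped here (allow-list review)."""
    findings = []
    for ext_dir in sorted(Path(ext_root).iterdir()):
        baseline = baselines.get(ext_dir.name) if ext_dir.is_dir() else None
        if baseline is None:
            continue
        for version_dir in sorted(ext_dir.iterdir()):
            manifest_path = version_dir / "manifest.json"
            if not manifest_path.is_file():
                continue
            added = clipboard_perms_added(baseline, json.loads(manifest_path.read_text()))
            if added:
                findings.append((ext_dir.name, version_dir.name, added))
    return findings


def build_sample():
    """Constructed on-disk sample: a 'free VPN' extension whose vetted 1.0.0
    manifest asked only for proxy/storage, and a staged 1.1.0 update that
    added clipboard permissions. The extension id is a placeholder, not an IOC."""
    root = Path(tempfile.mkdtemp()) / "Extensions"
    baseline = {"name": "Free VPN (constructed)", "version": "1.0.0", "permissions": ["proxy", "storage"]}
    updated = {"name": "Free VPN (constructed)", "version": "1.1.0",
               "permissions": ["proxy", "storage", "clipboardRead", "clipboardWrite"]}
    ext = root / "placeholder_extension_id" / "1.1.0_0"
    ext.mkdir(parents=True)
    (ext / "manifest.json").write_text(json.dumps(updated))
    return root, {"placeholder_extension_id": baseline}
```

On a real host, point `audit_extensions` at a profile's `Extensions` folder and supply the manifests captured when each extension was approved.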

IOC Analysis

The provided IOCs span multiple vectors requiring specific operational responses:

  • File Hashes (MD5/SHA256): Critical for EDR correlation. The GammaWorm and BTMOB hashes (e.g., 1794369214b7f62e70a0485e61335c61, 0a542751724a432a8448324613e0ce10393e41739a1800cbb7d5a2c648fcdc35) should be blocked at the perimeter and hunted for on endpoints, with any match quarantined.
  • Domains & URLs:
    • trycloudflare.com subdomains indicate Gamaredon's use of dynamic tunnels; because the tunnel endpoints resolve to Cloudflare's shared address space, IP blocking is of limited value and domain filtering via a secure web gateway (SWG) is needed instead.
    • Specific VPN extension C2s (77.91.123.187, 178.236.252.133) should be blocked immediately via firewall/NGFW rules.
  • CVEs: CVE-2025-8088 (WinRAR) requires immediate patching validation in vulnerability management systems.
  • Tooling: SIEM solutions should ingest these IOCs for alert correlation; EDRs should have isolation policies triggered on hash matches.

Detection Engineering

Sigma Rules

YAML
title: Gamaredon Persistence via HTA in Startup Folder
id: b3f6a7d0-9c2d-4b5a-8e1f-1a2b3c4d5e6f
description: Detects the creation of HTA files in Windows Startup directories, a known persistence mechanism for Gamaredon Group (GammaWorm/GammaLoad).
status: experimental
date: 2026/07/02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66846f8e8c266a7c09b8f4d5/
tags:
    - attack.persistence
    - attack.t1547.001
logsource:
    # TargetFilename is a Sysmon FileCreate (Event ID 11) field, which the
    # file_event category maps to; the Security log has no such event.
    category: file_event
    product: windows
detection:
    selection:
        # Single backslashes: Sigma single-quoted strings carry them literally.
        # Matching is case-insensitive, so the all-users 'StartUp' folder also matches.
        TargetFilename|contains: '\Microsoft\Windows\Start Menu\Programs\Startup\'
        TargetFilename|endswith: '.hta'
    condition: selection
falsepositives:
    - Legitimate administrative scripts
level: critical

---
title: Suspicious Outbound Connection to VPN Extension C2 Infrastructure
id: c4e7b8e1-0d3e-5c6b-9f2a-2b3c4d5e6f7a
description: Detects outbound network connections to known IP addresses associated with malicious VPN browser extensions (Clipboard Stealers).
status: experimental
date: 2026/07/02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66846f8e8c266a7c09b8f4d6/
tags:
    - attack.command_and_control
    - attack.t1071.001
logsource:
    product: zeek
    service: conn
detection:
    selection:
        # Zeek conn.log names the responder (destination) address id.resp_h
        id.resp_h:
            - '77.91.123.187'
            - '178.236.252.133'
            - '178.236.252.161'
    condition: selection
falsepositives:
    - Rare legitimate traffic to these specific IPs
level: high

---
title: HTML Smuggling via Browser Process Spawning MSHTA
id: d5f8c9f2-1e4f-6d7c-0a3b-3c4d5e6f7a8b
description: Detects browser processes spawning mshta.exe, indicative of HTML smuggling attacks often used by Gamaredon to deliver payloads.
status: experimental
date: 2026/07/02
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66846f8e8c266a7c09b8f4d5/
tags:
    - attack.initial_access
    - attack.t1204.002
    - attack.defense_evasion
    - attack.t1027.006
    - attack.t1218.005
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith:
            - '\chrome.exe'
            - '\firefox.exe'
            - '\msedge.exe'
        Image|endswith: '\mshta.exe'
    condition: selection
falsepositives:
    - Legitimate web-based applications launching HTA helpers
level: medium
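To sanity-check the two endpoint rules above against concrete events before deploying them, here is an added Python evaluator (not from the page or the Sigma project) that applies the same contains/endswith logic, case-insensitively as Sigma does, to constructed Sysmon-style events; the paths and file names are made up for the test and are not indicators from the pulse.

```python
# Constructed Sysmon-style events (Event ID 11 FileCreate, Event ID 1 ProcessCreate).
# Paths and names are made up; none of them are indicators from the pulse.
EVENTS = [
    {"EventID": 11, "TargetFilename": "C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta"},
    {"EventID": 11, "TargetFilename": "C:\\Users\\a\\Downloads\\notes.hta"},
    {"EventID": 11, "TargetFilename": "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\StartUp\\report.HTA"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe",
     "ParentImage": "C:\\Program Files\\Google\\Chrome\\Application\\chrome.exe"},
    {"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Windows\\explorer.exe"},
]

# Single backslashes, exactly as the single-quoted YAML strings in the rules carry them
STARTUP_FRAGMENT = "\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\"
BROWSER_PARENTS = ("\\chrome.exe", "\\firefox.exe", "\\msedge.exe")


def hta_in_startup(event):
    """file_event rule: Startup-folder fragment in the path AND a .hta suffix.
    Sigma string modifiers are case-insensitive, so the all-users 'StartUp'
    folder and an upper-case '.HTA' extension still match."""
    if event.get("EventID") != 11:
        return False
    name = event.get("TargetFilename", "").lower()
    return STARTUP_FRAGMENT.lower() in name and name.endswith(".hta")


def browser_spawns_mshta(event):
    """process_creation rule: mshta.exe whose parent image is one of the browsers."""
    if event.get("EventID") != 1:
        return False
    image = event.get("Image", "").lower()
    parent = event.get("ParentImage", "").lower()
    return image.endswith("\\mshta.exe") and parent.endswith(BROWSER_PARENTS)


def run_rules(events):
    """Return (rule_name, event_index) for every event a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        if hta_in_startup(ev):
            hits.append(("hta_startup_persistence", i))
        if browser_spawns_mshta(ev):
            hits.append(("browser_spawns_mshta", i))
    return hits


if __name__ == "__main__":
    for rule, idx in run_rules(EVENTS):
        print(f"{rule}: event {idx} -> {EVENTS[idx]}")
```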

KQL (Microsoft Sentinel)

KQL
// Run each of the two queries below on its own; a KQL query yields a single tabular result.

// Hunt for Gamaredon C2 Infrastructure and Browser Extension C2s
let IOCs = dynamic(["quitethepastry.ru", "trycloudflare.com", "arbsniper.com", "77.91.123.187", "178.236.252.133", "178.236.252.161"]);
DeviceNetworkEvents
// has_any matches the domain terms inside full URLs (including trycloudflare.com subdomains); IPs are compared as exact values
| where RemoteUrl has_any (IOCs) or RemoteIP in (IOCs)
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc

// Hunt for Malicious File Hashes (GammaWorm/BTMOB Samples)
// The list mixes MD5 and SHA256 values, so both columns are checked; 'in' requires a parenthesised operand
let MaliciousHashes = dynamic(["1794369214b7f62e70a0485e61335c61", "8e1624d110c090ff57d4b493a9107c66", "25e3c200de4868d754a3b4f4f09ec2bf", "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56"]);
DeviceFileEvents
| where SHA256 in (MaliciousHashes) or MD5 in (MaliciousHashes)
| project Timestamp, DeviceName, FileName, FolderPath, SHA256, MD5, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Hunt Script

PowerShell
# IOC Hunt for Gamaredon Persistence and Malicious Extensions
# Run elevated so that every profile under C:\Users can be read, not only the current user's

# The list mixes MD5 and SHA256 values, so both digests are computed per file;
# -contains compares case-insensitively, so Get-FileHash's upper-case output still matches
$SuspectHashes = @(
    "1794369214b7f62e70a0485e61335c61",
    "8e1624d110c090ff57d4b493a9107c66",
    "25e3c200de4868d754a3b4f4f09ec2bf",
    "43dc5b1d4c73d5ed9f4f7f561830079896eeb533a7c21bc577e4e267d5a3aa56"
)

$UserProfiles = Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue

# 1. Check Startup Folders for HTA files (Gamaredon Persistence)
# All-users Startup folder under ProgramData plus the per-user folder of every profile
$StartupPaths = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp")
$StartupPaths += @($UserProfiles | ForEach-Object { "$($_.FullName)\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" })

Write-Host "[+] Scanning Startup Folders for suspicious HTA files..."
foreach ($Path in $StartupPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter *.hta -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[!] Suspicious HTA found: $($_.FullName)"
            foreach ($Algo in 'MD5', 'SHA256') {
                $FileHash = Get-FileHash -Path $_.FullName -Algorithm $Algo
                if ($SuspectHashes -contains $FileHash.Hash) {
                    Write-Host "[CRITICAL] Known malicious $Algo hash detected: $($FileHash.Hash)"
                }
            }
        }
    }
}

# 2. Check Browser Extension Directories for recently changed extensions (VPN Go)
# Chrome stores extensions under <profile>\AppData\Local\Google\Chrome\User Data\<Profile>\Extensions\<id>\<version>
# Note: VPN Go extension IDs are not provided in the IOCs, so recently modified extension folders are flagged for manual review
$ChromePaths = @($UserProfiles | ForEach-Object { "$($_.FullName)\AppData\Local\Google\Chrome\User Data" })

Write-Host "[+] Scanning for recently modified Chrome Extensions..."
foreach ($BasePath in $ChromePaths) {
    if (Test-Path $BasePath) {
        Get-ChildItem -Path $BasePath -Recurse -Directory -Filter "Extensions" -ErrorAction SilentlyContinue | ForEach-Object {
            $ExtPath = $_.FullName
            # Look for recent modifications (last 7 days), the window in which a staged update would have landed
            Get-ChildItem -Path $ExtPath -Directory | Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-7) } | ForEach-Object {
                Write-Host "[!] Recently modified extension found: $($_.Name) in $ExtPath"
            }
        }
    }
}

Write-Host "[+] Hunt Complete."

Response Priorities

Immediate (0-24h)

  1. Block Network Indicators: Block all IP addresses and domains listed in the IOC Analysis section at the perimeter firewall and proxy servers. Specifically, block *.trycloudflare.com if policy permits, or strictly inspect traffic to it.
  2. Scan for Persistence: Execute the PowerShell hunt script across endpoints to identify Gamaredon HTA persistence mechanisms in Startup folders.
  3. Browser Extension Audit: Issue an immediate directive to users to remove "VPN Go" or "Free VPN by VPN GO" extensions if found. Push a browser policy to remove these Extension IDs if IT-managed.

Short Term (24-48h)

  1. Credential Reset: For users in targeted sectors (Gov/Def) or regions (LatAm), mandate password resets and MFA re-enrollment, specifically for those identified as having visited the malicious domains.
  2. Patch Management: Verify patch status for CVE-2025-8088 (WinRAR) and CVE-2018-20250 (WinRAR legacy).
  3. Mobile Device Management (MDM): In regions affected by BTMOB, scan Android fleets for the provided APK hashes and restrict installation from non-official stores.

Long Term (1 Week+)

  1. Architecture Hardening: Implement Application Control (AppLocker) to block unsigned HTA files and binaries executed from the Startup directory.
  2. Browser Isolation: Deploy remote browser isolation for high-risk users to mitigate HTML smuggling and browser-based exploit delivery.
  3. Supply Chain Vetting: Review policies for browser extension allow-listing to prevent future "staged update" attacks.
