
Gamaredon GammaSteel & Argamal: Surge in Multi-Vector Infostealer Campaigns

Security Arsenal Team
June 5, 2026
6 min read

Date: 2026-06-06
Source: OTX Pulse Analysis

Threat Summary

Recent OTX pulses from June 4-5, 2026, reveal a complex and aggressive landscape of credential theft activity targeting both Windows and macOS ecosystems. Russian state-sponsored actor Gamaredon (UAC-0010) continues its espionage against Ukrainian entities with the fileless GammaSteel infostealer, utilizing the HKCU\Printers registry key for persistence to avoid disk signatures.

Parallel to this nation-state activity, a surge in cybercriminal operations involves the Argamal RAT, distributed via compromised adult games using COM hijacking, and the evolution of Lumma Stealer into Remus, which specifically bypasses browser Application-Bound Encryption. These campaigns leverage sophisticated delivery mechanisms including Traffic Distribution Systems (TDS) impersonating tools like Ghidra, and ClickFix social engineering lures targeting macOS users with fake system utilities.

Threat Actor / Malware Profile

  • Gamaredon (FSB/UAC-0010)

    • Malware: GammaSteel, GammaLoad, GammaWipe.
    • Behavior: APT group targeting Ukrainian government and defense. GammaSteel operates almost entirely from memory, storing 71 distinct payload functions in the HKCU\Printers registry key. It utilizes Windows DPAPI for encryption and propagates via VBScript and USB drives (GammaWorm).
    • Persistence: Registry run keys and hidden registry entries.
  • Argamal / Termixia

    • Malware: RAT, Infostealer.
    • Behavior: Distributed via "hentai" games. It establishes persistence by hijacking the InprocServer32 entry for the Windows Color System Calibration Loader DLL. The malware delays full payload execution by several days to evade sandbox analysis.
    • Persistence: COM Hijacking (HKLM\SOFTWARE\Classes\CLSID).
  • Remus / Lumma Stealer

    • Malware: 64-bit Information Stealer.
    • Behavior: Evolution of Lumma Stealer following the doxxing of its developers. It employs "Etherhiding," using the Ethereum blockchain to carry C2 communication with its infrastructure. It specifically targets browser cookies, credentials, and cryptocurrency wallets, bypassing modern encryption protections.
  • SessionGate / AnimateClipper

    • Malware: Clipper, Infostealer.
    • Behavior: Distributed via massive SEO poisoning and TDS campaigns impersonating legitimate tools like dnSpy and Ghidra. Uses CloudFront-hosted JavaScript to hijack download clicks.

IOC Analysis

The collected indicators span multiple infection vectors:

  • Infrastructure: Domains like justsstop.ru (Gamaredon C2) and guiformat.com (TDS/Impersonation) provide critical network-level blocklist candidates. IPs 194.150.220.218 and 165.22.170.129 are associated with these campaigns.
  • File Hashes: SHA1 hashes for Argamal droppers and a SHA256 hash for the TDS payload (87361ba2bb412dcf49f8738f3b8b9b7dccb557ad2e76ea8d98ffa5b098ae3886) allow for exact file matching in EDR solutions.
  • Operationalization: SOC teams should immediately ingest these IOCs into SIEM correlation rules and domain blocklists. The use of non-standard ports in URLs (e.g., :48261) suggests custom C2 protocols that standard port-based firewall rules will not catch unless deep packet inspection is configured.
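An added example, not code from the post: a small Python hunt that matches proxy log lines against the domains and IPs quoted above, and separately flags the non-standard destination ports the text mentions. The log lines are constructed for illustration.

```python
import ipaddress
from urllib.parse import urlsplit

# Indicators quoted in the IOC analysis above.
IOC_DOMAINS = {"justsstop.ru", "guiformat.com"}
IOC_IPS = {"194.150.220.218", "165.22.170.129"}
# Ports a web proxy normally sees; anything else on an HTTP(S) URL is worth a second look.
STANDARD_PORTS = {80, 443, 8080, 8443}

# Constructed proxy log lines (timestamp, client, method, URL); not from the pulses.
SAMPLE_LOGS = """\
2026-06-05T10:01:12Z 10.0.0.15 GET http://guiformat.com/download/ghidra.zip
2026-06-05T10:02:44Z 10.0.0.15 POST http://justsstop.ru:48261/upload
2026-06-05T10:03:01Z 10.0.0.22 GET https://example.org/index.html
2026-06-05T10:04:09Z 10.0.0.22 GET http://194.150.220.218:48261/beacon
2026-06-05T10:05:30Z 10.0.0.31 GET https://sub.guiformat.com:443/x
"""

def analyse_line(line):
    """Return the reasons a proxy log line is suspicious (empty list if clean)."""
    parts = line.split()
    if len(parts) < 4:
        return []
    url = urlsplit(parts[3])
    host = (url.hostname or "").lower()
    port = url.port or (443 if url.scheme == "https" else 80)
    reasons = []
    # Match the listed domain itself and any subdomain of it.
    if host in IOC_DOMAINS or any(host.endswith("." + d) for d in IOC_DOMAINS):
        reasons.append(f"domain IOC {host}")
    try:
        if str(ipaddress.ip_address(host)) in IOC_IPS:
            reasons.append(f"ip IOC {host}")
    except ValueError:  # host is a name, not an address
        pass
    if port not in STANDARD_PORTS:
        reasons.append(f"non-standard port {port}")
    return reasons

def hunt(log_text):
    """Map each suspicious line to its reasons, dropping clean lines."""
    flagged = {}
    for line in log_text.splitlines():
        reasons = analyse_line(line)
        if reasons:
            flagged[line] = reasons
    return flagged

if __name__ == "__main__":
    for line, why in hunt(SAMPLE_LOGS).items():
        print(line, "->", "; ".join(why))
```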

Detection Engineering

Sigma Rules

YAML
---
title: Potential Argamal Persistence via COM Hijacking
id: 0a1b2c3d-4e5f-6789-0abc-1def23456789
status: experimental
description: Detects registry modifications to the InprocServer32 entry for the Windows Color System Calibration Loader, a technique used by Argamal malware for persistence.
references:
    - https://otx.alienvault.com/pulse/66000000/
author: Security Arsenal Research
date: 2026/06/06
modified: 2026/06/06
tags:
    - attack.persistence
    - attack.t1546.015
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: '\CLSID\{1ACC0528-2B65-4F80-9096-C5545FDD4271}\InprocServer32\(Default)'
    condition: selection
falsepositives:
    - Unknown
level: critical
---
title: Gamaredon Group GammaSteel Registry Persistence
id: 1b2c3d4e-5f67-890a-bcde-f1234567890a
status: experimental
description: Detects the creation or modification of registry values in the HKCU\Printers key, associated with Gamaredon's GammaSteel infostealer storing payload functions.
references:
    - https://otx.alienvault.com/pulse/66000005/
author: Security Arsenal Research
date: 2026/06/06
modified: 2026/06/06
tags:
    - attack.persistence
    - attack.defense_evasion
    - attack.t1112
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        # Sysmon records HKCU as HKU\<SID>, so match the key named in the description
        TargetObject|re: '^HKU\\[^\\]+\\Printers\\'
    filter_generic:
        Details|contains: 'PrinterData'
    condition: selection and not filter_generic
falsepositives:
    - Legitimate printer driver installation
level: high
---
title: Suspicious PowerShell Download via ClickFix Lures
id: 2c3d4e5f-6789-0abc-def1-234567890abc
status: experimental
description: Detects PowerShell commands attempting to download payloads from suspicious domains or utilizing encoding often used in ClickFix campaigns targeting macOS/Windows utilities.
references:
    - https://otx.alienvault.com/pulse/66000003/
author: Security Arsenal Research
date: 2026/06/06
modified: 2026/06/06
tags:
    - attack.execution
    - attack.t1059.001
logsource:
    product: windows
    category: process_creation
detection:
    selection_pwsh:
        Image|endswith:
            - '\powershell.exe'
            - '\pwsh.exe'
    selection_cmd:
        CommandLine|contains:
            - 'Invoke-WebRequest'
            - 'IEX'
            - 'DownloadString'
    selection_suspicious:
        CommandLine|contains:
            - 'jihiz.com'
            - 'kayeart.com'
            - 'bintail.com'
            - 'malext.com'
            - 'pixeldrain'
    condition: all of selection_*
falsepositives:
    - Administrator scripts
level: high
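As an added example (not code from the post), a minimal Python evaluator that runs the two registry rules above against a few constructed Sysmon SetValue events. The rule dicts carry only the detection sections, the GammaSteel selection is written as a regex on the HKU\<SID>\Printers\ path Sysmon records for HKCU, and the events are made up for illustration.

```python
import re

# Detection sections of the two registry rules above, as Sigma-shaped dicts. The GammaSteel
# selection is a regex on the HKU\<SID>\Printers\ path that Sysmon records for HKCU.
RULES = {
    "argamal_com_hijack": {"detection": {
        "selection": {"TargetObject|contains":
                      r"\CLSID\{1ACC0528-2B65-4F80-9096-C5545FDD4271}\InprocServer32\(Default)"},
        "condition": "selection"}},
    "gammasteel_printers": {"detection": {
        "selection": {"TargetObject|re": r"^HKU\\[^\\]+\\Printers\\"},
        "filter_generic": {"Details|contains": "PrinterData"},
        "condition": "selection and not filter_generic"}},
}

# Constructed Sysmon registry SetValue events (not real telemetry from the pulses).
EVENTS = [
    {"TargetObject": r"HKLM\SOFTWARE\Classes\CLSID\{1ACC0528-2B65-4F80-9096-C5545FDD4271}\InprocServer32\(Default)",
     "Details": r"C:\Users\Public\loader.dll"},  # hijacked COM server
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Printers\Settings\fn17", "Details": "<script body>"},
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Printers\Connections\,,srv,HP\Name", "Details": "PrinterData"},
    {"TargetObject": r"HKU\S-1-5-21-1-2-3-1001\Software\Microsoft\Windows NT\CurrentVersion\Printers\x", "Details": "1"},
]

def field_match(value, op, pattern):
    """One Sigma value modifier; plain comparisons are case-insensitive, as in Sigma."""
    if op == "re":
        return re.search(pattern, str(value), re.I) is not None
    v, p = str(value).lower(), str(pattern).lower()
    return {"contains": p in v, "startswith": v.startswith(p), "endswith": v.endswith(p), "": v == p}[op]

def selection_matches(sel, event):
    """Every field in a selection must match; a list of patterns for one field is OR-ed."""
    for key, patterns in sel.items():
        field, _, op = key.partition("|")
        pats = patterns if isinstance(patterns, list) else [patterns]
        if not any(field_match(event.get(field, ""), op, p) for p in pats):
            return False
    return True

def evaluate(rule, event):
    """Condition forms used by the two rules: 'X' and 'X and not Y'."""
    det = rule["detection"]
    hits = {n: selection_matches(s, event) for n, s in det.items() if n != "condition"}
    cond = det["condition"]
    return all(not hits[t[4:]] if t.startswith("not ") else hits[t] for t in cond.split(" and "))

def run(rules=RULES, events=EVENTS):
    """Return {rule name: [indices of matching events]}."""
    return {name: [i for i, ev in enumerate(events) if evaluate(r, ev)] for name, r in rules.items()}
```

The fourth event shows why the selection is anchored on HKU\<SID>\Printers\: the per-user printer settings key under Windows NT\CurrentVersion is a different, legitimate location and is not matched.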

KQL (Microsoft Sentinel)

KQL
// Hunt for network connections to IOCs from the OTX pulses (last 7 days).
// has_any matches the IOC domain as a term inside RemoteUrl, so full URLs and subdomains are covered;
// an exact in~ comparison would miss any RemoteUrl that carries a scheme, path or host prefix.
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("guiformat.com", "forestoaker.com", "jihiz.com", "kayeart.com", "bintail.com", "wusetail.com", "malext.com", "miappl.com", "pla7ina.cfd", "vagturk.com", "justsstop.ru")
    or RemoteIP in ("194.150.220.218", "217.156.122.75", "165.22.170.129")
| project Timestamp, DeviceName, InitiatingProcessAccountName, RemoteUrl, RemoteIP, RemotePort
| summarize Connections = count() by RemoteUrl, RemoteIP, DeviceName
| order by Connections desc

PowerShell Hunt Script

PowerShell
<#
.SYNOPSIS
    IOC hunt script for Argamal and GammaSteel registry persistence.
.DESCRIPTION
    Checks for the registry modifications associated with Argamal (COM hijacking of the
    Windows Color System Calibration Loader CLSID) and Gamaredon's GammaSteel (payload
    functions stored under HKCU\Printers), based on OTX pulse data. Run in an elevated
    session so that HKLM is readable; the HKCU check covers the current user only.
#>

function Find-ArgamalComHijack {
    $clsid = '{1ACC0528-2B65-4F80-9096-C5545FDD4271}'
    $legit = Join-Path $env:SystemRoot 'System32\mscms.dll'
    # Check the machine hive named in the pulse and the per-user hive, which COM consults first.
    foreach ($hive in 'HKLM', 'HKCU') {
        $clsidPath = "Registry::$hive\SOFTWARE\Classes\CLSID\$clsid\InprocServer32"
        if (-not (Test-Path $clsidPath)) { continue }
        $defaultVal = (Get-ItemProperty -Path $clsidPath -ErrorAction SilentlyContinue).'(default)'
        if ($null -eq $defaultVal) { continue }
        # The legitimate default is normally mscms.dll in System32; expand %SystemRoot%-style
        # values before comparing so a legitimate entry written with a variable is not flagged.
        if ([Environment]::ExpandEnvironmentVariables($defaultVal) -ne $legit) {
            Write-Host "[!] SUSPICIOUS: possible Argamal COM hijacking at $clsidPath"
            Write-Host "    Value: $defaultVal"
        }
    }
}

function Find-GammaSteelRegistryData {
    $printersPath = 'Registry::HKCU\Printers'
    if (-not (Test-Path $printersPath)) { return }
    # GammaSteel stores its payload functions as values under this key. Heuristic: flag
    # REG_BINARY values and unusually long strings, on the root key and every subkey.
    # DevModes2 is skipped because Windows legitimately keeps binary DEVMODE blobs per printer there.
    $keys = @(Get-Item -Path $printersPath) +
            @(Get-ChildItem -Path $printersPath -Recurse -ErrorAction SilentlyContinue |
              Where-Object { $_.Name -notmatch '\\Printers\\DevModes2(\\|$)' })
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key.PSPath -ErrorAction SilentlyContinue
        if ($null -eq $props) { continue }
        foreach ($prop in $props.PSObject.Properties) {
            if ($prop.Name -like 'PS*') { continue }   # skip the PowerShell provider metadata
            $isBinary     = $prop.Value -is [byte[]]
            $isLongString = ($prop.Value -is [string]) -and ($prop.Value.Length -gt 1024)
            if ($isBinary -or $isLongString) {
                $kind = if ($isBinary) { 'binary' } else { 'long string' }
                Write-Host "[!] SUSPICIOUS: unusual data in $($key.Name)"
                Write-Host "    Property: $($prop.Name) ($kind, length $($prop.Value.Length))"
            }
        }
    }
}

Find-ArgamalComHijack
Find-GammaSteelRegistryData

Response Priorities

  • Immediate: Block all listed domains (TDS, ClickFix, Gamaredon C2) and IP ranges at the perimeter. Isolate endpoints matching the provided SHA1 and SHA256 hashes.
  • 24h: Conduct credential verification and forced resets for users in targeted sectors (Government, Defense) and geographies (Ukraine, Brazil, Germany) due to the high prevalence of credential stealers (Remus, GammaSteel).
  • 1 Week: Harden browser security configurations to mitigate Application-Bound Encryption bypass techniques. Implement Application Control (AppLocker) policies to restrict the execution of unsigned utilities and games, blocking the primary vector for Argamal and ClickFix campaigns.
