Back to Intelligence

Gamaredon GammaSteel, Argamal RAT, and Remus Stealer: OTX Pulse Analysis — Enterprise Detection Pack

SA
Security Arsenal Team
June 5, 2026
5 min read

Recent OTX pulses indicate a surge in diverse credential theft campaigns ranging from state-sponsored espionage to commodity infostealers. The collection reveals an active FSB-linked Gamaredon operation targeting Ukrainian entities using the memory-resident GammaSteel infostealer. Concurrently, cybercriminals are distributing the Argamal RAT via trojanized adult games and the evolved Remus stealer (a successor to Lumma) via Traffic Distribution Systems (TDS) impersonating legitimate open-source tools. These actors leverage COM hijacking, registry manipulation, and browser encryption bypasses to harvest sensitive data, cryptocurrency wallet keys, and session tokens.

Threat Actor / Malware Profile

Gamaredon Group (UAC-0010 / Armageddon)

  • Objective: Cyberespionage against Ukrainian government and defense sectors.
  • Malware: GammaSteel, GammaLoad.
  • Persistence: Stores 71 payload functions in HKCU\Printers. Operates primarily in-memory to evade disk-based scanning.
  • Propagation: Uses USB worms (GammaWorm) for lateral movement in air-gapped or restricted environments.

Argamal / Termixia

  • Distribution: Hidden within "hentai" games, distributed via platforms like Pixeldrain.
  • Persistence: COM hijacking. Replaces the InprocServer32 entry for the Windows Color System Calibration Loader DLL (mscms.dll context).
  • Behavior: Delayed execution (RAT download after several days) to evade sandbox analysis.

Remus Stealer (Lumma Successor)

  • Technique: Bypasses Browser Application-Bound Encryption (ABE) to steal cookies and passwords.
  • C2: Utilizes "Etherhiding," leveraging the Ethereum blockchain for command and control infrastructure.
  • Distribution: Large-scale TDS operation impersonating tools like Ghidra, dnSpy, and SpiderFoot.

MacOS Campaign (ClickFix)

  • Vector: Fake utility sites hosting malicious AppleScript/Terminal commands disguised as troubleshooting steps.
  • Payloads: Macsync, Shub Stealer, AMOS, PhantomPulse.

IOC Analysis

The provided indicators offer high-fidelity detection opportunities across the kill chain:

  • Network Infrastructure (TDS/C2): Domains such as guiformet.com (typo-squatting), forestoaker.com, and justsstop.ru (Gamaredon) are critical for perimeter blocking. IP 194.150.220.218 is a known TDS node.
  • File Artifacts: Multiple SHA1 hashes (e.g., 02819d200d1424882af81cb504b3e8614b32397a) correspond to the Argamal dropper.
  • Registry/Persistence: The Gamaredon campaign specifically abuses HKCU\Printers, a rare and suspicious registry location for legitimate software.
  • Operationalization: SOC teams should immediately import the SHA1 hashes into EDR endpoints for isolation. Domains must be added to DNS sinkholes. The HKCU\Printers registry modification should be treated as a critical alert, as it is highly specific to Gamaredon activity.

Detection Engineering

Sigma Rules

YAML
---
title: Gamaredon GammaSteel Persistence Registry Key
description: Detects Gamaredon group activity via registry modifications in HKCU\Printers used for payload storage.
references:
    - https://blog.sekoia.io/fsbs-matryoshka-3-3-gamaredons-gifts-that-keeps-unpacking-gammasteel/
author: Security Arsenal
date: 2026/06/05
status: stable
logsource:
    product: windows
    category: registry_set
    definition: 'Requirements: Sysmon config with Registry logging enabled'
detection:
    selection:
        TargetObject|contains: 'Printers'
        TargetObject|contains: 'HKCU\Software'
    condition: selection
falsepositives:
    - Unlikely (Legitimate printer drivers do not write complex payload structures to user hives)
level: critical
tags:
    - attack.persistence
    - attack.defense_evasion
    - gamaredon
---
title: Suspicious COM Hijacking via Windows Color System
description: Detects potential Argamal malware activity via COM hijacking targeting the Windows Color System Calibration Loader.
references:
    - https://securelist.com/argamal-rat-distributed-with-hentai-games/119999/
author: Security Arsenal
date: 2026/06/05
status: stable
logsource:
    product: windows
    category: registry_set
detection:
    selection:
        TargetObject|contains: 'CLSID'
        TargetObject|contains: 'InprocServer32'
        TargetObject|contains: 'mscms'
        Details|contains: '.dll'
    filter:
        Details|contains: 'C:\\Windows\\system32\\mscms.dll'
    condition: selection and not filter
falsepositives:
    - Low
level: high
tags:
    - attack.persistence
    - attack.hijack_execution_flow
    - argamal
---
title: Traffic Distribution System (TDS) Network Connections
description: Detects network connections to known TDS infrastructure used for distributing RemusStealer and SessionGate.
references:
    - https://research.checkpoint.com/2026/impersonation-click-hijacking-and-tds-inside-a-malware-distribution-ecosystem/
author: Security Arsenal
date: 2026/06/05
status: stable
logsource:
    product: windows
    category: network_connection
detection:
    selection_ip:
        DestinationIp:
            - '194.150.220.218'
            - '217.156.122.75'
            - '165.22.170.129'
    selection_domain:
        DestinationHostname|contains:
            - 'guiformet.com'
            - 'forestoaker.com'
            - 'justsstop.ru'
            - 'maxdatahost1.cyou'
    condition: 1 of selection_*
falsepositives:
    - Unknown
level: critical
tags:
    - attack.command_and_control
    - attack.initial_access
    - tds

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender
// Hunt for Gamaredon Registry Persistence
DeviceRegistryEvents
| where Timestamp > ago(7d)
| where ActionType == "RegistryValueSet"
| where RegistryKey has @"HKCU\Software" and RegistryKey has @"Printers"
| project Timestamp, DeviceName, InitiatingProcessAccountName, RegistryKey, RegistryValueName, RegistryValueData

// Hunt for Malware Distribution Network Connections
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has_any ("guiformet.com", "forestoaker.com", "justsstop.ru", "maxdatahost1.cyou") 
   or RemoteIP in ("194.150.220.218", "217.156.122.75", "165.22.170.129")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort

PowerShell Hunt Script

PowerShell
# Hunt for Gamaredon GammaSteel Registry Artifacts
# Checks HKCU\Printers for suspicious values

$UserHives = Get-ChildItem "Registry::HKEY_USERS"
$SuspiciousKeys = @()

foreach ($Hive in $UserHives.Name) {
    $PrintersPath = "$Hive\Software\Microsoft\Windows NT\CurrentVersion\Printers"
    if (Test-Path $PrintersPath) {
        $Keys = Get-Item $PrintersPath -ErrorAction SilentlyContinue
        if ($Keys -and $Keys.ValueCount -gt 0) {
            # Gamaredon stores payload functions here, excessive values or binary data is suspicious
            foreach ($Val in $Keys.GetValueNames()) {
                $ValData = $Keys.GetValue($Val)
                if ($ValData -is [byte[]]) {
                    $SuspiciousKeys += [PSCustomObject]@{
                        UserHive = $Hive
                        Key = $PrintersPath
                        ValueName = $Val
                        DataSize = $ValData.Length
                        Status = "Suspicious Binary Data"
                    }
                }
            }
        }
    }
}

if ($SuspiciousKeys.Count -gt 0) {
    Write-Host "[!] Potential Gamaredon GammaSteel Artifacts Detected:" -ForegroundColor Red
    $SuspiciousKeys | Format-Table -AutoSize
} else {
    Write-Host "[-] No GammaSteel registry artifacts found." -ForegroundColor Green
}

# Hunt for Argamal COM Hijack (mscms.dll)
# Checking HKCU\Software\Classes\CLSID for InprocServer32 changes
$ClsidPath = "Registry::HKEY_CURRENT_USER\Software\Classes\CLSID"
if (Test-Path $ClsidPath) {
    Get-ChildItem -Path $ClsidPath -Recurse -ErrorAction SilentlyContinue | ForEach-Object {
        $InprocPath = "$($_.PSPath)\InprocServer32"
        if (Test-Path $InprocPath) {
            $DefaultVal = (Get-Item $InprocPath).GetValue("")
            # Legitimate is usually C:\Windows\system32\mscms.dll
            if ($DefaultVal -and $DefaultVal -notlike "C:\Windows\system32\*") {
                Write-Host "[!] Suspicious COM Hijack found: $InprocPath -> $DefaultVal" -ForegroundColor Yellow
            }
        }
    }
}

Response Priorities

  • Immediate: Block all listed IOCs (IPs 194.150.220.218, 165.22.170.129, domains justsstop.ru, guiformet.com) at perimeter firewalls and proxies. Isolate endpoints with Sigma hits on HKCU\Printers modifications.
  • 24h: Initiate credential reset for high-privilege accounts and cryptocurrency wallets if suspected infostealer (Remus/GammaSteel) activity is detected.
  • 1 Week: Review application control policies to block unauthorized game execution and unsigned binaries. Conduct security awareness training focused on "ClickFix" social engineering and the risks of downloading open-source tools from unofficial repositories.

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub

darkwebotx-pulsedarkweb-credentialsgamaredonremus-stealerargamal-ratinfostealercredential-theft

Is your security operations ready?

Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.

Book a SOC AssessmentSee AlertMonitor in Action