Gamaredon's 2025 Evolution: Cloud Abuse and Spear-Phishing Surge
Hey everyone, just caught the latest report from ESET regarding Gamaredon's activity against Ukraine throughout 2025. It’s wild that they managed to pull off 35 distinct spear-phishing campaigns in just the second half of the year. While they are known for volume, their shift towards abusing legitimate cloud services for C2 is a notable evolution in their TTPs to evade detection.
From a defensive standpoint, their reliance on LNK files to kick off PowerShell chains remains a persistent vector. Since they are abusing legitimate cloud providers (likely Dropbox or OneDrive based on historical patterns), standard IP blocking is less effective. We need to focus on the behavioral correlation between the initial dropper and the subsequent beacon.
I've been tuning our detection logic to flag powershell.exe spawning immediately after user interaction with an archive, specifically when it reaches out to personal cloud storage endpoints.
Here is a basic KQL query we use to hunt for this behavior in Sentinel:
kusto DeviceProcessEvents
| where InitiatingProcessFileName == "explorer.exe"
| where FileName == "powershell.exe"
| where ProcessCommandLine has "Invoke-Expression" or ProcessCommandLine has "IEX"
| join kind=inner (
DeviceNetworkEvents
| where RemoteUrl has_any ("dropboxusercontent.com", "drive.google.com", "onedrive.live.com")
) on DeviceId
| project Timestamp, DeviceName, ProcessCommandLine, RemoteUrl
Is anyone else seeing this specific pattern of cloud abuse in their telemetry, or are they pivoting to other storage mechanisms in your sectors?
Solid query. We've seen a similar uptick in campaigns leveraging cloud storage for C2, specifically using rclone hardcoded with valid credentials to exfil data to Mega.nz. It makes traffic analysis a nightmare since it looks like standard user synchronization. We added a specific Sigma rule to flag rclone executions not initiated by an admin, which caught a few variants of this.
The LNK vector is the real pain point for us. Users just can't help themselves. We've pushed a GPO to disable LNK files from the Internet Zone using the Mark of the Web (MOTW) feature, but it occasionally breaks legitimate installers.
If you're on Windows 10/11, you can enforce this via PowerShell:
Set-ItemProperty -Path "HKCU:\Software\Microsoft\Windows\CurrentVersion\Policies\Attachments" -Name "SaveZoneInformation" -Value 2
It's aggressive, but it significantly reduces the blast radius for these spear-phishing drops.
On the detection side for that PowerShell chain, catching the encoded arguments is vital. Gamaredon frequently obfuscates payloads using Base64 to evade simple string matching. This KQL query helps hunt for PowerShell processes spawned from LNK parents using encoded commands:
Process
| where ProcessName =~ "powershell.exe"
| where CommandLine contains "-EncodedCommand"
| where InitiatingProcessName in ("explorer.exe", "cmd.exe")
Valid point on rclone. To counter that cloud C2 abuse without halting productivity, we've implemented strict egress filtering that only allows traffic to our verified tenant IDs for approved services. It's aggressive, but effective. Regarding the LNK persistence, we finally enabled the ASR rule to block Office apps from creating child processes, which stops the PowerShell chain dead.
# ASR Rule: Block Office apps from creating child processes
Add-MpPreference -AttackSurfaceReductionRules_Ids "D4F940AB-401B-4EFC-AADC-AD5F3C50688A" -AttackSurfaceReductionRules_Actions Enabled
Verified Access Required
To maintain the integrity of our intelligence feeds, only verified partners and security professionals can post replies.
Request Access