BlueAlpha Abuses Cloudflare Tunneling Service for GammaDrop Staging Infrastructure

    Date: 04/08/2025

    Severity: High 

    Summary

    BlueAlpha is a state-sponsored cyber threat group linked to the Russian Federal Security Service (FSB), with ties to known groups such as Gamaredon, Shuckworm, Hive0051, and UNC530. Active since at least 2014, BlueAlpha persistently targets Ukrainian organizations through aggressive spearphishing campaigns. Since October 2023, the group has deployed its custom VBScript malware, GammaLoad, to exfiltrate data, steal credentials, and maintain long-term access to compromised systems.

    Indicators of Compromise (IOC) List

    Domain/URL:
    else-accommodation-allowing-throws.trycloudflare.com
    cod-identification-imported-carl.trycloudflare.com
    amsterdam-sheet-veteran-aka.trycloudflare.com
    benjamin-unnecessary-mothers-configured.trycloudflare.com
    longitude-powerpoint-geek-upgrade.trycloudflare.com
    attribute-homework-generator-lovers.trycloudflare.com
    infected-gc-rhythm-yu.trycloudflare.com

    IP Address:
    178.130.42.94

    Hash (SHA-256):
    3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b
    93aa6cd0787193b4ba5ba6367122dee846c5d18ad77919b261c15ff583b0ca17
    b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Domain/URL:

    domainname like "attribute-homework-generator-lovers.trycloudflare.com" or url like "attribute-homework-generator-lovers.trycloudflare.com" or siteurl like "attribute-homework-generator-lovers.trycloudflare.com" or domainname like "infected-gc-rhythm-yu.trycloudflare.com" or url like "infected-gc-rhythm-yu.trycloudflare.com" or siteurl like "infected-gc-rhythm-yu.trycloudflare.com" or domainname like "benjamin-unnecessary-mothers-configured.trycloudflare.com" or url like "benjamin-unnecessary-mothers-configured.trycloudflare.com" or siteurl like "benjamin-unnecessary-mothers-configured.trycloudflare.com" or domainname like "cod-identification-imported-carl.trycloudflare.com" or url like "cod-identification-imported-carl.trycloudflare.com" or siteurl like "cod-identification-imported-carl.trycloudflare.com" or domainname like "else-accommodation-allowing-throws.trycloudflare.com" or url like "else-accommodation-allowing-throws.trycloudflare.com" or siteurl like "else-accommodation-allowing-throws.trycloudflare.com" or domainname like "longitude-powerpoint-geek-upgrade.trycloudflare.com" or url like "longitude-powerpoint-geek-upgrade.trycloudflare.com" or siteurl like "longitude-powerpoint-geek-upgrade.trycloudflare.com" or domainname like "amsterdam-sheet-veteran-aka.trycloudflare.com" or url like "amsterdam-sheet-veteran-aka.trycloudflare.com" or siteurl like "amsterdam-sheet-veteran-aka.trycloudflare.com"

    IP Address :

    dstipaddress IN ("178.130.42.94") or srcipaddress IN ("178.130.42.94")

    Hash:

    sha256hash IN ("b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda","3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b","93aa6cd0787193b4ba5ba6367122dee846c5d18ad77919b261c15ff583b0ca17")
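    The three TDIR queries above, re-implemented as plain Python matching logic and run over constructed sample events so the matching rules can be checked offline. This is an added example, not Gurucul's own code or query engine; the field names (domainname, url, siteurl, srcipaddress, dstipaddress, sha256hash) are taken from the queries, the event records are constructed, and "like" is assumed to behave as a case-insensitive substring test.

```python
"""Offline re-implementation of the page's three IOC queries (added example)."""
from __future__ import annotations

# IOC values exactly as listed on the page.
IOC_DOMAINS = {
    "else-accommodation-allowing-throws.trycloudflare.com",
    "cod-identification-imported-carl.trycloudflare.com",
    "amsterdam-sheet-veteran-aka.trycloudflare.com",
    "benjamin-unnecessary-mothers-configured.trycloudflare.com",
    "longitude-powerpoint-geek-upgrade.trycloudflare.com",
    "attribute-homework-generator-lovers.trycloudflare.com",
    "infected-gc-rhythm-yu.trycloudflare.com",
}
IOC_IPS = {"178.130.42.94"}
IOC_SHA256 = {
    "3afc8955057eb0bae819ead1e7f534f6e5784bbd5b6aa3a08af72e187b157c5b",
    "93aa6cd0787193b4ba5ba6367122dee846c5d18ad77919b261c15ff583b0ca17",
    "b95eea2bee2113b7b5c7af2acf6c6cbde05829fab79ba86694603d4c1f33fdda",
}

def match_event(event: dict) -> list[str]:
    """Return the IOC categories an event matches ([] if none).
    Field names mirror the TDIR queries. Hostnames and hashes are compared
    case-insensitively; 'like' is assumed to be a substring test."""
    hits = []
    # Domain/URL query: any of the three text fields containing a listed host.
    text = " ".join(str(event.get(k, "")) for k in ("domainname", "url", "siteurl")).lower()
    if any(domain in text for domain in IOC_DOMAINS):
        hits.append("domain")
    # IP query: either endpoint equal to the listed address.
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append("ip")
    # Hash query: exact SHA-256 membership, normalised to lowercase.
    if str(event.get("sha256hash", "")).lower() in IOC_SHA256:
        hits.append("hash")
    return hits

def scan(events: list[dict]) -> list[tuple[int, list[str]]]:
    """Return (event id, matched categories) for every event with a hit."""
    results = [(e["id"], match_event(e)) for e in events]
    return [(i, h) for i, h in results if h]

# Constructed sample events; these do not come from any real incident.
SAMPLE_EVENTS = [
    {"id": 1, "url": "https://Infected-GC-Rhythm-YU.trycloudflare.com/x", "dstipaddress": "203.0.113.5"},
    {"id": 2, "sha256hash": "3AFC8955057EB0BAE819EAD1E7F534F6E5784BBD5B6AA3A08AF72E187B157C5B"},
    {"id": 3, "domainname": "example.org", "srcipaddress": "178.130.42.94"},
    {"id": 4, "domainname": "docs.example.com", "dstipaddress": "198.51.100.9"},
]

if __name__ == "__main__":
    for event_id, categories in scan(SAMPLE_EVENTS):
        print(f"event {event_id}: matched {', '.join(categories)}")
```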

    Reference:

    https://www.recordedfuture.com/research/bluealpha-abuses-cloudflare-tunneling-service

    Tags

    Malware, Threat Actor, Gamaredon, Hive0051, UNC530, Ukraine, Russia, GammaLoad, Spear Phishing
