FSB’s Matryoshka #1/3 – Gamaredon’s Gifts That Keep Unpacking – GammaPhish and GammaWorm

    Date: 06/02/2026

    Severity: High

    Summary

    Gamaredon, a Russian APT (Advanced Persistent Threat) group operated by the FSB, continues to conduct long-term cyberespionage campaigns targeting Ukrainian government, military, and critical infrastructure organizations. The group employs a stealthy, multi-stage infection chain that abuses legitimate Windows features and trusted services such as Telegram, Cloudflare, and cloud storage to maintain persistent access while minimizing detection. Its malware ecosystem, including GammaPhish and GammaWorm, enables USB-based propagation across air-gapped systems, document theft, and continuous deployment of additional payloads, supporting sustained espionage operations against Ukrainian targets.

    Indicators of Compromise (IOC) List

    Domains/URLs

    https://graph.org/kyjfkyr-12-06

    https://bold.zsjtn41091.workers.dev

    https://teletype.in/@myrain/Xh1Lta2Ccro

    https://quitethepastry.ru (operator controlled)

    https://telegra.ph/f8bfl6sp-01-02

    https://t.me/s/teotori

    https://www.telegram.me/s/oberfarir

    IP Address

    104.194.140.6

    Hashes (MD5)

    1794369214b7f62e70a0485e61335c61

    8e1624d110c090ff57d4b493a9107c66

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "https://telegra.ph/f8bfl6sp-01-02" or url like "https://telegra.ph/f8bfl6sp-01-02" or siteurl like "https://telegra.ph/f8bfl6sp-01-02"
    or domainname like "https://graph.org/kyjfkyr-12-06" or url like "https://graph.org/kyjfkyr-12-06" or siteurl like "https://graph.org/kyjfkyr-12-06"
    or domainname like "https://teletype.in/@myrain/Xh1Lta2Ccro" or url like "https://teletype.in/@myrain/Xh1Lta2Ccro" or siteurl like "https://teletype.in/@myrain/Xh1Lta2Ccro"
    or domainname like "https://www.telegram.me/s/oberfarir" or url like "https://www.telegram.me/s/oberfarir" or siteurl like "https://www.telegram.me/s/oberfarir"
    or domainname like "https://bold.zsjtn41091.workers.dev" or siteurl like "https://bold.zsjtn41091.workers.dev" or url like "https://bold.zsjtn41091.workers.dev"
    or domainname like "https://quitethepastry.ru" or siteurl like "https://quitethepastry.ru" or url like "https://quitethepastry.ru"
    or domainname like "https://t.me/s/teotori" or siteurl like "https://t.me/s/teotori" or url like "https://t.me/s/teotori"

    Detection Query 2:

    dstipaddress IN ("104.194.140.6") or srcipaddress IN ("104.194.140.6")

    Detection Query 3:

    md5hash IN ("1794369214b7f62e70a0485e61335c61","8e1624d110c090ff57d4b493a9107c66")
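    As an added example (not part of this advisory or of Gurucul's product), the three checks above implemented in Python over constructed log events. It derives bare hostnames from the URL IOCs, because a proxy log's domainname field carries only the host and never the full URL, and it ranks a host-only hit on a shared platform such as telegra.ph below an exact URL match. The field names (domainname, url, siteurl, srcipaddress, dstipaddress, md5hash) are taken from the queries above; the sample events are constructed.

```python
from urllib.parse import urlsplit

# IOC values from this advisory (the t.me URL written with its missing slash restored).
IOC_URLS = [
    "https://graph.org/kyjfkyr-12-06",
    "https://bold.zsjtn41091.workers.dev",
    "https://teletype.in/@myrain/Xh1Lta2Ccro",
    "https://quitethepastry.ru",
    "https://telegra.ph/f8bfl6sp-01-02",
    "https://t.me/s/teotori",
    "https://www.telegram.me/s/oberfarir",
]
IOC_IPS = {"104.194.140.6"}
IOC_MD5 = {"1794369214b7f62e70a0485e61335c61", "8e1624d110c090ff57d4b493a9107c66"}


def _norm_url(u: str) -> str:
    """host + path, lower-cased, without scheme, query string or trailing slash."""
    p = urlsplit(u.strip().lower())
    return p.netloc + p.path.rstrip("/")


# Exact URL keys give the high-fidelity match; bare hosts are what a domainname field holds.
IOC_URL_KEYS = {_norm_url(u) for u in IOC_URLS}
IOC_HOSTS = {urlsplit(u).hostname for u in IOC_URLS}


def match_event(event: dict) -> list:
    """Return the IOC types an event matches: 'url', 'host', 'ip', 'md5' (empty if clean)."""
    hits = []
    url = (event.get("url") or event.get("siteurl") or "").lower()
    host = (event.get("domainname") or "").lower() or (urlsplit(url).hostname or "")
    if url and _norm_url(url) in IOC_URL_KEYS:
        hits.append("url")    # exact page on the platform: high fidelity
    elif host in IOC_HOSTS:
        hits.append("host")   # shared platform (telegra.ph, graph.org, ...): needs triage
    if {event.get("srcipaddress"), event.get("dstipaddress")} & IOC_IPS:
        hits.append("ip")
    if (event.get("md5hash") or "").lower() in IOC_MD5:
        hits.append("md5")
    return hits


# Constructed sample events, not real telemetry.
SAMPLE_EVENTS = [
    {"domainname": "telegra.ph", "url": "https://telegra.ph/f8bfl6sp-01-02"},
    {"url": "https://t.me/s/teotori?before=40"},       # query string must not defeat the match
    {"url": "https://graph.org/some-unrelated-page"},   # host-only hit on a shared platform
    {"srcipaddress": "192.168.1.20", "dstipaddress": "104.194.140.6"},
    {"md5hash": "1794369214B7F62E70A0485E61335C61"},      # upper-case hash from an EDR export
    {"domainname": "example.org", "url": "https://example.org/"},
]
```

    Run `[match_event(e) for e in SAMPLE_EVENTS]` to see one hit list per event; host-only hits on shared platforms are the ones to triage rather than alert on directly.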

    Reference:

    https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/
    Tags

    Malware, Threat Actor, APT, Gamaredon, Russia, Cyber Espionage, Ukraine, Critical Infrastructure, Government Services and Facilities, Defense Industrial Base, Telegram, Cloudflare
