Date: 04/07/2025
Severity: High
Summary
Gamaredon, also known as Primitive Bear, Actinium, or Shuckworm, is a Russian Advanced Persistent Threat (APT) group active since at least 2013. Historically it targeted the US and the Indian subcontinent; its recent focus has shifted toward Ukraine, including attacks on Western government entities. Unlike typical hit-and-run APT operations, Gamaredon conducts persistent, heavily obfuscated, and notably aggressive campaigns, a bold and sustained approach uncommon among other threat actors.
Indicators of Compromise (IOC) List
Domain\URL:
http://encyclopedia83.samiseto.ru/home-pc/registry/amiable/prick/sorry.83glf
http://relation46.samiseto.ru/desktop-uvhg99d/percy.46rra
amalsa.ru
ayrympo.ru
bromumo.ru
caccabius.ru
dedspac.ru
encyclopedia83.samiseto.ru
erinaceuso.ru
madzhidgo.ru
quyenzo.ru
relation46.samiseto.ru
samiseto.ru
ulitron.ru

IP Address:
141.98.233.103
141.98.233.109
46.29.234.119
5.44.42.154
Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection
Domain\URL:
domainname like "erinaceuso.ru" or url like "erinaceuso.ru" or siteurl like "erinaceuso.ru"
or domainname like "http://relation46.samiseto.ru/desktop-uvhg99d/percy.46rra" or url like "http://relation46.samiseto.ru/desktop-uvhg99d/percy.46rra" or siteurl like "http://relation46.samiseto.ru/desktop-uvhg99d/percy.46rra"
or domainname like "bromumo.ru" or url like "bromumo.ru" or siteurl like "bromumo.ru"
or domainname like "amalsa.ru" or url like "amalsa.ru" or siteurl like "amalsa.ru"
or domainname like "quyenzo.ru" or url like "quyenzo.ru" or siteurl like "quyenzo.ru"
or domainname like "caccabius.ru" or url like "caccabius.ru" or siteurl like "caccabius.ru"
or domainname like "http://encyclopedia83.samiseto.ru/home-pc/registry/amiable/prick/sorry.83glf" or url like "http://encyclopedia83.samiseto.ru/home-pc/registry/amiable/prick/sorry.83glf" or siteurl like "http://encyclopedia83.samiseto.ru/home-pc/registry/amiable/prick/sorry.83glf"
or domainname like "ayrympo.ru" or url like "ayrympo.ru" or siteurl like "ayrympo.ru"
or domainname like "relation46.samiseto.ru" or url like "relation46.samiseto.ru" or siteurl like "relation46.samiseto.ru"
or domainname like "madzhidgo.ru" or url like "madzhidgo.ru" or siteurl like "madzhidgo.ru"
or domainname like "ulitron.ru" or url like "ulitron.ru" or siteurl like "ulitron.ru"
or domainname like "dedspac.ru" or url like "dedspac.ru" or siteurl like "dedspac.ru"
or domainname like "encyclopedia83.samiseto.ru" or url like "encyclopedia83.samiseto.ru" or siteurl like "encyclopedia83.samiseto.ru"
or domainname like "samiseto.ru" or url like "samiseto.ru" or siteurl like "samiseto.ru"

IP Address:
dstipaddress IN ("141.98.233.103","141.98.233.109","46.29.234.119","5.44.42.154") or srcipaddress IN ("141.98.233.103","141.98.233.109","46.29.234.119","5.44.42.154")
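The queries above express the same check against the five TDIR fields (domainname, url, siteurl, srcipaddress, dstipaddress). The following Python script is an added example, not part of the Gurucul advisory or its product, that runs the same IOC match over proxy/firewall events outside the TDIR platform. It assumes a constructed key=value log format whose field names mirror the query's; the sample lines and the internal 10.0.0.x / 198.51.100.x / 203.0.113.x addresses are constructed, while the IOC values themselves are copied from the list above.

```python
"""Match log events against the Gamaredon IOCs listed in this advisory.

The field names mirror the TDIR query: domainname, url, siteurl, srcipaddress,
dstipaddress. Domains match on equality or as a parent of the observed host,
so a hostname such as cdn.samiseto.ru hits on samiseto.ru, while a look-alike
such as notsamiseto.ru does not.
"""
from urllib.parse import urlparse

# IOC values copied from the advisory above.
IOC_DOMAINS = {
    "amalsa.ru", "ayrympo.ru", "bromumo.ru", "caccabius.ru", "dedspac.ru",
    "encyclopedia83.samiseto.ru", "erinaceuso.ru", "madzhidgo.ru",
    "quyenzo.ru", "relation46.samiseto.ru", "samiseto.ru", "ulitron.ru",
}
IOC_URLS = {
    "http://encyclopedia83.samiseto.ru/home-pc/registry/amiable/prick/sorry.83glf",
    "http://relation46.samiseto.ru/desktop-uvhg99d/percy.46rra",
}
IOC_IPS = {"141.98.233.103", "141.98.233.109", "46.29.234.119", "5.44.42.154"}

# Constructed sample events (not real telemetry); one key=value event per line.
SAMPLE_LOG = """\
ts=2025-04-07T10:12:03Z srcipaddress=10.0.0.15 dstipaddress=141.98.233.103 url=http://relation46.samiseto.ru/desktop-uvhg99d/percy.46rra
ts=2025-04-07T10:12:09Z srcipaddress=10.0.0.22 dstipaddress=203.0.113.44 domainname=www.example.com
ts=2025-04-07T10:13:41Z srcipaddress=10.0.0.31 dstipaddress=198.51.100.7 domainname=cdn.samiseto.ru
ts=2025-04-07T10:14:02Z srcipaddress=10.0.0.40 dstipaddress=198.51.100.8 siteurl=https://notsamiseto.ru/index.html
"""


def parse_event(line):
    """Parse one 'k=v k=v ...' line into a dict (values contain no spaces here)."""
    event = {}
    for token in line.split():
        key, sep, value = token.partition("=")
        if sep:
            event[key] = value
    return event


def host_of(value):
    """Return the lower-cased hostname of a URL, or the bare value if it is already a host."""
    if "://" in value:
        return (urlparse(value).hostname or "").lower()
    return value.lower().rstrip(".")


def matched_domain(host):
    """Return the IOC domain that host equals or is a subdomain of, else None."""
    for ioc in IOC_DOMAINS:
        if host == ioc or host.endswith("." + ioc):
            return ioc
    return None


def check_event(event):
    """Return a list of (field, ioc) hits for one parsed event."""
    hits = []
    for field in ("domainname", "url", "siteurl"):
        value = event.get(field)
        if not value:
            continue
        if value in IOC_URLS:          # exact URL IOC
            hits.append((field, value))
            continue
        ioc = matched_domain(host_of(value))
        if ioc:
            hits.append((field, ioc))
    for field in ("srcipaddress", "dstipaddress"):
        if event.get(field) in IOC_IPS:
            hits.append((field, event[field]))
    return hits


def scan_log(text):
    """Return {line_number: hits} for every line that matched at least one IOC."""
    results = {}
    for number, line in enumerate(text.splitlines(), start=1):
        hits = check_event(parse_event(line))
        if hits:
            results[number] = hits
    return results


if __name__ == "__main__":
    for number, hits in scan_log(SAMPLE_LOG).items():
        print(f"line {number}: {hits}")
```

On the constructed sample, lines 1 and 3 are flagged (exact URL plus destination IP, and a host under samiseto.ru) while line 4 is not: the TDIR `like` operator is a substring match, so a look-alike such as notsamiseto.ru would also match there, whereas the suffix match used here keeps that case out. Decide which behaviour you want before tuning the rule for your own telemetry.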
Reference:
https://www.silentpush.com/blog/from-russia-with-a-71/