Gamaredon in 2025: Leveraging Tunnels, Workers, Dead Drops, and New Alliances

    Date: 06/26/2026

    Severity: Critical

    Summary

    Russia-aligned APT group Gamaredon maintained an aggressive cyberespionage campaign throughout 2025, targeting Ukrainian government and military organizations with large-scale spearphishing attacks and new PowerShell-based malware. The group enhanced its stealth by using cloud storage services, tunnels, DDNS, PaaS platforms, and legitimate messaging and social media services as dead drops for command-and-control and data exfiltration, making detection and disruption significantly more challenging. 

    Indicators of Compromise (IOC) List

    Domains/URLs

    wwpeeya.ignores.workers.dev

    szrtrboyre.fewwef.workers.dev 

    srkwk.3742eddi.workers.dev 

    d16ss6sn-80.euw.devtunnels.ms

    ser-uk-definesinvolved.trycloudflare.com

    8b82933574e0112129f7062a41689f7a.loophole.site

    litanq.ru

    estaca.ru

    earlysilence.ru

    jvyuwatt.ssuworker.workers.dev

    zalupka.net

    veryinappropriate.ru

    cheese-metalsgourmet-interviews.trycloudflare.com

    stake.ytmrj83283.workers.dev 

    holdmyspice.ru

    ch47f6gl80.euw.devtunnels.ms

    parameter-iron-turns-combinations.trycloudflare.com

    maybefallout.ru

    maybefallout.online

    alfred-assumptionsasin-winston.trycloudflare.com

    your-combinationpercent-gibson.trycloudflare.com

    7tnzsgp4-80.use.devtunnels.ms

    x3f2q1cd80.asse.devtunnels.ms

    innocent-faressupposedloved.trycloudflare.com

    x8b9b7q2-80.euw.devtunnels.ms

    99a23d4d4f0c9ca8e8bac7d30a02442d.loophole.site

    graph-proved-physicians-ward.trycloudflare.com

    lettinggo.ru

    finally-electionaudience-dont.trycloudflare.com

    4273twd6-80.euw.devtunnels.ms

    wage.zpwyi71185.workers.dev

    dushun.ru

    IP Address

    69.67.173.214

    167.88.164.202

    172.235.166.243

    Hash

    41BDC7545EE8A7E37714AE6C4F69F95C846FCB38

    76EC9B898E3FED239AF3895D9F3225EFB1273DCC

    606C2692E409E40E6D563458FDF71FAA9EA22557

    569265C1BDE1D738963DD027BEB24AE0DC864F7F

    584685A6AA84192302DF27C35E492B2846C06DD6

    8CB65FE85C25CE521139990689AC989B44A0A230

    256DE94FDBF675E3CCB1ADC42AB74771B5381B3F

    ED5BA0EF9E2413F1CD29464209F7B5E347810299

    B13B5B1186B5AC0558E692E72990ECEB810BDA47

    7EF497C6A2EF33558C1CAF41F6EC3614AF898C4C

    42DB9DE2017F66ED3AF88E7B1094891627B3C706

    F045E11EEA6AF11867380141C1E1888F433B5342

    F718F25DCCF68BD7CB28AA7CB526FFA54B0E51A8

    09A22856890AB6AEF6311CA2BD27BE54E86DA75C

    0F952E6162BCC881F7F844F3E2C7CDA9A5C74D72

    61B03FF9D84EB653F9F66867DBF76DFB1E130E93

    45ECE835E5065775B7EFD1CCED99B6DD4FEC6A3B

    FA10D0469DBE45F2D359730135BDA39B5CCCC9BE

    B66B2FB1A71A7E8CAF3B9A90DD84A2A3619F5CC5

    7947737949CC3D273DFE8DBD9F70701A25ED05B8

    7FED429FF76C75BBF57D75152160BEABF1EDD886

    7976F1E6B079008E56AE35F1AFC6336D12CBA8E1

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1:

    domainname like "innocent-faressupposedloved.trycloudflare.com" or url like "innocent-faressupposedloved.trycloudflare.com" or siteurl like "innocent-faressupposedloved.trycloudflare.com" or domainname like "earlysilence.ru" or url like "earlysilence.ru" or siteurl like "earlysilence.ru" or domainname like "wage.zpwyi71185.workers.dev" or url like "wage.zpwyi71185.workers.dev" or siteurl like "wage.zpwyi71185.workers.dev" or domainname like "veryinappropriate.ru" or url like "veryinappropriate.ru" or siteurl like "veryinappropriate.ru" or domainname like "x3f2q1cd80.asse.devtunnels.ms" or url like "x3f2q1cd80.asse.devtunnels.ms" or siteurl like "x3f2q1cd80.asse.devtunnels.ms" or domainname like "szrtrboyre.fewwef.workers.dev" or url like "szrtrboyre.fewwef.workers.dev" or siteurl like "szrtrboyre.fewwef.workers.dev" or domainname like "graph-proved-physicians-ward.trycloudflare.com" or url like "graph-proved-physicians-ward.trycloudflare.com" or siteurl like "graph-proved-physicians-ward.trycloudflare.com" or domainname like "holdmyspice.ru" or url like "holdmyspice.ru" or siteurl like "holdmyspice.ru" or domainname like "maybefallout.online" or url like "maybefallout.online" or siteurl like "maybefallout.online" or domainname like "alfred-assumptionsasin-winston.trycloudflare.com" or url like "alfred-assumptionsasin-winston.trycloudflare.com" or siteurl like "alfred-assumptionsasin-winston.trycloudflare.com" or domainname like "jvyuwatt.ssuworker.workers.dev" or url like "jvyuwatt.ssuworker.workers.dev" or siteurl like "jvyuwatt.ssuworker.workers.dev" or domainname like "zalupka.net" or url like "zalupka.net" or siteurl like "zalupka.net" or domainname like "parameter-iron-turns-combinations.trycloudflare.com" or url like "parameter-iron-turns-combinations.trycloudflare.com" or siteurl like "parameter-iron-turns-combinations.trycloudflare.com" or domainname like "stake.ytmrj83283.workers.dev" or url like "stake.ytmrj83283.workers.dev" or siteurl like "stake.ytmrj83283.workers.dev" or domainname like "estaca.ru" or url like "estaca.ru" or siteurl like "estaca.ru" or domainname like "7tnzsgp4-80.use.devtunnels.ms" or url like "7tnzsgp4-80.use.devtunnels.ms" or siteurl like "7tnzsgp4-80.use.devtunnels.ms" or domainname like "cheese-metalsgourmet-interviews.trycloudflare.com" or url like "cheese-metalsgourmet-interviews.trycloudflare.com" or siteurl like "cheese-metalsgourmet-interviews.trycloudflare.com" or domainname like "lettinggo.ru" or url like "lettinggo.ru" or siteurl like "lettinggo.ru" or domainname like "litanq.ru" or url like "litanq.ru" or siteurl like "litanq.ru" or domainname like "maybefallout.ru" or url like "maybefallout.ru" or siteurl like "maybefallout.ru" or domainname like "your-combinationpercent-gibson.trycloudflare.com" or url like "your-combinationpercent-gibson.trycloudflare.com" or siteurl like "your-combinationpercent-gibson.trycloudflare.com" or domainname like "srkwk.3742eddi.workers.dev" or url like "srkwk.3742eddi.workers.dev" or siteurl like "srkwk.3742eddi.workers.dev" or domainname like "ser-uk-definesinvolved.trycloudflare.com" or url like "ser-uk-definesinvolved.trycloudflare.com" or siteurl like "ser-uk-definesinvolved.trycloudflare.com" or domainname like "wwpeeya.ignores.workers.dev" or url like "wwpeeya.ignores.workers.dev" or siteurl like "wwpeeya.ignores.workers.dev" or domainname like "finally-electionaudience-dont.trycloudflare.com" or url like "finally-electionaudience-dont.trycloudflare.com" or siteurl like "finally-electionaudience-dont.trycloudflare.com" or domainname like "dushun.ru" or url like "dushun.ru" or siteurl like "dushun.ru" or domainname like "d16ss6sn-80.euw.devtunnels.ms" or siteurl like "d16ss6sn-80.euw.devtunnels.ms" or url like "d16ss6sn-80.euw.devtunnels.ms" or domainname like "8b82933574e0112129f7062a41689f7a.loophole.site" or siteurl like "8b82933574e0112129f7062a41689f7a.loophole.site" or url like "8b82933574e0112129f7062a41689f7a.loophole.site" or domainname like "ch47f6gl80.euw.devtunnels.ms" or siteurl like "ch47f6gl80.euw.devtunnels.ms" or url like "ch47f6gl80.euw.devtunnels.ms" or domainname like "x8b9b7q2-80.euw.devtunnels.ms" or siteurl like "x8b9b7q2-80.euw.devtunnels.ms" or url like "x8b9b7q2-80.euw.devtunnels.ms" or domainname like "99a23d4d4f0c9ca8e8bac7d30a02442d.loophole.site" or siteurl like "99a23d4d4f0c9ca8e8bac7d30a02442d.loophole.site" or url like "99a23d4d4f0c9ca8e8bac7d30a02442d.loophole.site" or domainname like "4273twd6-80.euw.devtunnels.ms" or siteurl like "4273twd6-80.euw.devtunnels.ms" or url like "4273twd6-80.euw.devtunnels.ms"

    Detection Query 2:

    dstipaddress IN ("167.88.164.202","172.235.166.243","69.67.173.214") or srcipaddress IN ("167.88.164.202","172.235.166.243","69.67.173.214")

    Detection Query 3:

    sha1hash IN ("41BDC7545EE8A7E37714AE6C4F69F95C846FCB38","76EC9B898E3FED239AF3895D9F3225EFB1273DCC","606C2692E409E40E6D563458FDF71FAA9EA22557","569265C1BDE1D738963DD027BEB24AE0DC864F7F","584685A6AA84192302DF27C35E492B2846C06DD6","8CB65FE85C25CE521139990689AC989B44A0A230","256DE94FDBF675E3CCB1ADC42AB74771B5381B3F","ED5BA0EF9E2413F1CD29464209F7B5E347810299","B13B5B1186B5AC0558E692E72990ECEB810BDA47","7EF497C6A2EF33558C1CAF41F6EC3614AF898C4C","42DB9DE2017F66ED3AF88E7B1094891627B3C706","F045E11EEA6AF11867380141C1E1888F433B5342","F718F25DCCF68BD7CB28AA7CB526FFA54B0E51A8","09A22856890AB6AEF6311CA2BD27BE54E86DA75C","0F952E6162BCC881F7F844F3E2C7CDA9A5C74D72","61B03FF9D84EB653F9F66867DBF76DFB1E130E93","45ECE835E5065775B7EFD1CCED99B6DD4FEC6A3B","FA10D0469DBE45F2D359730135BDA39B5CCCC9BE","B66B2FB1A71A7E8CAF3B9A90DD84A2A3619F5CC5","7947737949CC3D273DFE8DBD9F70701A25ED05B8","7FED429FF76C75BBF57D75152160BEABF1EDD886","7976F1E6B079008E56AE35F1AFC6336D12CBA8E1")
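    The three queries above check the same three indicator types in three different fields: hostnames and URLs, source/destination IPs, and SHA-1 file hashes. The script below is an added example, not part of the original advisory and not Gurucul's TDIR query language or ESET's tooling. It applies those same checks to a few constructed log records, matching on the exact hostname rather than on a substring, and it goes one step beyond the static list: any hostname under the tunnel and worker services the summary names (trycloudflare.com, devtunnels.ms, workers.dev, loophole.site) is surfaced as a lower-confidence "tunnel-service" signal for triage, because a freshly created tunnel hostname will not be in any IOC list. The indicator sets hold only a subset of the IOCs above (extend them with the full list), and the sample records are constructed, not real telemetry.

```python
"""IOC matcher for the indicator types used in the detection queries above.

Added example (not the advisory's own code). Matches constructed log records
against a subset of the published domains, IPs and SHA-1 hashes, and flags
hosts under the abused tunnel/worker services as lower-confidence hits.
"""
from urllib.parse import urlsplit

# Subset of the IOC list above; extend with the full list for production use.
IOC_DOMAINS = {
    "wwpeeya.ignores.workers.dev",
    "d16ss6sn-80.euw.devtunnels.ms",
    "ser-uk-definesinvolved.trycloudflare.com",
    "8b82933574e0112129f7062a41689f7a.loophole.site",
    "litanq.ru",
    "maybefallout.ru",
    "maybefallout.online",
}
IOC_IPS = {"69.67.173.214", "167.88.164.202", "172.235.166.243"}
IOC_SHA1 = {
    "41bdc7545ee8a7e37714ae6c4f69f95c846fcb38",
    "76ec9b898e3fed239af3895d9f3225efb1273dcc",
}
# Parent zones of the tunnel/worker services named in the summary. A match
# here is a triage signal, not an IOC hit: legitimate dev traffic uses them too.
TUNNEL_ZONES = ("trycloudflare.com", "devtunnels.ms", "workers.dev", "loophole.site")


def host_from(value: str) -> str:
    """Return the lower-cased hostname from a bare domain or a full URL."""
    value = value.strip().lower()
    if "://" in value:
        return urlsplit(value).hostname or ""
    # Bare "host[:port][/path]" form: drop any path and port.
    return value.split("/", 1)[0].split(":", 1)[0]


def classify(record: dict) -> list[str]:
    """Return the reasons a record matches; an empty list means no match."""
    reasons = []
    # Same three fields as Detection Query 1, but exact host comparison.
    for key in ("domainname", "url", "siteurl"):
        host = host_from(record.get(key, ""))
        if not host:
            continue
        if host in IOC_DOMAINS:
            reasons.append(f"ioc-domain:{host}")
        elif any(host == z or host.endswith("." + z) for z in TUNNEL_ZONES):
            reasons.append(f"tunnel-service:{host}")
    # Same two fields as Detection Query 2.
    for key in ("dstipaddress", "srcipaddress"):
        if record.get(key) in IOC_IPS:
            reasons.append(f"ioc-ip:{record[key]}")
    # Same field as Detection Query 3; hashes compared case-insensitively.
    sha1 = record.get("sha1hash", "").lower()
    if sha1 in IOC_SHA1:
        reasons.append(f"ioc-sha1:{sha1}")
    return reasons


def scan(records: list[dict]) -> list[tuple[int, list[str]]]:
    """Run classify over every record; return (index, reasons) for each hit."""
    return [(i, r) for i, rec in enumerate(records) if (r := classify(rec))]


# Constructed sample records, not real telemetry.
SAMPLE_RECORDS = [
    {"domainname": "litanq.ru", "dstipaddress": "203.0.113.10"},
    {"url": "https://d16ss6sn-80.euw.devtunnels.ms/index.php?id=1"},
    {"siteurl": "https://example.com/", "dstipaddress": "167.88.164.202"},
    {"sha1hash": "76EC9B898E3FED239AF3895D9F3225EFB1273DCC"},
    {"url": "https://newname-notyetlisted.trycloudflare.com/"},
    {"domainname": "intranet.example.org", "dstipaddress": "10.0.0.5"},
]

if __name__ == "__main__":
    for idx, reasons in scan(SAMPLE_RECORDS):
        print(idx, ", ".join(reasons))
```

    Records 0 to 3 match a listed domain, IP or hash; record 4 is not in the IOC list but lands on the tunnel-service check; record 5 is clean. Comparing the whole hostname rather than a substring avoids firing on unrelated hosts that merely contain an indicator inside a longer name.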

    Reference:

    https://www.welivesecurity.com/en/eset-research/gamaredon-2025-leveraging-tunnels-workers-dead-drops-new-alliances/#iocs


    Tags

    Spear Phishing, Phishing, Exfiltration, PowerShell Attack, Threat Actor, Malware, APT, Russia, Gamaredon, Cyber Espionage, Ukraine, Government Services and Facilities, Defense Industrial Base

