State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure

    Date: 04/10/2025

    Severity: High

    Summary

    Researchers have analyzed the infrastructure tactics of two state-sponsored groups: Gamaredon (linked to Russia) and RedFoxtrot/ShadowPad (linked to China). Gamaredon targets Ukrainian, Western, African, and NATO entities, using low-frequency DNS techniques, rapidly changing IPs, and a reusable TLS certificate for its .ru domains, making takedown difficult. Meanwhile, RedFoxtrot employs dynamic DNS services, spoofed certificates, and JA4X fingerprinting, delivering the ShadowPad backdoor via DLL side-loading, often facilitated by PowerShell and batch scripts.

    Indicators of Compromise (IOC) List

    URL/Domain

    studomed.ru

    vinnichich.ru

    www.langra.ru

    meuviresse.ru

    Iafren.ru

    www.neonation.ru

    baklchug.ru

    rudanka.ru

    prostali.ru

    innocentmillions.ru

    antitrots.ru

    home1and.ru

    www.phlovel.ru

    chinosadame.ru

    toretsky.ru

    jedemdasseine.ru

    spanishsky.ru

    endless-bridge.ru

    www.bakalchug.ru

    rookida.ru

    update.updatemic.com

    opwmail.kozow.com

    zngb.kozow.com

    gssllxqxqzyo.giize.com

    static.developers-cloudfare.us

    IP Address

    159.203.2.177

    157.230.152.7

    139.59.153.79

    206.189.135.34

    159.65.192.30

    64.94.84.66

    64.227.72.253

    159.65.205.28

    139.68.15.131

    149.248.77.157

    139.59.13.239

    45.55.235.87

    142.93.145.206

    168.100.11.43

    159.203.17.42

    209.38.196.253

    216.245.184.160

    104.131.190.132

    134.209.244.43

    139.59.189.155

    168.100.11.116

    165.227.39.7

    139.59.95.111

    178.62.238.209

    64.94.85.230

    45.55.42.145

    167.99.90.162

    142.93.232.225

    68.183.201.96

    162.33.179.216

    46.101.240.172

    143.110.218.175

    45.61.139.116

    46.101.91.224

    206.189.29.231

    64.7.199.19

    45.77.33.174

    64.227.185.216

    139.84.142.99

    172.236.187.135

    172.235.10.252

    149.28.137.179

    Hash

    7ad3331be038b43c1a19066f1e4edbe85dfb08596d70774a5e15480394626d39

    cf0403934749f9d6cbcc80e38d0fca87f7d9e519d9a9031b1797b5568a8e3534

    200db5f89d58ce0060da0fac909162f66d9fa27dfe590e929ce9b42fd8d55ae3

    8b557df773156a87f2fe6bf7bb1b10a690e650c08abb924181165ce82d3fc4af

    a596d4a1ede0d022d77f0b03c723c7071ffec0e89b35f0d30fb9ff15feeb4969

    Gurucul Threat Detection and Incident Response (TDIR) Queries for Detection

    Detection Query 1

    domainname like "zngb.kozow.com" or siteurl like "zngb.kozow.com" or url like "zngb.kozow.com"
    or domainname like "studomed.ru" or siteurl like "studomed.ru" or url like "studomed.ru"
    or domainname like "rudanka.ru" or siteurl like "rudanka.ru" or url like "rudanka.ru"
    or domainname like "endless-bridge.ru" or siteurl like "endless-bridge.ru" or url like "endless-bridge.ru"
    or domainname like "baklchug.ru" or siteurl like "baklchug.ru" or url like "baklchug.ru"
    or domainname like "gssllxqxqzyo.giize.com" or siteurl like "gssllxqxqzyo.giize.com" or url like "gssllxqxqzyo.giize.com"
    or domainname like "static.developers-cloudfare.us" or siteurl like "static.developers-cloudfare.us" or url like "static.developers-cloudfare.us"
    or domainname like "antitrots.ru" or siteurl like "antitrots.ru" or url like "antitrots.ru"
    or domainname like "vinnichich.ru" or siteurl like "vinnichich.ru" or url like "vinnichich.ru"
    or domainname like "www.phlovel.ru" or siteurl like "www.phlovel.ru" or url like "www.phlovel.ru"
    or domainname like "www.langra.ru" or siteurl like "www.langra.ru" or url like "www.langra.ru"
    or domainname like "www.neonation.ru" or siteurl like "www.neonation.ru" or url like "www.neonation.ru"
    or domainname like "rookida.ru" or siteurl like "rookida.ru" or url like "rookida.ru"
    or domainname like "www.bakalchug.ru" or siteurl like "www.bakalchug.ru" or url like "www.bakalchug.ru"
    or domainname like "spanishsky.ru" or siteurl like "spanishsky.ru" or url like "spanishsky.ru"
    or domainname like "home1and.ru" or siteurl like "home1and.ru" or url like "home1and.ru"
    or domainname like "chinosadame.ru" or siteurl like "chinosadame.ru" or url like "chinosadame.ru"
    or domainname like "prostali.ru" or siteurl like "prostali.ru" or url like "prostali.ru"
    or domainname like "meuviresse.ru" or siteurl like "meuviresse.ru" or url like "meuviresse.ru"
    or domainname like "Iafren.ru" or siteurl like "Iafren.ru" or url like "Iafren.ru"
    or domainname like "innocentmillions.ru" or siteurl like "innocentmillions.ru" or url like "innocentmillions.ru"
    or domainname like "toretsky.ru" or siteurl like "toretsky.ru" or url like "toretsky.ru"
    or domainname like "jedemdasseine.ru" or siteurl like "jedemdasseine.ru" or url like "jedemdasseine.ru"
    or domainname like "update.updatemic.com" or siteurl like "update.updatemic.com" or url like "update.updatemic.com"
    or domainname like "opwmail.kozow.com" or siteurl like "opwmail.kozow.com" or url like "opwmail.kozow.com"

    Detection Query 2

    dstipaddress IN ("68.183.201.96","45.61.139.116","139.84.142.99","139.68.15.131","45.77.33.174","139.59.13.239",
        "139.59.189.155","143.110.218.175","168.100.11.116","64.227.185.216","206.189.135.34","159.203.2.177",
        "157.230.152.7","139.59.153.79","159.65.192.30","64.94.84.66","64.227.72.253","159.65.205.28",
        "149.248.77.157","45.55.235.87","142.93.145.206","168.100.11.43","159.203.17.42","209.38.196.253",
        "216.245.184.160","104.131.190.132","134.209.244.43","165.227.39.7","139.59.95.111","178.62.238.209",
        "64.94.85.230","45.55.42.145","167.99.90.162","142.93.232.225","162.33.179.216","46.101.240.172",
        "46.101.91.224","206.189.29.231","64.7.199.19","172.236.187.135","172.235.10.252","149.28.137.179")
    or srcipaddress IN ("68.183.201.96","45.61.139.116","139.84.142.99","139.68.15.131","45.77.33.174","139.59.13.239",
        "139.59.189.155","143.110.218.175","168.100.11.116","64.227.185.216","206.189.135.34","159.203.2.177",
        "157.230.152.7","139.59.153.79","159.65.192.30","64.94.84.66","64.227.72.253","159.65.205.28",
        "149.248.77.157","45.55.235.87","142.93.145.206","168.100.11.43","159.203.17.42","209.38.196.253",
        "216.245.184.160","104.131.190.132","134.209.244.43","165.227.39.7","139.59.95.111","178.62.238.209",
        "64.94.85.230","45.55.42.145","167.99.90.162","142.93.232.225","162.33.179.216","46.101.240.172",
        "46.101.91.224","206.189.29.231","64.7.199.19","172.236.187.135","172.235.10.252","149.28.137.179")

    Detection Query 3

    sha256hash IN ("a596d4a1ede0d022d77f0b03c723c7071ffec0e89b35f0d30fb9ff15feeb4969","7ad3331be038b43c1a19066f1e4edbe85dfb08596d70774a5e15480394626d39","8b557df773156a87f2fe6bf7bb1b10a690e650c08abb924181165ce82d3fc4af","cf0403934749f9d6cbcc80e38d0fca87f7d9e519d9a9031b1797b5568a8e3534","200db5f89d58ce0060da0fac909162f66d9fa27dfe590e929ce9b42fd8d55ae3")
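    The three queries above match the domain, IP and hash fields literally. The following is an added Python example (not the advisory's or Gurucul's code) that applies the same three checks to a few constructed log records and adds the normalization a practitioner wants before trusting the result: case-folding and trailing-dot stripping for domains and hashes, label-wise subdomain matching so a host that merely contains an IOC as a substring does not fire, hostname extraction from full URLs, and validation plus de-duplication of the IP list (the advisory lists one address twice). The field names follow the queries; only a subset of the page's IOCs is embedded; the sample records are constructed for the example.

```python
import ipaddress
from urllib.parse import urlsplit

# Subset of the advisory's IOC list (values copied from the page); the full
# list would be loaded the same way.
DOMAIN_IOCS = {
    "studomed.ru", "zngb.kozow.com", "www.bakalchug.ru", "baklchug.ru",
    "static.developers-cloudfare.us", "update.updatemic.com",
}
IP_IOCS_RAW = ["172.235.10.252", "149.248.77.157", "149.248.77.157", "159.203.2.177"]
HASH_IOCS = {
    "a596d4a1ede0d022d77f0b03c723c7071ffec0e89b35f0d30fb9ff15feeb4969",
    "7ad3331be038b43c1a19066f1e4edbe85dfb08596d70774a5e15480394626d39",
}

# Field names as used by the advisory's detection queries.
DOMAIN_FIELDS = ("domainname", "siteurl", "url")
IP_FIELDS = ("dstipaddress", "srcipaddress")
HASH_FIELDS = ("sha256hash",)


def normalize_domain(name):
    """Lower-case and strip whitespace and a trailing root dot."""
    return name.strip().lower().rstrip(".")


def load_ip_iocs(raw):
    """Validate and de-duplicate IP IOCs; malformed entries are dropped."""
    out = set()
    for s in raw:
        try:
            out.add(ipaddress.ip_address(s.strip()))
        except ValueError:
            continue
    return out


IP_IOCS = load_ip_iocs(IP_IOCS_RAW)


def hostname_of(value):
    """Return the hostname from a URL, or the value itself if it is a bare host."""
    v = value.strip()
    if "://" in v:
        return urlsplit(v).hostname or ""  # .hostname is already lower-cased
    return normalize_domain(v.split("/", 1)[0])


def domain_hit(host, iocs=DOMAIN_IOCS):
    """Return the IOC that `host` equals or is a subdomain of, else None.

    Matching is label-wise, so 'notstudomed.ru' does not hit 'studomed.ru'
    while 'mail.zngb.kozow.com' does hit 'zngb.kozow.com'.
    """
    labels = normalize_domain(host).split(".")
    for i in range(len(labels)):
        candidate = ".".join(labels[i:])
        if candidate in iocs:
            return candidate
    return None


def match_record(record):
    """Apply the domain, IP and hash checks to one log record.

    Returns a list of (field, observed_value, matched_ioc) tuples.
    """
    hits = []
    for f in DOMAIN_FIELDS:
        if f in record:
            ioc = domain_hit(hostname_of(str(record[f])))
            if ioc:
                hits.append((f, record[f], ioc))
    for f in IP_FIELDS:
        if f in record:
            try:
                ip = ipaddress.ip_address(str(record[f]).strip())
            except ValueError:
                continue  # unparsable address: no match, no crash
            if ip in IP_IOCS:
                hits.append((f, record[f], str(ip)))
    for f in HASH_FIELDS:
        if f in record:
            h = str(record[f]).strip().lower()
            if h in HASH_IOCS:
                hits.append((f, record[f], h))
    return hits


def scan(records):
    """Return [(record_index, hits)] for every record with at least one hit."""
    alerts = []
    for i, r in enumerate(records):
        hits = match_record(r)
        if hits:
            alerts.append((i, hits))
    return alerts


# Constructed sample records (not real telemetry) covering the edge cases.
SAMPLE_RECORDS = [
    {"event": "dns", "domainname": "STUDOMED.RU."},                    # case + root dot
    {"event": "proxy", "url": "https://mail.zngb.kozow.com/login",
     "srcipaddress": "10.0.0.5", "dstipaddress": "172.235.10.252"},    # subdomain + IP
    {"event": "proxy", "url": "https://notstudomed.ru/",
     "dstipaddress": "198.51.100.7"},                                  # substring only
    {"event": "file", "sha256hash":
     "A596D4A1EDE0D022D77F0B03C723C7071FFEC0E89B35F0D30FB9FF15FEEB4969"},  # upper-case hash
    {"event": "flow", "srcipaddress": "not-an-ip", "dstipaddress": "149.248.77.157"},
]

if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_RECORDS):
        for field, value, ioc in hits:
            print(f"record {idx}: {field}={value!r} matched IOC {ioc}")
```

    Records 0, 1, 3 and 4 alert; record 2 does not, because `notstudomed.ru` shares only a substring with the IOC. A plain `like` clause without anchoring would fire on that record, which is the check worth adding when the queries above are ported to a platform whose `like` is a substring match.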

    Reference:

    https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad#Gamaredon_Network_Observables_and_Indicators_of_Compromise_IOCs


    Tags

    Malware, Threat Actor, Gamaredon, ShadowPad, RedFoxtrot, Backdoor, DLL, Russia, China, Ukraine, Africa, NATO
