A little-known hacking group has been mimicking the tactics of a prominent Kremlin-linked threat actor to target Russian-speaking victims, according to new research.
In its latest campaign, the group, dubbed GamaCopy, used phishing documents disguised as official reports about the location of Russian armed forces’ facilities in Ukraine. It also deployed the open-source software UltraVNC to remotely access victims’ systems.
These tactics, along with the use of self-extracting 7-Zip archives (7zSFX) to deliver and load subsequent payloads, are commonly associated with the Russia-backed threat actor known as Gamaredon, according to a report published Monday by the Chinese cybersecurity firm Knownsec.
Gamaredon has been active since at least 2013 and is believed to operate from the Russian-annexed Crimean peninsula. The group is thought to act on orders from Russia’s Federal Security Service (FSB).
Despite GamaCopy’s similarities to Gamaredon, the researchers noted several differences in their campaigns. For example, Gamaredon primarily uses Ukrainian-language lures, while GamaCopy has employed Russian-language ones. The analysis also revealed that GamaCopy’s attack chain involving UltraVNC differs significantly from that of Gamaredon.
GamaCopy was first discovered by Knownsec in June 2023 and has since launched multiple cyberattacks against Russia’s defense and critical infrastructure sectors by imitating Gamaredon, the researchers said. However, it is believed the organization has been active since at least August 2021.
Knownsec described GamaCopy’s campaign as “a successful false flag operation.” In reality, this group is most likely linked to another state-backed actor, known as Core Werewolf, which researchers have not been able to definitively link to a specific country.
Core Werewolf, active since 2021, has targeted Russia’s defense industry and critical infrastructure. Like GamaCopy, it has used 7zSFX and UltraVNC in its previous campaigns.
Earlier in January, Russian researchers discovered that a suspected Ukraine-linked hacker group, dubbed Sticky Werewolf, targeted Russian scientific and industrial enterprises in a cyber-espionage campaign. In a report released in June, the Russian cybersecurity company BI.ZONE revealed that a hacker group called Sapphire Werewolf had attacked more than 300 Russian companies using the Amethyst infostealer.
Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.