Russian state hackers abuse Cloudflare services to spy on Ukrainian targets

A Russian state-sponsored hacker group, known as Gamaredon, has been targeting Ukrainian-speaking victims in an ongoing cyber-espionage campaign, researchers have found.

Gamaredon, also tracked as BlueAlpha, has been previously described as one of “the most engaged” Moscow-backed hacker groups in Ukraine. It has been active since at least 2013 and likely operates from the Russian-annexed Crimean peninsula. The group is believed to act on orders from Russia’s Federal Security Service (FSB).

In its latest campaign, the group has been observed using Cloudflare Tunnels — a tool that helps hide the real location of servers or infrastructure — to infect their targets with custom GammaDrop malware and stay undetected, according to Recorded Future’s Insikt Group. The Record is an editorially independent unit of Recorded Future.

“Cloudflare Tunnels have been gaining momentum as a defense evasion technique due to their ease of setup and the fact that they have no cost to the user in most cases,” researchers said.

Earlier in August, another security company, Proofpoint, reported observing an increase in malware delivery via Cloudflare Tunnel abuse. The attacks they detected were financially motivated.

Cloudflare did not immediately respond to a request for comment.

To deliver GammaDrop to the targeted systems, the hackers used malicious email attachments. GammaDrop is a payload used to establish a foothold on a victim’s machine and deliver GammaLoad, the group’s custom backdoor.

Insikt Group said that the latest GammaDrop sample they obtained has been obfuscated with “extensive amounts” of junk code and random variable names, making it harder to detect and analyze.

According to researchers, the group will likely continue improving its evasion techniques, including by using popular legitimate services like Cloudflare.

Researchers haven’t disclosed which Ukrainian organizations the hackers targeted or the results of the campaign, but Gamaredon is known for using malware that allows hackers to exfiltrate data, steal credentials, execute additional payloads and maintain persistent access to compromised networks.

In August, around the same time Insikt Group said they obtained the GammaDrop sample, the group targeted Ukraine’s military and government agencies during the country’s long-anticipated counteroffensive. In a report published at that time by Ukraine’s National Coordination Center for Cybersecurity (NCCC), the agency said that to hide its activity from targets and researchers, the group’s malware retrieves domain names from legitimate services such as Cloudflare, Telegram and Telegraph instead of using its real IP addresses.


Daryna Antoniuk is a reporter for Recorded Future News based in Ukraine. She writes about cybersecurity startups, cyberattacks in Eastern Europe and the state of the cyberwar between Ukraine and Russia. She previously was a tech reporter for Forbes Ukraine. Her work has also been published at Sifted, The Kyiv Independent and The Kyiv Post.
