
The Kremlin-linked espionage group “Shuckworm” is back with another hacking campaign against Ukraine and its Western allies, this time targeting a foreign military operation taking place in the war-torn nation.
That’s according to a new blog released Thursday by the Threat Hunter Team at Symantec.
Intelligence researchers said the recent Shuckworm attack was first observed on February 26th, although the Russian threat actors have been around since 2013, relentlessly targeting Ukrainian entities and infrastructure for over a decade on behalf of the Russian Federal Security Service (FSB). The campaign is said to have actively targeted “the military mission of a Western country based in the Eastern European nation,” starting in February and continuing through March.
Sometimes referred to as Gamaredon or Armageddon, Shuckworm is known to “almost exclusively focus its operations on government, law enforcement, and defense organizations in Ukraine,” Symantec said.
The group’s tool of choice this time around appears to be an updated PowerShell version of its “GammaSteel” infostealer, a type of malware designed for data exfiltration.
Latest Shuckworm target we've uncovered: A Western military mission base in Ukraine. https://t.co/zOICzWm9C3 #shuckworm #gamaredon pic.twitter.com/FaePQaAOX9
Threat Intelligence (@threatintel), April 10, 2025
Shuckworm is believed to have initially compromised the target system via an infected removable drive and an LNK file named “D:\files.lnk,” by creating a Windows Registry value under the UserAssist key.
After launching mshta.exe to bypass security controls and then running several other malicious wscript.exe commands, the attackers were able to establish contact with a Command and Control (C&C) server. Shuckworm was then said to methodically infect all removable and network drives, according to the blog, which lays out all the technical findings and Indicators of Compromise.
The research team also discovered an “array of possible file names in Ukrainian,” but without context, could not say what they were for.
Many of the files had military-type monikers, such as “Conduct plan, SPECIAL INSPECTION, Wound report, deployment, AIR DEFENSE COMBAT ORDER, Commander's decision on defense, combat calculation, GUR support, and Information on the dead.”

On March 1st, the Threat Hunter Team observed a “flurry of activity on the targeted server,” mostly using reconnaissance tools to extract various identifiers from the infected machine, as well as the creation of two new hardcoded C&C servers.
Eventually, the attackers launched a final payload, a PowerShell version of Shuckworm’s known GammaSteel tool, the security experts said, exfiltrating a slew of files from the machine’s Desktop, Documents, and Downloads folders.
Symantec said the attackers used a variety of methods for transfer and exfiltration, including the write.as web service, and also by using cURL (an open-source command-line tool often leveraged by bad actors) alongside Tor as a backup method.
Shuckworm was observed using much more advanced techniques than in past attacks, such as using more PowerShell-based tools, making minor modifications to the code it uses, and leveraging legitimate web services, all to lower the risk of detection, the team noted.
This alone makes this particular campaign a more complex, multi-staged attack chain, they said.
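To give defenders something concrete to check against the chain described above, here is an added example (not code from the article, from Symantec, or from the campaign itself) of a small triage script, written in Python rather than the campaign's own PowerShell. It applies four rules derived from the reporting (a script host started from Explorer, mshta/wscript/PowerShell parent-child chains, PowerShell spawning curl, and command lines that reference write.as or Tor) to constructed process-creation events, and it decodes UserAssist value names, which Windows stores ROT13-encoded, to find shortcuts executed from a non-C: drive such as the D:\files.lnk the article mentions. The event fields, timestamps, paths and placeholder arguments are all invented for the example.

```python
import codecs
import re
from dataclasses import dataclass


# Hypothetical process-creation record (Sysmon Event ID 1 / 4688 style), trimmed to the fields the rules use.
@dataclass
class ProcEvent:
    ts: str        # ISO-8601 timestamp
    image: str     # file name of the started process, no path
    cmdline: str   # full command line as logged
    parent: str    # file name of the parent process, no path


SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe", "powershell.exe"}
# Legitimate-service / Tor references the article associates with the exfiltration stage.
EXFIL_TOKENS = re.compile(r"write\.as|\btor\b|\.onion\b", re.IGNORECASE)
# A shortcut executed from any drive letter other than C: (removable or mapped media).
NON_SYSTEM_LNK = re.compile(r"^[D-Z]:\\.*\.lnk$", re.IGNORECASE)


def decode_userassist(value_name: str) -> str:
    """UserAssist value names are stored ROT13-encoded; return the readable path."""
    return codecs.decode(value_name, "rot13")


def suspicious_userassist(value_names):
    """Decoded UserAssist entries that record an .lnk executed from a non-C: drive."""
    return [p for p in map(decode_userassist, value_names) if NON_SYSTEM_LNK.match(p)]


def triage(events):
    """Apply the four chain rules to every event; return (event index, rule name) pairs."""
    findings = []
    for i, ev in enumerate(events):
        img, parent = ev.image.lower(), ev.parent.lower()
        if img in {"mshta.exe", "wscript.exe"} and parent == "explorer.exe":
            findings.append((i, "script host started from Explorer (consistent with a clicked LNK)"))
        if img in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
            findings.append((i, f"script-host chain {parent} -> {img}"))
        if img == "curl.exe" and parent == "powershell.exe":
            findings.append((i, "PowerShell spawning curl.exe"))
        if EXFIL_TOKENS.search(ev.cmdline):
            findings.append((i, "command line references write.as or Tor"))
    return findings


# Constructed UserAssist value names (ROT13 of invented paths); only the second is a removable-drive shortcut.
SAMPLE_USERASSIST = [
    r"P:\Jvaqbjf\abgrcnq.rkr",             # C:\Windows\notepad.exe
    r"Q:\svyrf.yax",                        # D:\files.lnk
    r"P:\Hfref\Choyvp\Qrfxgbc\Jbeq.yax",    # C:\Users\Public\Desktop\Word.lnk
]

# Constructed telemetry loosely mirroring the chain in the article; arguments are placeholders, not real payloads.
SAMPLE_EVENTS = [
    ProcEvent("2025-02-26T09:12:01Z", "explorer.exe", "explorer.exe", "userinit.exe"),
    ProcEvent("2025-02-26T09:12:05Z", "mshta.exe", "mshta.exe <constructed-args>", "explorer.exe"),
    ProcEvent("2025-02-26T09:12:06Z", "wscript.exe", "wscript.exe <constructed-script>", "mshta.exe"),
    ProcEvent("2025-03-01T11:40:12Z", "powershell.exe", "powershell.exe -c <constructed-stealer-stage>", "wscript.exe"),
    ProcEvent("2025-03-01T11:40:20Z", "curl.exe", "curl.exe -s https://write.as/<constructed-id>", "powershell.exe"),
    ProcEvent("2025-03-01T11:41:00Z", "svchost.exe", "svchost.exe -k netsvcs", "services.exe"),
    ProcEvent("2025-03-01T11:42:07Z", "powershell.exe", "powershell.exe -c <constructed fallback transfer over tor>", "wscript.exe"),
]

if __name__ == "__main__":
    for path in suspicious_userassist(SAMPLE_USERASSIST):
        print("UserAssist: shortcut run from non-system drive:", path)
    for idx, rule in triage(SAMPLE_EVENTS):
        ev = SAMPLE_EVENTS[idx]
        print(f"{ev.ts} {ev.parent} -> {ev.image}: {rule}")
```

On its own the Explorer-to-mshta rule is noisy (any HTA shortcut a user clicks will trip it), so the value is in seeing several rules fire on the same host within minutes; the drive-letter pattern assumes C: is the system drive and should be adjusted where it is not.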