Monday 06 July 2026 13:32:23 GMT+02:00

Netcrook

HomeManifesto
News
Techcrook
Geocrook
WikicrookTeamAppContact
EnglishItalianoArabic

Cyber Warfare & Nation-State Operations

Phishing, Cloud Tunnels, and a Steadier Drumbeat Over Ukraine

Published: 29 June 2026 14:11Category: Cyber Warfare & Nation-State OperationsGeo: Europe / UkraineAuthor: AGONY

A 2025 campaign pattern tied to Gamaredon combined repeated spearphishing with cloud service abuse, showing how ordinary internet tools can become cover for persistent intrusion.

In modern espionage, the quietest attacks are often the hardest to stop. A long-running campaign tied to Gamaredon in 2025 shows that the operator’s edge may come less from exotic exploits than from repetition, disguise, and infrastructure that looks normal at first glance. The pattern matters because it turns routine enterprise trust signals - email, cloud services, and scripting tools - into a delivery system for hostile activity.

Fast Facts

  • Thirty-five distinct spearphishing campaigns were observed in 2025.
  • The activity focused on new targets in Ukraine, with most campaigns occurring in the second half of the year.
  • New malware and cloud service abuse were part of the observed tradecraft.
  • Spearphishing remains one of the most reliable initial-access methods in espionage operations.
  • Legitimate cloud services can complicate detection because malicious traffic may resemble normal SaaS use.

Why the pattern matters

The technical story here is not a single breakthrough exploit. It is an operational shift toward scale and concealment. Repeated spearphishing gives attackers many chances to land a foothold, especially when messages are tailored to a specific organization or workflow. Once a user opens a lure, the next stage can be a script, shortcut, or other lightweight loader that is easier to swap out than a large malware implant.

That is where cloud service abuse becomes important. When malicious tooling leans on trusted web services or tunnels, the traffic can blend into everyday business activity. From a defensive perspective, that means simple domain blocking or signature-based mail filtering may miss the larger pattern. Detection has to look at behavior: which process is making the connection, whether the destination is expected, and whether the endpoint has a reason to talk to that service at all.

This also explains why modular toolsets are attractive to operators. If one component is burned, another can be exchanged without rebuilding the entire intrusion chain. The result is not always a dramatic breach; often it is a long, adaptive campaign designed to keep probing for access, maintain persistence, and make cleanup expensive.

At the time of writing, the public technical picture supports a risk analysis, not a claim that every target or downstream system was fully compromised. What is clear is that the combination of phishing, scripting, and cloud-based hiding places raises the cost of defense.

What defenders should watch

Email controls still matter, but they are only the first layer. Organizations need strong attachment inspection, careful handling of archive files, and limits on risky file types that can trigger script execution. Endpoint logging should pay close attention to PowerShell, VBScript, HTA, and shortcut-based execution chains, especially when they begin from mail-delivered content.

Just as important is egress visibility. Proxy logs, cloud telemetry, and alerts for unusual web API use can reveal endpoints that are talking to services they normally would not touch. In campaigns like this, the real clue is often not the payload alone, but the path it takes to stay alive and communicate.

Conclusion

Gamaredon’s 2025 activity is a reminder that cyber operations do not have to be flashy to be effective. A steady rhythm of phishing, disposable tooling, and trusted cloud infrastructure can be enough to keep pressure on a target for months. For defenders, the lesson is blunt: if the attacker can hide inside normal traffic, security has to become equally fluent in what normal looks like.

TECHCROOK

Hardware security key: A physical security key adds phishing-resistant multi-factor authentication for email, cloud accounts, and admin logins. It is a simple, widely available device that can reduce the risk of account takeover when attackers rely on credential theft or fake login pages.

Scheda Techcrook: Hardware security key

WIKICROOK

  • APT: Advanced Persistent Threat, a long-term and targeted intrusion effort often associated with espionage.
  • Spearphishing: A targeted phishing message crafted for a specific person or organization.
  • Cloud service abuse: Misusing legitimate cloud or web platforms to deliver payloads, relay traffic, or hide command-and-control.
  • Command-and-control (C2): The channel attackers use to issue instructions to compromised systems.
  • PowerShell: A built-in scripting environment on Windows that attackers often abuse for fileless or staged execution.