Yo everyone - you need to read this Dark Reading report because Russian state actors are getting serious about how they hide while attacking organizations. Gamaredon is FSB-sponsored and just upgraded its entire arsenal so the team can load malware more stealthily, which means their operations are becoming much harder to detect before damage is done. Their latest move uses legitimate Windows admin tools β€” WMI and WinRM β€” for persistence instead of obvious backdoor software because those are normal services that sysadmins actually use every day. So when they run remote commands via them, it blends in with authorized activity, which is exactly how you get a breach to sit undetected on your network for months while the attacker exfiltrates data.

But here's the real story about their infrastructure concealment because this part is genuinely clever and worth paying attention to as defenders. They don't just point at one command-and-control server; they hide it behind multiple layers of redirection so you never find the actual bad IP during an investigation. A victim machine communicates with a fake phishing site β€” some that have been live for up to eight months already β€” which then issues 301/302 redirects through several redirector IPs before reaching the backend C2, all while encoding data in a base64-wrapped HTTP POST body. They rotate domains constantly and use fresh ones alongside old favorites; I'll list three active IOCs for anyone who needs to hunt: t8q9m5g2ljs7.sitek.ru, s1pqrf4c3nrt9.skeymdt.com, aea0r5u5h1e6d.teledataz.org β€” note that these are just snapshots and the group cycles them frequently. This multi-hop approach is why basic IOC blocking fails because by the time you block one domain they've already moved on to two more before your update even propagates through your SIEM.

What this means for us practically is that we can no longer rely solely on static IP or file hash blocks and must start monitoring behavior instead. I want everyone to check their EDR configs β€” SentinelOne, CrowdStrike Falcon, MDE all have detections against Gamaredon's toolkit already written if you look up the vendor alerts. We should be hunting for an unusual volume of WinRM/WMI activity coming from non-admin accounts or at odd hours since those are legitimate protocols being abused by a threat actor. The report highlights that FortiEDR, Sophos Intercept X EDR Advanced, Palo Alto Cortex, Zscaler ThreatGraph and Check Point Harmony also have these detections mapped out for their customers to use. If you're running any of those platforms your team needs to build a dashboard specifically watching for remote command executions from unknown sources because that is the signal we need to catch this group before they move laterally.

Source: https://www.darkreading.com/threat-intelligence/russia-apt-gamaredon-arsenal-defense