
Threat Actor Characterization

Gamaredon Group


ID: a79eedbea3cb8cfa8731d28ba87430b385281
Tags: Cybercrime, Cybercriminal, Malware Dev
Threat types: Intrusion, Espionage
Country: Russia
Updated: 2026-01-13
Created: 2025-10-22
Progress: 49% Completeness: 48% Freshness: 50%
Aliases (free preview shows 2 of 9): ACTINIUM, Aqua Blizzard
MITRE ATT&CK®

Gamaredon Group (a.k.a. Armageddon/Primitive Bear/ACTINIUM/Shuckworm/UAC-0010) — Russia-nexus actor focused on Ukraine since 2013, using high-volume phishing, VBA/VBS/PowerShell chains, rapid C2 rotation (fast-flux), and automated collection/exfiltration.


Technique | Technique name | Tactic(s) | Evidence
T1566 | Phishing | TA0001 Initial Access
  • 2013–2025: Phishing (attachment, link, or service) is the primary delivery vector into Ukrainian organizations.
T1059.001 | PowerShell | TA0002 Execution
  • 2013–2025: PowerShell used for staging and post-exploitation.
T1059.005 | Visual Basic | TA0002 Execution
  • 2013–2025: VB/VBA macros drive execution; Outlook VBA projects propagate internally.
T1547.001 | Registry Run Keys / Startup Folder | TA0003 Persistence, TA0004 Privilege Escalation
  • 2013–2025: Registry Run keys and the Startup folder persist VBS/VBA loaders.
T1568.001 | Fast Flux DNS | TA0011 Command and Control
  • 2023–2024: Fast-flux DNS used to mask and rotate C2.
  • 2024-04: IBM X-Force notes multi-channel DNS fluxing to deliver Gamma variants at scale.
T1119 | Automated Collection | TA0009 Collection
  • 2022–2023: Automated scripts scan for documents of interest and stage them for collection.
T1041 | Exfiltration Over C2 Channel | TA0010 Exfiltration
  • 2013–2025: Exfiltration of harvested documents over HTTP/HTTPS C2 channels.
T1491.001 | Internal Defacement | TA0040 Impact
  • 2019–2021: Internal defacement/taunt images placed on victim desktops as proof of access.
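As an added defender-side example for the fast-flux technique (T1568.001) in the table above, not code from this profile or from any of its cited sources: a Python heuristic that aggregates DNS resolver log lines per queried name and flags names whose answers combine many distinct A records, short TTLs, and spread across several /16 prefixes. The log format (`<epoch> <qname> <rtype> <answer> <ttl>`), the thresholds, and the sample names and addresses are all assumptions constructed for the example.

```python
"""Heuristic fast-flux DNS triage over resolver logs.

Added example (not from the profile or its sources). The log line format
`<epoch> <qname> <rtype> <answer> <ttl>` is an assumption, as are the
thresholds; real resolver logs (BIND querylog, Zeek dns.log, passive DNS)
need their own parser, but the per-name aggregation is the same.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Optional

# Constructed sample: one name rotating answers across unrelated /16s with
# short TTLs (fast-flux-like), one CDN-style name with short TTLs but a single
# network, and one static internal name. The AAAA line is skipped on purpose.
SAMPLE_LOG = """\
# epoch qname rtype answer ttl
1700000000 update-check.example. A 203.0.113.10 60
1700000060 update-check.example. A 198.51.100.22 60
1700000120 update-check.example. A 192.0.2.33 60
1700000180 update-check.example. A 203.0.113.200 45
1700000240 update-check.example. A 198.51.100.7 60
1700000300 update-check.example. A 192.0.2.140 30
1700000000 update-check.example. AAAA 2001:db8::1 60
1700000000 cdn.example. A 192.0.2.5 30
1700000030 cdn.example. A 192.0.2.6 30
1700000060 cdn.example. A 192.0.2.7 30
1700000000 intranet.example. A 10.0.0.12 3600
"""


@dataclass
class NameStats:
    ips: set = field(default_factory=set)
    prefixes: set = field(default_factory=set)  # /16 as a cheap diversity proxy
    min_ttl: Optional[int] = None
    first_seen: Optional[int] = None
    last_seen: Optional[int] = None


def parse_line(line: str):
    """Split one assumed-format log line into typed fields; qname is normalised."""
    ts, qname, rtype, answer, ttl = line.split()
    return int(ts), qname.lower().rstrip("."), rtype.upper(), answer, int(ttl)


def aggregate(log_text: str) -> dict:
    """Build per-name statistics from IPv4 A answers; comments/blank lines ignored."""
    stats: dict = {}
    for raw in log_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        ts, qname, rtype, answer, ttl = parse_line(line)
        if rtype != "A":  # this heuristic only scores IPv4 answers
            continue
        prefix = str(ipaddress.ip_network(f"{answer}/16", strict=False))
        s = stats.setdefault(qname, NameStats())
        s.ips.add(answer)
        s.prefixes.add(prefix)
        s.min_ttl = ttl if s.min_ttl is None else min(s.min_ttl, ttl)
        s.first_seen = ts if s.first_seen is None else min(s.first_seen, ts)
        s.last_seen = ts if s.last_seen is None else max(s.last_seen, ts)
    return stats


def flag_fast_flux(stats: dict, min_ips: int = 5, max_ttl: int = 300,
                   min_prefixes: int = 3) -> dict:
    """Return {qname: reason} for names meeting all three criteria.

    Requiring all three keeps CDN-style names (short TTL, one network) and
    large-but-stable round-robin pools (many IPs, long TTL) out of the alert.
    """
    flagged = {}
    for qname, s in stats.items():
        if (len(s.ips) >= min_ips and s.min_ttl <= max_ttl
                and len(s.prefixes) >= min_prefixes):
            window = s.last_seen - s.first_seen
            flagged[qname] = (f"{len(s.ips)} distinct A records across "
                              f"{len(s.prefixes)} /16 prefixes, min TTL "
                              f"{s.min_ttl}s, observed over {window}s")
    return flagged


if __name__ == "__main__":
    for name, why in flag_fast_flux(aggregate(SAMPLE_LOG)).items():
        print(f"{name}: {why}")
```

The thresholds are deliberately conservative and tuned for triage rather than blocking; in practice the /16 proxy is best replaced by ASN lookups, and the per-name window should be bounded (for example, a rolling 24 hours) so that long-lived legitimate names do not accumulate addresses indefinitely.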
Strategic Intelligence
Last updated: 2025-10-22T18:58:02+00:00
Gamaredon Group — Russia-Nexus Espionage & High-Tempo Collection (G0047)

CLASSIFICATION: Unclassified / Open Source


Executive Summary

Gamaredon Group (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Shuckworm, IRON TILDEN, DEV-0157/Aqua Blizzard, UAC-0010/Hive0051) is a Russia-nexus espionage actor focused overwhelmingly on Ukrainian government, military, law-enforcement, judiciary, NGO and civil-society targets since at least 2013. Tradecraft centers on spearphishing, document/template macro abuse (VBA/VBS), rapid C2/domain rotation (including fast-flux), and automated collection/exfiltration rather than stealthy long-term intrusion. In November 2021, Ukraine publicly attributed the group to the FSB (Center 18); activity has remained intense through the war, with 2024–2025 research detailing evolved “Gamma” malware, DNS fluxing, and continued macro/PowerShell playbooks. Capability: medium; tempo/volume: very high. Confidence: high (multi-source).

Assessed to be FSB-aligned; MITRE notes Ukraine’s public attribution to FSB Center 18. Vendors track overlapping labels due to analytic schema differences (e.g., ACTINIUM/Aqua Blizzard by Microsoft; UAC-0010/Hive0051 by CERT-UA/IBM).

