Analysis of APT-C-53 (Gamaredon) Attack on Ukrainian Government Agencies
Essential information
- Published: 01/09/2025 09:55
- Modified: 01/09/2025 10:32
- Tags: 2025-09-01, apt, cloudflareworkers, cyberespionage, devtunnels, dropbox, powershell, russia, ukraine, vbscript
- Related entities: 11 observables, 1 intrusion set (apt), 8 techniques (mitre), 3 others
Description
APT-C-53, also known as Gamaredon, is a Russian state-sponsored threat group active since 2013 that targets Ukrainian government and military entities. The group has upgraded its tradecraft, focusing on dynamic cloud-based C2 infrastructure and the targeted delivery of cloud storage tools. In 2025 it conducted high-density intelligence theft activity against Ukrainian government agencies. The attack chain involves rapidly changing infrastructure, abuse of Microsoft Dev Tunnels, and sophisticated data exfiltration techniques. To evade detection, the group relies on camouflage behind allow-listed domains, domain shadowing, and weaponization of cloud tunnel services. Its data theft process includes registry-based persistence, multi-stage payload delivery via Cloudflare Workers, and exfiltration through legitimate cloud tools such as Dropbox.