PULSE NAME
IOC - Gamaredon’s infection chain: Spoofed emails, GammaDrop and GammaLoad
WHITE celestre 2026-05-14 Modified: 2026-05-14
363 IOCs (HIGH VOLUME)
Investigating Gamaredon’s abuse of CVE-2025-8088, we identified a dozen waves of spearphishing emails against Ukrainian state institutions in a campaign that is still active, dating back to September 2025. These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system.
Indicators of Compromise (4 / 363 total)
TYPE INDICATOR DESCRIPTION CREATED
FileHash-MD5 0f162de874f778c6807e4691208b5002 MD5 of 9b53a28d0435c3aaed88dcad1613be069c5b0a26e60be53e3288587a4954ccd6 2026-05-14
FileHash-MD5 2e8f2559f4f8e244ecb3a30aed7c3ebc MD5 of c6afe1a912548fcec511af5efb2c66e4267f71b46f5b4802bf02271b34a3f49a 2026-05-14
FileHash-MD5 54d3e7d804bd1f4bc9aa45ed9c2f4e6f MD5 of 4d0384aa2bc171c97d3ea10e1802185157452dc1590d7368a089d74d844fb21c 2026-05-14
FileHash-MD5 d8795fd010c1bff84808d35eacb522bc MD5 of 279e484dfb546e7ad84d5650572bb51d5180b431fdc8c0669e69e69d9a693bd5 2026-05-14