{ "type": "URL", "indicator": "https://quitethepastry.ru", "general": { "sections": [ "general", "url_list", "http_scans", "screenshot" ], "indicator": "https://quitethepastry.ru", "type": "url", "type_title": "URL", "validation": [], "base_indicator": { "id": 4389548590, "indicator": "https://quitethepastry.ru", "type": "URL", "title": "", "description": "", "content": "", "access_type": "public", "access_reason": "" }, "pulse_info": { "count": 3, "pulses": [ { "id": "6a1dde0927ce7587f79534ee", "name": "FSB\u2019s matryoshka #1/3 \u2013 Gamaredon\u2019s gifts that keeps unpacking \u2013 GammaPhish and GammaWorm", "description": "Gamaredon, a cyberespionage group operated by Russia's FSB, conducts long-term intrusion operations targeting Ukrainian government, military, and critical infrastructure. This analysis documents their 2026 infection chain, which uses HTML smuggling with weaponized xHTML files delivering RAR archives that exploit CVE-2025-8088 to extract HTA files into Windows Startup directories. The chain deploys GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation via USB and network drives, and GammaSteal for exfiltration. The architecture is nearly fileless, leveraging NTFS Alternate Data Streams to conceal modules and using Dead Drop Resolvers on legitimate platforms like Telegram and Cloudflare for C2 infrastructure. Every stage functions as an independent backdoor capable of executing arbitrary VBScript, representing a shift from their historical Pteranodon framework to a modular ecosystem designed for persistent espionage.", "modified": "2026-06-02T09:24:58.011000", "created": "2026-06-01T19:31:21.077000", "tags": [ "gammaworm", "gammaload", "pteranodon", "gamaredon", "gammasteal", "gammaphish", "fsb" ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "GammaPhish", "display_name": "GammaPhish", "target": null }, { "id": "GammaLoad", "display_name": "GammaLoad", "target": null }, { "id": "GammaWorm", "display_name": "GammaWorm", "target": null }, { "id": "GammaSteal", "display_name": "GammaSteal", "target": null }, { "id": "Pteranodon - S0147", "display_name": "Pteranodon - S0147", "target": null }, { "id": "Pterodo", "display_name": "Pterodo", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1564.004", "name": "NTFS File Attributes", "display_name": "T1564.004 - NTFS File Attributes" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "IPv4": 1, "URL": 3, "domain": 1, "hostname": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 387021, "modified_text": "21 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1e65e0dbbeb5ee8804848e", "name": "FSB\u2019s matryoshka #1/3: Inside Gamaredon Cyber Operations", "description": "", "modified": "2026-06-02T05:10:56.608000", "created": "2026-06-02T05:10:56.608000", "tags": [ "gammaworm", "gamaredon", "gammaload", "pteranodon", "userprofile", "gammasteel", "c2 server", "user", "separator", "windows", "telegram", "ukraine", "desktop", "quietsieve", "litterdrifter", "gamawiper", "stream", "armageddon", "service", "ultravnc", "pterodo", "gamma", "usbstealer", "initial access", "exfiltration", "winrar", "august", "turla", "path", "first", "next", "matryoshka", "drop" ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "IPv4": 1, "URL": 4, "domain": 1, "email": 1, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 280, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1e3921d5b96f6f7b9c6e8a", "name": "IOC - FSB\u2019s matryoshka #1/3 \u2013 Gamaredon\u2019s gifts that keeps unpacking \u2013 GammaPhish and GammaWorm", "description": "Sekoia.io\u2019s Threat Detection & Research (TDR) team closely monitors the activities of Russian Advanced Persistent Threats (APT). In late December 2025, we deployed an opportunistic YARA rule designed to uncover novel initial access vectors. By January 2026, this rule had generated a dozen hits, prompting an in-depth investigation. While we successfully identified the early stages of a Gamaredon infection chain, unknown restrictions prevented us from fully detonating the sequence to observe the final payloads.", "modified": "2026-06-02T02:00:01.222000", "created": "2026-06-02T02:00:01.222000", "tags": [ "gammaworm", "dead drop", "resolvers" ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "IPv4": 1, "URL": 1, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/#h-iocs", "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/" ], "related": { "alienvault": { "adversary": [ "Gamaredon" ], "malware_families": [ "Gammasteal", "Gammaworm", "Pteranodon - s0147", "Pterodo", "Gammaphish", "Gammaload" ], "industries": [ "Defense", "Government" ], "unique_indicators": 12 }, "other": { "adversary": [], "malware_families": [], "industries": [], "unique_indicators": 13 } } }, "false_positive": [], "alexa": "http://www.alexa.com/siteinfo/quitethepastry.ru", "whois": "http://whois.domaintools.com/quitethepastry.ru", "domain": "quitethepastry.ru", "hostname": "Unavailable" }, "geo": {}, "geo_ipapicom": {}, "pulse_count": 3, "pulses": [ { "id": "6a1dde0927ce7587f79534ee", "name": "FSB\u2019s matryoshka #1/3 \u2013 Gamaredon\u2019s gifts that keeps unpacking \u2013 GammaPhish and GammaWorm", "description": "Gamaredon, a cyberespionage group operated by Russia's FSB, conducts long-term intrusion operations targeting Ukrainian government, military, and critical infrastructure. This analysis documents their 2026 infection chain, which uses HTML smuggling with weaponized xHTML files delivering RAR archives that exploit CVE-2025-8088 to extract HTA files into Windows Startup directories. The chain deploys GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation via USB and network drives, and GammaSteal for exfiltration. The architecture is nearly fileless, leveraging NTFS Alternate Data Streams to conceal modules and using Dead Drop Resolvers on legitimate platforms like Telegram and Cloudflare for C2 infrastructure. Every stage functions as an independent backdoor capable of executing arbitrary VBScript, representing a shift from their historical Pteranodon framework to a modular ecosystem designed for persistent espionage.", "modified": "2026-06-02T09:24:58.011000", "created": "2026-06-01T19:31:21.077000", "tags": [ "gammaworm", "gammaload", "pteranodon", "gamaredon", "gammasteal", "gammaphish", "fsb" ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/" ], "public": 1, "adversary": "Gamaredon", "targeted_countries": [ "Ukraine" ], "malware_families": [ { "id": "GammaPhish", "display_name": "GammaPhish", "target": null }, { "id": "GammaLoad", "display_name": "GammaLoad", "target": null }, { "id": "GammaWorm", "display_name": "GammaWorm", "target": null }, { "id": "GammaSteal", "display_name": "GammaSteal", "target": null }, { "id": "Pteranodon - S0147", "display_name": "Pteranodon - S0147", "target": null }, { "id": "Pterodo", "display_name": "Pterodo", "target": null } ], "attack_ids": [ { "id": "T1053.005", "name": "Scheduled Task", "display_name": "T1053.005 - Scheduled Task" }, { "id": "T1132.001", "name": "Standard Encoding", "display_name": "T1132.001 - Standard Encoding" }, { "id": "T1204.002", "name": "Malicious File", "display_name": "T1204.002 - Malicious File" }, { "id": "T1566.001", "name": "Spearphishing Attachment", "display_name": "T1566.001 - Spearphishing Attachment" }, { "id": "T1082", "name": "System Information Discovery", "display_name": "T1082 - System Information Discovery" }, { "id": "T1091", "name": "Replication Through Removable Media", "display_name": "T1091 - Replication Through Removable Media" }, { "id": "T1005", "name": "Data from Local System", "display_name": "T1005 - Data from Local System" }, { "id": "T1547.009", "name": "Shortcut Modification", "display_name": "T1547.009 - Shortcut Modification" }, { "id": "T1112", "name": "Modify Registry", "display_name": "T1112 - Modify Registry" }, { "id": "T1020", "name": "Automated Exfiltration", "display_name": "T1020 - Automated Exfiltration" }, { "id": "T1547.001", "name": "Registry Run Keys / Startup Folder", "display_name": "T1547.001 - Registry Run Keys / Startup Folder" }, { "id": "T1027", "name": "Obfuscated Files or Information", "display_name": "T1027 - Obfuscated Files or Information" }, { "id": "T1573", "name": "Encrypted Channel", "display_name": "T1573 - Encrypted Channel" }, { "id": "T1102.002", "name": "Bidirectional Communication", "display_name": "T1102.002 - Bidirectional Communication" }, { "id": "T1071.001", "name": "Web Protocols", "display_name": "T1071.001 - Web Protocols" }, { "id": "T1059.005", "name": "Visual Basic", "display_name": "T1059.005 - Visual Basic" }, { "id": "T1204.001", "name": "Malicious Link", "display_name": "T1204.001 - Malicious Link" }, { "id": "T1564.004", "name": "NTFS File Attributes", "display_name": "T1564.004 - NTFS File Attributes" }, { "id": "T1102.001", "name": "Dead Drop Resolver", "display_name": "T1102.001 - Dead Drop Resolver" } ], "industries": [ "Government", "Defense" ], "TLP": "white", "cloned_from": null, "export_count": 6, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "api", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "AlienVault", "id": "2", "avatar_url": "/otxapi/users/avatar_image/media/avatars/user_2/resized/80/avatar_dacfad0ca8.png", "is_subscribed": true, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "IPv4": 1, "URL": 3, "domain": 1, "hostname": 3 }, "indicator_count": 12, "is_author": false, "is_subscribing": null, "subscriber_count": 387021, "modified_text": "21 hours ago ", "is_modified": true, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1e65e0dbbeb5ee8804848e", "name": "FSB\u2019s matryoshka #1/3: Inside Gamaredon Cyber Operations", "description": "", "modified": "2026-06-02T05:10:56.608000", "created": "2026-06-02T05:10:56.608000", "tags": [ "gammaworm", "gamaredon", "gammaload", "pteranodon", "userprofile", "gammasteel", "c2 server", "user", "separator", "windows", "telegram", "ukraine", "desktop", "quietsieve", "litterdrifter", "gamawiper", "stream", "armageddon", "service", "ultravnc", "pterodo", "gamma", "usbstealer", "initial access", "exfiltration", "winrar", "august", "turla", "path", "first", "next", "matryoshka", "drop" ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "Tr1sa111", "id": "192483", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "CVE": 2, "FileHash-MD5": 2, "IPv4": 1, "URL": 4, "domain": 1, "email": 1, "hostname": 2 }, "indicator_count": 13, "is_author": false, "is_subscribing": null, "subscriber_count": 280, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 }, { "id": "6a1e3921d5b96f6f7b9c6e8a", "name": "IOC - FSB\u2019s matryoshka #1/3 \u2013 Gamaredon\u2019s gifts that keeps unpacking \u2013 GammaPhish and GammaWorm", "description": "Sekoia.io\u2019s Threat Detection & Research (TDR) team closely monitors the activities of Russian Advanced Persistent Threats (APT). In late December 2025, we deployed an opportunistic YARA rule designed to uncover novel initial access vectors. By January 2026, this rule had generated a dozen hits, prompting an in-depth investigation. While we successfully identified the early stages of a Gamaredon infection chain, unknown restrictions prevented us from fully detonating the sequence to observe the final payloads.", "modified": "2026-06-02T02:00:01.222000", "created": "2026-06-02T02:00:01.222000", "tags": [ "gammaworm", "dead drop", "resolvers" ], "references": [ "https://blog.sekoia.io/fsbs-matryoshka-1-3-gamaredons-gifts-that-keeps-unpacking-gammaphish-and-gammaworm/#h-iocs" ], "public": 1, "adversary": "", "targeted_countries": [], "malware_families": [], "attack_ids": [], "industries": [], "TLP": "white", "cloned_from": null, "export_count": 1, "upvotes_count": 0, "downvotes_count": 0, "votes_count": 0, "locked": false, "pulse_source": "web", "validator_count": 0, "comment_count": 0, "follower_count": 0, "vote": 0, "author": { "username": "celestre", "id": "295357", "avatar_url": "https://otx.alienvault.com/assets/images/default-avatar.png", "is_subscribed": false, "is_following": false }, "indicator_type_counts": { "FileHash-MD5": 2, "IPv4": 1, "URL": 1, "domain": 1 }, "indicator_count": 5, "is_author": false, "is_subscribing": null, "subscriber_count": 143, "modified_text": "1 day ago ", "is_modified": false, "groups": [], "in_group": false, "threat_hunter_scannable": true, "threat_hunter_has_agents": 1, "related_indicator_type": "URL", "related_indicator_is_active": 1 } ], "error": null, "vt": { "error": "VirusTotal rate limit reached. Try again shortly.", "indicator": "https://quitethepastry.ru", "type": "URL" }, "abuseipdb": null, "urlhaus": { "indicator": "https://quitethepastry.ru", "type": "URL", "found": false, "verdict": "clean", "error": null }, "from_cache": true, "_cached_at": 1780468433.6430585 }