InfoSec Briefing - June 06, 2026

🎧 Audio Briefing

Playback Speed:

Cyber security developments for Saturday the 6th of June 2026 covering articles added to the BlueTeamSec community on infosec.pub. Today we have 10 articles to cover. All attribution is by the article authors. All article analysis is automated.

Volexity have written up VerdantBamboo, an eighteen-month intrusion campaign targeting edge network appliances including pfSense firewalls, Synology NAS boxes, and Egnyte storage sync devices. The threat actor deployed specialised tooling in Golang, Rust, and Python specifically designed to operate from the network edge and evade endpoint detection — one for anyone running these devices in production.

Following on from the GammaPhish and GammaWorm stories we covered earlier this week, Sekoia have now published parts two and three of their Gamaredon matryoshka series. GammaLoad and GammaSteel both use nested multi-stage obfuscation, with registry payloads bound to the user profile and dead drop resolvers hosted on Mastodon to dynamically fetch command-and-control addresses — the architecture is deliberately designed so that even if you kill one backdoor, the others will reinfect the system.

The National Cyber Security Centre have published guidance on software supply chain attacks, covering how adversaries inject malicious code into trusted dependencies, build pipelines, and third-party libraries. It's aimed at developers and organisations running continuous integration workflows — worth a look if you're responsible for dependency management or build security.

And another supply chain incident — OX Security have detailed the IronWorm campaign, which compromised developer accounts associated with the WeaveDB project and injected malicious code into thirty-six legitimate npm packages. Anyone who updated their dependencies automatically pulled down and executed the payload, which was designed to exfiltrate sensitive information from development environments.

Sophos have written up a rather unusual incident involving Hola Browser, where a compromised update mechanism was used to distribute crypto-mining malware. The payload established persistence as a Windows service, disabled Defender, and mined only during idle time to avoid detection — turns out even signed software distribution pipelines aren't immune to compromise.

A security researcher has documented a rather clever quirk in Active Directory ACL processing — if you manipulate security descriptors at a low level using raw binary LDAP, you can create non-canonical ACL orders where Allow entries precede Deny entries. Because Windows evaluates ACLs sequentially, the Deny rules are simply ignored. This affects organisations using backup tools, migration scripts, or anything that manipulates security descriptors programmatically.

TrueCyber have released AzureRedOps, an offensive security toolkit for red-team assessments of Microsoft Entra ID and Azure environments. It automates reconnaissance, credential harvesting, privilege escalation, and post-exploitation through a command-line interface that talks to the Graph API — centralises most of the common attack workflows you'd see in a cloud engagement.

The ZMap team have released zannotate, a command-line utility for enriching IP address datasets with contextual metadata from MaxMind GeoIP, ASN databases, reverse DNS, WHOIS, Censys, and threat intelligence feeds like GreyNoise. It's designed for network research and security analysis, supports both live API queries and offline enrichment, and handles large-scale datasets — useful for reconnaissance or contextualising telemetry, depending on which side of the fence you're on.

And finally, Origin have published internals on Microsoft's eXecution Container project, which provides cross-platform sandbox isolation for AI agent code execution using native OS primitives. The architecture translates high-level policies into platform-specific controls via a broker, though it's positioned more as an auditing framework than a hardened security boundary — probably best treated as a logging and detection tool for agentic workflows rather than something you'd rely on to stop a determined breakout attempt.

That concludes today's briefing.

📰 Articles Covered

VerdantBamboo: Just Another BRICKSTORM in the Firewall - Volexity

The Volexity report on **VerdantBamboo** (also tracked as WARP PANDA or UNC5221) details a sophisticated, long-term intrusion campaign that highlights the critical security risks posed by edge network appliances that often lack traditional security visibility 【1】.

### What Happened and Who Was Affected
VerdantBamboo successfully compromised a victim organization and its Managed Services Provider (MSP), maintaining persistent access for at least 18 months 【1】. The threat actor utilized the MSP as an initial entry point and subsequently targeted proprietary network appliances within the victim's environment, including an Egnyte Storage Sync system, a Synology NAS, and a pfSense firewall 【1】. Even after initial remediation efforts, the actor regained access by exploiting an exposed firewall administrative interface and leveraging stolen credentials to establish a custom SSL VPN 【1】.

### Technical Details
The actor employed a specialized toolkit designed to evade detection and operate on non-EDR-capable systems:
* **BRICKSTORM:** A modular RAT developed in Golang and Rust, providing command execution, filesystem access, and SOCKS5 proxying capabilities 【1】.
* **PLENET (aka GRIMBOLT):** A cross-platform backdoor written in .NET Core and compiled with Native AOT to complicate reverse engineering and analysis 【1】.
* **AGENTPSD:** A Python-based reverse shell, packaged via PyInstaller, serving as a fallback mechanism 【1】.
* **Privilege Escalation:** The actor exploited a misconfigured `sudo` policy on the Egnyte Storage Sync system to gain root-level command execution 【1】.

### Security Implications
The primary implication of this campaign is the actor's ability to bypass standard security controls by operating from the "edge" of the network. By using compromised appliances as proxies, VerdantBamboo successfully bypassed Conditional Access policies and blended their malicious activity with legitimate traffic to access the victim's Microsoft 365 environment 【1】.

### What Defenders Should Know
* **Targeting Strategy:** VerdantBamboo specifically seeks out devices that cannot host traditional EDR agents, such as firewalls, NAS devices, and Linux-based virtual appliances 【1】.
* **Persistence Mechanisms:** Defenders should look for customized persistence, such as modifications to `/etc/cron.d/` or `/etc/rc.d/cron` 【1】.
* **Detection:** Monitor network traffic originating from edge appliances for anomalous connections, particularly those reaching out to public DNS servers or unexpected external domains 【1】.
* **Hardening:** Administrative interfaces for network appliances must never be exposed to the public internet, and robust Multi-Factor Authentication (MFA) should be enforced for all administrative access 【1】.
* **Auditing:** Regularly audit `sudo` configurations and system permissions on all Linux-based appliances to identify and remediate potential local privilege escalation vectors 【1】.
Software supply chain attacks: check your dependencies - National Cyber Security Centre

This precis outlines the risks associated with software supply chain attacks as detailed by the National Cyber Security Centre (NCSC).

### Overview: What Happened
Software supply chain attacks occur when malicious actors compromise the integrity of software by targeting the components, tools, or processes used to build and distribute it. Rather than attacking a target directly, adversaries inject malicious code into trusted software dependencies, which are then unknowingly integrated into downstream applications and systems.

### Who is Affected
These attacks have a broad impact, affecting:
* **Software Developers:** Whose build environments, credentials, or packages may be compromised.
* **Organizations:** That rely on third-party libraries, open-source components, or automated CI/CD pipelines to build and deploy their own software.
* **End Users:** Who ultimately run the compromised software, potentially exposing their data or systems to further exploitation.

### Security Implications
The primary danger lies in the **implicit trust** placed in dependencies. Once a malicious package is introduced, it can execute arbitrary code within the context of the build or production environment. This can lead to:
* **Data Exfiltration:** Stealing sensitive information, API keys, or environment variables.
* **Backdoor Installation:** Creating persistent access for attackers.
* **Widespread Distribution:** Because the malicious code is "trusted," it can propagate rapidly through automated updates, affecting countless downstream users simultaneously.

### Technical Details
Attackers employ several techniques to inject malicious code into the supply chain:
* **Maintainer Account Compromise:** Stealing credentials or tokens to push malicious updates to legitimate, trusted packages.
* **Abandoned Package Takeover:** Hijacking ownership of packages that are no longer maintained or taking over expired domains linked to maintainers.
* **Typosquatting:** Publishing malicious packages with names similar to popular, legitimate ones, hoping developers install them by mistake.
* **Self-propagation:** Using stolen credentials from one compromise to access and modify additional packages in the same ecosystem.
* **Automation Abuse:** Exploiting CI/CD pipelines that automatically pull and execute code without human review.
* **Open Publishing Models:** Leveraging the lack of security controls (such as mandatory MFA) in many package repositories to upload malicious content easily.

### What Defenders Should Know
To mitigate these risks, the NCSC recommends a proactive, multi-layered approach:

| Category | Recommended Actions |
| :--- | :--- |
| **Visibility** | Maintain a comprehensive inventory of all software dependencies, such as a Software Bill of Materials (SBOM). |
| **Monitoring** | Regularly audit dependencies, review recent updates, and monitor CI/CD and network activity for anomalies. |
| **Immediate Response** | If a compromise is suspected, pause automatic updates, manually approve new dependencies, rotate exposed credentials, and enforce MFA. |
| **Development Security** | Follow the Software Security Code of Practice, ensure all deployments occur through controlled CI/CD pipelines, and avoid storing sensitive credentials on developer workstations. |

【1】
IronWorm Supply Chain Malware Hits npm - OX Security - OX Security

The "IronWorm" campaign represents a sophisticated supply chain attack targeting the npm ecosystem, specifically focusing on the WeaveDB project and its associated ecosystem 【1】.

### What Happened
Attackers compromised the npm accounts of developers associated with the WeaveDB project, allowing them to inject malicious code into legitimate packages. By publishing updated versions of these packages containing the malware, the attackers ensured that users who updated their dependencies would automatically download and execute the malicious payload 【1】.

### Who Is Affected
The attack primarily impacted users of the WeaveDB ecosystem. A total of 36 packages were identified as containing the malicious code across various versions.

| Package name (npm) | Affected versions |
| :--- | :--- |
| ai3 | 0.3.5 |
| aonote | 0.11.1 |
| arjson | 0.1.4 |
| arnext | 0.1.5 |
| arnext-arkb | 0.0.2 |
| atomic-notes | 0.5.3 |
| create-arnext-app | 0.0.10 |
| cwao | 0.5.6 |
| cwao-tools | 0.3.1 |
| cwao-units | 0.8.3 |
| fpjson-lang | 0.1.7 |
| hbsig | 0.3.2 |
| monade | 0.0.7 |
| roidjs | 0.1.7 |
| test-ajs | 0.1.19 |
| test-weavedb-sdk | 1.1.1 |
| testnpmnmp | 1.0.21 |
| wao | 0.41.2 |
| warp-contracts-plugin-deploy-test | 3.0.1 |
| wdb-cli | 0.1.1 |
| wdb-core | 0.1.2 |
| wdb-sdk | 0.1.2 |
| weavedb-base | 0.45.3 |
| weavedb-client | 0.45.3 |
| weavedb-console | 0.2.1 |
| weavedb-contracts | 0.45.2 |
| weavedb-exm-sdk | 0.7.4 |
| weavedb-exm-sdk-web | 0.7.4 |
| weavedb-node-client | 0.45.3 |
| weavedb-offchain | 0.45.4 |
| weavedb-sdk | 0.45.3 |
| weavedb-sdk-base | 0.21.1 |
| weavedb-sdk-node | 0.45.3 |
| weavedb-tools | 0.45.3 |
| weavedb-warp-contracts-plugin-deploy | 1.0.11 |
| zkjson | 0.8.5 |

### Security Implications
The primary goal of the IronWorm malware was to exfiltrate sensitive information from the development environments of the victims. This included stealing environment variables, configuration files, and potentially other credentials that could be used for further lateral movement or unauthorized access to cloud infrastructure and private repositories 【1】.

### Technical Details
* **Injection Method:** The attackers utilized compromised maintainer accounts to push malicious updates to the npm registry.
* **Payload Execution:** The malicious code was designed to execute upon installation or during the runtime of the package, often leveraging `postinstall` scripts or obfuscated code within the main package files.
* **Data Exfiltration:** The malware would scan the local file system for sensitive files (such as `.env` files or SSH keys) and exfiltrate this data to a remote server controlled by the attackers 【1】.

### What Defenders Should Know
* **Audit Dependencies:** Organizations using any of the affected packages should immediately audit their environments for signs of compromise.
* **Rotate Credentials:** If any of the affected packages were used in environments containing sensitive credentials (API keys, secrets, tokens), those credentials should be considered compromised and rotated immediately.
* **Implement Supply Chain Security:** Defenders should adopt practices such as dependency pinning, using lockfiles, and employing automated security scanning tools that can detect malicious code or known vulnerabilities in third-party packages.
* **Monitor for Anomalous Activity:** Maintain visibility into network traffic and process execution within development and CI/CD pipelines to detect unauthorized exfiltration attempts 【1】.
You do surprise me.exe: An unexpected executable in Hola Browser - Sophos X-Ops

The provided summary accurately captures the key aspects of the incident described in the Sophos article. To ensure complete coverage, I have reviewed the remaining content of the article to extract any additional pertinent details.

### Additional Technical and Defensive Insights

* **Persistence Mechanism:** Beyond the creation of the `hola_monitor_svc` service, the malware utilized a specific technique to ensure persistent execution. It was configured to monitor system idle time, allowing the crypto-miner to operate covertly without significantly impacting the user's active experience, which is a common tactic to evade detection by the end-user 【1】.
* **Supply Chain Vulnerability:** The compromise originated from an unauthorized modification within the update distribution pipeline. This underscores that even legitimate, signed software vendors can be conduits for malicious payloads if their internal build or distribution infrastructure is compromised 【1】.
* **Detection and Remediation:** Sophos emphasizes that while their security products successfully identified and blocked the threat, the incident serves as a reminder for organizations to maintain strict integrity checks on all files delivered through automated update mechanisms. Defenders are encouraged to implement behavioral monitoring that flags unauthorized processes attempting to modify Windows Defender settings or establish new services, as these are high-fidelity indicators of malicious activity 【1】.

This incident serves as a critical case study in the necessity of robust supply chain security, demonstrating that even reputable software can inadvertently distribute malicious code when distribution pipelines are not adequately secured.
The Deny ACE That Never Fires: Non-Canonical ACL Order in Active Directory - Robin Granberg

The article highlights a critical security nuance regarding how Active Directory (AD) handles Access Control Lists (ACLs). While it is a common assumption that AD automatically enforces a "canonical" order for Access Control Entries (ACEs), the author demonstrates that this is not always the case, creating potential security vulnerabilities.

### What Happened
The author discovered that it is possible to bypass standard API canonicalization when writing ACLs to Active Directory. By utilizing `RawSecurityDescriptor` and `InsertAce()` to manipulate security descriptors via raw binary LDAP, one can commit non-canonical ACLs—specifically, configurations where an "Allow" ACE precedes a "Deny" ACE—that persist within the directory.

### Who Is Affected
This issue primarily affects organizations that utilize specialized tools for AD management, such as:
* Backup and restore solutions.
* Migration tools.
* Custom scripts or applications that manipulate security descriptors using low-level methods like `InsertAce()` without explicitly enforcing canonicalization.

### Security Implications
The primary risk stems from how the Windows `AccessCheck()` function operates. Because this function evaluates ACEs sequentially and terminates as soon as all requested rights are granted, an "Allow" ACE placed before a "Deny" ACE can cause the subsequent "Deny" entry to be ignored. This results in a scenario where a principal may be granted access that was explicitly intended to be denied, leading to unpredictable and insecure access control states.

### Technical Details
* **Canonical Order:** Windows expects a specific sequence for ACEs: (1) Explicit Deny, (2) Explicit Allow, (3) Inherited Deny, (4) Inherited Allow.
* **Evaluation Logic:** The `AccessCheck()` mechanism stops processing once all requested rights are accumulated.
* **Persistence:** While standard administrative tools (e.g., ADUC, `AddAccessRule()`) typically enforce canonical order, writing via `ObjectSecurity.SetSecurityDescriptorBinaryForm()` and `CommitChanges()` can bypass these protections, depending on the specific Windows Server version, domain functional level, and the commit path utilized.

### What Defenders Should Know
* **Detection:** Security teams can programmatically audit for non-canonical ACLs by checking the `IsCanonical` property of the `CommonSecurityDescriptor.DiscretionaryAcl` object.
* **Best Practices:**
* **Restore/Migration:** When performing migrations or restores, it is often necessary to maintain bit-perfect fidelity by using `InsertAce()` without reordering.
* **New Delegation:** For new access control configurations, explicitly canonicalize ACLs before writing them, rather than relying on high-level APIs like `AddAccessRule()`, which may perform unwanted merging or mutation.
* **Risk Awareness:** Microsoft documentation may describe the behavior of non-canonical ACLs as "undefined," but this should be treated as a significant security risk rather than a harmless quirk.
AzureRedOps: Azure RedOps is a offensive security toolkit for assessing the security posture of Microsoft Entra ID - Mr.Un1k0d3r (TrueCyber Inc.)

The `AzureRedOps` repository is an offensive security toolkit designed for red-team assessments of Microsoft Entra ID (formerly Azure AD) and Azure environments. It centralizes common attack workflows into a single, activity-driven Command Line Interface (CLI) that interacts primarily with the Microsoft Graph API.

### What It Is and Its Purpose
`AzureRedOps` is not a single exploit, but a framework that automates the lifecycle of an Azure/Entra ID compromise. Its purpose is to streamline reconnaissance, credential harvesting, privilege escalation, and post-exploitation tasks, allowing security professionals to simulate sophisticated adversary behavior against cloud tenants.

### Who Is Affected
Any organization utilizing Microsoft Entra ID or Azure services is potentially affected if their security posture is misconfigured or if their users are susceptible to social engineering. The toolkit is specifically designed to target:
* **User Accounts:** Through password spraying and phishing.
* **Service Principals and Applications:** Through illicit consent and malicious registration.
* **Directory Data:** Via bulk enumeration of users, groups, and sensitive directory objects.

### Technical Details
The tool is built on Python 3.12+ and utilizes the following mechanisms:
* **Authentication Flows:** It supports multiple methods to obtain access tokens, including:
* **ROPC:** Direct username/password authentication.
* **Device-Code Phishing:** Abuses the OAuth device authorization grant to capture tokens.
* **Third-Party App Consent:** Executes Authorization Code + PKCE flows.
* **Interactive Browser Capture:** Uses Playwright to drive a real browser, bypassing MFA/Conditional Access by harvesting tokens from active sessions.
* **Refresh Token Exchange:** Trades existing refresh tokens for new access tokens.
* **Token Management:** Automatically caches tokens in a local `.azure_creds` directory for reuse.
* **Graph API Interaction:** Enables bulk data collection and the ability to issue raw REST requests to Microsoft Graph.
* **Automation:** Supports custom headers and user-agents to blend in with legitimate traffic.

### Security Implications
The toolkit provides a high-impact suite of capabilities for an attacker:
* **Credential Theft:** Facilitates phishing and password spraying against first-party Microsoft application IDs.
* **Persistence and Privilege Escalation:** Allows for the registration of malicious applications, creation of new groups, and assignment of high-privilege directory roles (e.g., Global Administrator).
* **Data Exfiltration:** Simplifies the process of accessing and exfiltrating data from services like OneDrive.
* **Reconnaissance:** Identifies misconfigured applications that are publicly redirectable or have overly permissive consent scopes.

### What Defenders Should Know
To detect and mitigate the use of this toolkit, defenders should focus on the following:
* **Monitor Authentication Anomalies:** Watch for unusual device-code authorization requests and unexpected interactive logins, especially those originating from unrecognized devices or locations.
* **Detect Tool Artifacts:** Look for the creation or access of the `.azure_creds` file on endpoints.
* **Analyze Graph API Logs:** Monitor for anomalous API usage patterns, such as bulk enumeration of directory objects or high volumes of requests targeting sensitive resources.
* **Audit Application Registrations:** Regularly review the tenant for new, unauthorized applications, particularly those requesting high-privilege scopes.
* **Strengthen Conditional Access:** Implement robust Conditional Access policies to mitigate the effectiveness of password spraying and session-based attacks.
zannotate: Utility for annotating Internet datasets with contextual metadata (e.g., origin AS, MaxMind GeoIP2, reverse DNS, and WHOIS) - ZMap

It appears there may be a misunderstanding regarding the nature of the ZAnnotate project. **ZAnnotate is not a security incident, a vulnerability, or a malicious tool; it is a legitimate, open-source utility** developed by the ZMap team for network research and data enrichment 【1】.

Below is a precis of the tool based on its documentation.

### What is ZAnnotate?
ZAnnotate is a Go-based command-line utility designed to help researchers and security professionals annotate large datasets of IP addresses with various forms of network metadata 【1】. It acts as a data enrichment pipeline, taking raw IP lists (or existing JSON/CSV files) and appending intelligence from multiple providers to each entry 【1】.

### Who is it for?
It is primarily intended for network researchers, security analysts, and threat hunters who need to process large-scale internet data. It is useful for anyone performing network reconnaissance, traffic analysis, or infrastructure auditing who needs to quickly contextualize IP addresses with external intelligence 【1】.

### Technical Details
* **Input/Output:** The tool accepts newline-delimited IP addresses, JSON, or CSV files as input and outputs enriched JSON objects 【1】.
* **Data Sources:** It supports a wide array of enrichment sources, including:
* **Live APIs:** Censys (internet intelligence), RDAP (WHOIS successor), and Reverse DNS (rDNS) 【1】.
* **Offline Databases:** MaxMind (GeoIP/ASN), GreyNoise (threat intelligence/CVEs), and BGP/Routing data (MRT files) 【1】.
* **Commercial Intelligence:** Spur (infrastructure classification, e.g., identifying datacenters vs. residential IPs) and Team Cymru (ASN details) 【1】.
* **Flexibility:** Users can specify custom input fields for IPs and control threading, which is particularly important when using rate-limited APIs like Censys 【1】.

### Security Implications & Use Cases
While the tool itself is benign, it is a powerful instrument for **reconnaissance**. Security professionals use it to:
* **Identify Infrastructure:** Distinguish between residential, mobile, and datacenter/CDN IP space using services like Spur 【1】.
* **Threat Intelligence:** Automatically tag IPs with known threat classifications and associated CVEs using GreyNoise data 【1】.
* **Network Mapping:** Perform large-scale rDNS and ASN lookups to map out the footprint of a target network or an attacker's infrastructure 【1】.

### What Defenders Should Know
* **Resource Management:** When using live APIs (like Censys), be aware of rate limits. The tool is designed to exit with an error if credits are exhausted to prevent silent failures 【1】.
* **Data Privacy/Compliance:** Because this tool sends IP addresses to external third-party APIs (like Censys, IPInfo, or Spur), defenders must ensure that their use of the tool complies with their organization's data privacy policies, especially when processing sensitive or internal IP data.
* **Operational Security:** If you are performing large-scale lookups, ensure your own IP addresses are not being flagged by the providers you are querying, and always use the appropriate API keys and configurations to avoid service interruptions 【1】.
MXC Internals: How Microsoft's eXecution Containers Actually Isolate Agent Code | Origin - Origin

The provided summary accurately captures the core technical and security aspects of the MXC (Microsoft eXecution Container) project as detailed in the article. To ensure you have the complete picture, I have reviewed the remaining sections of the source document.

The additional technical nuances and defender-focused insights are as follows:

### Additional Technical Details
* **Policy Translation Pipeline:** The article highlights that MXC’s strength lies in its unified policy engine. It takes a high-level JSON policy—defining allowed filesystem paths, network endpoints, and UI access—and maps these to the specific, often disparate, security APIs of the host OS (e.g., mapping a JSON network rule to a `Windows Filtering Platform` call or a `cgroup` network namespace on Linux).
* **The "Broker" Architecture:** For Windows backends, MXC utilizes a broker process that manages the lifecycle of the sandboxed process. This broker is responsible for applying the security policy *before* the untrusted code executes, minimizing the window of vulnerability.

### Expanded "What Defenders Should Know"
* **Auditability vs. Security:** The article emphasizes that while MXC provides a robust framework for *auditing* what untrusted code attempts to do (by logging policy violations), it is not yet a hardened security boundary. Defenders should treat MXC logs as high-fidelity signals for detecting malicious behavior in agentic workflows, even if the sandbox itself is bypassed.
* **Dependency Risks:** Because MXC relies on native OS primitives, its security posture is inherently tied to the host OS's kernel-level isolation capabilities. Defenders should prioritize patching the underlying OS (Windows, Linux, or macOS) to ensure the primitives MXC relies on (like Hyper-V or Bubblewrap) are not vulnerable to known container-escape exploits.
* **Configuration Drift:** Since MXC uses versioned JSON configurations, defenders should implement CI/CD checks to ensure that the policies applied to execution containers do not drift or become overly permissive over time. Treating these JSON policies as "Infrastructure as Code" (IaC) and subjecting them to security review is recommended.

This concludes the precis based on the full content of the article.
FSB’s matryoshka #3/3 - Gamaredon’s gifts that keeps unpacking - GammaSteel - Sekoia.io

The provided summary accurately captures the core findings of the Sekoia.io investigation into the **GammaSteel** campaign by the Russian FSB-linked threat actor **Gamaredon** (also known as UAC-0010 or Armagedon).

To further refine the technical understanding for defenders and security analysts, here are additional critical insights derived from the report:

### Advanced Technical Nuances
* **DPAPI Binding:** By binding the decryption of the `HKCU\Printers` registry payload to the specific user's session via the Data Protection API (DPAPI), the malware ensures that the malicious code cannot be easily decrypted or analyzed in a sandbox environment that lacks the original victim's user context.
* **Modular "Matryoshka" Architecture:** The "nested" design is not merely for obfuscation; it serves as a robust survival mechanism. Each stage acts as a standalone backdoor, meaning that even if a security tool identifies and kills a secondary process, the primary stage remains active to re-infect the host or pull down a fresh payload.
* **DDR (Dead Drop Resolver) Evolution:** The group continues to evolve its use of public platforms (like Mastodon or Rentry) as Dead Drop Resolvers. These are not C2 servers themselves, but rather "bulletin boards" where the malware fetches the *actual* current C2 IP addresses, making the infrastructure highly dynamic and difficult to block via static IP blacklisting.

### Strategic Recommendations for Defenders
Beyond the detection strategies mentioned, organizations should consider the following proactive measures:

| Focus Area | Actionable Defense |
| :--- | :--- |
| **Registry Monitoring** | Implement strict EDR/SIEM rules to alert on any process writing to or modifying `HKCU\Printers`, as this is a primary staging area for GammaSteel. |
| **PowerShell Policy** | Enforce Constrained Language Mode (CLM) for PowerShell where possible, and ensure robust logging (Script Block Logging, Module Logging) is enabled to capture the obfuscated scripts before they execute. |
| **Egress Filtering** | Restrict outbound traffic to known, legitimate cloud storage providers (like Tebi.io) if they are not required for business operations, particularly from sensitive workstations. |
| **USB Policy** | Given the group's focus on USB-based data exfiltration, implement strict policies regarding the use of removable media on systems containing sensitive or classified information. |

### Summary of Threat Evolution
The report highlights a significant shift in Gamaredon's operational maturity. By adopting techniques previously associated with **InvisiMole** (specifically the sophisticated use of DPAPI for payload concealment), Gamaredon is demonstrating an increased capacity for long-term, stealthy espionage. Defenders should view this not as a one-off malware campaign, but as a persistent, evolving threat that prioritizes "living off the land" and leveraging trusted infrastructure to maintain its foothold in high-value Ukrainian networks.
FSB’s matryoshka #2/3 - Gamaredon’s gifts that keeps unpacking - GammaLoad - Sekoia.io

The article details the ongoing evolution of **Gamaredon** (also known as Primitive Bear, Shuckworm, or ACTINIUM), a Russian-linked threat actor, specifically focusing on their updated **Gammaload** malware delivery chain 【1】.

### What Happened
Gamaredon continues to refine its "Matryoshka" (nested doll) approach to malware delivery. The group utilizes a multi-stage infection chain designed to evade detection by progressively unpacking malicious payloads. The latest iteration of Gammaload demonstrates increased complexity in its obfuscation and command-and-control (C2) infrastructure, often leveraging legitimate services to mask its activities 【1】.

### Who Is Affected
The primary targets of Gamaredon remain entities within **Ukraine**, including government, military, and critical infrastructure organizations. The group is known for its persistent and targeted espionage campaigns aimed at gathering intelligence related to the ongoing conflict 【1】.

### Security Implications
* **Persistence:** The multi-stage nature of the attack makes it difficult to detect and remediate, as defenders may only identify the initial stages while the core malicious functionality remains hidden.
* **Evasion:** By using legitimate platforms (like Telegram) and temporary infrastructure (like Cloudflare tunnels), the attackers effectively bypass traditional network-based security controls.
* **Espionage:** The ultimate goal is long-term access to sensitive systems, allowing for data exfiltration and persistent monitoring of target environments 【1】.

### Technical Details
The infection chain typically involves several stages of obfuscated scripts and binaries:
* **Stage 1 & 2:** Initial loaders (e.g., `bf94f4056627907d86ce1cae8b44c67a`, `a2c6e01001c62f6198e31a9d603977c6`) are used to establish a foothold and download subsequent stages 【1】.
* **Stage 3:** The core Gammaload payload (`d2a6009587b3cb73355c2d1e53d5cdfa`) is executed to perform malicious tasks 【1】.
* **Infrastructure:** The group uses Telegram channels (e.g., `hxxps://telegram[.]me/s/oberfarir`) to distribute malicious links or retrieve C2 instructions, and temporary services like Cloudflare tunnels (e.g., `hxxps://insight-sweet-drainage-appreciated.trycloudflare[.]com/log`) to host malicious traffic 【1】.

### What Defenders Should Know
* **Monitor for Anomaly:** Look for suspicious use of legitimate services like Telegram and Cloudflare tunnels within your network traffic.
* **Endpoint Visibility:** Focus on detecting the execution of obfuscated scripts (PowerShell, VBScript) which are hallmarks of the initial infection stages.
* **IOCs:** Defenders should block and monitor for the identified indicators of compromise, including the specific C2 domains and IP addresses (e.g., `172.86.76[.]132`) associated with this campaign 【1】.
* **Proactive Hunting:** Given the group's tendency to frequently change infrastructure, focus on behavioral patterns rather than relying solely on static IOCs.