ESET reports on Gamaredon's 2025 cyberespionage tactics
ESET Research's report on Gamaredon's 2025 activities reveals a focused campaign against Ukrainian entities, marked by the introduction of six new PowerShell tools and alliances with other Russia-aligned groups like Turla. The group increasingly leveraged legitimate cloud storage services such as Wasabi and Tebi for data exfiltration and used dead-drop services to obscure its C&C infrastructure.

ESET Research released a report on June 25, 2026, detailing the 2025 operations of the Russia-aligned Gamaredon threat group, which exclusively targeted Ukrainian governmental and military institutions. The group focused on exfiltrating sensitive information to support Russian interests in the ongoing war. Gamaredon's activities remained closely aligned with Russia's geopolitical objectives, aiming to gain an intelligence advantage through cyberespionage.
Throughout 2025, Gamaredon operators developed and deployed six new malicious PowerShell tools: PteroDee, PteroCache, PteroDum, PteroOdd, PteroPaste, and PteroEffigy. PteroPaste stood out for its complexity, combining a downloader, a USB weaponizer, and a runner component for persistence. The group also resurrected an old VBScript weaponizer, PteroSetup, which first appeared in 2021.
Gamaredon collaborated with Turla, another Russia-aligned threat actor, in early 2025, underscoring potential coordination among cyberespionage groups. ESET researcher Zoltán Rusnák noted that Gamaredon took a short operational break in January 2025 but remained highly active afterward, with updates often timed around major Russian and Crimean holidays. The group is attributed by the Security Service of Ukraine to the 18th Center of Information Security of Russia’s FSB.
The group shifted its tactics in the second half of 2025, launching larger and more frequent spear phishing campaigns. Beyond phishing, Gamaredon used custom weaponizers for lateral movement, targeting USB drives, mapped network drives, and software installers to spread within or across organizations.
Gamaredon increasingly relied on legitimate third-party services to hide its command and control (C&C) infrastructure and stolen data. The group abused messaging, social media, and blogging services like Telegram, Dropbox, DEV Community, and Mastodon as dead drops for resolving C&C servers and distributing payloads. Additionally, C&C servers were hidden behind tunnels, workers, dynamic DNS (DDNS), and platform as a service (PaaS) solutions.
On the data-exfiltration front, Gamaredon upgraded its file stealers, PteroPSDoor and PteroVDoor, to support S3-compatible cloud storage services like Wasabi, Tebi, and Intercolo. This shift reduced the need for the group to maintain its own infrastructure and helped malicious traffic blend in with legitimate storage providers. PteroBox continued to upload files to Dropbox.
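As an added defender-side example (not code from ESET's report or from Gamaredon's tooling), the Python script below flags PowerShell and VBScript interpreters opening connections to the storage providers named above, which is the traffic pattern the upgraded stealers produce. The provider endpoint domains, the allowlist and the Sysmon-style network events are assumptions constructed for illustration.

```python
import re
from typing import List, Optional, Tuple

# Assumed endpoint domains for providers named in the report. Intercolo is
# left out on purpose to exercise the generic S3-hostname fallback below.
STORAGE_DOMAINS = {
    "wasabisys.com": "Wasabi",
    "tebi.io": "Tebi",
    "dropboxapi.com": "Dropbox",
    "dropbox.com": "Dropbox",
}
# Interpreters the Ptero* PowerShell/VBScript tools run under.
SCRIPT_HOSTS = {"powershell.exe", "pwsh.exe", "wscript.exe", "cscript.exe"}
# (host, provider) pairs with a sanctioned business use (assumed).
ALLOWLIST = {("backup-srv", "Wasabi")}
FIELD_RE = re.compile(r"(\w+)=(\S+)")


def provider_for(dst_host: str) -> Optional[str]:
    """Map a destination hostname to a storage provider, or None."""
    dst = dst_host.lower().rstrip(".")
    for suffix, name in STORAGE_DOMAINS.items():
        if dst == suffix or dst.endswith("." + suffix):
            return name
    # Catch-all for S3-style hostnames such as s3.<region>.<provider>.
    return "S3-compatible (unlisted)" if re.match(r"^s3[.-]", dst) else None


def triage(events: List[str]) -> List[Tuple[str, str, str]]:
    """Return (host, process, provider) for each script-host-to-storage event."""
    alerts = []
    for line in events:
        f = dict(FIELD_RE.findall(line))
        proc = f.get("image", "").rsplit("\\", 1)[-1].lower()
        provider = provider_for(f.get("dst", ""))
        if proc in SCRIPT_HOSTS and provider and (f["host"], provider) not in ALLOWLIST:
            alerts.append((f["host"], proc, provider))
    return alerts


# Constructed Sysmon-style network events (not real telemetry).
PS = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
SAMPLE_EVENTS = [
    f"host=ws-017 image={PS} dst=s3.eu-central-1.wasabisys.com dport=443",
    r"host=ws-017 image=C:\Users\u\AppData\Local\Google\Chrome\Application\chrome.exe dst=www.dropbox.com dport=443",
    r"host=ws-042 image=C:\Windows\System32\wscript.exe dst=s3.tebi.io dport=443",
    f"host=backup-srv image={PS} dst=s3.wasabisys.com dport=443",
    f"host=ws-099 image={PS} dst=s3.fr-par.example-storage.net dport=443",
]
if __name__ == "__main__":
    for alert in triage(SAMPLE_EVENTS):
        print("ALERT script host -> cloud storage:", alert)
```

Browser traffic to Dropbox and the allowlisted backup host pass silently; the unlisted `s3.` hostname still triggers through the fallback so a provider missing from the map is not a blind spot.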
New Tools Introduced by Gamaredon in 2025
| Tool Name | Type | Functionality |
|---|---|---|
| PteroDee | PowerShell | Malicious tool |
| PteroCache | PowerShell | Malicious tool |
| PteroDum | PowerShell | Malicious tool |
| PteroOdd | PowerShell | Malicious tool |
| PteroPaste | PowerShell | Downloader, USB weaponizer, runner |
| PteroEffigy | PowerShell | Malicious tool |
| PteroSetup | VBScript | Weaponizer (resurrected from 2021) |
Cloud Storage Services Used for Exfiltration
| Service Provider | Type |
|---|---|
| Wasabi | S3-compatible cloud storage |
| Tebi | S3-compatible cloud storage |
| Intercolo | S3-compatible cloud storage |
| Dropbox | Cloud storage |
Will the collaboration between Gamaredon and Turla in early 2025 signal a permanent consolidation of Russian cyberespionage capabilities?
How might the increased reliance on legitimate cloud storage services for data exfiltration impact the security policies of cloud providers?
Could the resurrection of older tools like PteroSetup indicate a strategic shift towards evading modern detection methods?