The worm needs no military clearance—it just breaks in
- Javier Conejo del Cerro
- Apr 11
- 2 min read

In a breach that bypassed conventional defenses and slipped through with minimal effort, the Russia-linked threat group Gamaredon (also known as Shuckworm) successfully compromised a Western military mission in Ukraine using nothing more than a USB drive.
The payload? An enhanced variant of GammaSteel—a known information-stealer now retooled with added obfuscation, new PowerShell scripts, and legitimate cloud platforms like Telegram and Telegraph used as command-and-control (C2) infrastructure.
Militargets: Profiles in exposure
The targets in this operation weren’t average users. They were foreign military personnel embedded in Ukraine: officers, intelligence analysts, and operational support teams tasked with handling classified coordination, logistics, and real-time information exchange.
Their work demands agility. In such environments, removable media remains common, especially for offline data transfers in field conditions or air-gapped contexts. That operational necessity became a cybersecurity blind spot. Gamaredon exploited this routine to go straight to the core, without relying on phishing, exploits, or brute force.
An invasion that starts with a USB
The infection chain began as soon as the malicious drive was connected. Windows Registry values were altered, and mshta.exe was launched via explorer.exe. From there, GammaSteel spread to connected drives by dropping shortcut files that masked the actual malware execution logic.
To evade detection, it established communication with C2 servers via trusted services—including Telegram, Telegraph, and Teletype—bypassing filters that might flag conventional outbound traffic. Once connected, the malware received further payloads via Base64-encoded PowerShell scripts, which then triggered an updated GammaSteel component.
The malware performed active reconnaissance, including:
- Capturing screenshots
- Scanning installed software
- Listing running processes
- Indexing Desktop and Documents folders
- Exfiltrating files with specific extensions
All of this occurred without triggering obvious red flags, leveraging trusted services and common Windows tools for stealth and persistence.
Dispel the Invader
To prevent intrusions like this—especially in military, diplomatic, or field operations—organizations must treat USB use and local trust with the same caution as external network access:
- Disable autorun and default script execution on removable media
- Restrict USB usage in sensitive or high-security areas
- Monitor Registry changes and PowerShell activity, especially involving mshta.exe
- Block or monitor traffic to cloud services frequently abused for C2
- Train personnel on the risks of removable media
- Log all device connections and enforce tight access policies
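As an added example (not code from the article or from any vendor report), the following Python sketch applies the monitoring recommendations above to constructed Sysmon-style events: mshta.exe launched by explorer.exe, a Base64-encoded PowerShell command decoded for the analyst, and an outbound connection to one of the trusted services the article names as C2. The event field names and the watchlist domains are assumptions.

```python
import base64
import re

# Assumed watchlist: domains of the services the article names as abused for C2
# (Telegram, Telegraph, Teletype); extend it for your environment.
ABUSED_C2_DOMAINS = {"telegram.org", "telegra.ph", "teletype.in"}

# Constructed sample events (not from the article), shaped like Sysmon process-create
# and network-connect records; the encoded command is benign and built here.
SAMPLE_ENCODED = base64.b64encode("Get-Date".encode("utf-16-le")).decode()
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\mshta.exe",
     "parent": r"C:\Windows\explorer.exe", "cmdline": r"mshta.exe E:\sample.hta"},
    {"type": "process", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent": r"C:\Windows\System32\mshta.exe",
     "cmdline": "powershell.exe -nop -w hidden -enc " + SAMPLE_ENCODED},
    {"type": "network", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "dest_host": "api.telegram.org"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",  # benign control
     "parent": r"C:\Windows\explorer.exe", "cmdline": "notepad.exe notes.txt"},
]

def decode_encoded_command(cmdline):
    """Plaintext of a PowerShell -EncodedCommand payload (Base64 of UTF-16LE), else None."""
    m = re.search(r"-(?:encodedcommand|enc|ec|e)\s+([A-Za-z0-9+/=]+)", cmdline, re.I)
    if not m:
        return None
    try:
        return base64.b64decode(m.group(1)).decode("utf-16-le")
    except (ValueError, UnicodeDecodeError):
        return None

def evaluate(events):
    """Apply the three detections to a list of events; return (rule, detail) alerts."""
    alerts = []
    for ev in events:
        image, parent = ev.get("image", "").lower(), ev.get("parent", "").lower()
        if ev["type"] == "process":
            if image.endswith("\\mshta.exe") and parent.endswith("\\explorer.exe"):
                alerts.append(("mshta_from_explorer", ev["cmdline"]))
            if image.endswith("\\powershell.exe"):
                decoded = decode_encoded_command(ev["cmdline"])
                if decoded is not None:
                    alerts.append(("encoded_powershell", decoded))
        elif ev["type"] == "network":
            # Outbound to a trusted service the group abuses for C2 (match subdomains too)
            host = ev.get("dest_host", "").lower()
            if any(host == d or host.endswith("." + d) for d in ABUSED_C2_DOMAINS):
                alerts.append(("c2_over_trusted_service", host))
    return alerts
```

Feed `evaluate()` real process and network telemetry from your EDR or Sysmon pipeline; the encoded-command decoder is what turns an opaque `-enc` blob into something an analyst can triage.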