Summary: A recent report from Knownsec 404 highlights the emergence of GamaCopy, a cyber espionage group imitating Gamaredon APT, targeting Russian defense and critical infrastructure. GamaCopy uses military-themed documents as bait, employing obfuscated scripts and open-source tools like UltraVNC to minimize detection. The group’s tactics reveal a sophisticated approach to cyber espionage, complicating attribution and showcasing a false flag operation.
Threat Actor: GamaCopy
Victim: Russian defense and critical infrastructure sectors
Key points:
- GamaCopy mimics Gamaredon APT but focuses on Russian-language materials and targets.
- The group uses military-related documents as bait, embedded in 7z SFX archives to deliver payloads.
- GamaCopy employs UltraVNC, disguising it as common system processes to evade detection.
- Key differences from Gamaredon include port usage and attack chain variations.
- First identified in June 2023, GamaCopy has likely been active since at least August 2021.
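The two key points above about 7z SFX bait archives and UltraVNC masquerading as system processes both lend themselves to simple defender-side checks. The following is an added example written for this page; it is not code from the Knownsec 404 report and does not reproduce any GamaCopy sample. It assumes two things that the summary does not state: that the SFX droppers are ordinary PE executables with a 7z archive appended after the PE header (the standard layout of a 7-Zip self-extracting archive), and an illustrative table of system process names and their expected directories. The process names, paths and description strings are constructed for the example; the report summary does not say which processes GamaCopy imitates.

```python
import struct
from dataclasses import dataclass
from typing import List, Optional

# 7-Zip archive signature: 37 7A BC AF 27 1C. In a self-extracting archive the
# archive data is appended after the SFX stub executable, so it appears
# somewhere after the PE header rather than at offset 0.
SEVEN_ZIP_MAGIC = b"7z\xbc\xaf\x27\x1c"


def find_7z_sfx(data: bytes) -> Optional[int]:
    """Return the offset of a 7z archive appended to a PE file, or None.

    A plain .7z archive (magic at offset 0, no MZ/PE headers) is deliberately
    not reported: the point is to spot archives hidden inside an executable.
    """
    if len(data) < 0x40 or data[:2] != b"MZ":
        return None
    e_lfanew = struct.unpack_from("<I", data, 0x3C)[0]
    if e_lfanew + 4 > len(data) or data[e_lfanew:e_lfanew + 4] != b"PE\0\0":
        return None
    off = data.find(SEVEN_ZIP_MAGIC, e_lfanew + 4)
    return off if off != -1 else None


def build_sample_pe(append_archive: bool = True) -> bytes:
    """Constructed minimal PE-like blob for the example (not a real SFX stub)."""
    header = bytearray(0x40)
    header[:2] = b"MZ"
    struct.pack_into("<I", header, 0x3C, 0x40)      # e_lfanew -> PE signature
    body = b"PE\0\0" + b"\x00" * 60                   # placeholder PE headers
    blob = bytes(header) + body
    if append_archive:
        blob += SEVEN_ZIP_MAGIC + b"constructed-archive-bytes"
    return blob


# Illustrative assumption: where these well-known process names normally live.
EXPECTED_SYSTEM_PATHS = {
    "svchost.exe": r"c:\windows\system32",
    "lsass.exe": r"c:\windows\system32",
    "explorer.exe": r"c:\windows",
}
# Strings that identify UltraVNC builds in PE version information.
VNC_MARKERS = ("ultravnc", "uvnc", "winvnc")


@dataclass
class ProcessInfo:
    name: str
    path: str
    description: str  # FileDescription / ProductName from the PE version info


def masquerade_findings(proc: ProcessInfo) -> List[str]:
    """Flag a process whose name says 'system binary' but whose location or
    version info says otherwise."""
    findings = []
    name = proc.name.lower()
    directory = proc.path.lower().rsplit("\\", 1)[0]
    expected = EXPECTED_SYSTEM_PATHS.get(name)
    if expected and directory != expected:
        findings.append(f"{proc.name} running from unexpected directory {proc.path}")
    if any(marker in proc.description.lower() for marker in VNC_MARKERS):
        findings.append(f"{proc.name} carries VNC version info: {proc.description!r}")
    return findings


# Constructed sample process records (not taken from any real incident).
LEGIT_SVCHOST = ProcessInfo(
    "svchost.exe", r"C:\Windows\System32\svchost.exe",
    "Host Process for Windows Services")
SUSPICIOUS_SVCHOST = ProcessInfo(
    "svchost.exe", r"C:\Users\Public\svchost.exe", "UltraVNC Server")


if __name__ == "__main__":
    print("SFX archive offset:", find_7z_sfx(build_sample_pe()))
    print("plain PE:", find_7z_sfx(build_sample_pe(append_archive=False)))
    for proc in (LEGIT_SVCHOST, SUSPICIOUS_SVCHOST):
        print(proc.path, "->", masquerade_findings(proc) or "clean")
```

On a real host the `description` field would come from the binary's version resource (for example via `pefile`), and the expected-path table would be replaced by a verified inventory; both checks are cheap enough to run across a process list or a mail-attachment quarantine as a first triage pass.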