{"description": "Enterprise techniques used by Gamaredon Group, ATT&CK group G0047 (v3.2)", "name": "Gamaredon Group (G0047)", "domain": "enterprise-attack", "versions": {"layer": "4.5", "attack": "18", "navigator": "5.2.0"}, "techniques": [{"techniqueID": "T1583", "showSubtechniques": true},
{"techniqueID": "T1583.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has registered multiple domains to facilitate payload staging and C2.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: ESET Gamaredon Sept2024)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1583.003", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used VPS hosting providers for infrastructure outside of Russia.(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)(Citation: Huntio_GamaredonFlux_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1583.006", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used Cloudflare\u2019s TryCloudflare service to obtain C2 nodes.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1071", "showSubtechniques": true},
{"techniqueID": "T1071.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used HTTP and HTTPS for C2 communications.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1119", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has deployed scripts on compromised systems that automatically scan for interesting documents.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1020", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used modules that automatically upload gathered documents to the C2 server.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1547", "showSubtechniques": true},
{"techniqueID": "T1547.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have registered Run keys in the registry to give malicious VBS files persistence.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059", "showSubtechniques": true},
{"techniqueID": "T1059.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used obfuscated PowerShell scripts for staging.(Citation: Microsoft Actinium February 2022)(Citation: ESET Gamaredon Sept2024) [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used PowerShell-based tools later in its attack chain.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used the PowerShell cmdlet `Get-Command` to download and execute the next-stage payload.(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.003", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used various batch scripts to establish C2 and download additional files. [Gamaredon Group](https://attack.mitre.org/groups/G0047)'s backdoor malware has also been written to a batch file.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Unit 42 Gamaredon February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1059.005", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has embedded malicious macros in document templates, which executed VBScript. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also delivered Microsoft Outlook VBA projects with embedded macros.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Secureworks IRON TILDEN Profile)(Citation: ESET Gamaredon Sept2024) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) has executed VBScript files using wscript.exe.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1005", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has collected files from infected systems and uploaded them to a C2 server.(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1039", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has collected Microsoft Office documents from mapped network drives.(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1025", "comment": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer has the capability to steal data from newly connected logical volumes on a system, including USB drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used obfuscated VBScripts with randomly generated variable names and concatenated strings.(Citation: unit42_gamaredon_dec2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1491", "showSubtechniques": true},
{"techniqueID": "T1491.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has left taunting images and messages on the victims' desktops as proof of system access.(Citation: CERT-EE Gamaredon January 2021)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1140", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools decrypted additional payloads from the C2. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also decoded Base64-encoded source code of a downloader.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) has decoded Telegram content to reveal the IP address for C2 communications.(Citation: unit42_gamaredon_dec2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1587", "showSubtechniques": true},
{"techniqueID": "T1587.003", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used the same TLS certificate across its infrastructure.(Citation: Huntio_GamaredonFlux_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1561", "showSubtechniques": true},
{"techniqueID": "T1561.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used tools to delete files and folders from victims' desktops and profiles.(Citation: CERT-EE Gamaredon January 2021)", "score": 1, "color": "#66b1ff",
"showSubtechniques": true}, {"techniqueID": "T1568", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has incorporated dynamic DNS domains in its infrastructure.(Citation: Unit 42 Gamaredon February 2022)", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1568.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used fast flux DNS to mask their command and control channel behind rotating IP addresses.(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)(Citation: SilentPush_GamaredonFastFlux_Sept2023) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used a low-frequency variant of the single-flux method.(Citation: Huntio_GamaredonFlux_Apr2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1480", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used geoblocking to limit downloads of the malicious file to specific geographic locations.(Citation: unit42_gamaredon_dec2022)(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1041", "comment": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can transfer collected files to a hardcoded C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon Sept2024)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1083", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) macros can scan for Microsoft Word and Excel files to inject with additional malicious macros. 
[Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used its backdoors to automatically list interesting files (such as Office documents) found on a system.(Citation: ESET Gamaredon June 2020)(Citation: Unit 42 Gamaredon February 2022)(Citation: ESET Gamaredon Sept2024) Gamaredon Group has also identified directory trees, folders and files on the compromised host.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1564", "showSubtechniques": true}, {"techniqueID": "T1564.003", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used hidcon to run batch files in a hidden console window.(Citation: Unit 42 Gamaredon February 2022) [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also executed PowerShell in a hidden window.(Citation: VenereCiscoTalos_Gamaredon_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1562", "showSubtechniques": true}, {"techniqueID": "T1562.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered macros which can tamper with Microsoft Office security settings.(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024) \t", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1070", "showSubtechniques": true}, {"techniqueID": "T1070.004", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools can delete files used during an operation.(Citation: TrendMicro Gamaredon April 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: ESET Gamaredon Sept2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1105", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has downloaded additional malware and tools onto a compromised host.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon 
April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022)(Citation: ESET Gamaredon Sept2024)(Citation: VenereCiscoTalos_Gamaredon_Mar2025) For example, [Gamaredon Group](https://attack.mitre.org/groups/G0047) uses a backdoor script to retrieve and decode additional payloads once in victim environments.(Citation: unit42_gamaredon_dec2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1559", "showSubtechniques": true},
{"techniqueID": "T1559.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware can insert malicious macros into documents using a Microsoft.Office.Interop object.(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1534", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used an Outlook VBA module on infected systems to send phishing emails with malicious attachments to other employees within the organization.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1036", "showSubtechniques": true},
{"techniqueID": "T1036.005", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has hidden malware behind names that resemble legitimate process names, such as `svchosst`.(Citation: Unit 42 Gamaredon February 2022) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) disguised malicious ZIP archives as Office documents related to the invasion.(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1112", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has removed security settings for VBA macro execution by changing the registry values `HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\VBAWarnings` and `HKCU\\Software\\Microsoft\\Office\\<version>\\<product>\\Security\\AccessVBOM`.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: ESET Gamaredon Sept2024) [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also modified Registry values to hide folders and system files and to store the C2 address under `HKEY_CURRENT_USER\\Console\\WindowsUpdate`.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1106", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used CreateProcess to launch additional malicious components.(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1095", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used SOCKS5 over port 9050 for C2 communication.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1571", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used port 6856 for C2 communications.(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1027", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered self-extracting 7z archive files within malicious document attachments.(Citation: ESET Gamaredon June 2020) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used an obfuscated .drv file.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1027.004", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has compiled the source code for a downloader directly on the infected system using the built-in Microsoft.CSharp.CSharpCodeProvider class.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.010", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used obfuscated or encrypted scripts.(Citation: ESET Gamaredon June 2020)(Citation: Microsoft Actinium February 2022)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.012", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used LNK files to hide malicious scripts for execution.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.015", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered malicious payloads within compressed archives such as ZIP files.(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1027.016", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has obfuscated .NET executables by inserting junk code.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1588", "showSubtechniques": true},
{"techniqueID": "T1588.002", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used various legitimate tools, such as `mshta.exe` and [Reg](https://attack.mitre.org/software/S0075), and services during operations.(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1137", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has inserted malicious macros into existing documents, providing persistence when they are reopened. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has loaded the group's previously delivered VBA project by relaunching Microsoft Outlook with the `/altvba` option once the Application.Startup event is received.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1120", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) tools have contained an application to check the performance of USB flash drives. [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also used malware to scan for removable drives.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: ESET Gamaredon June 2020)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1566", "showSubtechniques": true},
{"techniqueID": "T1566.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has delivered spearphishing emails with malicious attachments to targets.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)(Citation: SilentPush_GamaredonFastFlux_Sept2023) Additionally, [Gamaredon Group](https://attack.mitre.org/groups/G0047) has distributed malicious LNK files compressed in ZIP archives.(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1057", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used tools, including Process Explorer, to enumerate processes on target hosts.(Citation: Symantec Shuckworm January 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1055", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has injected [Remcos](https://attack.mitre.org/software/S0332) into explorer.exe.(Citation: VenereCiscoTalos_Gamaredon_Mar2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1090", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used the Cloudflare Tunnel client to proxy C2 traffic.(Citation: ESET Gamaredon Sept2024)", "score": 1, "showSubtechniques": true},
{"techniqueID": "T1090.003", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used [Tor](https://attack.mitre.org/software/S0183) for C2 traffic.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1012", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has queried `HKEY_CURRENT_USER\\Console\\WindowsUpdates` to obtain the C2 addresses.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1620", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used an obfuscated PowerShell script that used `System.Reflection.Assembly` to gather and send victim information to the C2.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1021", "showSubtechniques": true},
{"techniqueID": "T1021.005", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used VNC tools, including UltraVNC, to remotely interact with compromised hosts.(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1091", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has replicated to removable media by leveraging the UserAssist registry key and creating LNK files on all network and removable drives available on the infected host.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1053", "showSubtechniques": true},
{"techniqueID": "T1053.005", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has created scheduled tasks to launch executables after a designated number of minutes have passed.(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: unit42_gamaredon_dec2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1113", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047)'s malware can take screenshots of the compromised computer every minute.(Citation: ESET Gamaredon June 2020)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false},
{"techniqueID": "T1518", "showSubtechniques": true},
{"techniqueID": "T1518.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used PowerShell scripts to identify security software on the victim machine.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1608", "showSubtechniques": true},
{"techniqueID": "T1608.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has registered domains to stage payloads.(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true},
{"techniqueID": "T1218",
"showSubtechniques": true}, {"techniqueID": "T1218.005", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used `mshta.exe` to execute malicious files.(Citation: Symantec Shuckworm January 2022)(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1218.011", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) malware has used rundll32 to launch additional malicious components.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1082", "comment": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's computer name and drive serial numbers to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)(Citation: ESET Gamaredon Sept2024) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1016", "showSubtechniques": true}, {"techniqueID": "T1016.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has tested connectivity between a compromised machine and a C2 server using [Ping](https://attack.mitre.org/software/S0097) with commands such as `CSIDL_SYSTEM\\cmd.exe /c ping -n 1`.(Citation: Symantec Shuckworm January 2022) [Gamaredon Group](https://attack.mitre.org/groups/G0047) has searched the ping records to obtain the C2 address and has used ping to search for the C2\u2019s status.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1033", "comment": "A [Gamaredon Group](https://attack.mitre.org/groups/G0047) file stealer can gather the victim's username to send to a C2 server.(Citation: Palo Alto Gamaredon Feb 
2017)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1080", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has injected malicious macros into all Word and Excel documents on mapped network drives.(Citation: ESET Gamaredon June 2020)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1221", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used DOCX files to download malicious DOT document templates and has used RTF template injection to download malicious payloads.(Citation: Proofpoint RTF Injection) [Gamaredon Group](https://attack.mitre.org/groups/G0047) can also inject malicious macros or remote templates into documents already present on compromised systems.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks IRON TILDEN Profile)(Citation: ESET Gamaredon Sept2024)", "score": 1, "color": "#66b1ff", "showSubtechniques": false}, {"techniqueID": "T1204", "showSubtechniques": true}, {"techniqueID": "T1204.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has attempted to get users to click on a link pointing to a malicious HTML file leading to follow-on malicious content.(Citation: unit42_gamaredon_dec2022)(Citation: ESET Gamaredon Sept2024)  ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1204.002", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has attempted to get users to click on Office attachments with malicious macros embedded.(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: CERT-EE Gamaredon January 2021)(Citation: Microsoft Actinium February 2022)(Citation: Unit 42 Gamaredon February 2022)(Citation: Secureworks 
IRON TILDEN Profile)(Citation: unit42_gamaredon_dec2022) [Gamaredon Group](https://attack.mitre.org/groups/G0047) has also attempted to get users to click on thematically named files.(Citation: VenereCiscoTalos_Gamaredon_Mar2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1497", "showSubtechniques": true}, {"techniqueID": "T1497.001", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has checked existing conditions, such as geographic location, device type, or system specification, before the victim is sent a malicious Word document.(Citation: SilentPush_GamaredonFastFlux_Sept2023)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used GitHub repositories for downloaders which will be obtained by the group's .NET executable on the compromised system.(Citation: ESET Gamaredon June 2020)\t", "score": 1, "showSubtechniques": true}, {"techniqueID": "T1102.002", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used several ways to try to resolve the C2 server, including: public third-party websites, an adversary-operated Telegraph channel, the [ngrok](https://attack.mitre.org/software/S0508) utility and the TXT record of a hardcoded C2 domain.(Citation: ESET Gamaredon Sept2024)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1102.003", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used Telegram Messenger content to discover the IP address for C2 communications.(Citation: unit42_gamaredon_dec2022)", "score": 1, "color": "#66b1ff", "showSubtechniques": true}, {"techniqueID": "T1047", "comment": "[Gamaredon Group](https://attack.mitre.org/groups/G0047) has used WMI to execute scripts used for discovery and for determining the C2 IP address.(Citation: CERT-EE Gamaredon January 
2021)(Citation: unit42_gamaredon_dec2022)(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025)(Citation: ESET Gamaredon Sept2024) [Gamaredon Group](https://attack.mitre.org/groups/G0047) has used the following WMI query to search for a ping record: `Select * From Win32_PingStatus where Address = 'mil.gov.ua'`.(Citation: SymantecCarbonBlack_ShuckwormUSB_Apr2025) ", "score": 1, "color": "#66b1ff", "showSubtechniques": false}], "gradient": {"colors": ["#ffffff", "#66b1ff"], "minValue": 0, "maxValue": 1}, "legendItems": [{"label": "used by Gamaredon Group", "color": "#66b1ff"}]}
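Several entries in the layer above name concrete host artifacts a defender can check for directly: the Office `VBAWarnings` and `AccessVBOM` values under `HKCU\Software\Microsoft\Office\<version>\<product>\Security` (T1112, T1562.001), Run-key entries that launch VBS files (T1547.001), and a C2 address stored under `HKEY_CURRENT_USER\Console\WindowsUpdate` (T1112, T1012; the layer spells the key both `WindowsUpdate` and `WindowsUpdates`, so the check matches the prefix). The script below is an added example, not part of the ATT&CK layer or of any cited vendor report. It parses the text that `reg export <key> <file>` writes (the `.reg` format) and flags those artifacts. The embedded dump, the `svchosst` Run entry and the 203.0.113.10 address are constructed for illustration; treating `VBAWarnings`/`AccessVBOM` value 1 as the dangerous setting follows Microsoft's documented meaning of those values, while flagging any Run entry that invokes a script host is this example's own heuristic, not a vendor detection rule.

```python
"""Audit a .reg export for the Office macro-security, Run-key and HKCU\\Console
artifacts attributed to Gamaredon Group (G0047) in the ATT&CK layer.
Added example; the sample dump below is constructed, not captured from a victim."""
import re
import sys

# Office values under HKCU\Software\Microsoft\Office\<ver>\<app>\Security:
#   VBAWarnings  1 = enable all macros, 2 = disable with notification,
#                3 = disable except digitally signed, 4 = disable all silently
#   AccessVBOM   1 = trust access to the VBA project object model, which is what
#                lets a macro or Office Interop client write macros into documents
KEY_LINE = re.compile(r"^\[(.+)\]$")
VALUE_LINE = re.compile(r'^"(?P<name>[^"]+)"=(?P<data>.+)$')
OFFICE_SECURITY = re.compile(
    r"^HKEY_CURRENT_USER\\Software\\Microsoft\\Office\\[\d.]+\\[^\\]+\\Security$", re.I)
RUN_KEY = re.compile(
    r"^HKEY_(CURRENT_USER|LOCAL_MACHINE)\\Software\\Microsoft\\Windows\\CurrentVersion\\Run(Once)?$",
    re.I)
CONSOLE_KEY = re.compile(r"^HKEY_CURRENT_USER\\Console(\\|$)", re.I)
# Heuristic of this example (not a vendor rule): Run entries that invoke a script
# host, or reference a .vbs/.vbe file, deserve a look.
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)(\.exe)?\b|\.vb[se]\b", re.I)


def parse_reg(text):
    """Parse the subset of .reg syntax needed here: [key] headers and "name"=data lines.
    dword data becomes int, quoted strings are unescaped; other types are kept raw.
    Returns {key_path: {value_name: data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(("Windows Registry Editor", ";")):
            continue
        m = KEY_LINE.match(line)
        if m:
            current = m.group(1)
            keys.setdefault(current, {})
            continue
        m = VALUE_LINE.match(line)
        if m and current is not None:
            data = m.group("data")
            if data.lower().startswith("dword:"):
                data = int(data[6:], 16)
            elif len(data) >= 2 and data[0] == data[-1] == '"':
                # .reg escapes backslash and double quote with a backslash
                data = re.sub(r'\\(["\\])', r"\1", data[1:-1])
            keys[current][m.group("name")] = data
    return keys


def audit(keys):
    """Return findings as (key_path, value_name, reason) tuples."""
    findings = []
    for key, values in keys.items():
        if OFFICE_SECURITY.match(key):
            if values.get("VBAWarnings") == 1:
                findings.append((key, "VBAWarnings", "all macros enabled without warning"))
            if values.get("AccessVBOM") == 1:
                findings.append((key, "AccessVBOM", "VBA project object model trusted"))
        elif RUN_KEY.match(key):
            for name, data in values.items():
                if isinstance(data, str) and SCRIPT_HOST.search(data):
                    findings.append((key, name, "Run entry invokes a script host: " + data))
        elif CONSOLE_KEY.match(key):
            # HKCU\Console holds console window settings; a WindowsUpdate subkey or
            # value there is not a console setting and matches the reported C2 store.
            in_subkey = "windowsupdate" in key.lower()
            for name in values:
                if in_subkey or name.lower().startswith("windowsupdate"):
                    findings.append((key, name, "WindowsUpdate data under HKCU\\Console"))
    return findings


# Constructed sample in the layout `reg export` produces (a real export is UTF-16).
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Word\Security]
"VBAWarnings"=dword:00000001
"AccessVBOM"=dword:00000001

[HKEY_CURRENT_USER\Software\Microsoft\Office\16.0\Excel\Security]
"VBAWarnings"=dword:00000002

[HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run]
"OneDrive"="\"C:\\Users\\user\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe\" /background"
"svchosst"="wscript.exe //B \"C:\\Users\\user\\AppData\\Local\\Temp\\update.vbs\""

[HKEY_CURRENT_USER\Console\WindowsUpdate]
"Version"="203.0.113.10"
'''


def main(argv):
    # reg export writes UTF-16 LE with a BOM; encoding="utf-16" consumes the BOM.
    text = open(argv[1], encoding="utf-16").read() if len(argv) > 1 else SAMPLE_REG
    findings = audit(parse_reg(text))
    for key, name, reason in findings:
        print(f"{key} :: {name} :: {reason}")
    return 1 if findings else 0


if __name__ == "__main__":
    sys.exit(main(sys.argv))
```

Run without arguments to see the four findings from the constructed dump (Word's two macro settings, the `svchosst` Run entry, and the `Version` value under `HKCU\Console\WindowsUpdate`); Excel's `VBAWarnings` of 2 is the default "disable with notification" and is not reported. On a real host, export the three hives of interest first, for example `reg export HKCU\Software\Microsoft\Office office.reg`, and pass each file in turn. Because `AccessVBOM` is also set by some legitimate developer tooling, treat that finding as a prompt to look at who set it and when, not as proof of compromise.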