Russian Espionage Group ‘Shuckworm’ Deploys New Malware to Spy on Western Forces in Ukraine

A Decade of Digital Espionage

A Russian-backed hacking group called Shuckworm has launched a new cyberattack. This time, they targeted a foreign military mission in Ukraine. Shuckworm is also known as Gamaredon or Armageddon. The group has been active since 2013. They mostly attack Ukrainian government offices, defense systems, and law enforcement agencies. Experts say Shuckworm works for the Russian Federal Security Service (FSB). Their cyberattacks have continued during the Russia-Ukraine war. This latest attack shows they are still very active and dangerous.

The latest campaign was discovered by cybersecurity experts at Symantec, who reported that the attack began on February 26 and extended into March. What makes this campaign stand out is its target—a Western military mission on Ukrainian soil—indicating a bold step in Shuckworm’s espionage goals.

Shuckworm used a new version of its malware called GammaSteel in this attack. GammaSteel is made to steal data without being seen. It was written in PowerShell, a tool used in Windows systems. This let the hackers sneak into computers, look for important files, and send the stolen data back to their own servers. They did all this while avoiding most security programs.

How the Attack Unfolded

The attack began in a simple yet deceptive way. Shuckworm used an infected removable drive containing a file labeled “D:\files.lnk.” When this shortcut file was opened, it triggered a process that altered the Windows Registry, enabling the malware to automatically run every time the computer was restarted. This gave the hackers a way in.

From there, they ran a file named mishta.exe to bypass standard security checks. They followed this up with a series of hidden commands using a built-in Windows tool called wscript.exe. These commands allowed them to connect the infected computer to their Command and Control server, which acts as a headquarters for the hackers, allowing them to issue more commands and retrieve stolen data.

Critical Vulnerabilities: The Dark Side of Pacemaker Technology

After gaining access, Shuckworm expanded its reach. It methodically moved through the computer system, infecting all connected USB drives and shared network folders. This made sure the malware spread beyond a single device and into other parts of the organization’s infrastructure.

On March 1, the hackers were observed carrying out a wave of activity on the compromised server. They launched tools to gather information about the system and created two new backup servers to maintain control in case their primary access point was blocked. These moves show how organized and persistent Shuckworm is in its operations.

Military Documents and Methods of Theft

What the hackers wanted became clear soon. Security experts found a group of stolen files. The file names showed they were linked to military plans and battlefield actions. Some files had titles about inspection steps, air defense orders, and troop movements. Others mentioned wound reports and casualty details. The exact content is not confirmed. But the names suggest the hackers were after secret military information.

Once they had the files, the group found ways to smuggle the data out. They used a public website called write.as to upload the stolen files. As a backup, they used cURL, a tool that moves data online. They also used Tor, a network that hides who you are and where you’re from. These tools helped them stay hidden and avoid being tracked.

How Cyber Attacks on Industrial Control Systems Can Endanger Lives ?

According to the security researchers, this campaign showed that Shuckworm has become more skilled. They relied more heavily on PowerShell tools, made minor but effective changes to their malware code, and used legitimate-looking services to avoid drawing attention. This made the entire attack chain more complicated and harder to detect, signaling an increase in the group’s capabilities.

This latest hacking operation is a reminder of the ongoing cyber war tied to the physical conflict in Ukraine. While soldiers fight on the ground, digital attackers like Shuckworm operate in the shadows, stealing secrets and undermining operations with a few lines of code.

Mohit Kumbhar
Mohit Kumbhar
Hey I am Mohit. I am the editor of the Newsinterpretation. Writing is my passion and financial column writing is my hobby.

TOP 10 TRENDING ON NEWSINTERPRETATION

Kristi Noem’s aide escalates immigration row into Hollywood-level drama with Kim Kardashian

In a collision of celebrity power and political fire,...

Gavin Newsom mocks Melania Trump with AI Vanity Fair cover calling himself “The American King”

California governor Gavin Newsom has taken his social media...

Kristi Noem fires FEMA’s 24 IT staff after massive cybersecurity breach

Homeland Security Secretary Kristi Noem has taken a dramatic...

2.5 Billion Gmail Users on Alert as Google Issues Urgent Security Warning

Google has issued an urgent warning to 2.5 billion...

Gavin Newsom mocks JD Vance’s “tiny brain” in fiery social media clash

A sharp war of words has broken out online...

Tesla hacker restores missing crash logs exposing Autopilot pedestrian collision

In April 2019, a tragic accident took place in...

Gavin Newsom slams Trump’s troop deployments as dangerous militarization of U.S. cities

California Governor Gavin Newsom has raised sharp concerns about...

Epstein donations raise new questions after report links Dalai Lama to Manhattan visits

When people talk about the people who visited Jeffrey...

TransUnion confirms data breach affecting 4.4 million consumers through third party system

Credit bureau TransUnion has confirmed that the personal data...

Related Articles

Popular Categories

error: Content is protected !!