Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine

April 10, 2025 | Ravie Lakshmanan | Cyber Espionage / Malware

The Russia-linked threat actor known as Gamaredon (also tracked as Shuckworm) has been attributed to a cyberattack targeting a foreign military mission based in Ukraine, with the aim of delivering an updated version of a known malware family called GammaSteel.

According to the Symantec Threat Hunter team, the first signs of the malicious activity were detected on February 26, 2025, when the group was found targeting the military mission of a Western country in Ukraine.

"The initial infection vector used by the attackers appears to have been an infected removable drive," the Broadcom-owned threat intelligence division said in a report shared with The Hacker News.

The attack began with the creation of a Windows Registry value under the UserAssist key, followed by the launch of mshta.exe via explorer.exe to drop two files and kick off a multi-stage infection chain.

The first file, "NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms," is used to establish communications with a command-and-control (C2) server whose address is obtained by reaching out to specific URLs on legitimate services such as Teletype, Telegram, and Telegraph, among others (a dead-drop resolver pattern that lets the operators rotate the real C2 without touching the implant).

The second file, "NTUSER.DAT.TMContainer00000000000000000002.regtrans-ms," is designed to infect any removable and network drives by creating shortcut (.lnk) files for every folder on them; each shortcut executes the malicious mshta.exe command while concealing it from the user.

The chain reached its next stage on March 1, 2025, when the script was executed to contact a C2 server, exfiltrate system metadata, and receive a Base64-encoded payload, which in turn runs a PowerShell command engineered to download an obfuscated new version of the same script.
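The chain described in the preceding paragraphs (a UserAssist registry write, explorer.exe spawning mshta.exe on a fake .regtrans-ms file, dead-drop lookups against legitimate services, .lnk seeding of removable drives, and a PowerShell download stage) maps cleanly onto endpoint telemetry. The following is an added hunting example, not code from Symantec's report or from the attackers: it expresses each stage as a rule over constructed, Sysmon-style event dictionaries. The field names (type, image, parent_image, command_line, target_object, target_filename, query_name), the drive-letter heuristic for "removable or mapped", and the sample events are all assumptions made for the example, not a real log schema or real captured data.

```python
"""Hunting rules for the mshta.exe / removable-drive / dead-drop tradecraft
described in the article.

Added example, not Symantec's code or the attackers' scripts. Events are
constructed, Sysmon-style dicts; the field names are assumptions modelled
loosely on Sysmon event IDs 1, 11, 13 and 22, not a real log schema.
"""
import re

# Legitimate services the article names as dead-drop resolvers for the C2 address.
DEAD_DROP_HOSTS = {"telegra.ph", "t.me", "telegram.org", "teletype.in"}

# The two dropped files masquerade as registry transaction logs.
REGTRANS_RE = re.compile(r"NTUSER\.DAT\.TMContainer\d+\.regtrans-ms", re.IGNORECASE)

# Assumption for this example: anything on drive D: or later is removable or mapped.
NON_SYSTEM_DRIVE_RE = re.compile(r"^[D-Z]:\\", re.IGNORECASE)

USERASSIST_KEY = "\\software\\microsoft\\windows\\currentversion\\explorer\\userassist\\"


def _image(ev, name):
    """True when the event's process image ends with the given executable name."""
    return ev.get("image", "").lower().endswith("\\" + name)


def _parent(ev, name):
    """True when the event's parent process image ends with the given executable name."""
    return ev.get("parent_image", "").lower().endswith("\\" + name)


def rule_userassist_write(ev):
    """Stage 1: a value written under UserAssist by something other than the shell.
    UserAssist is normally maintained by explorer.exe, so a script host touching
    it is the anomaly worth reviewing."""
    return (ev.get("type") == "registry_set"
            and USERASSIST_KEY in ev.get("target_object", "").lower()
            and not _image(ev, "explorer.exe"))


def rule_mshta_from_explorer(ev):
    """Stage 1: explorer.exe launching mshta.exe on a fake .regtrans-ms file."""
    return (ev.get("type") == "process_create"
            and _image(ev, "mshta.exe") and _parent(ev, "explorer.exe")
            and REGTRANS_RE.search(ev.get("command_line", "")) is not None)


def rule_dead_drop_lookup(ev):
    """Stages 1 and 3: a script host resolving one of the services used as a dead drop.
    Browsers are excluded so ordinary Telegram use does not fire the rule."""
    host = ev.get("query_name", "").lower()
    return (ev.get("type") == "dns_query"
            and any(host == h or host.endswith("." + h) for h in DEAD_DROP_HOSTS)
            and any(_image(ev, n) for n in ("mshta.exe", "powershell.exe", "wscript.exe")))


def rule_lnk_dropper(ev):
    """Stage 2: mshta.exe creating .lnk files on a removable or mapped drive."""
    target = ev.get("target_filename", "")
    return (ev.get("type") == "file_create" and _image(ev, "mshta.exe")
            and target.lower().endswith(".lnk")
            and NON_SYSTEM_DRIVE_RE.match(target) is not None)


def rule_powershell_from_mshta(ev):
    """Stage 3: the mshta-hosted script spawning PowerShell for the download step."""
    return (ev.get("type") == "process_create"
            and _image(ev, "powershell.exe") and _parent(ev, "mshta.exe"))


RULES = (rule_userassist_write, rule_mshta_from_explorer, rule_dead_drop_lookup,
         rule_lnk_dropper, rule_powershell_from_mshta)


def hunt(events):
    """Return a list of (event_index, rule_name) for every rule hit, in event order."""
    return [(i, r.__name__) for i, ev in enumerate(events) for r in RULES if r(ev)]


# Constructed sample telemetry: a replay of the chain plus two benign look-alikes.
SAMPLE_EVENTS = [
    {"type": "process_create", "image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe", "command_line": "explorer.exe"},
    {"type": "registry_set", "image": r"C:\Windows\System32\mshta.exe",
     "target_object": r"HKU\S-1-5-21-1000\Software\Microsoft\Windows\CurrentVersion"
                      r"\Explorer\UserAssist\{CEBFF5CD-ACE2-4F4F-9178-9926F41749EA}\Count\stage"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe E:\NTUSER.DAT.TMContainer00000000000000000001.regtrans-ms"},
    {"type": "dns_query", "image": r"C:\Windows\System32\mshta.exe", "query_name": "telegra.ph"},
    {"type": "file_create", "image": r"C:\Windows\System32\mshta.exe",
     "target_filename": r"E:\Documents.lnk"},
    {"type": "process_create", "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\mshta.exe",
     "command_line": "powershell.exe -w hidden -nop -File stage.ps1"},
    # Benign: a user browsing Telegram in Chrome, and a vendor .hta launched from Explorer.
    {"type": "dns_query", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe",
     "query_name": "t.me"},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"mshta.exe C:\Program Files\Vendor\help.hta"},
]

if __name__ == "__main__":
    for idx, name in hunt(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

Each rule on its own is noisy (mshta.exe under explorer.exe is common, and DNS lookups for t.me are normal on a user workstation), which is why the rules are keyed to the specific combinations the article describes: the fake .regtrans-ms name, a script host rather than a browser doing the lookup, and .lnk creation on a non-system drive. In a real deployment the "removable drive" test should come from the device class or volume type rather than the drive letter heuristic used here.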

That script, for its part, connects to a hard-coded C2 server to retrieve two more PowerShell scripts, the first of which is a reconnaissance tool that runs the systeminfo command, identifies the security software present on the host, enumerates files and folders on the Desktop, and lists running processes.

The second PowerShell script is an improved version of GammaSteel, a known information stealer that can exfiltrate files from the victim's Desktop and Documents folders based on an extension allowlist.

"This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it makes up for this with its relentless focus on targets in Ukraine," Symantec said.

While the group does not appear to have access to the same skill set as some other Russian actors, Symantec added, it now appears to be trying to compensate by continually modifying the code it uses, adding obfuscation, and leveraging legitimate web services, all in an effort to lower the risk of detection.
