Gamaredon Uses Infected Removable Drives to Breach Western Military Mission in Ukraine


Russia-linked Gamaredon (Shuckworm) targeted a foreign military mission in Ukraine with a multi-stage attack starting on February 26, 2025. The attack used an infected removable drive to execute malicious scripts, establish communication with command-and-control servers, and deploy an updated version of GammaSteel malware. The malware, which exfiltrates files from specific folders, is part of a more sophisticated approach by Gamaredon, which uses obfuscation and legitimate web services to avoid detection.
