{"error":null,"mode":"plain","query":"Gamaredon","results":[{"actor":"UAC-0010","chain_id":"gamaredon.2025.zero-click-rar.pteranodon","confidence":"confirmed","description":"IIM chain for the November 2025 Gamaredon zero-click delivery path: a Ukraine-themed RAR archive abuses CVE-2025-6218/CVE-2025-8088 style archive delivery to place an HTA in the Windows Startup folder. The HTA/loader reaches DynDNS-backed delivery infrastructure, retrieves/launches Pteranodon, and then uses Telegram/graph.org dead-drop resolver infrastructure plus DynDNS/Fast-Flux C2 nodes for tasking and payload rotation.","digest":[{"role":"entry","techniques":["IIM-T024"],"type":"file","value":"6aa9741f8b8629d0398049fa91dc5e7c28fd0d63bc76b3fd9be2dc196265263f.rar"},{"role":"entry","techniques":[],"type":"file","value":"\u041f\u0435\u0440\u0435\u0434\u0430\u0442\u0438 \u0437\u0430\u0441\u043e\u0431\u0430\u043c\u0438 \u0410\u0421\u0423 \u0414\u043d\u0456\u043f\u0440\u043e_2_1_1_7755_11.11.2025.pdf"},{"role":"staging","techniques":["IIM-T024"],"type":"file","value":"%APPDATA%\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\2_1_1_7755_11.11.2025.HTA"},{"role":"staging","techniques":["IIM-T008","IIM-T019","IIM-T020","IIM-T021"],"type":"url","value":"hxxp://president.gov[.]ua@readers.serveirc[.]com?/gss_11.11.2025/kidneyfih/broadlyrQZ.pdf"},{"role":"payload","techniques":[],"type":"file","value":"Pteranodon Stage-2 loader"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/natural_blood"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://www.telegram[.]me/s/oberfarir"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://telegram[.]me/s/teotori"},{"role":"redirector","techniques":["IIM-T006","IIM-T013"],"type":"url","value":"hxxps://graph[.]org/vryivzphxwc-11-11"},{"role":"staging","techniques":["IIM-T010","IIM-T013"],"type":"url","value":"hxxps://www.bitdefender[.]com@weliveditwell[.]online/mammon"}],"entity_count":13,"feed_url":"https://feed.iim.malwarebox.eu/chain/gamaredon.2025.zero-click-rar.pteranodon","matches":[],"published_at":"2026-05-27 12:22:36.950024","raw_url":"https://feed.iim.malwarebox.eu/api/chains/gamaredon.2025.zero-click-rar.pteranodon/raw","relation_count":13,"roles":["entry","entry","staging","staging","payload","redirector","redirector","redirector","redirector","staging","redirector","c2","c2"],"score":5,"source_links":[{"label":"Synaptic Security Blog - Inside Gamaredon 2025: Zero-Click Espionage at Scale","url":"https://blog.synapticsystems.de/inside-gamaredon-2025-zero-click-espionage-at-scale/"}],"techniques":["IIM-T002","IIM-T003","IIM-T006","IIM-T007","IIM-T008","IIM-T010","IIM-T011","IIM-T013","IIM-T019","IIM-T020","IIM-T021","IIM-T024"],"title":"Gamaredon 2025 zero-click RAR to Pteranodon and rotating C2 infrastructure"}],"stats":{"actors":19,"chains":39,"entities":406,"latest":"2026-05-31 19:22:26.947823","relations":[["connect",96],["drops",89],["references",73],["download",61],["execute",52],["communicates-with",30],["resolves-to",30],["redirect",8]],"roles":[["staging",116],["c2",110],["payload",95],["entry",51],["redirector",34]],"techniques":[["IIM-T024",18],["IIM-T006",15],["IIM-T011",14],["IIM-T002",9],["IIM-T010",7],["IIM-T018",6],["IIM-T019",6],["IIM-T004",5],["IIM-T013",5],["IIM-T021",5]]},"total_matches":1,"total_rows":1}
