Gamaredon Group
Gamaredon Group is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name Gamaredon Group derives from a misspelling of the word "Armageddon," found in early campaigns. In November 2021, the Ukrainian government publicly attributed Gamaredon Group to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers.
Attribution signal
Score = mentions × confidence weight, summed across all attributed sources. Higher source diversity increases the score.
≥ 10 High, ≥ 3 Moderate, < 3 Low
Attribution signals
10 mentions · 2 sources
"Google's Threat Intelligence Group documented the same CVE being exploited by Sandworm, Turla, and Gamaredon in the same timeframe"
"Phishing emails with malicious attachments containing malware by the Crimea-based Russian FSB group known as Gamaredon (aka Shuckworm or PrimitiveBear)"
"Gamaredon tooling, including PteroGraphin and PteroOdd, was used to deploy Turla's Kazuar backdoor and, in at least one case, restore Turla's access after the group appeared to have lost its foothold."
"Still one of the most active espionage actors targeting Ukraine, the group relies on relentless spearphishing, lightweight custom tooling, and fast operational tempo to compromise military and government organizations."
"The researchers provide evidence of direct operational collaboration between Gamaredon and Turla, detailing concrete cases in which Gamaredon activity enabled Turla operations on already compromised systems."
"the worm is the latest tool of Gamaredon, a long-running espionage group that Ukraine's security service has formally tied to Russia's Federal Security Service (FSB)"
"Gamaredon actively facilitated Turla's access to high-value Ukrainian targets in Ukraine."
"The group was tied to the FSB by Ukraine's Security Service"
"Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) has been active since 2014 and its activity focuses on Ukraine"
"Gamaredon infection chain: spoofed emails, GammaDrop and GammaLoad"
Hedge terms observed