Russian-Aligned Shuckworm Infiltrates Ukrainian Military Systems Via Removable Media
Russian APT group Shuckworm (also tracked as Aqua Blizzard and Primitive Bear) continues to actively target Ukrainian interests in 2025, with Symantec attributing a February 2025 campaign aimed at the military mission of a Western nation operating in the region. The ongoing espionage operation centers around the deployment of an updated version of the GammaSteel infostealer. According to Symantec telemetry, activity was first observed on February 26, 2025, and featured several layers of obfuscation and living-off-the-land binaries (LOLBins) such as "mshta.exe," "wscript.exe," "powershell.exe," "certutil.exe," and "curl.exe." The initial infection was likely initiated via an infected removable drive containing a malicious LNK file designed to execute the attack chain.
Investigation of the observed intrusion chain began with a UserAssist registry key indicating interaction with an LNK file: "D:\files.lnk." Subsequent execution of "mshta.exe" via "explorer.exe" triggered a JavaScript payload that launched both a decoy and a malicious script using "wscript.exe." The VBScript, stored with a ".drv" extension, led to the creation and execution of two key files. The first file attempted to ping the C2 domain via WMI to verify connectivity; if unsuccessful, execution would terminate. Upon successful validation, the malware attempted to resolve its C2 infrastructure using multiple public services.
The second file manipulated multiple registry keys to disable the display of hidden files, file extensions, and system files, including the values "Hidden," "ShowSuperHidden," and "HideFileExt." The malware also propagated itself to removable and network drives by creating shortcut (.lnk) files that re-executed the initial malicious "mshta.exe" command. Additional activity was seen on March 1, when the same VBScript was re-executed via "wscript.exe," reaching out to a new C2 endpoint and exfiltrating host data using customized HTTP headers. Persistence was maintained by storing the C2 URL under "HKEY_CURRENT_USER\Console\WindowsUpdates," and PowerShell was used to download and execute follow-on scripts.
The follow-up PowerShell scripts received from the C2 server performed a range of reconnaissance functions, including capturing screenshots, collecting disk metadata, enumerating installed software, and gathering active process lists. All gathered information was exfiltrated via HTTP POST to an IP-based endpoint. The final payload involved a new PowerShell-based variant of GammaSteel that queried and exfiltrated document types, including ".doc," ".pdf," and ".xls" from user directories. Files were hashed using "certutil.exe" before exfiltration. If the HTTP transfer failed, "curl.exe" was invoked through a Tor SOCKS5 proxy to ensure data delivery. GammaSteel further stored obfuscated script components within registry values and leveraged the Run key at "HKEY_CURRENT_USER\Software\Microsoft\Windows\CurrentVersion\Run[USERNAME]" to maintain persistence across reboots.
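The registry tampering and persistence described in the two preceding paragraphs leave host-level traces a defender can check for. The following is an added example, not code from the Symantec report or from this article: a small classifier for registry value-set events, run here over constructed Sysmon Event ID 13 style records (the user hive SID, C2 URL and Run value name are placeholders, not indicators from the report).

```python
import re
# Indicators from the intrusion chain summarised above. SAMPLE_EVENTS below are
# constructed in Sysmon Event ID 13 (registry value set) shape, not real telemetry.
EXPLORER_ADVANCED = r"\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced"
HIDE_SETTINGS = {"Hidden": 2, "ShowSuperHidden": 0, "HideFileExt": 1}  # the "hide" values
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
C2_STORE = r"\Console\WindowsUpdates"
RUN_KEY = r"\Software\Microsoft\Windows\CurrentVersion\Run"
LOLBIN_RE = re.compile(r"\b(mshta|wscript|powershell|certutil|curl)(\.exe)?\b", re.I)

def _dword(details):
    # Sysmon renders DWORD values as 'DWORD (0x00000002)'; return int or None
    m = re.search(r"DWORD \(0x([0-9A-Fa-f]{8})\)", details)
    return int(m.group(1), 16) if m else None

def classify(ev):
    """Return a finding label for one registry value-set event, or None if benign."""
    if ev.get("EventID") != 13:
        return None
    target, details = ev.get("TargetObject", ""), ev.get("Details", "")
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    key, _, value = target.rpartition("\\")
    # A script host flipping Explorer view settings to the "hide" values is the tamper
    # described above; the same change made by explorer.exe is a user's own GUI toggle.
    if key.endswith(EXPLORER_ADVANCED) and value in HIDE_SETTINGS:
        if image in SCRIPT_HOSTS and _dword(details) == HIDE_SETTINGS[value]:
            return "explorer_hide_tamper"
    if target.endswith(C2_STORE) and image in SCRIPT_HOSTS:
        return "c2_url_in_console_key"  # Console is not a place scripts should write URLs
    if key.endswith(RUN_KEY) and LOLBIN_RE.search(details):
        return "run_key_lolbin_persistence"
    return None

def scan(events):
    """Return (label, TargetObject) for every event that matches an indicator."""
    found = ((classify(ev), ev.get("TargetObject", "")) for ev in events)
    return [(label, target) for label, target in found if label]

SID = r"HKU\S-1-5-21-0-0-0-1001"  # placeholder user hive
SAMPLE_EVENTS = [
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": SID + EXPLORER_ADVANCED + r"\Hidden", "Details": "DWORD (0x00000002)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": SID + EXPLORER_ADVANCED + r"\HideFileExt", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\explorer.exe",  # benign: user showing hidden files
     "TargetObject": SID + EXPLORER_ADVANCED + r"\Hidden", "Details": "DWORD (0x00000001)"},
    {"EventID": 13, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetObject": SID + C2_STORE, "Details": "http://c2.example.invalid/"},  # placeholder
    {"EventID": 13, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetObject": SID + RUN_KEY + r"\USERNAME_PLACEHOLDER", "Details": "mshta.exe <placeholder>"},
]
```

Feeding real Sysmon or EDR registry events into `scan` in the same field shape gives a quick triage list; the explorer.exe record shows why the image name matters for the view-setting rule.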
Symantec's report warns of a slight uptick in technical capability for Shuckworm. "This attack does mark something of an increase in sophistication for Shuckworm, which appears to be less skilled than other Russian actors, though it compensates for this with its relentless focus on targets in Ukraine," the report notes. Further assessment finds the group compensates for these limitations with an aggressive and consistent operational focus on Ukrainian defense and governmental sectors. The use of multiple native Windows utilities and open web services such as write[.]as, Telegram and Cloudflare tunnels illustrates Shuckworm's evolving TTPs to maintain operational effectiveness.