![[The AI Show Episode 144]: ChatGPT’s New Memory, Shopify CEO’s Leaked “AI First” Memo, Google Cloud Next Releases, o3 and o4-mini Coming Soon & Llama 4’s Rocky Launch](https://www.marketingaiinstitute.com/hubfs/ep%20144%20cover.png)
.jpg?width=1920&height=1920&fit=bounds&quality=70&format=jpg&auto=webp#)
.png?#)
.webp?#)
![Leaker vaguely comments on under-screen camera in iPhone Fold [U]](https://i0.wp.com/9to5mac.com/wp-content/uploads/sites/6/2025/04/iPhone-Fold-will-have-Face-ID-embedded-in-the-display-%E2%80%93-leaker.webp?resize=1200%2C628&quality=82&strip=all&ssl=1)
![[Fixed] Gemini app is failing to generate Audio Overviews](https://i0.wp.com/9to5google.com/wp-content/uploads/sites/4/2025/03/Gemini-Audio-Overview-cover.jpg?resize=1200%2C628&quality=82&strip=all&ssl=1)
![Apple Seeds tvOS 18.5 Beta 2 to Developers [Download]](https://www.iclarified.com/images/news/97011/97011/97011-640.jpg)
![Apple Releases macOS Sequoia 15.5 Beta 2 to Developers [Download]](https://www.iclarified.com/images/news/97014/97014/97014-640.jpg)
Russian hackers hit military mission in Ukraine with info-stealing malware on external drives
The GammaSteel infostealer was found on infected devices belonging to a Western military operation in Ukraine.
- Symantec says it found GammaSteel on devices belonging to a military operation in Ukraine
- GammaSteel is an infostealer built by Russian cyber-outfit Gamaredon
- Gamaredon is one of many groups on GRU's payroll
A “military mission of a Western country”, located in Ukraine, was the target of a Russian cyber-espionage attack according to cybersecurity researchers Symantec, who said they identified an attack that started in February 2025 and likely continued until March.
As per the researchers, the attack started with an infected removable drive. This device contained a malicious .LNK file that triggered an infection chain which resulted in the deployment of GammaSteel.
GammaSteel is an infostealer malware, capable of exfiltrating documents in various formats, such as .DOCX, .PDF, .XLS, .TXT, and more. It was most likely built and deployed by a Russian state-sponsored threat actor known as Gamaredon (or Shuckworm).
Monitor your credit score with TransUnion starting at $29.95/month
TransUnion is a credit monitoring service that helps you stay on top of your financial health. With real-time alerts, credit score tracking, and identity theft protection, it ensures you never miss important changes. You'll benefit from a customizable online interface with clear insights into your credit profile. Businesses also benefit from TransUnion’s advanced risk assessment tools.
Preferred partner (What does this mean?)View Deal
Infected removable drives
Besides stealing files, it can also take screenshots of the infected device, and gather vital information about things like installed antivirus tools, running processes, and more.
Finally, the tool establishes persistence on the compromised endpoints via a new Windows registry entry. The researchers said that the threat actors changed their tactics a bit to better hide the payload.
Symantec did not say whose military mission was compromised, or what kind of information - if any - was stolen in the attack. It is safe to assume that the attack is part of a broader cyber-war effort since Russia invaded Ukraine more than three years ago.
Russian aggression has shown just how much warfare changed and turned digital. The digital world became an entire front, with Russian cyber-infantry targeting communications satellites, government endpoints, electrical substations, and more.
The Ukrainians responded by hacking Russian TV and radio to broadcast anti-war messages, manipulated a taxi app to send dozens of cars to a single location in Moscow, and leaked gigabytes of data from Russian entities, including the private military Wagner Group.
Gamaredon is just one of many groups actively involved in the war, next to Conti, or Sandworm. All are apparently part of GRU, Russia’s military intelligence unit.
Via BleepingComputer
You might also like
- One year into Russia's war in Ukraine, "all is not quiet on the cyber front"
- Take a look at our guide to the best authenticator app
- We've rounded up the best password managers
