Gamaredon shifts to Telegraph dead-drop resolution and Microsoft Dev Tunnels for C2 stealth
Technical Analysis
Summary
Gamaredon's C2 tradecraft now uses Telegraph dead-drop resolution and Microsoft Dev Tunnels, reducing direct traceability and enabling rapid infrastructure rotation. The setup masks the original server IP behind relays, making reputation-based tracking and disruption harder across operations. The change supports a low-exposure model that blends into trusted cloud traffic while complicating defender visibility.
Related Happenings
APT28 BEARDSHELL and COVENANT surveillance activity against Ukrainian military personnel
Malware Activity
First: 10.03.2026 12:55
Last: 10.03.2026 12:55
Sources 1
About this happening:
The **APT28** operation has expanded into **BEARDSHELL** and **COVENANT** implants used for **long-term surveillance** of **Ukrainian military personnel**, indicating an active es...
FINALDRAFT and ShadowPad toolchain activity
Malware Activity
First: 17.12.2025 13:12
Last: 17.12.2025 13:12
Sources 1
About this happening:
A new **FINALDRAFT** malware variant and **ShadowPad** tooling are being used to increase stealth and **exfiltration throughput** inside compromised networks. The activity support...
Russian GRU critical infrastructure edge-device targeting campaign
Campaign
First: 16.12.2025 14:15
Last: 16.12.2025 14:15
Sources 1
About this happening:
A Russian GRU-linked campaign targeted Western critical infrastructure and shifted in 2025 from exploiting vulnerabilities in products such as WatchGuard, Confluence, and Veeam to...
Latest development: 16.12.2025 22:13
The operation initially relied on **WatchGuard**, **Confluence**, and **Veeam** vulnerabilities for initial access, combining zero-days and known flaws. That foothold phase later gave way to targeting **misconfigured edge devices** with exposed management interfaces.
Wild Moose emerges from stealth as an AI SRE platform for cloud outage response
Security Tool/Service
First: 30.10.2025 16:21
Last: 30.10.2025 16:21
Sources 1
About this happening:
**Wild Moose** emerged from stealth this week as an **AI-powered site reliability engineering platform**, adding a new tool for **cloud outage** diagnosis and response. The launch...
CISA/FBI/NSA PRC network persistence mitigation advisory
Advisory/Mitigation
First: 28.08.2025 23:10
Last: 28.08.2025 23:10
Sources 1
About this happening:
**CISA**, the **FBI**, and the **NSA** issued **mitigation guidance** for defenders facing **PRC-linked** actors that persist inside networks and move laterally through routers an...
Timeline
- 04.09.2025 21:10 · 2 articles · 8mo ago
Gamaredon uses Telegraph dead-drop resolution and Microsoft Dev Tunnels for C2 stealth
Technical Analysis Update
360 Threat Intelligence Center details Gamaredon's evolving command-and-control tradecraft, including Telegram-owned Telegraph as a dead-drop resolver and Microsoft Dev Tunnels (devtunnels.ms) as C2 domains to add stealth. The technique masks the original C2 server IP behind Microsoft relay nodes and supports rapid domain rotation to hinder traceback and visibility.
- Russian APT28 Deploys “NotDoor” Outlook Backdoor Against Companies in NATO Countries — thehackernews.com — 04.09.2025 21:10