As of April 2024, IBM X-Force is tracking new waves of Russian state-sponsored Hive0051 (aka UAC-0010, Gamaredon) activity featuring new iterations of Gamma malware first observed in November 2023. These discoveries follow late October 2023 findings detailing Hive0051’s use of a novel multi-channel method of rapidly rotating C2 infrastructure (DNS fluxing) to deliver new Gamma malware variants, facilitating more than a thousand infections in a single day.

An examination of a sample of the lures associated with the ongoing activity reveals a focus on regional military, police and civil government training centers across Ukraine. In addition to collecting against Ukrainian combat capabilities, it is possible Hive0051 may seek to utilize access to gain advanced insight into the status of new security agreements and partners providing military training and materiel support to Ukraine.

Key points:

  • X-Force observed Hive0051 demonstrating an increasingly aggressive infection approach leading to 3 separate malware branches and enabling near-immediate file exfiltration and hands-on-keyboard access
  • Frequent malware updates including improved USB worm control and new variants signal increasing malware development capabilities
  • X-Force uncovered a sample of 6 Ukrainian-language lure documents predominantly featuring Ukrainian military and government training centers
  • Hive0051 rotates infrastructure through synchronized DNS fluxing across multiple channels including Telegram and Telegraph. Rotations were almost exclusively observed during daytime in the Moscow time zone (6 AM-9 PM)
  • X-Force analysis shows a huge scale of operations with Hive0051 maintaining several active C2 clusters with different malware associations spanning hundreds of domains
  • GammaLoad resolves to IP addresses hosted by Global Internet Solutions (GIR – 207713) (83%), Kaopu Cloud HK (138915) (8%) and Global Connectivity Solutions (GCS – 215540) (16% as of March 2024). Similarities in domain registration, WHOIS data and webpages suggest that GIR and the newly created GCS are the same or related entities



In early March 2024, X-Force uncovered a sample set of 6 unique lure documents associated with the featured Hive0051 activity, uploaded by Ukraine- and Poland-based users between November 2023 and early March 2024. Consistent with previously observed Hive0051 activity, the Ukrainian-language documents appear to be authentic internal government, military and law enforcement-related documents, likely attached to phishing emails given Hive0051’s established methodology. Machine translation revealed that the contents of the lures feature multiple regional military, police and civil government centers across Ukraine, including Kherson, Dnipro, Lviv, Kyiv and Zaporizhzhia.

The majority of the documents appear to be associated with military training centers or the professional development of government civilians. Each of the documents appears to imitate authentic internal memos concerning legal and internal regulations or administrative operations in order to prompt user interaction. Likewise, several documents feature dates matching the day of the observed activity or occurring just prior to it. It is highly likely that the rapid fielding of what appear to be current documents in the execution of ongoing campaigns is further evidence of the highly agile nature of Hive0051’s operational capabilities.

Given the ongoing Russia-Ukraine war, it is highly likely that Hive0051 will continue to place a high collection priority on sensitive information regarding the strength, effectiveness and combat capabilities of the Armed Forces of Ukraine. In addition, it is possible the increased engagement of Ukrainian assets with Western defense production programs may represent an additional high-value upstream target for Hive0051, one that may yield insight into the status of Ukraine’s Western security alliances.

Figure 1: Hive0051 Lure Document titled Place Advanced training.doc (Розмістити_Підвищення кваліфікації.doc)

Depending on the initial infection vector, there are two main infection chains currently observed leading to GammaLoad.

The first chain makes use of .HTA files (HTML Applications) that contain malicious VBScript code to drop and load the main backdoor. Another commonly used technique involves leveraging Office documents with remote templates (.DOT files) to inject VBA macros, which implement the same VBScript-based backdoor. In this technique, the associated subdomain patterns and random extensions of the remote template files have been consistently used since 2021 and are detailed in a 2022 report by Palo Alto.

Once GammaLoad successfully executes, the backdoor uses several dynamic DNS resolution techniques to resolve the IP addresses of intended C2 servers. Some of these are:

    • WMI ping
    • public DNS provider’s HTTP service
    • Telegram
    • Telegraph

Figure 2: GammaLoad infection vector diagram


The following section provides an in-depth look into malware used by Hive0051.

Notably, a single successful run of the GammaLoad backdoor may result in multiple possible follow-on payloads within the first few minutes of an infection. X-Force was able to identify at least 3 independent malware branches immediately installed on a single infected client which all feature independent C2 fallback channels, persistence mechanisms, file system artifacts and work to accomplish different objectives.

The table below highlights the volume of payloads deployed during an investigation of a single GammaLoad infection (columns: malware, description, C2, persistence, dropped files):

GammaLoad (VBS)
  Description: Initial VBS-based backdoor initiating the infection chain, with 3 beacons maximum before terminating
  C2: Apex: .logitrap[.]ru; IP: 62.133.62[.]118; Telegram channel: mksjek
  Persistence: Depends on the dropper
  Dropped files: Two random filenames in %TEMP% to store IP address and Telegram channel

GammaStager
  Description: Similar to GammaLoad, but contains a hardcoded IP address and beacons in a loop to download and execute a series of payloads.
  C2: IP: 62.133.62[.]120

VBS Downloaders
  Description: Short VBS scripts, launching a PowerShell command to download and execute a single payload
  C2 (single download URLs):
    http://157.245.55[.]151/login.php for GammaLoad.PS
    http://157.245.55[.]151/getinfo.php for GammaInfo
    http://5.252.178[.]181/fun/cmd.txt for ReverseShell

GammaInfo
  Description: A short PowerShell-based enumeration script collecting various information from the host
  C2: Exfiltration: http://157.245.55[.]151/info.php
  Dropped files: Screenshot: %APPDATA%\<formatted_date>.jpg

GammaLoadPlus
  Description: Similar to GammaLoad, but only supports .EXE payloads and establishes its own persistence. Likely used for active and confirmed infections
  C2: Apex: .kaelos[.]ru; IP: 62.133.62[.]120; Telegram channel: rkpwvlmryggyhg
  Persistence: Scheduled Task “SmartScreenSpecific”
  Dropped files:
    Two random filenames in %TEMP% to store IP address and Telegram channel
    GammaLoadPlus: %USERPROFILE%\deserter
    Potential encrypted payload: %APPDATA%\<random_name>.ini
    Potential decrypted payload: %APPDATA%\<random_name>.exe

GammaInstall
  Description: PowerShell-based malware used to install GammaSteel and establish persistence via a VBScript loader
  C2: GammaSteel download URL: https://206.189.188[.]38/contact
  Persistence: Startup directory
  Dropped files: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<file>.vbs

GammaSteel
  Description: PowerShell-based malware to exfiltrate files from a victim based on an extension whitelist
  C2: DNS: www.windingroad[.]ru; IP: 167.99.104[.]97; C2 resolving: https://filetransfer[.]io/data-package/CWuEu3PW/download
  Persistence: Already established through GammaInstall
  Dropped files:
    Split files in the directory under %APPDATA%
    Database .TXT file under %APPDATA%

GammaLoad.PS
  Description: Fileless PowerShell implementation of GammaLoad, which lives in the registry.
  C2: Apex: .nutaral[.]ru; Telegraph: https://telegra[.]ph/test-01-10-259
  Persistence: Scheduled Task “<Win32_Bios.Manufacturer>”
  Dropped files:
    Launcher: %ALLUSERSPROFILE%\<filename>.ps1
    %TEMP%\<filename>.exe (potential payload)

Reverse shell
  Description: Simple PowerShell-based reverse shell

See the full chain for an individual GammaLoad-infected victim in the graph below. After receiving the GammaStager payload, the malware was observed installing three separate malware branches, GammaLoadPlus, GammaSteel and GammaLoad.PS. Each of them maintains its own persistence and C2 connection, allowing further payloads on each branch. In addition, GammaStager also downloads an enumeration script (GammaInfo) and a reverse shell.

Figure 3: Gamma follow-on stages infection diagram

The more the merrier

The initial infection vectors display a significant evolution in strategy. Stealth has not been a major focus of Gamma malware and infrastructure in recent years, but the most recent campaigns are Hive0051’s most boisterous to date. The chain above clearly demonstrates a new, aggressive, multi-layered approach for rapidly deploying several independent malware branches.

The large number of C2 fallback options, persistence mechanisms and storage locations potentially underscore a strategy that is accepting of a higher chance of detection in favor of a redundant approach to infection. By avoiding a single point of failure, the malware may be more likely to provide Hive0051 operators with successful infections before the attack is detected and remediated. Similarly, the frequent development cycles of Gamma malware have resulted in a multitude of new variants, making detection more difficult.

Fifty shades of Gamma

The origins of Gamma malware show a continuous evolution over at least 2 years, from simple VBScript backdoors to highly obfuscated, persistent, multi-stage malware variants with fallback C2 channels and support for multiple payloads. As a result of this evolution, a wide variety of Gamma-related malware is known to the community under various names such as LitterDrifter or Ptero* (PteroScout, Pterodo, etc.). X-Force follows the “Gamma” naming pattern used by CERT-UA, thus adding the names below to the list of known variants. However, due to the quick development cycles of the malware, these may only be used for a couple of months before the next code release, usually resulting in short-lived names. For our discussion, all Gamma-related malware capable of retrieving and executing secondary payloads (EXE, VBS, PS1, etc.) will be referred to as GammaLoad*.

Although variants may exhibit different behaviors resulting in a high diversity of names, there is a set of distinctive similarities used by Gamma malware. Implementation is mostly done in VBScript (also featured as Office macros in template files or within .HTA files), or PowerShell. There have also been implementations in .NET or C++ (Pterodo), which are used far less in currently observed campaigns. The recently observed .EXE files X-Force analyzed all contained an encrypted GammaLoad.VBA payload which they would launch after dropping to a new directory in %HOME% or %USERPROFILE%. All Gamma variants (including VBS, PS, Steel, Install, Plus, Light or Stager variants) leverage HTTP for C2 communication, often using specifically hardcoded headers, paths and subdomains. These are likely used to profile and register infections and are created using wordlists or randomly generated values. GammaInstall and GammaSteel also use a distinct modulo-based string obfuscation technique, different from GammaLoad.VBS, which uses substitutions. To support multi-channel DNS fluxing via fallback channels, Gamma variants started featuring functionality to query and parse different services such as Telegram, Telegraph, and more.

In a departure from previous observations, X-Force did not observe Hive0051 deploying USB spreading capabilities in either the common VBS or the PowerShell variants of GammaLoad. This may be due to the uncontrollable nature of malware spreading via USB devices and potentially indicates Hive0051’s interest in controlling which victims it infects. To a lesser extent, there have been new samples identified as “GammaLoadLight.PS”, which focus only on the USB worm-like functionality. This variant can be deployed selectively and carries a hardcoded ID, enabling the threat actor to control and track the campaign more precisely than before.


GammaStager is a new type of disposable Gamma malware X-Force observed in the wild, which is built on the fly for a specific infection. It contains various hardcoded values such as the IP address, headers and strings likely acting as an authentication towards the C2 server. Its only objective is to download and execute a series of Base64-encoded VBS payloads. Upon request, it expects a “200” or “400” HTTP status code and a payload. If the C2 fails to respond with one of those codes, it will exit its main loop and terminate after 7 failed beacons.

Figure 4: Network traffic of GammaStager downloading multiple payloads


GammaLoadPlus is a VBS-based malware with two components that are obfuscated via string substitution and Base64 encoding. The first component is designed to establish persistence. It also contains two initial hardcoded values for the current C2 IP address as well as the Telegram channel ID for fallback. These values are initially stored in two files within the %TEMP% directory. The malware begins by storing itself in the %USERPROFILE% directory and creating a scheduled task with an unobtrusive name, “SmartScreenSpecific” in this case. The configuration executes the following command every 10 minutes (note that some options do not have a purpose and differ between samples):

wscript.exe <malware_path> //b /as/icb/ato /tif //e:vbscript

This will run the second component, which is the backdoor. To resolve its C2 address, the observed variant can use Telegram, DNS via WMI pings, or an HTTP request to Cloudflare DNS (https://cloudflare-dns[.]com/dns-query) or Google DNS (https://8.8.8[.]8/resolve). A payload received from the server is stored in a “.ini” file within the %APPDATA% directory. GammaLoadPlus decrypts it using a custom XOR-based algorithm and stores it with the “.exe” extension in the same directory. At the start of the next scheduled execution, the payload is executed via the WScript.Shell object.

GammaInstall & GammaSteel

GammaInstall is a short PowerShell script used as a loader for GammaSteel. It begins by downloading the GammaSteel payload, splitting it and writing it to disk, with each fragment stored in a different .txt file inside a dedicated storage directory under %APPDATA%. All .txt files share the same hardcoded string name concatenated with an increasing integer to preserve their order.

After dropping the split payload, GammaInstall creates a short PowerShell loader script to read and combine the split files of the payload again and execute it. The resulting script is written into a VBS launcher file and dropped to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\<random_name>.vbs for persistence. The payload is then executed manually by GammaInstall.

Figure 5: Deobfuscated GammaInstall script

The observed payload was identified as GammaSteel and has been in use over the past year to exfiltrate files from infected systems. Its behavior bears similarities to the QuietSieve malware family used by the same group in 2022. It is capable of stealing files by recursively scanning through connected USB devices and existing drive letters.

GammaSteel maintains a blocklist to exclude folders containing the following strings:

  • prog
  • log
  • windows
  • appdata
  • local
  • roaming

Files are chosen if they match one of the following extensions:

  • .doc
  • .docx
  • .xls
  • .xlsx
  • .rtf
  • .odt
  • .txt
  • .jpg
  • .jpeg
  • .pdf
  • .ps1
  • .rar
  • .zip
  • .7z
  • .mdb

GammaSteel also maintains a database file storing the MD5 hash of every exfiltrated file, which is used to prevent exfiltrating duplicates. The observed variant stored data in a .TXT file within %APPDATA% and used the hardcoded string “MZtxtMZdb00” as magic bytes for identification. Exfiltration is accomplished via HTTP POST requests.
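As an added host-side hunt (example code, not from the X-Force report), the following Python script walks a directory standing in for %APPDATA% and looks for the two on-disk artifacts described for GammaInstall and GammaSteel above: a numbered set of same-prefix .txt fragments in one directory, and a .txt database whose first bytes are the magic string MZtxtMZdb00. The sample tree, the fragment prefix, the file names and the minimum-fragment threshold are constructed assumptions; only the magic string comes from the report.

```python
import hashlib
import os
import re
import tempfile
from collections import defaultdict

GAMMASTEEL_MAGIC = b"MZtxtMZdb00"   # magic bytes of the GammaSteel hash database (from the report)
SPLIT_NAME_RE = re.compile(r"^(?P<prefix>[A-Za-z_]+)(?P<idx>\d+)\.txt$")
MIN_FRAGMENTS = 3                   # assumption: smallest fragment set worth reporting


def has_gammasteel_magic(path):
    """True if the file starts with the GammaSteel database magic string."""
    try:
        with open(path, "rb") as fh:
            return fh.read(len(GAMMASTEEL_MAGIC)) == GAMMASTEEL_MAGIC
    except OSError:
        return False


def find_split_payload_sets(dirpath, filenames):
    """Group <prefix><n>.txt names by prefix and report contiguous numbered runs."""
    groups = defaultdict(list)
    for name in filenames:
        m = SPLIT_NAME_RE.match(name)
        if m:
            groups[m.group("prefix")].append(int(m.group("idx")))
    hits = []
    for prefix, idxs in groups.items():
        idxs.sort()
        contiguous = idxs == list(range(idxs[0], idxs[0] + len(idxs)))
        if len(idxs) >= MIN_FRAGMENTS and contiguous:
            hits.append((dirpath, prefix, len(idxs)))
    return hits


def hunt(root):
    """Walk root and return both kinds of findings keyed by artifact type."""
    findings = {"gammasteel_db": [], "split_payload": []}
    for dirpath, _dirs, files in os.walk(root):
        findings["split_payload"].extend(find_split_payload_sets(dirpath, files))
        for name in files:
            if name.lower().endswith(".txt"):
                full = os.path.join(dirpath, name)
                if has_gammasteel_magic(full):
                    findings["gammasteel_db"].append(full)
    return findings


def build_sample_tree():
    """Constructed stand-in for %APPDATA%: one fragment directory, one database, one benign file."""
    root = tempfile.mkdtemp(prefix="appdata_sim_")
    store = os.path.join(root, "storage")
    os.makedirs(store)
    for i in range(1, 6):                      # part1.txt .. part5.txt (constructed prefix)
        with open(os.path.join(store, f"part{i}.txt"), "wb") as fh:
            fh.write(b"ZnJhZ21lbnQ=")            # constructed fragment content
    with open(os.path.join(root, "db.txt"), "wb") as fh:
        fh.write(GAMMASTEEL_MAGIC + b"\n")
        fh.write(hashlib.md5(b"sample.docx").hexdigest().encode() + b"\n")
    with open(os.path.join(root, "notes.txt"), "wb") as fh:
        fh.write(b"nothing to see here\n")
    return root


if __name__ == "__main__":
    sample_root = build_sample_tree()
    for kind, items in hunt(sample_root).items():
        for item in items:
            print(f"{kind}: {item}")
```

Run against a real profile, the call would be `hunt(os.environ["APPDATA"])`; the contiguous-run check keeps ordinary numbered text files from firing unless they form an unbroken sequence of at least MIN_FRAGMENTS.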


GammaLoad.PS is a PowerShell implementation of GammaLoad, which lives in the registry. The latest version does not support USB spreading anymore, but added support for .EXE payloads. At the start of the execution, the main script begins by dumping a loader script into a .PS1 file under %ALLUSERSPROFILE%, which is used by the scheduled task, and serves the purpose of loading and executing code stored in the registry. The main install script continues by writing each PowerShell function into a new subkey with a random name, below a hardcoded parent key – in this case, “HKCU:\Printers”. Finally, the script creates a scheduled task with the name of the “Win32_Bios” WMI-Object’s “Manufacturer” field. The task is configured to run after 1 minute following the install script and execute the following command every 180 minutes:

During execution, GammaLoad.PS maintains a file containing the currently used C2 server, which is populated through one of its C2-resolving capabilities, DNS or Telegraph. The malware then communicates with the “/api.php” endpoint. The malware is capable of handling 3 different payload types:

  1. Responses starting with the string “http” will cause a download from the corresponding URL. The second payload is then XOR-decrypted, stored in %TEMP%\<random_name>.exe and executed.
  2. Responses starting with the string “!” are split by the starting separator and executed as PowerShell commands.
  3. All other responses are decrypted, Base64-decoded and launched as VBScript payloads directly in memory.


GammaLoadLight.PS, the PowerShell variant mentioned above, contains the USB spreader code that has recently been removed from GammaLoad.PS. This allows it to spread to connected USB devices by dropping itself and a weaponized LNK file. It maintains persistence via the registry Run key and is stored within the %USERPROFILE% directory.

To resolve its C2 address, it supports both regular DNS with an apex domain as well as Telegram. After connecting to its server’s “/sleep.php” endpoint, it sends a hardcoded integer ID and expects a PowerShell script in return. It will replace a specific string in the payload response with its current C2 IP and execute the script.

Reverse shell

The last payload downloaded by GammaStager was a PowerShell-based reverse shell, allowing immediate hands-on keyboard access. It connects to a remote server on port 9511.

Figure 6: Reverse shell deployed by Hive0051


X-Force has continued to study Hive0051 GammaLoad’s DNS fast flux infrastructure to deepen our understanding of the pace and scale at which the threat actor creates and rotates its domains. Looking at all GammaLoad domain registrations from 2023 through 2024, Hive0051 registered at least one domain (and oftentimes more) a little over every 4 days on average, and as of January 15th, over 500 GammaLoad C2 domains had active registrations and were resolving to Hive0051 infrastructure. In terms of how Hive0051 rotates these domains to different IP addresses, X-Force identified several clusters of GammaLoad C2 that generally “travel” together. Specifically, there are 4 clusters of GammaLoad C2 domains that use the VBS variant for subdomain generation, one cluster related to the PowerShell variant for subdomain generation and one cluster related to GammaSteel. Between these 6 clusters, X-Force observed GammaLoad resolve to over 1000 IP addresses over a 3-month period. As other vendors have noted, Global Internet Solutions (GIR – 207713) remains Hive0051’s most used hosting provider, with 83% of GammaLoad C2s showing up within 40 of GIR’s netblocks. X-Force has also observed heavy usage of Kaopu Cloud HK (138915) and the recently created Global Connectivity Solutions (GCS – 215540). The latter was registered on February 9, 2024, and shares domain registration, WHOIS data and website landing page similarities with GIR.

Both domains have also been registered in Russia. These similarities, in addition to Hive0051’s usage of both providers, may indicate a relationship between GCS and GIR. As of March 2024, 16% of Hive0051’s C2 IPs belonged to GCS. This may be a result of GIR’s higher ASN risk score, which would impact Hive0051’s operations if used for IP reputation-based blocking.

Aside from those providers, GammaLoad has also been observed resolving to 12 other ASNs, albeit at a much smaller scale:
  • 29182
  • 14061
  • 208951
  • 44477
  • 207651
  • 20473
  • 49505
  • 59504
  • 198610
  • 216071
  • 35278
  • 216139

The breakdown of the VBA clusters by domain count and possible malware associations can be seen below.

Cluster Names | Rough Count | Malware Associations

GammaStager, GammaLoadPlus_VBS

To demonstrate how frequently these different clusters rotate, below is a representative day in January 2024 showing the IP address resolutions for all the different clusters, with changes in resolutions noted in yellow.

As illustrated above, X-Force has observed GammaLoad VBA clusters A, B, C and PowerShell rotate several times in a single day while GammaLoad VBA cluster D and GammaSteel rotate once every day or two. Additionally, there is a consistent lull in rotations for all GammaLoad clusters from 18:00 UTC to 03:00 UTC every day, or 8:00 PM to around 5:00 AM local time in Ukraine, where the majority of GammaLoad infections have been observed.
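The rotation pattern described above can be checked mechanically against passive-DNS data. The Python below is an added example, not X-Force tooling: it treats any change in a domain's answer between consecutive observations as a rotation, counts rotations per cluster, and flags rotations that fall inside the reported 18:00-03:00 UTC quiet window, showing the Moscow and Ukraine (January, UTC+2) local times an analyst would look at. The records, cluster labels, .invalid domains and documentation-range IPs are all constructed.

```python
from collections import defaultdict
from datetime import datetime, timedelta, timezone

MSK = timezone(timedelta(hours=3))       # Moscow time
KYIV = timezone(timedelta(hours=2))      # Ukraine standard time (January, no DST)
LULL_START_UTC, LULL_END_UTC = 18, 3     # quiet window reported for all GammaLoad clusters


def utc(s):
    """Parse 'YYYY-MM-DD HH:MM' as a UTC datetime (constructed input format)."""
    return datetime.strptime(s, "%Y-%m-%d %H:%M").replace(tzinfo=timezone.utc)


def in_lull(ts):
    """True if ts falls in the 18:00-03:00 UTC window (wraps past midnight)."""
    h = ts.astimezone(timezone.utc).hour
    return h >= LULL_START_UTC or h < LULL_END_UTC


def rotation_events(records):
    """A rotation is any change in a domain's answer between consecutive observations."""
    last = {}
    events = []
    for ts, cluster, domain, ip in sorted(records, key=lambda r: r[0]):
        prev = last.get(domain)
        if prev is not None and prev != ip:
            events.append((ts, cluster, domain, prev, ip))
        last[domain] = ip
    return events


def summarize(records):
    events = rotation_events(records)
    per_cluster = defaultdict(int)
    for ev in events:
        per_cluster[ev[1]] += 1
    return {
        "events": len(events),
        "per_cluster": dict(per_cluster),
        "in_lull": sum(1 for ev in events if in_lull(ev[0])),
    }


def lull_anomalies(records):
    """Rotations inside the quiet window, with the local-time view an analyst would check."""
    out = []
    for ts, cluster, domain, _old, _new in rotation_events(records):
        if in_lull(ts):
            out.append((cluster, domain,
                        ts.astimezone(MSK).strftime("%H:%M MSK"),
                        ts.astimezone(KYIV).strftime("%H:%M Kyiv")))
    return out


# Constructed passive-DNS observations: (UTC time, cluster, domain, answer).
# Domains use .invalid and IPs come from documentation ranges; none are real indicators.
SAMPLE_RECORDS = [
    (utc("2024-01-15 04:00"), "VBA-A", "a1.cluster-a.invalid", "192.0.2.10"),
    (utc("2024-01-15 09:00"), "VBA-A", "a1.cluster-a.invalid", "192.0.2.11"),
    (utc("2024-01-15 14:00"), "VBA-A", "a1.cluster-a.invalid", "192.0.2.12"),
    (utc("2024-01-15 20:00"), "VBA-A", "a1.cluster-a.invalid", "192.0.2.12"),
    (utc("2024-01-15 22:30"), "VBA-A", "a1.cluster-a.invalid", "192.0.2.13"),   # inside quiet window
    (utc("2024-01-15 05:00"), "PS", "p1.cluster-ps.invalid", "192.0.2.20"),
    (utc("2024-01-15 11:00"), "PS", "p1.cluster-ps.invalid", "192.0.2.21"),
    (utc("2024-01-15 16:00"), "PS", "p1.cluster-ps.invalid", "192.0.2.22"),
    (utc("2024-01-15 04:00"), "GammaSteel", "s1.cluster-steel.invalid", "198.51.100.5"),
    (utc("2024-01-15 16:00"), "GammaSteel", "s1.cluster-steel.invalid", "198.51.100.5"),
    (utc("2024-01-16 04:30"), "GammaSteel", "s1.cluster-steel.invalid", "198.51.100.6"),
]

if __name__ == "__main__":
    print(summarize(SAMPLE_RECORDS))
    for row in lull_anomalies(SAMPLE_RECORDS):
        print("rotation inside quiet window:", row)
```

A rotation that does land in the quiet window is worth a second look: it may indicate a different operator shift, automation, or a domain that has left Hive0051's clusters.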


Given their established mission space, X-Force assesses with high confidence that Hive0051 actors will continue to focus offensive operations against Ukraine and its allies. It is highly likely that Hive0051’s consistent fielding of new tools, capabilities and delivery methods facilitates an accelerated operations tempo. X-Force recommends that all in-theater entities, and all entities associated with the defense of Ukraine, remain current on the most recent Hive0051 trends and toolsets for the foreseeable future.

To learn how IBM X-Force can help you with anything regarding cybersecurity including incident response, threat intelligence, or offensive security services schedule a meeting here.

If you are experiencing cybersecurity issues or an incident, contact X-Force to help: US hotline 1-888-241-9812 | Global hotline (+001) 312-212-8034.

Technical recommendations

X-Force recommends all individuals and entities associated with the defense of Ukraine to remain in a heightened state of defensive security and to:

  • Exercise caution with phishing emails and attachments used by Hive0051
    • .XHTML
    • .HTA
    • .VBS
    • .PS1
  • Monitor for suspicious documents using remote template injection
  • Consider limiting the use of wscript.exe in your environment or closely monitoring activity
  • Monitor and block network traffic relating to known Hive0051 domains and IP addresses
  • Monitor for HTTP traffic with a “User-Agent” (nocase) header ending with a string: “<uppercase_hex_8_chars>;;/.<some_keyword>/.”
    • Example: user-agent: mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) chrome/69.0.3497.81 safari/537.36;;JOHNS-PC_DEADBEEF;;/.jumper/.
  • Monitor network traffic for unusual or unsanctioned use of Telegram (http://t[.]me/s/*)
  • Monitor network traffic for unusual or unsanctioned use of public DNS over HTTP services
    • https://cloudflare-dns[.]com/dns-query
    • https://8.8.8[.]8/resolve
  • Consider alerting on .TXT files starting with the string “MZtxtMZdb00” as a potential indicator of a GammaSteel execution
  • Install and configure endpoint security software
  • Update relevant network security monitoring rules
  • Educate staff on the potential threats to the organization
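To make the network-facing recommendations above concrete, here is an added Python detector (not part of the X-Force report) that applies three of them to proxy log lines: the Hive0051 User-Agent suffix `;;<hostname>_<8 uppercase hex>;;/.<keyword>/.`, the two public DNS-over-HTTP endpoints, and Telegram channel preview URLs under t.me/s/. The tab-separated log format and every log line are constructed for the example; c2.example.invalid is a placeholder hostname, and the Telegram channel name is the one quoted in the malware table.

```python
import re
from dataclasses import dataclass

# User-Agent suffix from the recommendations:
#   ;;<HOSTNAME>_<8 uppercase hex chars>;;/.<keyword>/.
GAMMA_UA_RE = re.compile(r";;[^;]+_[0-9A-F]{8};;/\.[^/;]+/\.$")

# Public DNS-over-HTTP resolvers and Telegram preview URLs named in the report
DOH_PREFIXES = ("https://cloudflare-dns.com/dns-query", "https://8.8.8.8/resolve")
TELEGRAM_PREFIXES = ("http://t.me/s/", "https://t.me/s/")


@dataclass
class Finding:
    line_no: int
    rule: str
    detail: str


def parse_line(line):
    """Constructed log format (assumption): ts, client, method, url, user-agent, tab-separated."""
    parts = line.rstrip("\n").split("\t")
    if len(parts) != 5:
        return None
    return dict(zip(("ts", "client", "method", "url", "ua"), parts))


def check_record(rec):
    """Return (rule, detail) pairs for one parsed log record."""
    hits = []
    # The header name is matched case-insensitively by the log pipeline; the hex block itself is uppercase
    if GAMMA_UA_RE.search(rec["ua"]):
        hits.append(("gamma_user_agent", rec["ua"]))
    url = rec["url"].lower()
    if url.startswith(DOH_PREFIXES):
        hits.append(("public_doh_resolver", rec["url"]))
    if url.startswith(TELEGRAM_PREFIXES):
        hits.append(("telegram_channel_preview", rec["url"]))
    return hits


def scan(lines):
    """Scan an iterable of log lines and return all findings in order."""
    findings = []
    for n, line in enumerate(lines, 1):
        rec = parse_line(line)
        if rec is None:
            continue
        findings.extend(Finding(n, rule, detail) for rule, detail in check_record(rec))
    return findings


# Constructed sample log; the first line reuses the User-Agent example from the recommendations
SAMPLE_LOG = [
    "2024-01-15T07:02:11Z\t10.0.0.15\tGET\thttp://c2.example.invalid/api.php\t"
    "mozilla/5.0 (windows nt 6.1; wow64) applewebkit/537.36 (khtml, like gecko) "
    "chrome/69.0.3497.81 safari/537.36;;JOHNS-PC_DEADBEEF;;/.jumper/.",
    "2024-01-15T07:02:13Z\t10.0.0.15\tGET\t"
    "https://cloudflare-dns.com/dns-query?name=c2.example.invalid&type=A\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-01-15T07:02:20Z\t10.0.0.15\tGET\thttps://t.me/s/mksjek\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
    "2024-01-15T07:03:00Z\t10.0.0.22\tGET\thttps://www.example.com/\t"
    "Mozilla/5.0 (Windows NT 10.0; Win64; x64)",
]

if __name__ == "__main__":
    for f in scan(SAMPLE_LOG):
        print(f"line {f.line_no}: {f.rule}: {f.detail}")
```

The DoH and Telegram rules are only useful where those services are not sanctioned; in an environment that permits them, pivot on the client address instead and look for the same host producing all three kinds of hits within a short window, as the sample does.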

Indicators of Compromise

Indicator Type
  • GammaLoad C2
  • GammaLoad C2
  • GammaLoad C2
  • Downloads GammaLoad.PS
  • Downloads GammaInfo
  • Downloads ReverseShell
  • GammaInfo Exfil
  • GammaLoad C2
  • Downloads GammaSteel
  • GammaSteel C2
  • GammaSteel C2
  • GammaSteel C2
  • GammaLoad.PS C2
  • GammaLoad.PS C2
  • ReverseShell C2
  • Lure document: 2024 рік 02.01.2024р.doc (Year 2024 02.01.2024.doc)
  • Lure document: Розмістити_Підвищення кваліфікації.doc (Place_Advanced training.doc)
  • Lure document: інф 3ї.doc (inf 3rd.doc)
  • Lure document: Відділом нагляду за додержанням законів регіональним органом безпеки Херсонської обласної прокуратури узагальнено інформацію.hta (The Department for Supervision of Law Compliance by the Regional Security Body of the Kherson Regional Prosecutor’s Office has summarized the information.hta)
  • Untitled Lure Document
  • Lure document: Супровід в прокурат_.doc (Escort to the prosecut_.doc)
  • Lure document: Щодо фактів вимагання коштів з боку співробітника Служби безпеки України.hta (Regarding the facts of extortion of funds by an employee of the Security Service of Ukraine.hta)
  • Archive File
