NAME:
Gamaredon Group
Description:
Gamaredon is the name assigned by Palo Alto Networks to a group that has been active since at least 2013. It primarily makes use of compromised domains, dynamic DNS providers, Russian and Ukrainian country code top-level domains (ccTLDs), and Russian hosting providers to distribute its custom-built malware. The group relied heavily on off-the-shelf tools early on, then shifted to custom-developed malware, which indicates improving technical capabilities.
References:
https://researchcenter.paloaltonetworks.com/2017/02/unit-42-title-gamaredon-group-toolset-evolution/
https://www.lookingglasscyber.com/operation-armageddon-registration/
https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-ukrainian-mod-campaign/
https://blog.yoroi.company/research/the-russian-shadow-in-eastern-europe-a-month-later/