Threat Trend Report on APT Groups

The following are the main APT groups and their cases based on the analysis reports released by security companies and organizations in January 2025.

1. Andariel

The Andariel group has executed an attack using the RID Hijacking technique to escalate account privileges and create hidden accounts.[1] RID Hijacking involves manipulating the Security Account Manager (SAM) database to change the RID value of a low-privilege account to that of an administrator account.

The attackers used PsExec to remotely execute malicious files and created hidden accounts, adding them to the Remote Desktop Users and Administrators groups. They modified specific offset values in the SAM registry keys related to accounts to alter the RID.

To carry out the RID Hijacking attack, the Andariel group used custom-made malicious files and the open-source tool CreateHiddenAccount. This tool uses the REGINI program to modify SAM registry access permissions and can operate with administrative privileges.

After the RID Hijacking, the attackers extracted account-related registry keys, deleted the accounts, and re-registered the registry using the extracted REG files.
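A defender-side check for the technique described above, added here as an example and not taken from the AhnLab report or the CreateHiddenAccount tool: it parses the binary F value of each SAM Users subkey and flags accounts whose effective RID no longer matches the key name. The offset of the RID field (0x30) follows public SAM structure research; the sample hive data is constructed.

```python
import struct

# Each local account lives under HKLM\SAM\SAM\Domains\Account\Users\<RID in hex>;
# the key's binary F value carries the account's effective RID as a little-endian
# DWORD at offset 0x30 (the field public RID-hijacking research identifies).
F_RID_OFFSET = 0x30
ADMIN_RID = 500  # built-in Administrator

def build_f_value(rid: int) -> bytes:
    """Construct a minimal F blob (all zero except the RID field) as test data."""
    blob = bytearray(0x50)
    struct.pack_into("<I", blob, F_RID_OFFSET, rid)
    return bytes(blob)

def effective_rid(f_value: bytes) -> int:
    """Return the RID Windows will actually use for this account."""
    if len(f_value) < F_RID_OFFSET + 4:
        raise ValueError("F value too short to contain a RID field")
    return struct.unpack_from("<I", f_value, F_RID_OFFSET)[0]

def find_hijacked_accounts(users: dict) -> list:
    """users maps each Users subkey name (8 hex digits) to its F value.
    Returns one finding per account whose key name and F RID disagree,
    which is the on-disk footprint of RID hijacking."""
    findings = []
    for key_name, f_value in users.items():
        key_rid = int(key_name, 16)
        rid = effective_rid(f_value)
        if rid != key_rid:
            findings.append({
                "key": key_name,
                "key_rid": key_rid,
                "effective_rid": rid,
                "impersonates_admin": rid == ADMIN_RID,
            })
    return findings

# Constructed sample hive: Administrator (500), an ordinary user (1001) and a
# low-privilege account (1002) whose F value has been rewritten to 500.
SAMPLE_USERS = {
    "000001F4": build_f_value(500),
    "000003E9": build_f_value(1001),
    "000003EA": build_f_value(500),  # hijacked
}

if __name__ == "__main__":
    for hit in find_hijacked_accounts(SAMPLE_USERS):
        tag = " [Administrator]" if hit["impersonates_admin"] else ""
        print(f"RID mismatch: key {hit['key']} -> RID {hit['effective_rid']}{tag}")
```

On a live host the same comparison can be run against the registry with SYSTEM privileges or against an exported SAM hive; any key whose name and F RID disagree deserves a look, as does any new member of the Administrators or Remote Desktop Users groups.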

2. Callisto (Star Blizzard)

In mid-November 2024, the Callisto group (Star Blizzard) conducted a spear-phishing attack targeting WhatsApp accounts.[2] This was the first time Callisto used WhatsApp for their attacks, although the characteristics were similar to traditional spear-phishing. They targeted government and diplomatic officials, researchers on Russian defense policies, and individuals involved in supporting Ukraine.

The attack began with an email impersonating a U.S. government official, containing a QR code inviting the target to a WhatsApp group related to Ukrainian NGO support. The fake QR code was used to lure the target into responding. Those who responded received a follow-up email with a link to a fake WhatsApp web portal, which the attackers used to steal messages and data.

3. GamaCopy

The GamaCopy group has been imitating the Gamaredon group to carry out continuous attacks targeting Russian defense and critical infrastructure.[3] They used documents related to Russian Ministry of Defense policies and internal orders from major Russian companies as bait, distributing malicious payloads via 7z-SFX (7-Zip self-extracting archives).

They conducted additional attacks using the open-source remote desktop tool UltraVNC, disguising process names to evade detection.

While mimicking Gamaredon’s attack methods, GamaCopy showed some differences. Gamaredon primarily uses macros and VBS scripts, whereas GamaCopy employs 7Zip SFX files and obfuscated delayed variables. Gamaredon typically uses port 5612, while GamaCopy uses port 443. Gamaredon uses Ukrainian-language documents as bait, whereas GamaCopy uses Russian-language documents.

GamaCopy’s strategy of using open-source tools to complicate analysis and evade detection is considered a sophisticated false flag operation. Some security firms have mistakenly attributed these attacks to the Gamaredon group.

[1] https://asec.ahnlab.com/en/85942/

[2] https://www.microsoft.com/en-us/security/blog/2025/01/16/new-star-blizzard-spear-phishing-campaign-targets-whatsapp-accounts/

[3] https://medium.com/@knownsec404team/love-and-hate-under-war-the-gamacopy-organization-which-imitates-the-russian-gamaredon-uses-560ba5e633fa