The Gamarue/Andromeda botnet was discovered in 2011 and peaked in 2013 as a worm propagating through networks using autorun mechanisms. There appears to have been a recent rise in its infections (reference: https://blog.avast.com/andromeda-under-the-microscope). The attack vector is still largely USB infection: .lnk shortcuts on the drive drop a malicious DLL into the Temp folder and run it; the DLL in turn drops a copy of itself as ms[***].exe into a hidden folder under ProgramData and creates persistence so that this payload in ProgramData runs again. The samples I am analyzing are mainly DLL files named in the form _-_-__---_{some CLSID-like GUID}, dropped into Temp folders with a .tmp extension and executed with rundll32.exe.
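As an added example (not part of this pulse, not Andromeda's own code, and not a published signature), the following Python script turns the two host-side stages described above into detection logic and runs it over a few constructed process-creation records: rundll32.exe executing a .tmp file out of a Temp directory, and an ms*.exe payload running from under ProgramData, optionally as a child of rundll32.exe. The key=value log format, the paths, file names, the GUID and the regexes are all assumptions made for the example; the ms*.exe pattern generalizes the elided ms[***].exe name, and the .lnk-on-USB stage is not covered because process logs alone do not show it.

```python
import re
from typing import Dict, List, Tuple

# Constructed, simplified process-creation records (NOT real Sysmon or EDR
# output): one "Key=Value; Key=Value" line per process, with fields named
# after Sysmon Event ID 1 (Image, CommandLine, ParentImage). Paths, file
# names and the CLSID-like GUID are made up for this example.
SAMPLE_LOG = r"""
Image=C:\Windows\System32\rundll32.exe; CommandLine=rundll32.exe C:\Users\alice\AppData\Local\Temp\_-_-__---_{11111111-2222-3333-4444-555555555555}.tmp,0; ParentImage=C:\Windows\explorer.exe
Image=C:\ProgramData\msconf\msabc12.exe; CommandLine="C:\ProgramData\msconf\msabc12.exe"; ParentImage=C:\Windows\System32\rundll32.exe
Image=C:\Windows\System32\rundll32.exe; CommandLine=rundll32.exe shell32.dll,Control_RunDLL; ParentImage=C:\Windows\explorer.exe
Image=C:\Program Files\Vendor\app.exe; CommandLine="C:\Program Files\Vendor\app.exe"; ParentImage=C:\Windows\explorer.exe
"""

# Heuristics derived from the infection chain described in the pulse. The
# exact regexes are this example's own assumptions, not published signatures.
TEMP_TMP_DLL = re.compile(r'\\temp\\[^\s,"]+\.tmp\b', re.IGNORECASE)
PROGRAMDATA_MS_EXE = re.compile(
    r"^[a-z]:\\programdata\\(?:[^\\]+\\)*ms[^\\]*\.exe$", re.IGNORECASE
)


def basename(path: str) -> str:
    """Last component of a Windows-style path (works on non-Windows hosts too)."""
    return path.rstrip("\\").rsplit("\\", 1)[-1]


def parse_records(text: str) -> List[Dict[str, str]]:
    """Parse the constructed 'Key=Value; Key=Value' lines into dicts."""
    records = []
    for line in text.splitlines():
        if not line.strip():
            continue
        rec: Dict[str, str] = {}
        for field in line.split("; "):
            key, _, value = field.partition("=")
            rec[key.strip()] = value.strip()
        records.append(rec)
    return records


def classify(rec: Dict[str, str]) -> List[str]:
    """Return the names of the Andromeda-style behaviours a record matches."""
    hits: List[str] = []
    image = rec.get("Image", "")
    cmd = rec.get("CommandLine", "")
    parent = rec.get("ParentImage", "")
    # Stage 1: rundll32.exe running a ".tmp" DLL out of a Temp directory.
    if basename(image).lower() == "rundll32.exe" and TEMP_TMP_DLL.search(cmd):
        hits.append("rundll32_tmp_from_temp")
    # Stage 2: an ms*.exe payload executing from under ProgramData ...
    if PROGRAMDATA_MS_EXE.match(image):
        hits.append("ms_exe_in_programdata")
        # ... and, stronger still, one that rundll32.exe itself spawned.
        if basename(parent).lower() == "rundll32.exe":
            hits.append("dropped_by_rundll32")
    return hits


def scan(text: str) -> List[Tuple[int, List[str]]]:
    """Scan a log and return (record_index, matched_behaviours) for suspicious rows."""
    results = []
    for i, rec in enumerate(parse_records(text)):
        hits = classify(rec)
        if hits:
            results.append((i, hits))
    return results


if __name__ == "__main__":
    for idx, hits in scan(SAMPLE_LOG):
        print(f"record {idx}: {', '.join(hits)}")
```

On the constructed input, records 0 and 1 are flagged while the legitimate rundll32.exe control-panel launch and the Program Files application are not. Against real telemetry, the rundll32.exe rule alone is noisy (installers also run DLLs from Temp), so the ProgramData parent-child link is the stronger signal and the two should be correlated by host and time window rather than alerted on individually.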
Created: 2026-02-23
No indicators found.
No CVEs were found in this pulse.