Gamaredon Group · G0047 · state
🇷🇺 RU
aka Gamaredon Group, IRON TILDEN, Primitive Bear, ACTINIUM, Armageddon, Shuckworm, DEV-0157, Aqua Blizzard, NastyShrew, Blue Otso, BlueAlpha, G0047, Trident Ursa, UAC-0010, Winterflounder
Last updated: 2026-07-03
About this actor
[Gamaredon Group](https://attack.mitre.org/groups/G0047) is a suspected Russian cyber espionage group that has targeted military, law enforcement, judiciary, non-profit, and non-governmental organizations in Ukraine since at least 2013. The name [Gamaredon Group](https://attack.mitre.org/groups/G0047) derives from a misspelling of the word "Armageddon," found in early campaigns.(Citation: Palo Alto Gamaredon Feb 2017)(Citation: TrendMicro Gamaredon April 2020)(Citation: ESET Gamaredon June 2020)(Citation: Symantec Shuckworm January 2022)(Citation: Microsoft Actinium February 2022) In November 2021, the Ukrainian government publicly attributed [Gamaredon Group](https://attack.mitre.org/groups/G0047) to Russia’s Federal Security Service (FSB) Center 18, an assessment later supported by multiple independent cybersecurity researchers. (Citation: Bleepingcomputer Gamardeon FSB November 2021)(Citation: Microsoft Actinium February 2022)
Source: MITRE ATT&CK
Activity timeline
- 2026 — 1 CVE published
Profile
| CVE | Risk | CVSS | EPSS | Published | Products |
|---|---|---|---|---|---|
| CVE-2026-22813 | 3.5 | 6.1 | 0.0091 | 2026-01-12 | see CVE |

T1001, T1005, T1012, T1016, T1016.001, T1020, T1021, T1021.005, T1025, T1027, T1027.004, T1027.010, T1027.012, T1027.015, T1027.016, T1033, T1036, T1036.005, T1039, T1041, T1047, T1053, T1053.005, T1055, T1057, T1059, T1059.001, T1059.003, T1059.005, T1070, T1070.004, T1071, T1071.001, T1080, T1082, T1083, T1090, T1090.003, T1091, T1095, T1102, T1102.002, T1102.003, T1105, T1106, T1112, T1113, T1119, T1120, T1137, T1140, T1204, T1204.001, T1204.002, T1218, T1218.005, T1218.011, T1221, T1480, T1491, T1491.001, T1497, T1497.001, T1518, T1518.001, T1534, T1547, T1547.001, T1559, T1559.001, T1561, T1561.001, T1564, T1564.003, T1566, T1566.001, T1568, T1568.001, T1571, T1583, T1583.001, T1583.003, T1583.006, T1587, T1587.003, T1588, T1588.002, T1608, T1608.001, T1620, T1685
Mitigating controls (NIST 800-53)
| Control | Techniques covered | Coverage |
|---|---|---|
| SI-4 | 50 / 91 | 55% |
| SI-3 | 46 / 91 | 51% |
| CM-2 | 43 / 91 | 47% |
| CM-6 | 41 / 91 | 45% |
| CM-7 | 32 / 91 | 35% |
| AC-3 | 30 / 91 | 33% |
| CA-7 | 29 / 91 | 32% |
| AC-6 | 28 / 91 | 31% |
| SC-7 | 25 / 91 | 27% |
| SI-7 | 24 / 91 | 26% |
| AC-4 | 22 / 91 | 24% |
| AC-2 | 20 / 91 | 22% |
| SI-10 | 19 / 91 | 21% |
| RA-5 | 15 / 91 | 16% |
| SI-2 | 14 / 91 | 15% |
Co-occurring actors
- Mustang Panda: 1 shared CVE
- MuddyWater: 1 shared CVE
- Kimsuky: 1 shared CVE
- Volt Typhoon: 1 shared CVE
Similar actors
Similar TTPs
- FIN7 0.36
- MuddyWater 0.36
- TA2541 0.36
- Frankenstein 0.34
- Kimsuky 0.34
Overlapping CVEs
- MuddyWater 0.50
- Mustang Panda 0.50
- Kimsuky 0.33
- Volt Typhoon 0.25
Active in same years
- Operation Dream Job 1.00
- SolarWinds Compromise 1.00
- C0027 1.00
- SharePoint ToolShell Exploitation 1.00
- Ke3chang 1.00
Same nation-state
Same category
- Night Dragon 1.00
- FunnyDream 1.00
- C0011 1.00
- Operation Wocao 1.00
- Operation Dream Job 1.00