5 Primitive Bear Attack Patterns Every Security Leader Should Know

Primitive Bear attack patterns reveal how fast-moving threats adapt to bypass defenses, offering critical lessons for security leaders worldwide.

Abnormal AI

August 29, 2025


Primitive Bear, also known as Gamaredon, is one of the most aggressive and fast-moving threat groups active today. Active since around 2013, it has launched large-scale campaigns that compromise networks with remarkable speed and adaptability.

Its operations run across three infrastructure clusters with constantly shifting domains and IP addresses, so phishing links, credential theft, and data exfiltration slip past signature-based defenses. This industrialized approach creates an ever-moving target that overwhelms traditional security controls.

Though first observed in operations tied to Russia and Ukraine, the group’s tactics have spread more broadly, shaping the playbooks of attackers worldwide. Any organization with complex supply chains or distributed systems now faces similar risks from this fast-evolving model of persistent attack.

Why Primitive Bear Should Be on Your Radar

Primitive Bear matters to security leaders because its operations highlight how modern threat actors adapt to bypass conventional defenses. The group rotates hundreds of domains daily, often using disposable TLDs like .online, .xyz, and .space, with recycled SSL certificates masking newly created servers. This allows campaigns to launch in hours, faster than blocklists or intel feeds can adapt.

In recent years, Primitive Bear has scaled activity, flooding targets with phishing lures, downloader pivots, and custom malware. Unlike stealthier groups, it values speed and saturation, overwhelming inboxes and systems before defenders can react. These patterns are no longer regional; they provide a blueprint that opportunistic actors worldwide are already adopting. Organizations relying on static rules remain exposed. Recognizing these tactics early is key to neutralizing their advantage.

Here’s what you need to know about Primitive Bear attack patterns:

Attack Pattern #1: High-Volume Spear Phishing With Weaponized Docs

Primitive Bear floods target inboxes with convincing emails that appear to come from government or military sources. Each message arrives from a newly created address, is written in fluent Ukrainian, and carries a malicious attachment such as a Word document with embedded code, a shortcut file, or a compressed archive. When the recipient opens the file, it downloads additional malware from popular cloud storage services such as OneDrive or Dropbox.

The group stays successful by constantly changing file names and URLs, making it very hard for signature-based defenses to keep up with the variations. Its lures exploit wartime urgency, alternating between cease-fire updates and military orders and using genuine government logos to pressure recipients into clicking malicious links or enabling embedded code.

Traditional security tools struggle because each attack looks different on the surface. Behavioral analysis, however, can spot these campaigns by noticing unusual email patterns, small language mistakes, or sudden increases in suspicious attachments. Monitoring the recurring structure behind these attacks catches them before the downloaded malware can connect back to the attackers' command-and-control servers.

Attack Pattern #2: Downloader Infrastructure & Rapid Pivoting

Primitive Bear runs a fast-moving network that security researchers call Cluster 1, designed to keep working even when individual domains are blocked. The group regains access within hours by standing up hundreds of cheap domains across different hosting providers, a system that traditional blocking methods cannot effectively stop.

These domains typically end in .online, .xyz, .ru, .site, or .space, appearing and disappearing almost daily in coordinated waves. Security researchers have seen campaigns spin up several domains within a single week, all resolving to fewer than ten hosting locations before being recycled and moved elsewhere.

The attack starts when email attachments run small scripts that download the real payload from this shifting network. While the domains themselves are throwaway, the attackers often reuse TLS certificates across multiple sites. This gives defenders who track certificate fingerprints an opportunity to expose entire clusters of infrastructure that would otherwise stay hidden. Combining certificate tracking with behavioral analysis that spots unusual connections to newly registered or rarely seen domains gives defenders a significant advantage against these shifting attacks.
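The certificate-pivoting idea above, as an added example that is not Abnormal's code or any published tooling: it groups passive observations of (domain, hosting IP, certificate fingerprint, first-seen date) so that one confirmed-bad domain exposes every sibling sharing a certificate or server, and separately flags recently seen domains on the disposable TLDs the post lists. All domains, IPs and fingerprints below are constructed sample data, not real indicators.

```python
from collections import defaultdict
from datetime import date

# TLDs the write-up names as this cluster's disposable favourites.
DISPOSABLE_TLDS = {"online", "xyz", "ru", "site", "space"}

# Constructed observations: (domain, hosting IP, cert fingerprint, first seen).
# Synthetic sample data for this example; none of these are real indicators.
OBSERVATIONS = [
    ("sample-notice-a.xyz", "198.51.100.10", "sha256:aa11", date(2025, 8, 20)),
    ("sample-notice-b.online", "198.51.100.10", "sha256:aa11", date(2025, 8, 21)),
    ("sample-update-c.space", "203.0.113.7", "sha256:aa11", date(2025, 8, 25)),
    ("sample-docs-d.site", "203.0.113.7", "sha256:bb22", date(2025, 8, 26)),
    ("corp-intranet.example", "192.0.2.5", "sha256:cc33", date(2019, 1, 1)),
]

def pivot_clusters(observations):
    """Union-find over domains, cert nodes and IP nodes: shared cert or IP links domains."""
    parent = {}

    def find(x):
        parent.setdefault(x, x)
        while parent[x] != x:
            parent[x] = parent[parent[x]]  # path halving
            x = parent[x]
        return x

    for domain, ip, cert, _ in observations:
        parent[find(domain)] = find("cert:" + cert)
        parent[find(domain)] = find("ip:" + ip)

    clusters = defaultdict(set)
    for domain, *_ in observations:
        clusters[find(domain)].add(domain)
    return [frozenset(c) for c in clusters.values()]

def expand_from_seed(seed, observations):
    """Every other domain reachable from one confirmed-bad seed domain."""
    for cluster in pivot_clusters(observations):
        if seed in cluster:
            return cluster - {seed}
    return frozenset()

def flag_young_disposable(observations, today, max_age_days=14):
    """Domains on disposable TLDs first seen within max_age_days of today."""
    return sorted(d for d, _, _, seen in observations
                  if d.rsplit(".", 1)[-1] in DISPOSABLE_TLDS
                  and (today - seen).days <= max_age_days)
```

Note that the fourth sample domain shares no certificate with the seed; it is reached only through the server it shares with the third, which is why the pivot walks both edges rather than certificates alone.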

Attack Pattern #3: Stealthy Credential Theft and File Stealer

Cluster 2 specializes in stealing credentials and extracting sensitive files while staying hidden from traditional security systems. After phishing emails deliver the initial lure, malicious documents run lightweight loaders that fetch remote scripts executed entirely in memory, avoiding detection by file-scanning security tools.

These scripts quietly collect valuable credential material, including saved browser passwords, cached credentials, wireless network profiles, and Windows credential stores. With stolen credentials, attackers move through networks over remote desktop and file-sharing protocols, gaining higher privileges without triggering the warning signs that usually alert security systems.

The malware systematically searches local drives and network shares, compresses files of interest, and sends them to servers that frequently change location. Built-in anti-analysis checks help it avoid sandboxes and security testing environments, extending how long it can operate within compromised systems.

Defending against these hidden operations requires identity-focused controls: mandatory two-factor authentication for important accounts, disabling legacy authentication methods, and continuous monitoring of login activity for unusual patterns. Behavioral analysis that learns normal patterns for remote access, file sharing, and script usage can reveal the subtle changes that indicate compromise.

Attack Pattern #4: Custom Remote Tools and Evasion (Pteranodon)

Primitive Bear maintains long-term network access through Pteranodon, a custom remote-access tool built for espionage and for evading security detection. It typically arrives through phishing campaigns as a small executable that establishes a persistent connection to its command servers before spreading through compromised systems.

Once running, Pteranodon executes system commands, downloads additional components, and takes screenshots for intelligence gathering. The group often runs multiple versions simultaneously on a single computer, each connecting to a different command server, which makes complete removal extremely difficult and turns cleanup into a race against time.

Pteranodon changes daily as its developers continuously modify its packaging, settings, and structure to evade antivirus detection. Advanced versions hide inside legitimate applications, alter file timestamps to appear older, and operate entirely in memory to avoid leaving evidence on disk. The supporting command infrastructure rotates rapidly, using throwaway domains that typically disappear within days.

Effective defense requires behavior-based detection rather than signature matching. Security teams should watch for suspicious process chains, detect the use of multiple persistence methods on one host, and identify unusual encrypted traffic to rarely seen domains.

Attack Pattern #5: Long-Term Persistence and Slow Data Exfiltration

Primitive Bear maintains network access for months by setting up multiple overlapping backdoors while exfiltrating data in small encrypted chunks that blend with normal network traffic. After initial compromise, the group establishes persistence in multiple locations, including startup registry entries, scheduled tasks, and malicious mailbox rules that automatically forward messages to attacker-controlled accounts.

This layered approach ensures continued access because each method connects to different systems, so removing individual pieces rarely ends the broader intrusion. Data theft happens gradually over months, using custom tools to archive files, split them into small pieces, and send them over encrypted web connections disguised as normal browsing.

The group maintains backup exfiltration channels through DNS tunneling, hiding stolen data in TXT records of attacker-controlled domains that were registered years in advance to appear legitimate. This patient approach lets large-scale data theft proceed below the detection threshold of security systems that only watch for large data movements.

Detection requires moving beyond signature-based approaches to comprehensive traffic monitoring that can identify subtle but persistent data flows, unusual DNS activity, or unexpected increases in encrypted sessions.
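One way to surface the DNS-tunneling channel described in this section, as an added example rather than Abnormal's detection logic: it reads constructed resolver log lines and, per client and zone, checks whether TXT queries arrive repeatedly and carry long, high-entropy labels, the shape encoded data takes when it is pushed through DNS, whereas legitimate TXT lookups (SPF, DMARC) are few and use readable labels. The log format and zone names are assumptions constructed for the example, not real indicators.

```python
import math
from collections import defaultdict

# Constructed resolver log lines: "<timestamp> <client> <qtype> <qname>".
# Synthetic data for this example; the zones are not real indicators.
LOG_LINES = """\
2025-08-29T09:00:01Z 10.0.0.15 TXT 7a3f9c1e4b2d.k8s2.sample-zone-one.xyz
2025-08-29T09:00:03Z 10.0.0.15 TXT c0ffee1234ab.k8s3.sample-zone-one.xyz
2025-08-29T09:00:05Z 10.0.0.15 TXT 9e8d7c6b5a41.k8s4.sample-zone-one.xyz
2025-08-29T09:00:07Z 10.0.0.15 TXT 0b1c2d3e4f5a.k8s5.sample-zone-one.xyz
2025-08-29T09:00:09Z 10.0.0.15 A www.example
2025-08-29T09:00:10Z 10.0.0.22 TXT _dmarc.example
2025-08-29T09:00:11Z 10.0.0.22 A mail.example
"""

def shannon_entropy(s):
    """Bits per character; hex/base64-style labels score well above 3."""
    counts = defaultdict(int)
    for ch in s:
        counts[ch] += 1
    return -sum(c / len(s) * math.log2(c / len(s)) for c in counts.values())

def txt_tunnel_scores(lines, min_queries=3, min_label_len=10, min_entropy=3.0):
    """Return {(client, zone): txt_query_count} for zones that look tunnelled.

    Zone is a crude eTLD+1 (last two labels), enough for the single-label
    TLDs in the sample; use a public-suffix list on real logs.
    """
    longest_labels = defaultdict(list)
    for line in lines.splitlines():
        parts = line.split()
        if len(parts) != 4 or parts[2] != "TXT":
            continue
        _ts, client, _qtype, qname = parts
        labels = qname.rstrip(".").split(".")
        zone, sub = ".".join(labels[-2:]), labels[:-2]
        # Keep only the longest subdomain label per query: that is where
        # an encoded payload chunk would sit.
        longest_labels[(client, zone)].append(max(sub, key=len) if sub else "")

    suspicious = {}
    for key, labels in longest_labels.items():
        encoded = [l for l in labels
                   if len(l) >= min_label_len and shannon_entropy(l) >= min_entropy]
        # Flag only when the zone is queried repeatedly AND every query carries
        # an encoded-looking label; one-off SPF/DMARC lookups never qualify.
        if len(labels) >= min_queries and len(encoded) == len(labels):
            suspicious[key] = len(labels)
    return suspicious
```

On real resolver logs the same per-(client, zone) aggregation should run over a sliding window, since a slow channel that sends a few records an hour only stands out once enough queries to one zone have accumulated.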

How Abnormal AI Spots Threats Early

Abnormal’s Behavioral AI Engine learns normal communication patterns within your organization and flags subtle deviations that may signal advanced attacks. This early detection provides warning against spear phishing, credential theft, custom malware, and long-term data theft.

For phishing attempts, the AI applies natural language processing and relationship mapping to detect suspicious emails before they reach inboxes. Against downloader infrastructure and shifting domains, it highlights unusual sender behavior, rare file types, and abnormal file-sharing activity. Credential theft is exposed through monitoring of risky OAuth grants and unusual login locations. Even custom tools are revealed through abnormal execution behavior and suspicious command traffic.

The system also watches for slow, hidden exfiltration by spotting irregular DNS requests and low-volume transfers. With API-based, agentless deployment, integration is seamless and requires no extra hardware. Abnormal delivers proactive protection, helping organizations stop threats early. Request a demo to see how it works.
