Security Threat Researchers at Symantec have published details about malware being put out by the “Gamaredon” threat group (who have been tied to Russian Federal Security Service), responsible for attacks in the Ukraine since 2013.

Keeping an eye on new malware can help us understand how the attack surface is changing based on how cybercriminals are modifying their tactics. A new report from Symantec’s Threat Hunter team showcases eight specific pieces of malware they’ve found, including the methods used to infect their target victim endpoints.

While worth a read, the overarching activity theming involves the heavy reliance on VB scripts, dropping staged payloads, and hosting files in the %TEMP%, %PUBLIC%, and %USERPROFILE% folders.

What makes this news so important is that we’re not just seeing one method of infection; we have a single cybercriminal group using eight different methods of attack – and not just testing them; but actually using them in the field. That means they’ve passed muster in testing and are equally dangerous.

The evolution of cybercrime to date has felt mostly linear in its growth. The “as a Service” model has seen crimeware grow at a much faster rate. But 8 pieces of malware at once? That feels a bit like exponential growth to me.

I hope we don’t see this kind of thing too often.

According to Symantec, all 8 start with a phishing attack – which means there’s a strong opportunity for your users to stop these and any other forms of malware by simply seeing the phishing attack for what it is. Security Awareness Training is the most effective way to ensure users remain on notice when interacting with email and the web.