Hunt.io Insights: Gamaredon's Flux-Like Infrastructure and a Look at Recent ShadowPad Activity
ID: 595dda9e-8384-52dc-916a-249862af797a
STIX ID: report--595dda9e-8384-52dc-916a-249862af797a
Feed Name: Hunt.io Blog
This Hunt.io intelligence brief describes two distinct clusters of internet-facing infrastructure linked to state-sponsored actors. The first is attributed to Gamaredon (Russian-linked) and uses low-frequency fast-flux DNS patterns across many .ru domains. The second reuses spoofed TLS certificates and hosts a ShadowPad backdoor (Dvx.zip), with overlaps to RedFoxtrot. The report details the observed TTPs (short DNS TTLs, wildcard A records, DLL side-loading, dynamic DNS abuse, and certificate reuse) and provides extensive IOCs (IP addresses, domains, and file hashes) to support detection and mitigation.
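As an added example (not code from Hunt.io or from the report itself), the following Python scores passive-DNS observations for the DNS-side TTPs the summary lists: short TTLs, many A records per domain, wildcard-like resolution where arbitrary subdomains all return the same address set, and slow rotation of answers over time. The record format, thresholds, and sample domains are constructed assumptions for illustration, not indicators from the report.

```python
# Added example (not from the Hunt.io report): score passive-DNS observations for
# fast-flux-like behaviour. Sample records, thresholds and the two-label domain
# heuristic are constructed assumptions, not data from the report.
from collections import defaultdict
from dataclasses import dataclass
from typing import Dict, Iterable, List, Set


@dataclass(frozen=True)
class DnsObservation:
    rrname: str   # queried hostname
    rdata: str    # resolved IPv4 address (A record)
    ttl: int      # TTL in seconds as returned by the authoritative server
    seen_at: int  # unix timestamp of the observation


def registered_domain(name: str) -> str:
    """Collapse a hostname to its last two labels.

    Hypothetical simplification: production code should consult the Public
    Suffix List so that names such as example.co.uk group correctly.
    """
    labels = name.lower().rstrip(".").split(".")
    return ".".join(labels[-2:])


def score_domains(obs: Iterable[DnsObservation], short_ttl: int = 300,
                  min_ips: int = 3, min_hosts: int = 3) -> Dict[str, List[str]]:
    """Return, per registered domain, the fast-flux indicators observed.

    short_ttl      every observation had TTL <= short_ttl
    many_ips       at least min_ips distinct A records across the domain
    wildcard_like  at least min_hosts distinct hostnames, all resolving to the
                   identical address set (what a wildcard A record produces)
    rotation       some hostname changed its answer between consecutive observations
    """
    by_domain: Dict[str, List[DnsObservation]] = defaultdict(list)
    for o in obs:
        by_domain[registered_domain(o.rrname)].append(o)

    results: Dict[str, List[str]] = {}
    for domain, rows in by_domain.items():
        indicators: List[str] = []
        if max(r.ttl for r in rows) <= short_ttl:
            indicators.append("short_ttl")
        if len({r.rdata for r in rows}) >= min_ips:
            indicators.append("many_ips")

        ips_by_host: Dict[str, Set[str]] = defaultdict(set)
        for r in rows:
            ips_by_host[r.rrname].add(r.rdata)
        if (len(ips_by_host) >= min_hosts
                and len({frozenset(s) for s in ips_by_host.values()}) == 1):
            indicators.append("wildcard_like")

        # Rotation: the answer for one hostname differs between consecutive lookups.
        for host in ips_by_host:
            timeline = sorted((r for r in rows if r.rrname == host),
                              key=lambda r: r.seen_at)
            if any(a.rdata != b.rdata for a, b in zip(timeline, timeline[1:])):
                indicators.append("rotation")
                break
        results[domain] = indicators
    return results


def flagged(results: Dict[str, List[str]], min_indicators: int = 2) -> List[str]:
    """Domains with at least min_indicators indicators, most suspicious first."""
    hits = [(d, ind) for d, ind in results.items() if len(ind) >= min_indicators]
    return [d for d, _ in sorted(hits, key=lambda x: (-len(x[1]), x[0]))]


# Constructed sample: random-looking subdomains of one .ru domain rotating through
# the same three documentation-range addresses with short TTLs, beside a stable host.
SAMPLE = [
    DnsObservation("a1b2.flux-sample.ru", "203.0.113.5", 60, 1_700_000_000),
    DnsObservation("a1b2.flux-sample.ru", "203.0.113.17", 60, 1_700_003_600),
    DnsObservation("a1b2.flux-sample.ru", "198.51.100.9", 120, 1_700_007_200),
    DnsObservation("x9z3.flux-sample.ru", "203.0.113.5", 60, 1_700_000_100),
    DnsObservation("x9z3.flux-sample.ru", "203.0.113.17", 60, 1_700_003_700),
    DnsObservation("x9z3.flux-sample.ru", "198.51.100.9", 120, 1_700_007_300),
    DnsObservation("q7k0.flux-sample.ru", "203.0.113.5", 60, 1_700_000_200),
    DnsObservation("q7k0.flux-sample.ru", "203.0.113.17", 60, 1_700_003_800),
    DnsObservation("q7k0.flux-sample.ru", "198.51.100.9", 120, 1_700_007_400),
    DnsObservation("www.static-sample.example", "192.0.2.10", 3600, 1_700_000_000),
    DnsObservation("www.static-sample.example", "192.0.2.10", 3600, 1_700_086_400),
]

if __name__ == "__main__":
    scores = score_domains(SAMPLE)
    for domain in flagged(scores):
        print(domain, ",".join(scores[domain]))
```

Short TTLs alone are common for CDNs and load balancers, so a single indicator should not page anyone; the value of combining them is that a domain whose arbitrary subdomains all resolve to the same rotating address set with low TTLs is rare in benign traffic and worth pivoting on against the report's IOC list.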
