Stellar Discovery of A New Cluster of Andromeda/Gamarue C2
ID: ff9e7961-4a53-5e8d-8e79-e6b00abfe2e4
STIX ID: report--ff9e7961-4a53-5e8d-8e79-e6b00abfe2e4
Feed Name: Cybereason Blog
Cybereason observed an active Andromeda/Gamarue backdoor campaign targeting APAC manufacturing and logistics organizations. Initial access came via USB drop attacks, with LNK files triggering rundll32 DLL execution to deploy droppers (trustedinstaller.exe) and backdoors that perform process injection and connect to a cluster of C2 servers (notably suckmycocklameavindustry.in and related IPs). The report provides IOCs (file hashes, domains, IPs, registry persistence keys), a possible link to Turla activity (assessed at low to medium confidence), analysis of multiple cases including AutoIt masquerades and secondary malware (Pykspa), MITRE ATT&CK mappings, and detection and remediation recommendations.
