Russia's Gamaredon group, linked to the FSB, has modified its tactics to target Ukraine, incorporating new malware families and infrastructure strategies. The group has launched numerous spear-phishing campaigns and leveraged legitimate cloud services, tunneling protocols, and social media platforms to disguise its command and control infrastructure, facilitating data exfiltration and sustained espionage operations. This adaptation enables Gamaredon to maintain a covert presence, complicating detection and mitigation efforts. The employment of legitimate services for malicious purposes underscores the evolving nature of state-aligned threats [1]. The shift from traditional criminal activity to geopolitically motivated operations necessitates a revised threat model, as the motivations and tactics differ significantly. This change in approach has significant implications for defenders, as it requires a distinct set of countermeasures to effectively combat state-sponsored threats.
Russia's Gamaredon Adapts Tactics to Target Ukraine
⚡ High Priority
Why This Matters
State-aligned activity involving Russia shifts the threat model from criminal to geopolitical — different playbook required.
References
- Bank Info Security. (2026, June 25). Russia's Gamaredon Adapts Tactics to Target Ukraine. *Bank Info Security*. https://www.bankinfosecurity.com/russias-gamaredon-adapts-tactics-to-target-ukraine-a-32068
Original Source
Bank Info Security