top of page
  • Clipeus

Primitive Bear's LitterDrifter

Checkpoint details a Primitive Bear (a.k.a. Gamaredon / Armagedon)-attributed campaign leveraging LitterDrifter malware via USB, a self-spreading USB worm. According to a separate report released by the Ukrainian Security Services, the threat actor can be linked to the Russian Federal Security Service (FSB). Checkpoint reported evidence of infections across the globe, including in the United States, Germany, Poland, and Hong Kong. Such large distribution may be due to the capability of the USB worm to spread beyond the intended target, which, based on available metrics, appears to be Ukraine - where the largest majority of the attacks in the wild were observed. LitterDrifter has a modular implant comprised of a spreader module which checks for a specific mediatype and infects the systems prioritizing portable pendrive drivers, and a command-and-control (C2) module with the ability to generate a built-in C2 or retrieve the C2 information from Telegram.

Recent Posts

See All

AcidPour Wiper Targets Linux Devices in Ukraine

A new iteration of the AcidRain wiper malware, dubbed AcidPour, has been identified by SentinelOne's threat intelligence division, SentinelLabs. AcidRain, linked to Russian military intelligence, gain


Commenting has been turned off.

If you are interested in specifics or additional insights on the threats above or any other threat, please visit our dedicated service page or reach out to with your inquiry. We would be glad to assist you

bottom of page