yankywilson

First public reverse engineering of GAMYBEAR, the Go backdoor used by UAC-0241 against Ukrainian education and state-authority targets. Static + dynamic analysis with 15 findings extending CERT-UA#18329, including a persistence correction and the http.DefaultClient TLS failure. IOCs, YARA, Suricata, Snort, STIX.

17 stars
100% credibility
Found Jun 01, 2026 at 17 stars
Go

AI Summary

GAMYBEAR is a publicly available malware analysis project that reverse-engineers a Russian-linked backdoor program (attributed to UAC-0241) that targeted Ukrainian education and government organizations. The repository provides detailed technical analysis of the malware's functionality, corrections to official government advisories, and defensive detection tools including YARA rules, network signatures, and host-based indicators. The analysis is educational and defensive in purpose, helping security professionals understand and detect this specific threat.

How It Works

1. Discovering GAMYBEAR

A security researcher encounters a suspicious file targeting Ukrainian schools and decides to investigate it.

2. Finding the Analysis Package

The repository contains a complete breakdown of the malware, including reconstructed code, detection rules, and detailed findings.

3. Understanding the Attacker's Mistakes

The analysis reveals how the attacker left debug information in the code, embedded their username, and used a connection method that fails on a normal, clean computer.

4. Getting Detection Rules

The researcher downloads ready-to-use detection rules for security tools such as YARA, Suricata, and Snort to find this threat in their network.

5. Reviewing Attack Indicators

The package includes a list of file hashes, server addresses, and file paths that indicate a computer has been compromised.

6. Choosing Your Path

For Enterprise Defenders: use the Sigma rules and EDR queries to search your organization's computers for signs of this attack.

For Researchers: study the technical findings and the corrections to CERT-UA's original report to understand the full attack chain.

Protected and Informed

Security teams now have the knowledge and tools to detect, block, and respond to this threat targeting education institutions.

AI-Generated Review

What is gamybear?

GAMYBEAR is a first public reverse engineering analysis of a Go-based backdoor attributed to the UAC-0241 threat cluster, which has targeted Ukrainian education and state entities. The project provides static and dynamic analysis of the malware binary, including reconstructed source code, network protocol documentation, and empirical detonation results. Defenders get a complete breakdown of how the backdoor communicates with its C2 server, how it persists on infected systems, and where its detection can be improved over the original CERT-UA advisory.

Why is it gaining traction?

The analysis surfaces a critical flaw: the backdoor uses Go's default HTTP client with strict TLS validation, but its C2 serves a self-signed certificate. On any clean Windows host, the malware cannot complete a TLS handshake and is effectively broken. This finding gives defenders a high-fidelity detection opportunity even when the malware fails to run. The project also corrects CERT-UA's persistence attribution, provides working YARA rules, Suricata and Snort signatures, and a STIX bundle for automated threat intelligence workflows.
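The failure mode described above can be reproduced without any malware. The following is an added example, not code from the GAMYBEAR repository or from the analysed binary: httptest.NewTLSServer generates a throwaway self-signed certificate that no root store trusts, which stands in for the C2; the handler body is a constructed placeholder and says nothing about the real protocol. Probing it with http.DefaultClient reproduces the handshake rejection (an x509.UnknownAuthorityError surfaces through the url.Error chain) before a single HTTP byte is sent. A second client that trusts the server certificate is included only to show what a lab detonation environment has to do to get past the handshake and observe the rest of the protocol.

```go
package main

import (
	"crypto/tls"
	"crypto/x509"
	"errors"
	"fmt"
	"net/http"
	"net/http/httptest"
)

// Outcome classifies what happened when a client tried to reach the server.
type Outcome string

const (
	OutcomeOK          Outcome = "ok"
	OutcomeUntrustedCA Outcome = "untrusted_ca" // handshake rejected: cert chains to no trusted root
	OutcomeOtherError  Outcome = "other_error"
)

// NewSelfSignedServer stands in for a C2 that presents a self-signed
// certificate. httptest.NewTLSServer mints its own certificate, which no
// system root store trusts: the situation the analysis describes.
// The response body is a constructed placeholder, not the real protocol.
func NewSelfSignedServer() *httptest.Server {
	return httptest.NewTLSServer(http.HandlerFunc(func(w http.ResponseWriter, r *http.Request) {
		fmt.Fprint(w, "placeholder response")
	}))
}

// Probe sends one GET with the supplied client and classifies the result.
func Probe(client *http.Client, url string) Outcome {
	resp, err := client.Get(url)
	if err == nil {
		resp.Body.Close()
		return OutcomeOK
	}
	// url.Error -> tls.CertificateVerificationError -> x509.UnknownAuthorityError
	var unknownCA x509.UnknownAuthorityError
	if errors.As(err, &unknownCA) {
		return OutcomeUntrustedCA
	}
	return OutcomeOtherError
}

// DefaultClientOutcome is what http.DefaultClient yields against a
// self-signed server on a clean host: the TLS handshake is rejected,
// so no HTTP request (and hence no beacon payload) is ever transmitted.
func DefaultClientOutcome() Outcome {
	srv := NewSelfSignedServer()
	defer srv.Close()
	return Probe(http.DefaultClient, srv.URL)
}

// TrustedClientOutcome shows, for contrast, that the same server becomes
// reachable once its certificate is placed in the client's root pool. This
// is the adjustment a lab detonation environment makes to observe the
// post-handshake traffic; on a clean host nothing performs it.
func TrustedClientOutcome() Outcome {
	srv := NewSelfSignedServer()
	defer srv.Close()
	pool := x509.NewCertPool()
	pool.AddCert(srv.Certificate())
	client := &http.Client{Transport: &http.Transport{
		TLSClientConfig: &tls.Config{RootCAs: pool},
	}}
	return Probe(client, srv.URL)
}

func main() {
	fmt.Println("http.DefaultClient vs self-signed server:", DefaultClientOutcome())
	fmt.Println("client trusting the server cert:      ", TrustedClientOutcome())
}
```

For detection engineering the practical point is where the failure lands: the client sends a ClientHello, receives the server certificate, and aborts with a TLS alert, so the observable artefact on a clean host is a short, repeating TLS handshake attempt to the C2 address with no application data, which is what the network signatures in the repository can key on.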

Who should use this?

Threat intelligence analysts hunting UAC-0241 activity will find the IOC list and network detection rules immediately useful. Incident responders investigating GAMYBEAR infections can use the Sigma rules and host-based indicators to scope their investigations. Security engineers building detection pipelines will appreciate the STIX bundle for automated ingestion. This is not a tool for beginners; it assumes familiarity with malware analysis concepts and threat actor attribution.

Verdict

This is a solid, well-documented malware analysis from an individual researcher, but the 1.0% credibility score and single-digit star count reflect its newness and limited community validation. The analysis itself is thorough and the detection artifacts are production-ready, but treat the findings as a starting point rather than gospel until the community has had time to vet them.
