GAMEFISH (which also goes by the name Downrage) is a tool that belongs to the infamous hacking group Fancy Bear, also known as APT28 (Advanced Persistent Threat) and Sofacy. Fancy Bear is believed to originate from Russia and is known to have been active since 2004 so that it is fair to say that they are not new to this. These cyber crooks have a particular taste for high-profile political targets. This has lead malware experts to believe that Fancy Bear may be linked to the Russian Government and is likely operating on their behalf, to further Russian interests globally. One of Fancy Bear’s big-scale operations that took place rather recently was their attack launched against certain French political actors before the presidential elections in France in 2018.
It is likely that the GAMEFISH tool is used in the first stage of an attack as its features include the ability to collect network and system data regarding the infiltrated host and forward it to the attackers. The GAMEFISH loader also is capable of receiving commands, which would then set it off to download and execute a second threat. Cybersecurity experts have detected several other threats, which have been used as a secondary payload in previous campaigns involving the GAMEFISH tool. Among them are Xagent, Usbstealer, XTunnel and Downdelph. These hacking tools are known to be a part of the vast arsenal of Fancy Bear.
As Fancy Bear is not known for discarding its tools after one campaign, it is likely that it will continue to employ the GAMEFISH tool in future operations. Prominent hacking groups like Fancy Bear also tend to improve and update their hacking tools so the GAMEFISH loader may become even more threatening in the future.