GamaCopy is a threat actor first discovered in June 2023, known for launching cyberattacks against Russia’s defense and critical infrastructure sectors by mimicking the TTPs of Gamaredon. The organization has been active since at least August 2021 and primarily uses Russian-language bait documents related to military facilities. Analysis of attack samples shows considerable overlap in code structure and tactics, including the use of 7z-SFX documentation to install UltraVNC and connecting via port 443. GamaCopy employs open-source tools to obfuscate its activities while targeting sensitive information in the context of the Russia-Ukraine conflict.