Gamaredon Exploits WinRAR Vulnerability for Data Theft Targeting Ukraine

Severity: High (Score: 77.9)

Sources: Scworld, Thehackernews

Published: 2026-06-02 · Updated: 2026-06-03

Keywords: winrar, russian, vulnerability, data, theft, gamaredon, deliver

Severity indicators: vulnerability, data theft

Summary

The Russian hacking group Gamaredon is exploiting the WinRAR vulnerability CVE-2025-8088 to deploy malware aimed at data theft and network propagation. The attack begins with a weaponized HTML Application payload called GammaPhish, which retrieves VBScript downloaders known as GammaLoad. These scripts fingerprint host systems and fetch malicious payloads from command-and-control servers. One payload, GammaWorm, establishes persistence and evades detection using legitimate platforms like Telegram. Another malware, GammaSteel, captures and exfiltrates sensitive files. Gamaredon, linked to Russia's FSB, has a history of targeting Ukrainian entities, particularly government and critical infrastructure. The exploitation of this vulnerability highlights the group's sophisticated and modular attack design, indicating potential for future operations.

Key Points:

  • Gamaredon exploits CVE-2025-8088 in WinRAR for data theft and malware deployment.
  • The attack utilizes a multi-stage infection chain involving GammaPhish, GammaLoad, and GammaWorm.
  • Targeted entities include Ukrainian government and critical infrastructure, with ongoing threats.

Detailed Analysis

**Impact**

The primary targets are Ukrainian government and critical infrastructure entities. The attack facilitates data theft and network propagation, risking sensitive government and operational data. The scope includes multiple malware families deployed to exfiltrate files, potentially impacting numerous systems within these sectors. No specific numbers of affected systems or data volumes were provided.

**Technical Details**

The attack exploits CVE-2025-8088, a path traversal vulnerability in WinRAR, to deliver a weaponized HTML Application payload called GammaPhish. This payload downloads VBScript loaders (GammaLoad) that fingerprint hosts, update network settings, and retrieve additional VBScript payloads such as GammaWorm and GammaSteel. GammaWorm establishes persistence via scheduled tasks and uses NTFS Alternate Data Streams and Telegram for command-and-control communication. GammaSteel is a modular information stealer that exfiltrates data to AWS S3 buckets or fallback servers. The infection chain is modular and adaptable, with potential deployment of other malware like GammaWipe. The group is linked to Russia's FSB.

**Recommended Response**

Apply patches or mitigations addressing CVE-2025-8088 in WinRAR immediately. Deploy detections for GammaPhish HTML Application payloads, GammaLoad and GammaWorm VBScript activities, and monitor for unusual scheduled tasks and NTFS Alternate Data Stream usage. Block known C2 infrastructure, including Telegram-based communications and AWS S3 exfiltration endpoints linked to this campaign. Increase monitoring for spear-phishing attempts involving malicious RAR archives targeting Ukrainian sectors.
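The recommended response above lists three host-side signals worth alerting on: HTML Application execution (mshta.exe, T1218.005), scheduled task creation (T1053) and writes to NTFS Alternate Data Streams (T1564). The following is an added example, not code from either source article or from any vendor's detection content, showing how those three checks can be expressed over Sysmon-style telemetry. The event lines are constructed for the example; the field names (EventID, Image, ParentImage, CommandLine, TargetFilename) are a simplified take on Sysmon's schema, and Sysmon Event ID 15 (FileCreateStreamHash) is the real event that records stream creation. The benign-stream allowlist and the severity values are choices made for this example, not indicators from the reporting.

```python
import json

# Constructed Sysmon-like events in JSON-lines form (sample data, not real
# campaign telemetry). Backslashes are doubled because the records are JSON.
SAMPLE_EVENTS = r"""
{"EventID": 1, "Image": "C:\\Windows\\System32\\mshta.exe", "ParentImage": "C:\\Program Files\\WinRAR\\WinRAR.exe", "CommandLine": "mshta.exe C:\\Users\\u\\AppData\\Local\\Temp\\invite.hta"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\schtasks.exe", "ParentImage": "C:\\Windows\\System32\\wscript.exe", "CommandLine": "schtasks.exe /create /sc minute /mo 5 /tn Updater /tr wscript.exe"}
{"EventID": 15, "Image": "C:\\Windows\\System32\\wscript.exe", "TargetFilename": "C:\\Users\\u\\AppData\\Roaming\\notes.txt:stage2"}
{"EventID": 15, "Image": "C:\\Program Files\\Mozilla Firefox\\firefox.exe", "TargetFilename": "C:\\Users\\u\\Downloads\\report.pdf:Zone.Identifier"}
{"EventID": 1, "Image": "C:\\Windows\\System32\\notepad.exe", "ParentImage": "C:\\Windows\\explorer.exe", "CommandLine": "notepad.exe"}
"""

# Streams that browsers and mail clients create routinely (mark-of-the-web);
# alerting on them would bury the signal. Allowlist chosen for this example.
BENIGN_STREAMS = {"zone.identifier"}


def _basename(path):
    """Lower-cased file name component of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def check_event(ev):
    """Return a finding dict for one event, or None when nothing matches."""
    eid = ev.get("EventID")
    image = _basename(ev.get("Image", ""))
    cmdline = ev.get("CommandLine", "")

    # 1. HTML Application execution (T1218.005). mshta.exe spawned directly by
    #    the archiver is the pattern an archive-delivered HTA would produce.
    if eid == 1 and image == "mshta.exe":
        parent = _basename(ev.get("ParentImage", ""))
        severity = "high" if parent == "winrar.exe" else "medium"
        return {"rule": "hta_execution", "technique": "T1218.005",
                "severity": severity, "detail": cmdline}

    # 2. Scheduled task creation via schtasks.exe (T1053).
    if eid == 1 and image == "schtasks.exe" and "/create" in cmdline.lower():
        return {"rule": "scheduled_task_create", "technique": "T1053",
                "severity": "medium", "detail": cmdline}

    # 3. Alternate Data Stream write (T1564). Sysmon reports the stream as
    #    "<path>:<stream>"; strip the drive-letter colon before looking for it.
    if eid == 15:
        target = ev.get("TargetFilename", "")
        _drive, _sep, rest = target.partition(":")
        if ":" in rest:
            stream = rest.rsplit(":", 1)[1].lower()
            if stream not in BENIGN_STREAMS:
                return {"rule": "ads_write", "technique": "T1564",
                        "severity": "medium", "detail": target}
    return None


def detect(jsonl):
    """Run check_event over every non-empty JSON line and collect findings."""
    findings = []
    for line in jsonl.strip().splitlines():
        line = line.strip()
        if not line:
            continue
        finding = check_event(json.loads(line))
        if finding:
            findings.append(finding)
    return findings


if __name__ == "__main__":
    for finding in detect(SAMPLE_EVENTS):
        print(finding)
```

Run against the constructed sample, the detector raises three findings (the mshta.exe launch under WinRAR, the schtasks.exe /create call and the non-Zone.Identifier stream write) and stays silent on the browser's mark-of-the-web stream and on notepad.exe. In production the three rules would be separate queries in the SIEM with the parent-process and stream allowlists tuned to the environment; the point of the example is the shape of each check, not the specific thresholds.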

Source articles (2)

  • Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine — Thehackernews · 2026-06-02
    The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per S…
  • Russian hackers exploit WinRAR vulnerability for data theft | brief — Scworld · 2026-06-02
    As reported by The Hacker News, the Russian hacking group Gamaredon is actively exploiting a WinRAR vulnerability, CVE-2025-8088, to deploy various malware families for data theft and network propagat…

Timeline

  • 2025-08-08 — CVE-2025-8088 published: A path traversal vulnerability in WinRAR was disclosed, allowing exploitation for malware delivery.
  • 2025-08-12 — CVE-2025-8088 added to CISA KEV: CISA listed the vulnerability as actively exploited, indicating a significant threat level.
  • 2026-06-02 — Gamaredon exploits WinRAR vulnerability: The group is actively using the vulnerability to deploy GammaPhish and other malware against Ukrainian targets.

CVEs

  • CVE-2025-8088

Related entities

  • Gamaredon (APT Group)
  • Data Breach (Attack Type)
  • Malware (Attack Type)
  • Phishing (Attack Type)
  • Worm (Attack Type)
  • Ukraine (Country)
  • CWE-22 - Path Traversal (CWE)
  • Government (Industry)
  • GammaLoad (Malware)
  • GammaSteel (Malware)
  • GammaWipe (Malware)
  • GammaWorm (Malware)
  • GammaPhish (Campaign)
  • T1053 - Scheduled Task/Job (MITRE ATT&CK)
  • T1071 - Application Layer Protocol (MITRE ATT&CK)
  • T1082 - System Information Discovery (MITRE ATT&CK)
  • T1218.005 - Mshta (MITRE ATT&CK)
  • T1564 - Hide Artifacts (MITRE ATT&CK)
  • T1566.001 - Spearphishing Attachment (MITRE ATT&CK)
  • T1567.002 - Exfiltration to Cloud Storage (MITRE ATT&CK)
  • AWS (Company)
  • Telegram (Platform)
  • WinRAR (Tool)