Gamaredon Exploits WinRAR Vulnerability in Ongoing Ukraine Campaign
Severity: High (Score: 79.5)
Sources: Infosecurity-Magazine, Socprime, Cybersecuritynews, blog.sekoia.io, Scworld
Keywords: windows, gamaredon, hides, worm, features, cloud, group
Severity indicators: apt, pla, malware, worm
Summary
Gamaredon, a Russian state-backed APT group, is actively exploiting a WinRAR vulnerability (CVE-2025-8088) to deploy malware against Ukrainian government and military targets. The attack begins with a spearphishing email containing a malicious HTML Application payload known as GammaPhish, which retrieves a VBScript downloader called GammaLoad. This downloader fetches GammaWorm, a self-propagating worm that hides its components in NTFS Alternate Data Streams, allowing it to evade detection. The malware uses legitimate services such as Telegram and Cloudflare for command-and-control operations. The campaign has been ongoing since at least January 2026, with a focus on long-term access to critical infrastructure. Sekoia's analysis indicates that the safest remediation is a full system rebuild, because the malware is able to continuously fetch new payloads. Organizations are advised to update WinRAR and implement strict scanning controls on email attachments.

Key Points:
- Gamaredon exploits CVE-2025-8088 in ongoing attacks against Ukrainian targets.
- The malware uses NTFS Alternate Data Streams to evade detection and maintain persistence.
- Full system rebuilds are recommended for effective remediation due to the malware's resilience.
Detailed Analysis
**Impact**
The campaign targets Ukrainian government institutions, military bodies, and critical infrastructure, aiming to steal sensitive documents and maintain long-term espionage access. The infection chain has been active since at least January 2026, affecting multiple organizations within Ukraine. The modular malware families deployed enable data theft and network propagation, posing operational risks and potential compromise of classified or critical data.

**Technical Details**
The attack exploits CVE-2025-8088, a WinRAR path traversal vulnerability, via spearphishing emails containing malicious RAR archives. Initial access is gained through a weaponized HTML Application payload (GammaPhish), which downloads VBScript loaders (GammaLoad) and a self-propagating worm (GammaWorm) that uses NTFS Alternate Data Streams and scheduled tasks for stealth and persistence. Command-and-control communications leverage legitimate cloud services such as Telegram, Cloudflare, and Supabase as dead-drop resolvers. Additional malware includes GammaSteel, a PowerShell stealer that exfiltrates data to AWS S3 buckets. Indicators of compromise include alternate data stream creation with “:GTR” suffixes, RunOnce registry modifications, suspicious scheduled tasks, and outbound traffic to known resolver domains.

**Recommended Response**
Apply WinRAR updates to version 7.13 or later to remediate the exploited vulnerability. Deploy detections for alternate data stream creation, RunOnce registry changes, and unusual scheduled tasks, and monitor outbound connections to identified dead-drop resolver domains. Block known command-and-control IPs and domains at the network perimeter. Upon detection, isolate affected hosts, collect volatile data, perform full forensic analysis, remove hidden ADS files, delete malicious registry entries, and disable related scheduled tasks. A full system rebuild is advised due to the malware’s persistence mechanisms.
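A host-triage script for the three host-side indicators listed above (alternate data streams ending in the reported “:GTR” suffix, RunOnce values, and scheduled tasks that launch a script host), added here as an example and not taken from Sekoia or any of the source articles. The search root, the script-host pattern, and the standard RunOnce key paths are assumptions; the suffix is the one the analysis names.

```powershell
# Added hunting script (example, not from the Sekoia report or the source
# articles). Assumptions: the search root, the script-host regex and the
# standard RunOnce key paths; 'GTR' is the ADS suffix the analysis names.
param(
    [string]$Root = $env:USERPROFILE,
    [string]$AdsSuffix = 'GTR',
    [string]$ScriptHosts = 'wscript|cscript|mshta|powershell'
)

# 1. NTFS alternate data streams (T1564) whose name ends with the suffix.
#    Get-Item -Stream * lists every stream; ':$DATA' is the normal file body.
$adsHits = Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -like "*$AdsSuffix" }
    } |
    Select-Object FileName, Stream, Length

# 2. RunOnce values (T1547.001) that launch a script host. Provider metadata
#    properties (PSPath, PSChildName, ...) are skipped by the PS* filter.
$runOnceKeys = @(
    'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
    'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce'
)
$runOnceHits = foreach ($key in $runOnceKeys) {
    if (Test-Path $key) {
        foreach ($p in (Get-ItemProperty -Path $key).PSObject.Properties) {
            if ($p.Name -notlike 'PS*' -and "$($p.Value)" -match $ScriptHosts) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $p.Value }
            }
        }
    }
}

# 3. Scheduled tasks (T1053.005) with an action that runs a script host.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | Where-Object {
    $_.Actions | Where-Object { "$($_.Execute) $($_.Arguments)" -match $ScriptHosts }
} | Select-Object TaskName, TaskPath,
    @{ n = 'Command'; e = { ($_.Actions | ForEach-Object { "$($_.Execute) $($_.Arguments)" }) -join '; ' } }

# Report. A hit is a triage lead, not proof of compromise on its own; the ADS
# content and the RunOnce/task command lines are what to collect for analysis.
"ADS streams ending in '$AdsSuffix': $(@($adsHits).Count)"
$adsHits | Format-Table -AutoSize
"RunOnce values invoking a script host: $(@($runOnceHits).Count)"
$runOnceHits | Format-Table -AutoSize
"Scheduled tasks invoking a script host: $(@($taskHits).Count)"
$taskHits | Format-Table -AutoSize
```

Run it in an elevated session so the HKLM key and other users' task definitions are readable; point `-Root` at a system-wide path to widen the ADS sweep.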
Source articles (6)
- FSB Group Gamaredon Hides Worm in Windows Data Streams — Infosecurity-Magazine · 2026-06-01
  A Russian state-linked worm has been observed hiding its components inside a little-used Windows file feature, allowing it to spread across Ukrainian networks while leaving almost no trace on infected…
- Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2 — Cybersecuritynews · 2026-06-02
  Gamaredon, a Russian state-backed espionage group, is deploying a new VBScript worm that hides inside native Windows features while using popular cloud services as covert command-and-control (C2) chan…
- Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine — Thehackernews · 2026-06-02
  The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per S…
- Russian hackers exploit WinRAR vulnerability for data theft | brief — Scworld · 2026-06-02
  As reported by The Hacker News, the Russian hacking group Gamaredon is actively exploiting a WinRAR vulnerability, CVE-2025-8088, to deploy various malware families for data theft and network propagat…
- Gamaredon Uses GammaPhish and GammaWorm in Ukraine — Socprime · 2026-06-02
  Gamaredon, a Russian state-backed APT group, continues to run long-term espionage operations against Ukrainian government institutions, military bodies, and critical infrastructure. Its modular infect…
- Fsbs Matryoshka 1 3 Gamaredons Gifts That Keeps Unpacking Gammaphish And Gammaworm — blog.sekoia.io · 2026-06-01
Timeline
- 2025-08-08 — CVE-2025-8088 published: A path traversal vulnerability in WinRAR was disclosed, allowing potential exploitation.
- 2025-08-12 — CVE-2025-8088 added to CISA KEV: CISA classified the vulnerability as actively exploited, prompting heightened awareness.
- 2026-01-01 — Gamaredon campaign identified: Sekoia reconstructed the infection chain, revealing ongoing operations against Ukrainian entities.
- 2026-06-01 — Current activity reported: Gamaredon's operations are still active, focusing on espionage against Ukraine's critical infrastructure.
- 2026-06-02 — Malware analysis published: Sekoia detailed the modular infection chain and the use of fileless techniques in the campaign.
CVEs
Related entities
- Gamaredon (APT Group)
- Data Breach (Attack Type)
- Malware (Attack Type)
- Phishing (Attack Type)
- Worm (Attack Type)
- GammaPhish (Campaign)
- Russia (Country)
- Ukraine (Country)
- CWE-22 - Path Traversal (CWE)
- Government (Industry)
- GammaLoad (Malware)
- GammaSteel (Malware)
- GammaWipe (Malware)
- GammaWorm (Malware)
- T1053.005 - Scheduled Task (Mitre Attack)
- T1053 - Scheduled Task/Job (Mitre Attack)
- T1059.001 - PowerShell (Mitre Attack)
- T1059.005 - Visual Basic (Mitre Attack)
- T1059.007 - JavaScript (Mitre Attack)
- T1071.001 - Web Protocols (Mitre Attack)
- T1071 - Application Layer Protocol (Mitre Attack)
- T1082 - System Information Discovery (Mitre Attack)
- T1218.005 - Mshta (Mitre Attack)
- T1547.001 - Registry Run Keys / Startup Folder (Mitre Attack)
- T1547 - Boot Or Logon Autostart Execution (Mitre Attack)
- T1564.007 - VBA Stomping (Mitre Attack)
- T1564 - Hide Artifacts (Mitre Attack)
- T1566.001 - Spearphishing Attachment (Mitre Attack)
- T1567.002 - Exfiltration to Cloud Storage (Mitre Attack)
- AWS (Company)
- Cloudflare (Company)
- Telegram (Platform)
- Windows (Platform)
- Supabase (Platform)
- WinRAR (Tool)
- PowerShell (Tool)
- VBScript (Tool)
- Path Traversal (Vulnerability)