Infosecurity-Magazine
Gamaredon Exploits WinRAR Vulnerability in Ongoing Ukraine Campaign
Ask AI about this cluster
Analyzing cluster data...
Referenced clusters:
Something went wrong. Please try again.
Cluster AI
Ask questions about this threat cluster with AI-powered analysis.
Get Researcher $29.99/moArticle Content
Gamaredon, a Russian state-backed APT group, is actively exploiting a WinRAR vulnerability (CVE-2025-8088) to deploy malware against Ukrainian government and military targets. The attack begins with a spearphishing email containing a malicious HTML Application payload known as GammaPhish, which retrieves a VBScript downloader called GammaLoad. This downloader fetches the GammaWorm, a self-propagating worm that hides its components in NTFS Alternate Data Streams, allowing it to evade detection. The malware uses legitimate services like Telegram and Cloudflare for command-and-control operations. The campaign has been ongoing since at least January 2026, with a focus on long-term access to critical infrastructure. Sekoia's analysis indicates that the safest remediation is a full system rebuild due to the malware's ability to continuously fetch new payloads. Organizations are advised to update WinRAR and implement strict scanning controls on email attachments.
Key Points: • Gamaredon exploits CVE-2025-8088 in ongoing attacks against Ukrainian targets. • The malware uses NTFS Alternate Data Streams to evade detection and maintain persistence. • Full system rebuilds are recommended for effective remediation due to the malware's resilience.