Gamaredon Exploits WinRAR Vulnerability in Ongoing Ukraine Campaign

Gamaredon Exploits WinRAR Vulnerability in Ongoing Ukraine Campaign

First seen 2 Jun 2026, 07:22 UTC Infosecurity-MagazineCybersecuritynewsThehackernewsScworldSocprime+1 82% similarity 79.5

Article Content

Browse articles
ThreatCluster

Gamaredon, a Russian state-backed APT group, is actively exploiting a WinRAR vulnerability (CVE-2025-8088) to deploy malware against Ukrainian government and military targets. The attack begins with a spearphishing email containing a malicious HTML Application payload known as GammaPhish, which retrieves a VBScript downloader called GammaLoad. This downloader fetches the GammaWorm, a self-propagating worm that hides its components in NTFS Alternate Data Streams, allowing it to evade detection. The malware uses legitimate services like Telegram and Cloudflare for command-and-control operations. The campaign has been ongoing since at least January 2026, with a focus on long-term access to critical infrastructure. Sekoia's analysis indicates that the safest remediation is a full system rebuild due to the malware's ability to continuously fetch new payloads. Organizations are advised to update WinRAR and implement strict scanning controls on email attachments.

Key Points: • Gamaredon exploits CVE-2025-8088 in ongoing attacks against Ukrainian targets. • The malware uses NTFS Alternate Data Streams to evade detection and maintain persistence. • Full system rebuilds are recommended for effective remediation due to the malware's resilience.

ThreatCluster AI

Timeline

2025-08-08
CVE-2025-8088 published
A path traversal vulnerability in WinRAR was disclosed, allowing potential exploitation.
Socprime
2025-08-12
CVE-2025-8088 added to CISA KEV
CISA classified the vulnerability as actively exploited, prompting heightened awareness.
Infosecurity-Magazine
2026-01-01
Gamaredon campaign identified
Sekoia reconstructed the infection chain, revealing ongoing operations against Ukrainian entities.
Scworld
2026-06-01
Current activity reported
Gamaredon's operations are still active, focusing on espionage against Ukraine's critical infrastructure.
Infosecurity-Magazine
2026-06-02
Malware analysis published
Sekoia detailed the modular infection chain and the use of fileless techniques in the campaign.
Socprime

Community

Browse all →