Gamaredon Worm Exploits Windows Features for Espionage Against Ukraine

Severity: Critical (Score: 80.1)

Sources: Cybersecuritynews, Infosecurity-Magazine, blog.sekoia.io

Published: 2026-06-02 · Updated: 2026-06-02

Keywords: windows, gamaredon, hides, worm, features, cloud, group

Severity indicators: apt, pla, malware, worm

Summary

Gamaredon, a Russian state-linked espionage group, is deploying a new worm that hides its components in NTFS Alternate Data Streams, allowing it to infiltrate Ukrainian networks with minimal detection. The worm, identified as GammaWorm, utilizes a booby-trapped xHTML file to exploit CVE-2025-8088, a path traversal flaw in WinRAR, to gain initial access. Once inside, it establishes persistence through scheduled tasks and uses cloud services for command-and-control operations. The worm targets government, military, and critical infrastructure in Ukraine, and its stealthy nature makes it particularly dangerous. Organizations are advised to fully wipe infected systems and update WinRAR to version 7.13 or later to mitigate the risk. This campaign reflects a significant evolution in Gamaredon's tactics, emphasizing stealth and resilience.

Key Points:

  • Gamaredon exploits CVE-2025-8088 to gain access via a malicious xHTML file.
  • The worm hides its components in NTFS Alternate Data Streams, evading detection.
  • Organizations are urged to update WinRAR and consider full system wipes if infected.

Detailed Analysis

**Impact**

The campaign targets Ukrainian government, military, and critical infrastructure sectors, aiming to steal documents and maintain long-term access. The infection chain has been active since at least January 2026, affecting multiple organizations across Ukraine. The worm's stealth and persistence mechanisms increase the risk of prolonged espionage and operational disruption.

**Technical Details**

Initial access is gained via a booby-trapped xHTML file delivering a malicious RAR archive exploiting CVE-2025-8088, a WinRAR path traversal vulnerability. The malware, a fileless VBScript worm named GammaWorm, hides its components in NTFS Alternate Data Streams and establishes persistence through scheduled tasks and registry modifications. It propagates via USB drives and network shares using malicious shortcuts with Ukrainian-language lure filenames. Command-and-control communication uses legitimate public services like Telegram and Cloudflare as dead drops, with C2 details stored in the registry.

**Recommended Response**

Apply the WinRAR patch to version 7.13 or later immediately to close CVE-2025-8088. Monitor for scheduled tasks and registry changes related to file visibility and persistence mechanisms. Block or inspect traffic to Telegram and Cloudflare domains used for dead drop resolvers. In case of infection, perform a full system wipe due to the malware's ability to restore itself via dead drop resolvers.
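A host-side hunt for the three artifacts the analysis calls out (non-default NTFS alternate data streams, scheduled tasks that launch a script host, and Explorer file-visibility settings), added here as an illustrative PowerShell script rather than anything published by Sekoia or the other sources. The scan roots, the list of streams treated as benign, and the script-host pattern are assumptions; the Explorer registry values are the standard ones Windows uses.

```powershell
# Added hunting script (not from the source reporting). Scan roots, benign-stream
# list and the script-host regex are assumptions; tune them for your estate.
param(
    [string[]]$ScanRoots = @("$env:USERPROFILE", "$env:PUBLIC"),  # assumption
    [int]$MaxDepth = 4
)

# 1. Files carrying alternate data streams other than the defaults.
#    Every file has the unnamed ':$DATA' stream, and Zone.Identifier is the normal
#    mark-of-the-web; any other named stream on a user file deserves a look.
$benignStreams = @(':$DATA', 'Zone.Identifier')
$adsHits = foreach ($root in $ScanRoots) {
    Get-ChildItem -Path $root -File -Recurse -Depth $MaxDepth -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $benignStreams -notcontains $_.Stream } |
          Select-Object FileName, Stream, Length
      }
}

# 2. Scheduled tasks whose action runs a script host or a script file.
#    A VBScript worm needs wscript/cscript (or similar) to execute its payload.
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
    $task = $_
    foreach ($a in $task.Actions) {
        $cmd = "$($a.Execute) $($a.Arguments)"   # ComHandler actions have no Execute; that is fine
        if ($cmd -match '(?i)\b(wscript|cscript|mshta)\b|\.vbs\b|\.vbe\b|\.js\b') {
            [pscustomobject]@{ TaskName = $task.TaskName; Path = $task.TaskPath; Command = $cmd }
        }
    }
}

# 3. Explorer settings controlling whether hidden and protected OS files are displayed.
#    Hidden = 2 hides hidden files; ShowSuperHidden = 0 hides protected system files.
$advKey = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
$vis = Get-ItemProperty -Path $advKey -ErrorAction SilentlyContinue |
       Select-Object Hidden, ShowSuperHidden

"== Files with unexpected alternate data streams =="; $adsHits | Format-Table -AutoSize
"== Scheduled tasks invoking script hosts =="; $taskHits | Format-Table -AutoSize
"== Explorer file-visibility values =="; $vis | Format-List
```

Any named stream reported in the first table can be inspected with `Get-Content -LiteralPath <file> -Stream <name>` before deciding whether it is legitimate.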

Source articles (3)

  • FSB Group Gamaredon Hides Worm in Windows Data Streams — Infosecurity-Magazine · 2026-06-01
    A Russian state-linked worm has been observed hiding its components inside a little-used Windows file feature, allowing it to spread across Ukrainian networks while leaving almost no trace on infected…
  • Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2 — Cybersecuritynews · 2026-06-02
    Gamaredon, a Russian state-backed espionage group, is deploying a new VBScript worm that hides inside native Windows features while using popular cloud services as covert command-and-control (C2) chan…
  • FSB's Matryoshka 1/3: Gamaredon's Gifts That Keeps Unpacking: GammaPhish And GammaWorm — blog.sekoia.io · 2026-06-01

Timeline

  • 2025-08-08 — CVE-2025-8088 published: A path traversal vulnerability in WinRAR was disclosed, allowing potential exploitation.
  • 2025-08-12 — CVE-2025-8088 added to CISA KEV: CISA classified the vulnerability as actively exploited, raising awareness among organizations.
  • 2026-01-01 — GammaWorm campaign observed: Sekoia reported on the ongoing GammaWorm campaign targeting Ukrainian networks with advanced stealth techniques.
  • 2026-06-01 — New analysis published: Sekoia released findings on Gamaredon's use of NTFS data streams and cloud services for C2.
  • 2026-06-02 — Ongoing campaign confirmed: Cybersecuritynews reported on the continued deployment of the GammaWorm against Ukrainian targets.

CVEs

  • CVE-2025-8088

Related entities

  • Gamaredon (APT Group)
  • Malware (Attack Type)
  • Worm (Attack Type)
  • GammaPhish (Campaign)
  • Russia (Country)
  • Ukraine (Country)
  • CWE-22 - Path Traversal (CWE)
  • Government (Industry)
  • GammaWorm (Malware)
  • T1053 - Scheduled Task/Job (MITRE ATT&CK)
  • T1059.005 - Visual Basic (MITRE ATT&CK)
  • T1059.007 - JavaScript (MITRE ATT&CK)
  • T1071 - Application Layer Protocol (MITRE ATT&CK)
  • T1547 - Boot or Logon Autostart Execution (MITRE ATT&CK)
  • Windows (Platform)
  • Telegram (Platform)
  • WinRAR (Tool)
  • VBScript (Tool)
  • Cloudflare (Company)
  • Path Traversal (Vulnerability)