Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

Summary

Russian state-sponsored group Gamaredon has been weaponizing CVE-2025-8088, a WinRAR path traversal vulnerability, to deliver multiple malware families including GammaWorm and GammaSteel targeting Ukrainian government, military, and critical infrastructure. The infection chain uses GammaPhish (HTA payload) to retrieve GammaLoad (VBScript downloader), which then deploys data-stealing and worm-spreading malware that uses Telegram channels for C2 communication and NTFS Alternate Data Streams for evasion. This modular, obfuscated architecture demonstrates Gamaredon's resilience and ability to adapt for sustained espionage operations.

Full text

Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine Ravie LakshmananJun 02, 2026Threat Intelligence / Malware The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an intermediate Visual Basic Script (VBScript) downloaders codenamed GammaLoad. The infection chain was observed by the French cybersecurity company in January 2026. "Their primary objectives are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers," Sekoia said. One of the payloads is a VBScript worm known as GammaWorm that establishes persistence via scheduled tasks and is designed to hide legitimate directories in network shares and USB drives and replace with malicious Windows Shortcut (LNK) files, resulting in the execution of arbitrary code retrieved from a command-and-control (C2) server. To resolve its C2, GammaWorm initiates a GET request via curl to a hard-coded public Telegram channel. By using legitimate platforms like Telegram, the idea is to blend in with regular traffic, avoid detection, and sustain long-term espionage operations. GammaWorm also relies on NTFS Alternate Data Streams (ADS) technique to conceal its core modules. Another malware family delivered via GammaLoad is a modular information stealer codenamed GammaSteel that captures files matching certain extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket or an attacker-controlled server as a fallback mechanism. Sekoia said the infection sequences could be used to distribute other malware families, such as GammaWipe (aka GamaWiper), depending on the threat actor's objectives. "The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first." Gamaredon, a Russian state-sponsored intrusion-set officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this booby-trapped RAR archives. "This infection chain reveals a resilient, massive, and highly obfuscated modular design," Sekoia said. "Because of its adaptability and the operator's ability to update configurations on the fly, it is highly likely that this architecture will be reused in the future." The development coincides with UAC-0184's targeting of Ukrainian military-related targets to deliver an executable associated with a legitimate program called PassMark BurnInTest via LNK lures. A second threat activity cluster that has targeted Ukraine is UAC-0247 (previously tracked as UAC-0244), which has singled out drone operators to deploy HTML Application (HTA) droppers through ZIP archives and a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure. Threat hunters have also charted the evolution of PixyNetLoader, a malware loader attributed to APT28 in connection with campaigns exploiting a Microsoft Office vulnerability (CVE-2026-21509), to extract a COVENANT Grunt implant. According to ExaTrack, the malware family has been detected in the wild since December 2024, with recent iterations discovered as recently as April 15, 2026. Found this article interesting? Follow us on Google News, Twitter and LinkedIn to read more exclusive content we post. SHARE     Tweet Share Share Share SHARE  cyber espionage, cybersecurity, Information Stealer, Malware, Phishing, Threat Intelligence ⚡ Top Stories This Week Claude Mythos AI Finds 10,000 High-Severity Flaws in Widely Used Software Megalodon GitHub Attack Targets 5,561 Repos with Malicious CI/CD Workflows ThreatsDay Bulletin: Linux Rootkits, Router 0-Day, AI Intrusions, Scam Kits and 25 New Stories Microsoft Warns of Two Actively Exploited Defender Vulnerabilities 9-Year-Old Linux Kernel Flaw Enables Root Command Execution on Major Distros GitHub Internal Repositories Breached via Malicious Nx Console VS Code Extension GitHub Breached — Employee Device Hack Led to Exfiltration of 3,800+ Internal Repos Microsoft Releases Mitigation for YellowKey BitLocker Bypass CVE-2026-45585 Exploit DirtyDecrypt PoC Released for Linux Kernel CVE-2026-31635 LPE Vulnerability ⚡ Weekly Recap: Exchange 0-Day, npm Worm, Fake AI Repo, Cisco Exploit and More Ivanti, Fortinet, SAP, VMware, n8n Patch RCE, SQL Injection, Privilege Escalation Flaws MiniPlasma Windows 0-Day Enables SYSTEM Privilege Escalation on Fully Patched Systems NGINX CVE-2026-42945 Exploited in the Wild, Causing Worker Crashes and Possible RCE Making Vulnerable Drivers Exploitable Without Hardware - The BYOVD Perspective The New Phishing Click: How OAuth Consent Bypasses MFA Developer Workstations Are Now Part of the Software Supply Chain ⭐ Featured Resources Claim ANY.RUN Anniversary Offer for Faster Malware Analysis [Guide] Learn to Detect AI Typosquatting Risks in Your Domain [Guide] Get Key Identity Security Insights From 2026 Snapshot Discover How to Navigate the Era of Constant Cyber Exposure

Indicators of Compromise

• cve — CVE-2025-8088
• cve — CVE-2026-21509
• malware — GammaPhish
• malware — GammaLoad
• malware — GammaWorm
• malware — GammaSteel
• malware — GammaWipe
• malware — PixyNetLoader

Entities