Gamaredon Exploits WinRAR Vulnerability to Deploy GammaWorm and GammaSteel Against Ukraine

[Infographic: Gamaredon APT multi-stage infection chain, Jan 2026]

Key facts:
  • CVEs in this post: CVE-2025-8088 (WinRAR path traversal flaw), CVE-2026-21509
  • Malware families: GammaPhish, GammaLoad, GammaWorm, GammaSteel
  • Attribution: FSB-linked, Russian state sponsor
  • Campaign detection date: Jan 2026
TL;DR
  • What: Russian FSB-linked group Gamaredon is exploiting CVE-2025-8088 (WinRAR path traversal) to deliver a four-stage malware chain: GammaPhish HTA dropper → GammaLoad VBScript → GammaWorm USB/share worm + GammaSteel data stealer.
  • Impact: Ukrainian government, military, and critical infrastructure organizations targeted for espionage; GammaSteel exfiltrates files to AWS S3 buckets while GammaWorm propagates laterally via LNK lures on USB drives and network shares.
  • Fix / mitigation: Patch WinRAR to a version addressing CVE-2025-8088; block HTA execution, enforce USB controls, monitor for curl requests to Telegram API endpoints, and alert on S3 API calls from script interpreters.
  • Who's at risk: Organizations with WinRAR installed and connections to Ukrainian entities; any environment without behavioral detection for VBScript/HTA chains or NTFS Alternate Data Streams activity.

The Russian state-sponsored threat group Gamaredon has deployed a sophisticated multi-stage malware framework exploiting a WinRAR vulnerability to conduct espionage operations against Ukrainian targets. Research from Sekoia reveals the FSB-linked group weaponized CVE-2025-8088, a path traversal vulnerability in WinRAR, to deliver an interconnected chain of malware tools designed for persistence, propagation, and data exfiltration.

The infection chain begins with weaponized RAR archives exploiting the path traversal flaw to launch GammaPhish, an HTML Application payload. This initial dropper retrieves GammaLoad, a VBScript downloader that fingerprints victim systems, modifies registry network configurations using dead drop resolvers, and fetches additional VBScript payloads from command-and-control infrastructure. Sekoia identified this activity in January 2026, demonstrating continued evolution in Gamaredon's targeting of Ukrainian government, military, and critical infrastructure entities.

GammaWorm: USB and Network Share Propagation

GammaWorm represents a particularly concerning component of the operation. This VBScript worm establishes persistence through scheduled tasks and employs a deceptive technique that hides legitimate directories on network shares and USB drives, replacing them with malicious Windows Shortcut (LNK) files. When users attempt to access what appears to be their legitimate files, they instead execute arbitrary code retrieved from attacker-controlled servers.

The worm's command-and-control resolution mechanism demonstrates operational sophistication. GammaWorm initiates GET requests via curl to hard-coded public Telegram channels, leveraging the legitimate messaging platform to blend with normal network traffic and evade detection. This technique allows Gamaredon to maintain long-term access while avoiding traditional C2 detection methods. Additionally, the malware conceals its core modules using NTFS Alternate Data Streams (ADS), making forensic analysis more difficult.

Immediate Action Required

Organizations should audit systems for WinRAR installations and update to patched versions addressing CVE-2025-8088. Implement USB device controls, monitor Telegram API traffic patterns, and scan for NTFS Alternate Data Streams in sensitive environments. Gamaredon's use of legitimate platforms for C2 communications requires behavioral analysis beyond signature-based detection.
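One concrete check for the share/USB substitution pattern described above (a directory hidden and a same-named .lnk placed beside it) is to walk a share root and flag every shortcut whose name matches a sibling directory. This is an added example written for this post, not Sekoia's or RedEye's tooling; the sample layout it scans is constructed in a temporary directory, and the hidden-attribute check only has effect on Windows.

```python
import os
import stat
import tempfile
from typing import List, Tuple


def _is_hidden(path: str) -> bool:
    # st_file_attributes exists only on Windows; elsewhere report False.
    attrs = getattr(os.stat(path), "st_file_attributes", 0)
    return bool(attrs & getattr(stat, "FILE_ATTRIBUTE_HIDDEN", 0))


def find_lnk_lures(root: str) -> List[Tuple[str, str, bool]]:
    """Return (lnk_path, shadowed_dir, dir_is_hidden) for every .lnk whose
    stem matches a sibling directory. Explorer hides the .lnk extension, so
    such a shortcut is displayed under the directory's own name."""
    findings = []
    for dirpath, dirnames, filenames in os.walk(root):
        dirs = {d.lower(): d for d in dirnames}
        for name in filenames:
            stem, ext = os.path.splitext(name)
            if ext.lower() == ".lnk" and stem.lower() in dirs:
                shadowed = os.path.join(dirpath, dirs[stem.lower()])
                findings.append((os.path.join(dirpath, name), shadowed,
                                 _is_hidden(shadowed)))
    return findings


def build_constructed_share() -> str:
    """Constructed sample layout for the demonstration; not real data."""
    root = tempfile.mkdtemp(prefix="share_")
    os.makedirs(os.path.join(root, "Reports"))
    os.makedirs(os.path.join(root, "Photos"))
    open(os.path.join(root, "Reports.lnk"), "wb").close()  # lure beside the directory it shadows
    open(os.path.join(root, "Notes.lnk"), "wb").close()    # benign: no matching directory
    return root


if __name__ == "__main__":
    for lnk, shadowed, hidden in find_lnk_lures(build_constructed_share()):
        print(f"possible lure {lnk} shadows {shadowed} (hidden={hidden})")
```

On a real share, pair a hit with a check of the shortcut's target: a .lnk that launches a script interpreter or curl instead of opening the folder is the case to escalate.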

GammaSteel: Modular Data Exfiltration

The GammaLoad downloader also delivers GammaSteel, a modular information stealer designed for targeted data theft. This component searches compromised systems for files matching specific extensions and exfiltrates collected data to Amazon Web Services S3 buckets. The use of AWS infrastructure provides attackers with reliable, high-bandwidth exfiltration channels that blend with legitimate cloud service traffic. When S3 access fails, GammaSteel falls back to direct connections with attacker-controlled servers, ensuring operational continuity.

Sekoia assesses with high confidence that the infection architecture is designed to deploy GammaPhish first, which then loads GammaLoad as the primary distribution mechanism. However, the exact deployment vector for GammaWorm remains ambiguous: it may be dropped concurrently by GammaLoad or introduced independently when users open LNK lures from weaponized USB drives. This modular approach provides operational flexibility, allowing attackers to deploy different malware combinations based on specific objectives, including the destructive GammaWipe (GamaWiper) wiper malware.

Concurrent Ukrainian-Targeting Campaigns

The Gamaredon campaign is part of a broader pattern of intensified cyber operations against Ukraine. Threat cluster UAC-0184 has targeted Ukrainian military-related entities to deliver executables associated with PassMark BurnInTest through LNK lures. Meanwhile, UAC-0247 (previously UAC-0244) has focused on drone operators, deploying HTML Application droppers via ZIP archives and backdoors capable of establishing reverse shells to attacker infrastructure.

Separately, threat intelligence teams have documented the evolution of PixyNetLoader, a malware loader attributed to Russian APT28. According to ExaTrack, PixyNetLoader has been active since December 2024, with recent variants detected as late as April 15, 2026. These campaigns exploit Microsoft Office vulnerability CVE-2026-21509 to extract COVENANT Grunt implants, demonstrating coordinated efforts by multiple Russian threat groups to compromise Ukrainian targets through diverse attack vectors.

Operational Security Implications

Sekoia characterizes this infection chain as 'resilient, massive, and highly obfuscated' with a modular design that enables rapid adaptation. The threat group's ability to update configurations dynamically through dead drop resolvers means defensive measures must account for infrastructure changes. Organizations should expect this architecture to be reused and evolved in future campaigns.

Detection and Mitigation Strategies

Defense against this threat requires layered detection capabilities. Monitor for WinRAR exploitation attempts targeting CVE-2025-8088, particularly RAR archives delivered via spear-phishing emails. Implement behavioral detection for HTML Application executions followed by VBScript activity, especially processes making registry modifications to network configurations. Network monitoring should flag unusual curl requests to Telegram API endpoints and identify outbound connections to AWS S3 buckets from unauthorized processes.
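The behavioral rules above (HTA launched from WinRAR, HTA spawning a VBScript interpreter, curl driven at Telegram by a script host, and S3 contacted by a script host) can be expressed as simple matchers over process-creation and network-connection telemetry. This is an added example, not code from Sekoia or RedEye; the events it evaluates are constructed in a Sysmon-like shape, and the channel and bucket names in them are placeholders.

```python
import re
from typing import Dict, List

SCRIPT_HOSTS = ("mshta.exe", "wscript.exe", "cscript.exe")
TELEGRAM_RE = re.compile(r"\b(?:t\.me|api\.telegram\.org)\b", re.I)


def _base(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def is_s3_host(host: str) -> bool:
    h = host.lower()
    return h.endswith(".amazonaws.com") and (h.startswith("s3") or ".s3." in h or ".s3-" in h)


def evaluate(event: Dict) -> List[str]:
    """Return the names of the detection rules an event matches."""
    hits = []
    if event["kind"] == "proc":
        parent, image = _base(event["parent"]), _base(event["image"])
        if parent == "winrar.exe" and image == "mshta.exe":      # HTA run straight out of the archive tool
            hits.append("hta_from_winrar")
        if parent == "mshta.exe" and image in ("wscript.exe", "cscript.exe"):  # GammaPhish -> GammaLoad
            hits.append("hta_spawns_vbscript")
        if parent in SCRIPT_HOSTS and image == "curl.exe" and TELEGRAM_RE.search(event["cmdline"]):
            hits.append("curl_to_telegram_from_script")           # dead drop resolution
    elif event["kind"] == "net":
        if _base(event["image"]) in SCRIPT_HOSTS and is_s3_host(event["dest_host"]):
            hits.append("s3_from_script_host")                   # exfil path, not a browser/sync client
    return hits


def scan(events: List[Dict]):
    return [(i, hit) for i, e in enumerate(events) for hit in evaluate(e)]


# Constructed sample telemetry (not real events); placeholder channel/bucket names.
SAMPLE_EVENTS = [
    {"kind": "proc", "parent": r"C:\Program Files\WinRAR\WinRAR.exe", "image": r"C:\Windows\System32\mshta.exe",
     "cmdline": r"mshta.exe C:\Users\u\AppData\Roaming\update.hta"},
    {"kind": "proc", "parent": r"C:\Windows\System32\mshta.exe", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r"wscript.exe //e:vbscript C:\Users\u\AppData\Roaming\sys.vbs"},
    {"kind": "proc", "parent": r"C:\Windows\System32\wscript.exe", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://t.me/s/PLACEHOLDER_CHANNEL"},
    {"kind": "net", "image": r"C:\Windows\System32\wscript.exe", "dest_host": "placeholder-bucket.s3.amazonaws.com", "dest_port": 443},
    {"kind": "proc", "parent": r"C:\Windows\explorer.exe", "image": r"C:\Program Files\WinRAR\WinRAR.exe", "cmdline": "WinRAR.exe x report.rar"},
    {"kind": "net", "image": r"C:\Program Files\Google\Chrome\Application\chrome.exe", "dest_host": "cdn.example.s3.amazonaws.com", "dest_port": 443},
]

if __name__ == "__main__":
    for index, hit in scan(SAMPLE_EVENTS):
        print(f"event {index}: {hit}")
```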

Strategic Threat Assessment

Gamaredon's continued activity demonstrates the persistent threat facing Ukrainian organizations from Russian state-sponsored groups. The FSB attribution and consistent targeting patterns indicate strategic intelligence collection objectives aligned with geopolitical interests. The group's willingness to exploit recently disclosed vulnerabilities, leverage legitimate cloud infrastructure, and develop modular malware frameworks reflects sophisticated threat actor capabilities with sustained resources.

Security teams should recognize that traditional perimeter defenses prove insufficient against these operations. The combination of social engineering via spear-phishing, rapid exploitation of disclosed vulnerabilities, abuse of trusted platforms for C2, and legitimate cloud services for exfiltration requires comprehensive detection engineering. Organizations within potential targeting scope must prioritize threat intelligence integration, behavioral analytics, and incident response capabilities specifically calibrated to nation-state adversary tactics.
