
Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine


Ravie Lakshmanan, Jun 02, 2026, Threat Intelligence / Malware

The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.

According to Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an intermediate Visual Basic Script (VBScript) downloader codenamed GammaLoad. The infection chain was observed by the French cybersecurity company in January 2026.

“Their main objectives are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), and fetch and execute arbitrary VBScript payloads from the C2 servers,” Sekoia said.

One of the payloads is a VBScript worm known as GammaWorm that establishes persistence via scheduled tasks and is designed to hide legitimate directories on network shares and USB drives and replace them with malicious Windows Shortcut (LNK) files, resulting in the execution of arbitrary code retrieved from a command-and-control (C2) server.

To resolve its C2, GammaWorm issues a GET request via curl to a hard-coded public Telegram channel. By using legitimate platforms like Telegram, the idea is to blend in with normal traffic, evade detection, and sustain long-term espionage operations. GammaWorm also relies on the NTFS Alternate Data Streams (ADS) technique to conceal its core modules.
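The dead-drop-resolver behaviour described above (a script host spawning curl to fetch a public Telegram page) is a narrow, high-signal pattern for process-creation telemetry. The following added example is not Sekoia's or Gamaredon's code; it runs a detection check over constructed Sysmon-style events, and the channel name is a placeholder, not an indicator from the report.

```python
import re

# Constructed Sysmon-style process-creation events (not real telemetry).
# The Telegram channel name is a placeholder, not a real Gamaredon indicator.
SAMPLE_EVENTS = [
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s https://t.me/s/PLACEHOLDER_CHANNEL",
     "ParentImage": r"C:\Windows\System32\wscript.exe"},          # VBScript-launched DDR lookup
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -sS https://updates.example.com/manifest.json",
     "ParentImage": r"C:\Program Files\Example\updater.exe"},     # benign updater, not flagged
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "CommandLine": "firefox.exe https://t.me/s/some_public_channel",
     "ParentImage": r"C:\Windows\explorer.exe"},                   # user browsing, not flagged
    {"Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl -L https://t.me/s/PLACEHOLDER_CHANNEL -o %TEMP%\\chan.html",
     "ParentImage": r"C:\Windows\System32\mshta.exe"},             # HTA-launched DDR lookup
]

# Script hosts used by the VBScript/HTA stages in this chain.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Public Telegram web front-ends a DDR lookup would hit.
TELEGRAM_URL = re.compile(r"https?://(?:t\.me|telegram\.me|telegram\.org)/", re.IGNORECASE)


def image_name(path: str) -> str:
    """Return the lower-cased executable name from a Windows path."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def is_ddr_lookup(event: dict) -> bool:
    """True when curl is spawned by a script host to fetch a public Telegram page."""
    if image_name(event["Image"]) != "curl.exe":
        return False
    if image_name(event["ParentImage"]) not in SCRIPT_HOSTS:
        return False
    return TELEGRAM_URL.search(event["CommandLine"]) is not None


def detect_ddr_lookups(events) -> list:
    """Return the command lines of events matching the DDR pattern, in order."""
    return [e["CommandLine"] for e in events if is_ddr_lookup(e)]


if __name__ == "__main__":
    for cmd in detect_ddr_lookups(SAMPLE_EVENTS):
        print("suspicious DDR lookup:", cmd)
```

The parent-process condition is what separates this from ordinary Telegram browsing; a second rule keyed on the same script hosts creating scheduled tasks would cover the persistence step.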

Another malware family delivered via GammaLoad is a modular information stealer codenamed GammaSteel that captures files matching certain extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket or, as a fallback mechanism, to an attacker-controlled server.

Sekoia said the infection sequences could be used to distribute other malware families, such as GammaWipe (aka GamaWiper), depending on the threat actor's objectives.

“The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or launched independently via a user executing a weaponized USB drive,” it noted. “In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first.”

Gamaredon, a Russian state-sponsored intrusion set formally linked to the Federal Security Service (FSB), has a history of targeting Ukraine, notably government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this case booby-trapped RAR archives.

“This infection chain reveals a resilient, vast, and highly obfuscated modular design,” Sekoia said. “Because of its adaptability and the operator's ability to update configurations on the fly, it is highly likely that this architecture will be reused in the future.”

The development coincides with UAC-0184's targeting of Ukrainian military-related targets to deliver an executable associated with a legitimate program called PassMark BurnInTest via LNK lures. A second threat activity cluster that has targeted Ukraine is UAC-0247 (previously tracked as UAC-0244), which has singled out drone operators to deploy HTML Application (HTA) droppers by means of ZIP archives and a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure.

Threat hunters have also charted the evolution of PixyNetLoader, a malware loader attributed to APT28 in connection with campaigns exploiting a Microsoft Office vulnerability (CVE-2026-21509), to extract a COVENANT Grunt implant. According to ExaTrack, the malware family has been detected in the wild since December 2024, with recent iterations discovered as recently as April 15, 2026.
