Skip to main content
Meet us at Black Hat USA 2026— Las Vegas, August 1–6Book a Meeting
Mallory
Back to threat actors
1 malware family

TEMP.Armageddon

Also known astemparmageddon

TEMP.Armageddon, also referred to as CARPATHIAN and identified in the content as UNC530, is a Russian-nexus cyber espionage threat actor operating out of occupied Crimea and Eastern Ukraine. The group is described as Kremlin-linked and has been observed targeting Ukrainian entities, including military, government, and technology sectors, for espionage purposes. Reported tradecraft includes use of removable media for propagation, specifically USB-driven malware such as QUICKGAME to gain and extend access in victim environments. The actor has also been observed exploiting the WinRAR path traversal vulnerability CVE-2025-8088 using crafted RAR archives to place HTA downloader files into Windows Startup folders for persistence and execution at user login. In this activity, the HTA acts as a downloader for second-stage payloads. The content states this TEMP.Armageddon/CARPATHIAN activity continued into 2026.

Share:
Are they targeting you?

Know when an actor pivots toward your sector

Mallory correlates actor tradecraft and target patterns against your stack, your sector, and your geography. See overlap before they land.

Start free trial
MITRE ATT&CK

Tradecraft

1 distinct technique observed across reporting, grouped by tactic. Hover any cell for the evidence excerpt; click through for MITRE's full description.

1 of 15 tactics1 techniques×N= number of intelligence reports citing this technique
MITRE ATT&CK
TA0011
Command and Control
1 technique
T1092
Communication Through Removable Media
ARSENAL

Associated malware families

1 malware family attributed to this actor across reporting.

FamilyContextEvidenceLast seen
QUICKGAME"QUICKGAME is the latest in an arsenal of USB-driven malware that TEMP.Armageddon has relied upon to gain and further its access in victim environments."1Mar 8, 2026
ACTIVITY FEED

Recent activity

7 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.

7 SOURCESView more in app
thecyberexpress com vulnerabilitiesNews
Jan 29, 2026
Nation-State Hackers Weaponize Patched WinRAR Flaw

Exploits CVE-2025-8088 via RAR archives to plant HTA downloaders in Windows Startup for persistence and second-stage payload delivery; activity observed through Jan 2026.

Read more
register securityNews
Jan 28, 2026
Everyone’s exploiting a WinRAR bug to drop RATs • The Register

Kremlin-linked activity exploiting CVE-2025-8088 to target Ukrainian military/government/technology sectors.

Read more
help net securityNews
Jan 28, 2026
WinRAR vulnerability still a go-to tool for hackers, Mandiant warns - Help Net Security

Russian-nexus espionage activity exploiting/attempting to exploit CVE-2025-8088 against Ukrainian targets.

Read more
bleeping computerNews
Jan 27, 2026
WinRAR path traversal flaw still exploited by numerous hackers

Exploiting CVE-2025-8088 to drop HTA downloaders into Windows Startup folders for persistence and subsequent payload retrieval; activity ongoing into 2026.

Read more
+2 more in the timeline
What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: sector and geo overlap with your footprint, the IOCs they’re burning right now, detection coverage, and what to do next.
Start free trial
Target overlap

Match sector + geo + tech-stack targeting against your real footprint.

Tradecraft mapping1

Every observed MITRE ATT&CK technique, grouped by tactic.

Malware arsenal1

Families this actor is known to deploy, with IOCs and behavior.

Exploited CVEs

CVEs this actor has used in known campaigns.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

Observables

Domains, IPs, and hashes tied to this actor, refreshed continuously.