Mallory
Malware · Used by 1 actor · Exploits 1 CVE

GammaSteel

GammaSteel is a modular information-stealing malware family in Gamaredon’s “Gamma” ecosystem, used for data theft in campaigns attributed to the Russia-linked, FSB-associated threat actor Gamaredon. It has been observed in late 2025 and January 2026 operations targeting Ukrainian victims, including government, military, and critical infrastructure entities. GammaSteel is delivered via GammaLoad in a broader intrusion chain that also includes GammaPhish for initial delivery and GammaWorm for propagation. The wider campaign used weaponized XHTML spearphishing attachments and malicious RAR archives exploiting the WinRAR path traversal vulnerability CVE-2025-8088 to establish access.

Based on the provided reporting, GammaSteel is a modular stealer, including a PowerShell variant, that captures files matching selected extensions and exfiltrates them to an AWS S3 or S3-compatible cloud storage bucket, falling back to an attacker-controlled server when the cloud path fails. Sekoia reported obtaining a newer GammaSteel version by replaying GammaLoad-generated network requests, and described one recent variant as staging itself in the Windows registry as 71 DPAPI-encrypted modules before exfiltration. The high-confidence behavior directly mentioned in the content is targeted file theft and cloud-backed exfiltration with operator-controlled backup infrastructure. No additional specific file-extension list or standalone IOCs for GammaSteel were provided in the content.
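The registry-staging detail above (dozens of DPAPI-encrypted modules parked under one key) is something a defender can hunt for offline without any sample-specific indicator. The following is an added defender-side example, not code from the Mallory page, from Sekoia, or from the malware itself: it parses a `reg export` style dump, identifies REG_BINARY values that begin with the DPAPI blob header (version DWORD 1 followed by the DPAPI provider GUID, a fixed layout of CryptProtectData output), and reports keys holding an unusual number of them. The registry paths, the sample dump, and the threshold of eight blobs are constructed assumptions for the demonstration; the real variant's key names are not given on this page.

```python
import re
from collections import Counter

# Every DPAPI blob produced by CryptProtectData starts with dwVersion = 1
# followed by the DPAPI provider GUID {df9d8cd0-1501-11d1-8c7a-00c04fc297eb}
# in its little-endian on-disk byte order.
DPAPI_BLOB_MAGIC = bytes.fromhex("01000000d08c9ddf0115d1118c7a00c04fc297eb")

_KEY_LINE = re.compile(r"^\[(.+)\]$")
_HEX_LINE = re.compile(r'^"([^"]*)"=hex:(.*)$')

# Hypothetical paths used only to build the constructed sample dump below.
STAGING_KEY = r"HKEY_CURRENT_USER\Software\PlaceholderVendor\Stage"
APP_KEY = r"HKEY_CURRENT_USER\Software\ExampleApp\Settings"


def is_dpapi_blob(payload: bytes) -> bool:
    """True when a REG_BINARY payload carries the DPAPI blob header plus data."""
    return len(payload) > len(DPAPI_BLOB_MAGIC) and payload.startswith(DPAPI_BLOB_MAGIC)


def parse_reg_export(text: str):
    """Yield (key_path, value_name, payload) for each REG_BINARY value in a
    `reg export` style dump. Hex values may span lines; continuation lines
    end with a backslash. String and DWORD values are skipped."""
    key, name, hex_parts = None, None, []
    for raw in text.splitlines():
        line = raw.strip()
        if name is None:
            m = _KEY_LINE.match(line)
            if m:
                key = m.group(1)
                continue
            m = _HEX_LINE.match(line)
            if not m or key is None:
                continue
            name, line = m.group(1), m.group(2)
        hex_parts.append(line.rstrip("\\"))
        if not line.endswith("\\"):
            payload = bytes.fromhex("".join(hex_parts).replace(",", ""))
            yield key, name, payload
            name, hex_parts = None, []


def find_staging_clusters(values, min_blobs: int = 8) -> dict:
    """Count DPAPI-header values per key and return the keys holding at least
    `min_blobs` of them, highest count first. The default threshold is an
    assumption chosen to sit well above the few blobs ordinary software keeps."""
    per_key = Counter()
    for key, _name, payload in values:
        if is_dpapi_blob(payload):
            per_key[key] += 1
    return {k: n for k, n in per_key.most_common() if n >= min_blobs}


def _hex_line(name: str, payload: bytes) -> str:
    return f'"{name}"=hex:' + ",".join(f"{b:02x}" for b in payload)


def build_sample_export(module_count: int = 10) -> str:
    """Constructed .reg dump: an application key with one DPAPI blob (normal
    credential storage) and a key holding `module_count` blobs (staging pattern)."""
    lines = [
        "Windows Registry Editor Version 5.00",
        "",
        f"[{APP_KEY}]",
        '"Theme"="dark"',
        # multi-line value, to exercise continuation-line handling
        '"Token"=hex:01,00,00,00,d0,8c,9d,df,01,15,d1,11,8c,7a,00,c0,4f,c2,97,eb,\\',
        "  aa,bb,cc",
        "",
        f"[{STAGING_KEY}]",
        _hex_line("cfg", b"\x4d\x5a\x90\x00"),  # plain binary, not a DPAPI blob
    ]
    for i in range(module_count):
        lines.append(_hex_line(f"m{i}", DPAPI_BLOB_MAGIC + bytes([i, 0xFF, i])))
    return "\n".join(lines) + "\n"


if __name__ == "__main__":
    hits = find_staging_clusters(parse_reg_export(build_sample_export()))
    for key, count in hits.items():
        print(f"{count:3d} DPAPI blobs under {key}")
```

On a live host the same functions run over the output of `reg export HKCU hkcu.reg /y` (read with UTF-16 decoding, which is what `reg export` writes); the per-key count is what matters, since a single DPAPI blob under a vendor key is routine while dozens under one key is the behaviour reported for this variant.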

For your environment

Hunt this family in your stack

Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.

EXPLOITED CVES

Vulnerabilities exploited

1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.

1 CVE
CVE-2025-8088: WinRAR Windows Path Traversal via NTFS Alternate Data Streams (exploited in the wild)

According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server.

via CySecurity News (cysecurity.news)
THREAT ACTORS

Groups observed using it

1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.

Gamaredon Group

This is part one of a three-part series; parts two and three cover GammaLoad and GammaSteel, respectively... Sekoia has now aligned the naming under a single taxonomy using the “Gamma” prefix: ... GammaSteel for data theft

via Security Affairs (securityaffairs.com)
MITRE ATT&CK

Techniques & procedures

10 distinct techniques documented for this family, organized by ATT&CK tactic.

Discovery

1 technique
T1083 File and Directory Discovery (Evidence: 1)

Targeted files are exfiltrated to an S3-compatible cloud storage provider.

Collection

4 techniques
T1025 Data from Removable Media (Evidence: 1)

GammaSteel manages three concurrent data acquisition mechanisms: recurring scans of local and network drives, hardware event monitoring for newly inserted USBs...

T1039 Data from Network Shared Drive (Evidence: 1)

GammaSteel manages three concurrent data acquisition mechanisms: recurring scans of local and network drives...

T1119 Automated Collection (Evidence: 1)

GammaSteel manages three concurrent data acquisition mechanisms: recurring scans of local and network drives, hardware event monitoring for newly inserted USBs, and real-time surveillance of specific files as they are saved or modified.

T1560 Archive Collected Data (Evidence: 1)

captures files matching certain extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket or an attacker-controlled server

Command and Control

2 techniques
T1092 Communication Through Removable Media (Evidence: 1)

"Gamaredon Uses Infected Removable Drives to Breach..."

T1105 Ingress Tool Transfer (Evidence: 1)

This confirms the definitive transition from a single-block framework to a modular ecosystem where every component doubles as a functional backdoor.

Exfiltration

3 techniques
T1041 Exfiltration Over C2 Channel (Evidence: 2)

or an attacker-controlled server as a fallback mechanism

T1567 Exfiltration Over Web Service (Evidence: 1)

Targeted files are exfiltrated to an S3-compatible cloud storage provider. If the primary cloud infrastructure fails, GammaSteel falls back to operator-controlled C2 servers...

T1567.002 Exfiltration to Cloud Storage (Evidence: 2)

GammaSteel... stores files matching particular extensions and retrieves the stolen files on AWS S3 bucket or a threat-actor regulated server as a backup option.

What this page doesn’t show

The version that knows your environment.

This page is what’s public. Mallory adds the parts that aren’t: which of your assets match these IOCs, which detections are missing, which campaigns to expect next, and what to do in the next 30 minutes.
IOC matching

Match every observed IP, domain, and hash against your live telemetry.

Threat actor attribution (1)

Named campaigns wielding this family, with evidence pinned to each claim.

Exploited vulnerabilities (1)

CVEs this family uses for access and lateral movement.

Detection signatures

YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.

MITRE ATT&CK mapping (10)

Every documented technique, ranked by evidence weight.

Researcher chatter

Reddit, Mastodon, and CTI community discussion around this family.