GammaWorm

The propagation module targets USB drives and network shares.

The malware maintains persistence through three scheduled tasks with names borrowed from legitimate Windows services: DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry. Each one executes a different ADS module at short intervals, from 7 to 10 minutes.

resulting in the execution of arbitrary code retrieved from a command-and-control (C2) server

We recovered multiple VBScript loaders from the compromised hosts. It seems that these loaders operate in a continuous cascade, with four distinct execution stages observed during our analysis.

hide authentic directories in network shares and USB drives and replace with infected Windows Shortcut (LNK) files. This causes the launch of arbitrary code

The malware maintains persistence through three scheduled tasks with names borrowed from legitimate Windows services: DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry. Each one executes a different ADS module at short intervals, from 7 to 10 minutes.

Next, to mask its future propagation activities, GammaWorm alters several registry keys within HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\.

GammaWorm also writes a RunOnce registry key that recreates itself on every user login, because GammaWorm itself rewrites the key before the RunOnce entry gets deleted.

It hides real folders by setting their attributes to Hidden and System, then drops malicious LNK shortcut files in their place using the same folder name and icon. Clicking the LNK opens the real folder in Explorer so the user sees nothing wrong, while silently executing ~.gif, the worm file that sits at the root of every infected drive.

The malware maintains persistence through three scheduled tasks with names borrowed from legitimate Windows services: DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry. Each one executes a different ADS module at short intervals, from 7 to 10 minutes.

GammaWorm also writes a RunOnce registry key that recreates itself on every user login, because GammaWorm itself rewrites the key before the RunOnce entry gets deleted.

It hides real folders by setting their attributes to Hidden and System, then drops malicious LNK shortcut files in their place using the same folder name and icon. Clicking the LNK opens the real folder in Explorer so the user sees nothing wrong, while silently executing ~.gif, the worm file that sits at the root of every infected drive.

The extracted HTA file contains a VBScript blob comprising approximately 90% of junk and obfuscated code.

The module iterates from the root level through all folders. It modifies their attributes to Hidden and System, removing them from the user’s standard view.

Instead it writes its core modules into NTFS Alternate Data Streams, a native Windows feature that lets data sit invisibly attached to a folder path, invisible to standard directory listings and not reflected in file sizes visible to users. | It hides real folders by setting their attributes to Hidden and System, then drops malicious LNK shortcut files in their place using the same folder name and icon.

Next, to mask its future propagation activities, GammaWorm alters several registry keys within HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\.

GammaLoad (Staging): We recovered multiple VBScript loaders from the compromised hosts... Their primary objectives are to fingerprint the host system...

The propagation module targets USB drives and network shares.

The propagation module targets USB drives and network shares.

Its malware ecosystem, including GammaPhish and GammaWorm, enables USB-based propagation across air-gapped systems, document theft, and continuous deployment of additional payloads

The exact deployment vector for GammaWorm remains ambiguous... or introduced independently via a user executing a weaponized USB drive

To find its C2 address, GammaWorm runs curl against a hard-coded public Telegram channel, parses the HTML for an obfuscated IP address... The C2 resolution chain itself is layered: it hops through graph.org, Cloudflare Workers, Teletype, Telegra.ph, and Telegram before arriving at an operator-controlled server.

By using legitimate platforms like Telegram, the idea is to blend in with regular traffic, avoid detection, and sustain long-term espionage operations

Their primary objectives are to fingerprint the host system, update the network configuration in the registry using Dead Drop Resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers.

If the C2 returns HTTP 200, it executes arbitrary VBScript from the response body.

GammaWorm resolves live servers through Dead Drop Resolvers hosted on services like Telegraph/Teletype via graph.org, Cloudflare Workers subdomains and S3‑compatible storage... The group also leverages public Telegram channels as dead drops...

GammaWorm runs a continuous loop that acts as a stealth backdoor, regularly contacting its C2 to exfiltrate system fingerprints...

To find its C2 address, GammaWorm runs curl against a hard-coded public Telegram channel, parses the HTML for an obfuscated IP address, and posts the victim’s machine fingerprint back via randomized HTTP headers, specifically inside the User-Agent string. No request body, just headers.

The group employs a stealthy, multi-stage infection chain that abuses legitimate Windows features and trusted services such as Telegram, Cloudflare, and cloud storage to maintain persistent access while minimizing detection.