Gamaredon Exploits WinRAR Flaw to Deploy Modular Gamma Malware in Ukraine
Researchers attributed a January 2026 cyberespionage campaign against Ukrainian government, military, and critical infrastructure organizations to the Russia-linked Gamaredon group, which used booby-trapped spearphishing attachments and malicious RAR archives exploiting WinRAR path traversal flaw CVE-2025-8088 for initial access. The infection chain dropped an HTA payload dubbed GammaPhish, which launched via mshta.exe and fetched follow-on VBScript components including GammaLoad, GammaWorm, and GammaSteel. Sekoia said the operation marks a shift from Gamaredon’s older Pteranodon tooling to a fragmented, modular ecosystem in which multiple stages can independently act as backdoors and retrieve arbitrary remote code.
The malware emphasized stealth, persistence, and resilient command-and-control. GammaWorm established persistence through scheduled tasks and RunOnce registry keys, hid modules in NTFS Alternate Data Streams, and spread through USB devices and network shares using malicious LNK shortcuts, including into air-gapped environments. Command-and-control discovery relied on dead-drop resolvers hosted on Telegram, Telegra.ph, graph.org, Teletype, Cloudflare Workers, and operator infrastructure, while GammaSteel staged dozens of DPAPI-encrypted modules in the registry and exfiltrated selected files to AWS S3 or other S3-compatible storage with fallback to attacker-controlled servers. Because fresh payloads can be fetched at multiple stages, researchers warned that confirmed compromises may require full system wiping.

How this story unfolded
Trend Micro links Shadow-Earth-066 and Gamaredon to WinRAR exploitation
Trend Micro reported that at least two Russia-aligned clusters, Shadow-Earth-066 and Earth Dahu (Gamaredon), exploited WinRAR path traversal flaw CVE-2025-8088 in email attacks against Ukrainian military and government organizations. The report said Shadow-Earth-066 used the flaw to deploy an updated GiftedCrook stealer, while Gamaredon used HTA and VBScript stages to deliver espionage modules.
Gamaredon launches January 2026 campaign exploiting WinRAR flaw
Sekoia analyzed a January 2026 Gamaredon intrusion chain targeting Ukrainian government, military, and critical infrastructure entities. The campaign used weaponized xHTML files and a malicious RAR archive exploiting WinRAR path traversal vulnerability CVE-2025-8088 for initial access.
Gurucul publishes threat notice with Gamaredon IOCs
Gurucul published a high-severity threat notice summarizing the Gamaredon activity and providing indicators of compromise, including URLs, an IP address, MD5 hashes, and detection queries. The notice cited Sekoia's reporting as its source.
Sekoia publishes Gamaredon 'Gamma' malware analysis
On June 1, 2026, Sekoia published a report reconstructing the modular espionage chain and introducing the GammaPhish, GammaLoad, GammaWorm, GammaSteel, and GammaWipe taxonomy. The report said Gamaredon had shifted away from its historical Pteranodon framework toward a fragmented ecosystem in which multiple stages can independently act as backdoors and fetch remote code.
WinRAR patches CVE-2025-8088 in version 7.13
WinRAR fixed the path traversal vulnerability CVE-2025-8088 in version 7.13 in July 2025. The flaw allowed attackers to write files outside the extraction directory via NTFS Alternate Data Streams, including into the Windows Startup folder for execution at next login.
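The flaw described above combines an NTFS Alternate Data Stream name with a relative path that lands outside the extraction directory, typically in a Startup folder. The triage script below is an added defender-side example, not code from WinRAR, Sekoia or any of the cited reports: it takes archive entry names as a listing tool would print them (the sample listing, the extraction directory and the heuristics are all constructed for this example) and flags entries that carry an ADS, escape the extraction directory, or point into a Startup folder.

```python
"""Heuristic triage of archive entry names for CVE-2025-8088-style abuse.

Constructed defender example: given the entry names listed from a RAR file
(for example the output of ``unrar lb``), flag entries that combine NTFS
Alternate Data Streams with path traversal or that resolve into a Startup
folder. This approximates the pattern, it does not reimplement WinRAR's parser.
"""
from __future__ import annotations
import ntpath
import re

# Substring shared by the per-user and all-users Startup folders on Windows.
STARTUP_MARKER = "start menu\\programs\\startup"
DEFAULT_EXTRACT_DIR = r"C:\Users\victim\Downloads\archive"   # assumed, for the example


def _escapes(extract_dir: str, rel: str) -> bool:
    """True if the archive-relative path ``rel`` resolves outside ``extract_dir``."""
    root = ntpath.normpath(extract_dir).lower().rstrip("\\")
    target = ntpath.normpath(ntpath.join(root, rel.replace("/", "\\"))).lower()
    return target != root and not target.startswith(root + "\\")


def analyze_entry(name: str, extract_dir: str = DEFAULT_EXTRACT_DIR) -> list[str]:
    """Return the reasons an entry name is suspicious (empty list if none)."""
    reasons: list[str] = []
    body = re.sub(r"^[A-Za-z]:", "", name)   # drop a drive prefix, if any
    parts = body.split(":", 1)               # a remaining colon separates file:stream
    if len(parts) == 2:
        reasons.append("ads")
    # Traversal may sit in the file path or in the stream name, so check both.
    if any(_escapes(extract_dir, part) for part in parts):
        reasons.append("traversal")
    if any(STARTUP_MARKER in ntpath.normpath(p.replace("/", "\\")).lower() for p in parts):
        reasons.append("startup")
    return reasons


def scan_listing(names, extract_dir: str = DEFAULT_EXTRACT_DIR) -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; benign entries are omitted."""
    return {n: r for n in names if (r := analyze_entry(n, extract_dir))}


# Constructed sample listing: two benign entries and two matching the pattern.
SAMPLE_LISTING = [
    "report.pdf",
    "images/logo.png",
    "decoy.txt:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\..\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\svc.vbs",
]

if __name__ == "__main__":
    for entry, reasons in scan_listing(SAMPLE_LISTING).items():
        print(f"{', '.join(reasons):24} {entry}")
```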
Talos documents Gamaredon activity
Cisco Talos published reporting on Gamaredon activity, providing historical context on the threat actor referenced by later coverage.
Sources
WinRAR Vulnerability Exploited by Russian Hackers to Deploy GIFTEDCROOK Stealer (cybersecuritynews.com)
Russia-linked attackers continue to exploit WinRAR vulnerability against Ukrainian targets - FreeBuf Cybersecurity Industry Portal (freebuf.com)
WinRAR Vulnerability Still Fuels Attacks on Ukraine (securityonline.info)
Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088 (securityaffairs.com)
Gamaredon APT Hides Malware in Windows Features and Abuses Cloud Platforms for C2 (cybersecuritynews.com)
FSB’s Matryoshka #1/3 - Gamaredon’s Gifts That Keep Unpacking - GammaPhish and GammaWorm | Community Portal | Gurucul (community.gurucul.com)
FSB’s matryoshka #1/3: Inside Gamaredon Cyber Operations (blog.sekoia.io)
Gamaredon - When nation states don’t pay all the bills (blog.talosintelligence.com)