Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets

https://securityaffairs.com/193112/intelligence/gamaredon-uses-winrar-vulnerability-to-launch-modular-spy-campaign-on-ukrainian-targets.html

Publish Date: 2026-06-04 06:53:09

Source Domain: securityaffairs.com

Gamaredon’s Sophisticated Modular Spy Campaign

Gamaredon, a Russia-linked APT group, has been detected exploiting a WinRAR vulnerability to deploy a highly sophisticated, nearly fileless modular malware campaign targeting Ukrainian entities. The Sekoia Threat Detection & Research team recorded a significant increase in Gamaredon’s infection attempts in late December 2025 and January 2026, indicating the group’s evolution towards more modular, evasive, and persistent components. The campaign leverages a weaponized XHTML file, exploiting CVE-2025-8088 to extract a hidden HTA file, which retrieves further payloads from command-and-control (C2) servers reached through Telegram and other intermediate services. Notably, GammaWorm, the propagation component, uses VBScript code stored in NTFS Alternate Data Streams (ADS) and spread over USB drives and network shares to maintain persistence and move across compromised networks.

Key Points:

  • Vulnerability Exploitation: Gamaredon exploits CVE-2025-8088 in WinRAR to perform its attack.
  • Modular Architecture: The campaign features multiple modular components under the “Gamma” designation: GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation, GammaSteel for data theft, and GammaWipe for destruction.
  • Fileless Malware: GammaWorm operates almost entirely in memory and stores payloads in NTFS Alternate Data Streams to avoid detection.
  • Repurposed C2 Mechanisms: The threat actor utilizes Telegram and various intermediate services as C2 channels.
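Because the summary above notes that GammaWorm parks its payloads in NTFS Alternate Data Streams, a defender's first practical question is how to see those streams at all, since Explorer and a plain `dir` do not show them. The following PowerShell is an added example written for this page; it is not code from Sekoia, from the article, or from the campaign. It walks a directory, lists every named stream on each file with `Get-Item -Stream *`, drops the default `:$DATA` stream and the routine `Zone.Identifier` mark-of-the-web, and flags stream contents that contain common script markers as a triage signal. The folder, file names and sample stream are constructed for the demonstration.

```powershell
# Added example (not from the Sekoia report or the article): enumerate NTFS
# Alternate Data Streams under a directory and flag streams that are neither the
# default data stream nor the browser Zone.Identifier marker.
function Get-SuspiciousAds {
    [CmdletBinding()]
    param(
        [Parameter(Mandatory)] [string] $Path,
        # Streams that are routinely present on clean files and are ignored by default
        [string[]] $IgnoreStreams = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -Path $Path -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every named stream on the file, including the default ':$DATA'
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStreams -notcontains $_.Stream } |
                ForEach-Object {
                    # Read the stream as text and look for script markers. A hit is a
                    # triage signal for an analyst, not proof of compromise.
                    $text = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -Raw -ErrorAction SilentlyContinue
                    $looksLikeScript = $text -match '(?i)CreateObject|WScript\.|Execute\(|<script'
                    [pscustomobject]@{
                        File            = $file.FullName
                        Stream          = $_.Stream
                        Length          = $_.Length
                        LooksLikeScript = [bool]$looksLikeScript
                    }
                }
        }
}

# Constructed demo data (a temp folder, not real artefacts): one ordinary file
# with a hidden named stream whose text contains a script marker.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null
$sample = Join-Path $demo 'readme.txt'
Set-Content -LiteralPath $sample -Value 'ordinary document body'
Set-Content -LiteralPath $sample -Stream 'hidden' -Value 'constructed sample text mentioning CreateObject for detection testing'

# Expected: one row for readme.txt, stream "hidden", LooksLikeScript = True
Get-SuspiciousAds -Path $demo | Format-Table -AutoSize
```

Named streams only exist on NTFS volumes, so run this against local NTFS paths (FAT-formatted USB media will show nothing even if the same file carried a stream on the source system). Treat any stream not in the ignore list as worth a look regardless of the regex result; the marker check merely orders the queue.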