Skip to main content
Emerging ThreatsMalware & Ransomware

FSB-Linked Worm Exploits Windows Flaw to Evade Detection

Windows desktop with File Explorer partially open, showing blurred files and a hint of a hidden folder in the background.

CVE-2025-8088 — a WinRAR path-traversal vulnerability — was used to smuggle a hidden HTA into a Windows Startup folder, a move that Sekoia says set off an infection chain it reconstructed from January 2026 artifacts.

GammaPhish initial access via CVE-2025-8088

Sekoia’s analysis traces the campaign’s opening move to a booby‑trapped xHTML file that, when opened, placed a malicious RAR archive on the victim’s machine. The archive exploited CVE-2025-8088 to plant a hidden HTA file directly in the Windows Startup folder. That HTA executed at the next user login and fetched a follow-on payload from a remote server. A decoy PDF kept the victim unaware while the attack progressed. Sekoia tracks this initial-access stage as “GammaPhish.”

GammaWorm conceals components in NTFS Alternate Data Streams

Once the follow-on payload executed, the campaign deployed a worm Sekoia calls GammaWorm. Rather than leaving components as ordinary files on disk, GammaWorm hid its modules inside NTFS Alternate Data Streams (ADS), a native Windows capability that allows data to be attached to an existing file without appearing in standard directory listings. The campaign has “moved almost entirely to fileless VBScript,” Sekoia reports — a change the company describes as “a clear step up in stealth from Gamaredon’s earlier tooling.”

Persistence, scheduled tasks and registry changes

Sekoia found the worm establishing persistence through scheduled tasks that were disguised as routine maintenance. It also altered registry settings that control file visibility to conceal its activity. GammaWorm saved operational details to the registry, and its runtime design loops indefinitely as a backdoor, awaiting and executing whatever code its operators send.

Propagation, user lures and command-and-control via public services

GammaWorm propagated laterally by infecting removable media and network shares. The malware hid genuine folders and replaced them with malicious shortcuts that used provocative Ukrainian‑language filenames as social-engineering lures. For command-and-control, the worm retrieved live server addresses from legitimate public services, including Telegram and Cloudflare, using those services as dead drops; it then recorded the addresses into the registry for ongoing use.

What this means for technologists, affected enterprises, and end users

  • Technologists and security teams: The reliance on NTFS Alternate Data Streams and fileless VBScript makes traditional file‑based detection less effective; Sekoia’s reconstruction used artifacts from compromised hosts and more than 70 samples to piece together the chain. Defenders should specifically watch for scheduled tasks masquerading as maintenance, registry changes that alter file visibility, and evidence of ADS usage.
  • Affected enterprises and procurement leaders: The initial vector used a WinRAR flaw; Sekoia urges updating WinRAR to version 7.13 or later, which closes the exploited vulnerability. Given the worm’s ability to pull fresh payloads from public services, Sekoia recommends considering full system wipes when infection is confirmed, because “cleaning attempts often result in fallback mechanisms restoring the malware.”
  • End users and operational staff: The campaign uses decoy documents and shortcut replacements with topical Ukrainian‑language filenames to induce clicks. Extra caution with attachments that unpack archives and with files on USB sticks or shared drives remains important.

Sekoia characterizes Gamaredon as a long‑running espionage group that Ukraine’s security service has formally tied to Russia’s Federal Security Service (FSB), and notes the group “focuses almost entirely on Ukraine, targeting government, military and critical infrastructure to steal documents and keep long-term access.” The combination of a WinRAR exploit, ADS concealment, fileless VBScript and dead‑drop resolvers built on public infrastructure gives GammaWorm a high degree of stealth and resilience. As Sekoia warns, the malware’s use of Dead Drop Resolvers “allows it to constantly download fresh payloads, meaning that cleaning attempts often result in fallback mechanisms restoring the malware.”

The immediate, concrete mitigation offered in Sekoia’s advisory is simple: patch WinRAR to version 7.13 or later. Beyond that, investigators and defenders face a campaign that intentionally moves away from on-disk footprints and leans on public services as C2 channels — a combination that complicates cleanup and forces hard choices about containment versus eradication.

Original reporting: https://www.infosecurity-magazine.com/news/gamaredon-worm-ntfs-data-streams/