Skip to main content
Emerging ThreatsMalware & Ransomware

Gamaredon Exploits WinRAR Flaw to Deliver GammaWorm, GammaSteel Malware

Cluttered office desk with laptop, router, and papers, softly glowing in a cityscape-lit room.

"Their primary objectives are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers," Sekoia said.

CVE-2025-8088 and the GammaPhish infection chain

French cybersecurity firm Sekoia observed in January 2026 that Gamaredon has weaponized CVE-2025-8088, a path traversal vulnerability in WinRAR, to deliver an HTML Application payload dubbed GammaPhish. According to Sekoia, GammaPhish is used to retrieve an intermediate Visual Basic Script (VBScript) downloader codenamed GammaLoad. Sekoia assesses with high confidence that GammaPhish is designed to deploy GammaLoad first, which then proceeds to fetch and execute further VBScript payloads from the actor's command-and-control (C2) infrastructure.

GammaWorm: propagation, persistence, and stealth

One of the payloads delivered by GammaLoad is a VBScript worm called GammaWorm. Sekoia describes GammaWorm as establishing persistence through scheduled tasks, and using file-system techniques to spread: it hides legitimate directories on network shares and USB drives and replaces them with malicious Windows Shortcut (LNK) files that execute arbitrary code pulled from a C2 server.

GammaWorm also employs NTFS Alternate Data Streams (ADS) to conceal core modules. To resolve its C2, the worm issues a curl GET request to a hard-coded public Telegram channel — a use of legitimate platforms Sekoia says is intended to blend malicious traffic with normal network activity, avoid detection, and sustain long-term espionage operations. Sekoia notes ambiguity about GammaWorm’s exact delivery vector: it could be dropped by GammaLoad or introduced independently via a weaponized USB drive executed by a user.

GammaSteel and data exfiltration to AWS S3

Another family observed in the chain, GammaSteel, is a modular information stealer. Sekoia reports GammaSteel captures files matching particular extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket, with an attacker-controlled server used as a fallback exfiltration destination. Sekoia also warns the same infection chains could distribute other malware families — including destructive tools such as GammaWipe (aka GamaWiper) — depending on the operators' objectives.

Gamaredon’s targets and modular reuse

Sekoia attributes these operations to Gamaredon, which the reporting describes as a Russian state-sponsored intrusion set officially linked to the Federal Security Service (FSB). The group has a documented history of targeting Ukraine — notably government, military, and critical infrastructure entities — using spear-phishing emails with malicious attachments contained in booby-trapped RAR archives.

Sekoia characterizes the discovered architecture as "a resilient, massive, and highly obfuscated modular design." Because the operators can update configurations on the fly, Sekoia assesses it is highly likely that this architecture will be reused in future operations.

Related activity: UAC-0184, UAC-0247, and PixyNetLoader

The GammaPhish/GammaLoad activity coincides with other tracked clusters targeting Ukraine. Sekoia links UAC-0184 to military-related targeting using LNK lures to deliver an executable associated with a legitimate program called PassMark BurnInTest. A separate cluster, UAC-0247 (previously tracked as UAC-0244), has targeted drone operators with HTML Application (HTA) droppers delivered inside ZIP archives and with a backdoor that can establish a reverse shell to attacker-controlled infrastructure.

Separately, ExaTrack reports evolution of PixyNetLoader, a loader attributed to APT28, which has been used to exploit CVE-2026-21509 to drop a COVENANT Grunt implant. ExaTrack notes PixyNetLoader has been detected in the wild since December 2024, with recent iterations discovered as recently as April 15, 2026.

What this means for the Ukrainian government, security teams, and cloud customers

  • Ukrainian government and military: continue to be explicit targets — Sekoia identifies government, military, and critical infrastructure as the focus of Gamaredon campaigns that use booby-trapped RAR attachments, LNK lures, and HTA/ZIP droppers.
  • Security teams and incident responders: should monitor the full GammaPhish -> GammaLoad chain, including VBScript downloaders, scheduled tasks persistence, NTFS ADS usage, LNK replacement behavior on shares and USB drives, and curl GET requests to public Telegram channels used as DDR/C2 conduits.
  • AWS customers and cloud defenders: should be aware of possible exfiltration to S3 buckets and consider investigations of unusual S3 write activity tied to compromised endpoints; Sekoia notes attackers also use fallback attacker-controlled servers for exfiltration.

Gamaredon’s use of a known WinRAR path traversal (CVE-2025-8088), a staged VBScript downloader, and a mix of propagation and exfiltration techniques — including legitimate services such as Telegram and cloud storage like AWS S3 — underscores a single point: this is not a one-off exploit but a flexible, multi-stage architecture designed for persistence and reuse. Sekoia’s assessment that GammaPhish is intended to deploy GammaLoad first, and that the modular design will likely be reused, leaves a clear task for defenders: prioritize detection across the chain, from RAR archive exploitation to Telegram-based C2 and S3 exfiltration.

https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html