Full Report
The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an
Analysis Summary
# Threat Actor: Gamaredon
## Attribution & Identity
- **Actor Name:** Gamaredon
- **Affiliation:** Russian state-sponsored intrusion set officially linked to the Federal Security Service (FSB).
- **Aliases/Clusters:** Often tracked in related activities as UAC-0010 (though not explicitly named as such in this article).
## Activity Summary
In early 2026, Gamaredon was observed weaponizing a path traversal vulnerability in WinRAR to target Ukrainian entities. The campaign utilizes a modular infection chain starting with weaponized archives to deploy proprietary malware designed for espionage, data exfiltration, and lateral movement via removable media.
## Tactics, Techniques & Procedures
- **Exploitation:** Leverages **CVE-2025-8088**, a path traversal flaw in WinRAR, delivered through weaponized archive files.
- **Persistence:** Uses scheduled tasks to maintain access on the host.
- **Evasion:**
  - Employs **NTFS Alternate Data Streams (ADS)** to hide malicious modules.
  - Uses **Dead Drop Resolvers (DDRs)** via legitimate platforms (Telegram) to obfuscate C2 traffic.
  - High levels of code obfuscation.
- **Propagation:** Designed to spread via network shares and USB drives by replacing legitimate directories with malicious LNK files.
- **Exfiltration:** Direct exfiltration to cloud storage (AWS S3) or fallback C2 servers.
- **MITRE ATT&CK IDs:**
  - T1204.002 (User Execution: Malicious File)
  - T1564.004 (Hide Artifacts: NTFS File Attributes)
  - T1105 (Ingress Tool Transfer, via curl)
  - T1053.005 (Scheduled Task/Job: Scheduled Task)
  - T1102.001 (Web Service: Dead Drop Resolver)
  - T1021.002 (Remote Services: SMB/Windows Admin Shares)
## Targeting
- **Sectors:** Government, Military, and Critical Infrastructure.
- **Geography:** Ukraine.
- **Victims:** Ukrainian state entities; specific mentions of military-related targets and drone operators in the broader regional context.
## Tools & Infrastructure
- **Malware Families:**
  - **GammaPhish:** An HTML Application (HTA) payload used as an initial downloader.
  - **GammaLoad:** A VBScript-based intermediate downloader.
  - **GammaWorm:** A VBScript worm used for propagation and persistent C2 communication.
  - **GammaSteel:** A modular information stealer for file exfiltration (targeting specific extensions).
  - **GammaWipe (GamaWiper):** A destructive wiper malware (potential secondary payload).
- **Infrastructure:**
  - **C2:** Hard-coded Telegram channels used for resolving C2 IPs.
  - **Cloud:** Amazon Web Services (AWS) S3 buckets for data exfiltration.
  - **Utilities:** Use of `curl` for network requests.
## Implications
Gamaredon remains a highly resilient and adaptive threat to Ukrainian national security. The shift toward exploiting recent vulnerabilities (CVE-2025-8088) and using modular, obfuscated architectures suggests a move toward more sophisticated, long-term espionage operations that are harder to detect via traditional network monitoring due to the use of legitimate cloud and social media services.
## Mitigations
- **Software Updates:** Immediately patch WinRAR to versions addressing CVE-2025-8088.
- **Hardening:** Disable or restrict the execution of HTAs (HTML Applications) and VBScripts if not required for business operations.
- **USB Policy:** Implement strict controls or "read-only" policies for removable media to prevent the spread of GammaWorm.
- **Monitoring:**
  - Monitor for unusual `curl` activity or outbound connections to Telegram and AWS S3 from unauthorized processes.
  - Scan for hidden NTFS Alternate Data Streams (ADS) and unexpected LNK files on network shares.
- **User Training:** Educate staff on the risks of opening RAR/ZIP archives from external sources and the danger of clicking LNK files on USB drives.
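As an added illustration of the monitoring items above (example code, not from the Sekoia report), the following read-only PowerShell hunt walks a share or USB root and reports files carrying named NTFS alternate data streams and `.lnk` files named after a sibling directory, the directory-replacement trick described under Propagation. The look-alike heuristic and the `Zone.Identifier` labelling are assumptions for triage, not indicators published on this page.

```powershell
# Added hunting script (not from the Sekoia report). Pass the root of a share or
# USB drive; the script only reads metadata and prints findings for analyst triage.
param([Parameter(Mandatory)][string]$Root)

# 1. Files carrying named NTFS alternate data streams. ':$DATA' is the normal
#    unnamed stream, so anything else is reported; 'Zone.Identifier' (Mark of the
#    Web) is common and benign, so it is labelled separately rather than dropped.
function Find-AdsFiles {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                        Triage = if ($_.Stream -eq 'Zone.Identifier') { 'MOTW (usually benign)' } else { 'REVIEW' }
                    }
                }
        }
}

# 2. LNK files that impersonate a directory: a .lnk whose base name equals a
#    sibling directory name (heuristic assumed from the propagation technique
#    above). The shortcut target is read with WScript.Shell, which does not run it.
function Find-LookAlikeLnk {
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -Filter *.lnk -ErrorAction SilentlyContinue |
        ForEach-Object {
            $lnk = $_
            $sibling = Join-Path $lnk.DirectoryName $lnk.BaseName
            if (Test-Path -LiteralPath $sibling -PathType Container) {
                $dir = Get-Item -LiteralPath $sibling -Force
                $sc  = $shell.CreateShortcut($lnk.FullName)
                [pscustomobject]@{
                    Lnk          = $lnk.FullName
                    LookAlikeDir = $sibling
                    DirHidden    = [bool]($dir.Attributes -band [IO.FileAttributes]::Hidden)
                    Target       = $sc.TargetPath
                    Arguments    = $sc.Arguments
                }
            }
        }
}

Find-AdsFiles -Path $Root | Format-Table -AutoSize
Find-LookAlikeLnk -Path $Root | Format-Table -AutoSize -Wrap
```

Run it as `.\Hunt-GammaArtifacts.ps1 -Root '\\fileserver\share'` (or a USB drive letter); a `.lnk` that shadows a now-hidden directory and whose `Target`/`Arguments` point at a script host is the combination worth escalating.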