2026-06-02 The Hacker News

Russian Gamaredon APT Exploits WinRAR Flaw to Deploy GammaWorm Against Ukraine

Tags: APT, Malware, Threat Intel

Russian state-sponsored hacking group Gamaredon, officially linked to the Federal Security Service (FSB), has been exploiting a WinRAR path traversal vulnerability (CVE-2025-8088) to deliver a multi-stage malware arsenal against Ukrainian government, military, and critical infrastructure targets. According to French cybersecurity firm Sekoia, the infection chain observed in January 2026 begins with a weaponized RAR archive attached to spear-phishing emails, which drops an HTML Application payload dubbed GammaPhish. That initial stage retrieves an intermediate VBScript downloader called GammaLoad, which fingerprints the host, updates network configuration in the Windows registry using dead drop resolvers (DDRs), and fetches arbitrary VBScript payloads from attacker-controlled command-and-control (C2) servers.

One of the most damaging payloads, GammaWorm, is a VBScript worm that establishes persistence via scheduled tasks and hijacks network shares and USB drives. It hides legitimate directories and replaces them with malicious Windows Shortcut (LNK) files, triggering arbitrary code execution pulled from a C2 server. Notably, GammaWorm uses curl to issue a GET request to a hard-coded public Telegram channel for C2 resolution, blending malicious traffic with legitimate platform activity to avoid detection and sustain long-term espionage. The worm also leverages NTFS Alternate Data Streams (ADS) to conceal its core modules from forensic analysis.

A second payload delivered via GammaLoad is GammaSteel, a modular information stealer that harvests files matching specific extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket, with an attacker-controlled server as a fallback. Sekoia warned that the modular infection chain could also distribute GammaWipe (a wiper variant) depending on the operator's objectives. Because GammaPhish is designed to deploy GammaLoad first, and GammaWorm may be dropped concurrently or introduced via a weaponized USB drive, defenders are advised to harden USB policies and monitor LNK file creation. Sekoia concluded that the architecture is "resilient, massive, and highly obfuscated," and is likely to be repurposed in future Gamaredon campaigns.
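The behaviours described in the two preceding paragraphs (curl contacting a public Telegram channel for C2 resolution, scheduled-task persistence for a script payload, LNK files written to removable media, module hiding in NTFS Alternate Data Streams, and hidden directories shadowed by same-named shortcuts) translate directly into host-level detection rules. The following is an added example written for this page, not code from Sekoia or The Hacker News. It runs four rules over Sysmon-style events (Event ID 1 process create, 11 file create, 15 file stream create) and a fifth over a USB-drive directory listing. The event records, the drive letter `E:`, the Telegram hostnames, the assumption that the scheduled task launches wscript/cscript/mshta, and the ADS stream name `core` are all constructed for the example; the article gives none of these specifics.

```python
"""Detection rules for the GammaWorm/GammaLoad tradecraft described above.

Added illustration; the events and listing below are constructed sample data,
not real telemetry, and the field names mirror Sysmon's schema.
"""
import re
from dataclasses import dataclass

# Hostnames a Telegram "dead drop" lookup would touch (assumption: the article
# only says "a public Telegram channel" and gives no URL).
TELEGRAM_HOSTS = ("t.me", "telegram.me", "telegram.org")
# Script hosts a VBScript/HTA payload would be launched through (assumption).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")
# Streams Windows writes on every download; excluded so rule 4 is not pure noise.
BENIGN_STREAMS = {"zone.identifier"}

# Matches "X:\path\file:streamname" and captures the stream name after the
# second colon; a plain path with only the drive colon does not match.
_ADS_RE = re.compile(r"^[a-z]:\\.*?:([^\\:]+)$", re.IGNORECASE)


@dataclass
class Finding:
    rule: str
    event_id: int
    detail: str


def _basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1].lower()


def analyze_events(events, removable_drives=("E:",)):
    """Apply rules 1-4 to Sysmon-style event dicts and return the findings.

    removable_drives: drive letters the caller knows to be removable media
    (Sysmon itself does not flag this; treat it as enrichment from the host).
    """
    findings = []
    removable = tuple(d.upper() for d in removable_drives)
    for ev in events:
        eid = ev["EventID"]
        if eid == 1:
            image = _basename(ev.get("Image", ""))
            cmd = ev.get("CommandLine", "")
            low = cmd.lower()
            # Rule 1: curl reaching a Telegram host (GammaWorm C2 resolution).
            if image == "curl.exe" and any(h in low for h in TELEGRAM_HOSTS):
                findings.append(Finding("curl_telegram_ddr", eid, cmd))
            # Rule 2: scheduled task whose action is a script host (persistence).
            if image == "schtasks.exe" and "/create" in low and any(s in low for s in SCRIPT_HOSTS):
                findings.append(Finding("schtasks_script_host", eid, cmd))
        elif eid == 11:
            # Rule 3: LNK written onto removable media (USB worm stage).
            target = ev.get("TargetFilename", "")
            if target.lower().endswith(".lnk") and target.upper().startswith(removable):
                findings.append(Finding("lnk_on_removable", eid, target))
        elif eid == 15:
            # Rule 4: named NTFS stream other than Zone.Identifier (ADS hiding).
            target = ev.get("TargetFilename", "")
            m = _ADS_RE.match(target)
            if m and m.group(1).lower() not in BENIGN_STREAMS:
                findings.append(Finding("ads_stream_create", eid, target))
    return findings


def lnk_masquerade(listing):
    """Rule 5: hidden directories shadowed by a same-named .lnk on a drive.

    listing: iterable of (name, is_dir, hidden) tuples, as a scanner built on
    os.scandir plus the FILE_ATTRIBUTE_HIDDEN bit would produce them.
    Returns the original directory names that are hidden AND have a twin .lnk.
    """
    lnk_stems = {n[:-4].lower() for n, is_dir, _ in listing
                 if not is_dir and n.lower().endswith(".lnk")}
    return sorted(n for n, is_dir, hidden in listing
                  if is_dir and hidden and n.lower() in lnk_stems)


# Constructed sample telemetry: three malicious events, three benign ones.
SAMPLE_EVENTS = [
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -s https://t.me/s/EXAMPLE_CHANNEL"},
    {"EventID": 1, "Image": r"C:\Windows\System32\schtasks.exe",
     "CommandLine": r'schtasks.exe /create /sc minute /mo 5 /tn Updater /tr "wscript.exe //B C:\Users\Public\u.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\curl.exe",
     "CommandLine": "curl.exe -O https://www.example.com/update.txt"},
    {"EventID": 11, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"E:\Documents.lnk"},
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\u\Desktop\Notes.lnk"},
    {"EventID": 15, "Image": r"C:\Windows\System32\wscript.exe",
     "TargetFilename": r"E:\Documents\thumbs.db:core"},
    {"EventID": 15, "Image": r"C:\Program Files\Browser\browser.exe",
     "TargetFilename": r"C:\Users\u\Downloads\f.pdf:Zone.Identifier"},
]

# Constructed USB-drive listing: "Documents" hidden and shadowed by Documents.lnk.
SAMPLE_LISTING = [
    ("Documents", True, True), ("Documents.lnk", False, False),
    ("Photos", True, False), ("readme.txt", False, False),
    ("System Volume Information", True, True),
]

if __name__ == "__main__":
    for f in analyze_events(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.event_id}: {f.detail}")
    print("masqueraded directories:", lnk_masquerade(SAMPLE_LISTING))
```

Rule 5 is the one to run directly against a suspect USB stick from a clean analysis host, since a drive carrying hidden folders alongside same-named shortcuts is the signature of the worm's lure; rules 1 to 4 belong in a SIEM over endpoint telemetry, where rule 3 should be scoped to drives the host reports as removable to keep desktop-shortcut noise out.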

Source: The Hacker News
