Gamaredon Uses WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

The Russian hacking group known as Gamaredon has been linked to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.
According to Sekoia, the campaign involved exploiting CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application (HTA) payload called GammaPhish, which was then used to retrieve Visual Basic Script (VBScript) downloaders called GammaLoad. The French cybersecurity company detected a series of infections in January 2026.
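The weakness class named above, a path traversal flaw in an archive extractor, comes down to one check that every extractor must get right: an entry name must never resolve outside the chosen output directory. The following validator is an added example written for this article, not Sekoia's or WinRAR's code, and the entry names it is exercised with are constructed. It normalises both separator styles so a Windows-style name is not missed when triaged on Linux, and rejects absolute paths, drive letters, `..` components and the Windows `file:stream` ADS syntax, all of which have no legitimate use in a portable archive.

```python
"""Validate archive entry names before extraction (added example).

A name is accepted only if it would land strictly inside `dest_dir`; the
final realpath comparison is the ground truth, the textual checks before it
give a readable reason and catch Windows-only syntax on any host.
"""
import ntpath
import os
import posixpath
from typing import Dict, List


def is_safe_entry_name(name: str, dest_dir: str) -> bool:
    """Return True only if `name` extracts to a path inside `dest_dir`."""
    if not name or "\x00" in name:
        return False
    # Treat backslashes as separators so a Windows-style payload is caught on Linux too.
    norm = name.replace("\\", "/")
    # Absolute POSIX paths, drive letters and UNC prefixes escape the destination outright.
    if posixpath.isabs(norm) or ntpath.splitdrive(name)[0]:
        return False
    # "file.txt:stream" is NTFS Alternate Data Stream syntax; no portable archive needs it.
    if ":" in norm:
        return False
    parts = [p for p in norm.split("/") if p not in ("", ".")]
    if not parts or ".." in parts:
        return False
    dest = os.path.realpath(dest_dir)
    target = os.path.realpath(os.path.join(dest, *parts))
    return target.startswith(dest + os.sep)


def triage_listing(names: List[str], dest_dir: str) -> Dict[str, List[str]]:
    """Split an archive listing into entries safe to extract and entries to block."""
    verdicts: Dict[str, List[str]] = {"safe": [], "blocked": []}
    for name in names:
        verdicts["safe" if is_safe_entry_name(name, dest_dir) else "blocked"].append(name)
    return verdicts


# Constructed sample listing: one benign document beside several escape attempts.
SAMPLE_LISTING = [
    "docs/report.docx",
    "../../outside.hta",
    "..\\..\\outside.vbs",
    "C:\\outside.dll",
    "report.txt:payload.vbs",
    "/etc/passwd",
]

if __name__ == "__main__":
    for verdict, entries in triage_listing(SAMPLE_LISTING, "extract_here").items():
        print(verdict, entries)
```

The realpath comparison is what actually decides; the earlier string checks exist so a triage report can say why an entry was blocked, and so that ADS and drive-letter syntax is refused even on a host where it would otherwise be treated as an ordinary filename character.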
“Their main goals are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), download and extract VBScript payloads arbitrarily from C2 servers,” said Sekoia.
One of the payloads is a VBScript worm known as GammaWorm that establishes persistence through scheduled tasks and is designed to hide legitimate directories on network shares and USB drives and replace them with malicious Windows Shortcut (LNK) files, which lead to the execution of malicious code hosted on the command-and-control (C2) server.
To resolve its C2, GammaWorm issues a GET request with curl to a hard-coded public Telegram channel. Using legitimate platforms such as Telegram lets the traffic blend in with normal activity, evade detection, and sustain long-term espionage. GammaWorm also relies on NTFS Alternate Data Streams (ADS) to hide its core modules.
Another malware family delivered by GammaLoad is a modular information stealer called GammaSteel that collects files matching specific extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket, or to an attacker-controlled server as a fallback.
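The removable-drive behaviour described above leaves a recognisable artefact: a `.lnk` file whose name matches a sibling directory that has been hidden. The scan below is an added example written for this article, not Sekoia's code or any tool's, and it hunts for exactly that pairing across a drive or share. The sample tree it runs against is constructed in a temporary directory so the script works offline on any OS; on Windows the directory's Hidden attribute is read from the file attributes, elsewhere the dot-prefix convention stands in, so the hidden flag is informational on Linux and the name match alone produces a finding.

```python
"""Hunt for the 'shortcut shadowing a hidden directory' pattern (added example)."""
import os
import stat
import sys
import tempfile
from dataclasses import dataclass
from typing import Dict, List


@dataclass(frozen=True)
class Finding:
    lnk_path: str        # the shortcut that stands in for the folder
    shadowed_dir: str    # the directory with the same name next to it
    dir_is_hidden: bool  # Hidden attribute on Windows, dot-prefix elsewhere


def _is_hidden(path: str) -> bool:
    """Hidden attribute on Windows; dot-prefix convention on other platforms."""
    if sys.platform == "win32":
        return bool(os.stat(path).st_file_attributes & stat.FILE_ATTRIBUTE_HIDDEN)
    return os.path.basename(path).startswith(".")


def find_lnk_shadowed_dirs(root: str) -> List[Finding]:
    """Flag every .lnk whose stem equals a sibling directory name (case-insensitive)."""
    findings: List[Finding] = []
    for dirpath, dirnames, filenames in os.walk(root):
        # Windows filenames are case-insensitive, so compare lower-cased names.
        dirs: Dict[str, str] = {d.lower(): os.path.join(dirpath, d) for d in dirnames}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            if ext.lower() != ".lnk":
                continue
            shadowed = dirs.get(stem.lower())
            if shadowed is None:
                continue  # a shortcut with no same-named folder beside it is not this pattern
            findings.append(Finding(os.path.join(dirpath, fname), shadowed, _is_hidden(shadowed)))
    return sorted(findings, key=lambda f: f.lnk_path)


def build_sample_drive() -> str:
    """Construct a small fake USB drive: two shadowed folders, one ordinary shortcut."""
    root = tempfile.mkdtemp(prefix="usb_sample_")
    os.makedirs(os.path.join(root, "Reports"))
    open(os.path.join(root, "Reports", "q1.docx"), "w").close()
    open(os.path.join(root, "Reports.lnk"), "w").close()   # shortcut standing in for "Reports"
    os.makedirs(os.path.join(root, "Photos"))
    open(os.path.join(root, "Photos.LNK"), "w").close()    # same pattern, upper-case extension
    open(os.path.join(root, "notes.txt"), "w").close()
    open(os.path.join(root, "readme.lnk"), "w").close()    # no "readme" folder: not flagged
    return root


if __name__ == "__main__":
    target = sys.argv[1] if len(sys.argv) > 1 else build_sample_drive()
    for hit in find_lnk_shadowed_dirs(target):
        print(f"{hit.lnk_path} shadows {hit.shadowed_dir} (hidden={hit.dir_is_hidden})")
```

Run it with a drive letter or share path as the first argument to scan real media; without an argument it scans the constructed sample. A hit with `hidden=True` on Windows is the strongest signal, since a user-created shortcut beside a visible folder of the same name is rare but possible, whereas the worm's whole point is that the real folder is no longer visible.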
Sekoia said the infection sequence could be used to distribute other malware families, such as GammaWipe (also known as GamaWiper), depending on the threat actor’s goals.

“The exact vector used by GammaWorm remains elusive; it may be simultaneously downloaded by GammaLoad, or launched independently by a user using a weaponized USB drive,” it notes. “Furthermore, we are testing the global execution flow, testing with high confidence that GammaPhish is designed to feed GammaLoad first.”
Gamaredon, a Russian state-sponsored hacking group officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure organizations, using phishing emails carrying malicious attachments, in this case encrypted RAR archives.
“This series of contagions presents a strong, massive, and very mysterious design,” Sekoia said. “Because of its flexibility and the ability of the user to update the settings over time, there is a good chance that this structure will be used again in the future.”
The development coincides with UAC-0184's targeting of entities related to the Ukrainian military to deliver a payload associated with a legitimate program called PassMark BurnInTest via LNK files. A second cluster of threat activity aimed at Ukraine is UAC-0247 (previously tracked as UAC-0244), which has targeted drone operators with HTML Application (HTA) droppers delivered via a ZIP archive and a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure.
Threat hunters have also documented PixyNetLoader, a malware loader associated with APT28 and used in campaigns exploiting the Microsoft Office vulnerability CVE-2026-21509 to deploy the COVENANT Grunt implant. According to ExaTrack, the malware family has been observed in the wild since December 2024, with the most recent updates seen as recently as April 15, 2026.