
A Russian hacker group known as Gamaredon is believed to have continuously exploited vulnerabilities in WinRAR and distributed multiple families of malware aimed at data theft and propagation.
According to Sekoia, this activity involves weaponizing CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML application payload called GammaPhish, which is used to obtain an intermediate Visual Basic Script (VBScript) downloader codenamed GammaLoad. The French cybersecurity company observed this infection chain in January 2026.
“Their main objectives are to fingerprint the host system, update the network configuration in the registry using Dead Drop Resolver (DDR), and fetch and execute arbitrary VBScript payloads from the C2 server,” Sekoia said.
One of the payloads is a VBScript worm known as GammaWorm, which is designed to establish persistence through scheduled tasks, hide legitimate directories on network shares and USB drives (replacing them with malicious Windows Shortcut (LNK) files), and execute arbitrary code obtained from a command-and-control (C2) server.
To resolve C2, GammaWorm initiates a GET request via curl to a hard-coded public Telegram channel. The idea is that by using legitimate platforms like Telegram, they can blend in with normal traffic, avoid detection, and continue their long-term espionage efforts. GammaWorm also relies on NTFS Alternate Data Stream (ADS) technology to hide core modules.
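The worm behaviours described above (LNK files standing in for hidden folders, C2 resolution through a public Telegram channel fetched with curl, script modules kept in NTFS alternate data streams, and scheduled-task persistence) each leave traces a defender can look for. The following is an added example, not code from Sekoia or from the report, showing simple detection heuristics over constructed process-creation events and a constructed removable-drive listing. Field names, rule names, the Telegram host list and every sample value are assumptions made for illustration.

```python
"""Detection heuristics for GammaWorm-style behaviours (added example, not Sekoia's code).

All sample events and the directory listing below are constructed for illustration;
real Sysmon/EDR field names and paths will differ.
"""
from __future__ import annotations

import re
from dataclasses import dataclass

# Hostnames associated with public Telegram channels (assumed list; the article
# only states that a hard-coded public Telegram channel is used as a dead drop).
TELEGRAM_HOSTS = ("t.me", "telegram.me", "telegram.org")

# Windows script hosts that would execute a VBScript module.
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

# NTFS alternate-data-stream syntax inside a full path, e.g. C:\dir\file.txt:module.vbs
ADS_RE = re.compile(r'[A-Za-z]:\\[^\s":]+:[^\s\\:]+')


@dataclass
class Finding:
    rule: str
    evidence: str


def check_process_event(image: str, command_line: str) -> list[Finding]:
    """Apply the three process-creation heuristics to one event."""
    findings: list[Finding] = []
    img = image.lower().rsplit("\\", 1)[-1]
    cl = command_line.lower()
    # 1. curl reaching a public Telegram channel: dead-drop-resolver C2 lookup.
    if img == "curl.exe" and any(host in cl for host in TELEGRAM_HOSTS):
        findings.append(Finding("ddr_telegram_via_curl", command_line))
    # 2. A script host executing a script stored in an alternate data stream.
    if img in SCRIPT_HOSTS and ADS_RE.search(command_line):
        findings.append(Finding("script_from_ads", command_line))
    # 3. A scheduled task being created whose action runs a script host.
    if img == "schtasks.exe" and "/create" in cl and any(s in cl for s in SCRIPT_HOSTS):
        findings.append(Finding("schtask_runs_script_host", command_line))
    return findings


@dataclass
class Entry:
    name: str
    is_dir: bool
    hidden: bool


def find_lnk_replaced_dirs(entries: list[Entry]) -> list[str]:
    """Return .lnk files whose base name matches a hidden directory in the same
    listing: the footprint left when a folder is hidden and a shortcut is dropped
    in its place."""
    hidden_dirs = {e.name.lower() for e in entries if e.is_dir and e.hidden}
    suspicious = []
    for e in entries:
        if not e.is_dir and e.name.lower().endswith(".lnk"):
            if e.name[:-4].lower() in hidden_dirs:
                suspicious.append(e.name)
    return sorted(suspicious)


# Constructed sample events: (image path, command line).
SAMPLE_EVENTS = [
    ("C:\\Windows\\System32\\curl.exe", "curl.exe -s https://t.me/s/example_channel"),
    ("C:\\Windows\\System32\\wscript.exe", "wscript.exe //B C:\\Users\\Public\\notes.txt:core.vbs"),
    ("C:\\Windows\\System32\\schtasks.exe",
     'schtasks.exe /Create /SC MINUTE /TN Updater /TR "wscript.exe C:\\Users\\Public\\run.vbs"'),
    ("C:\\Windows\\System32\\wscript.exe", "wscript.exe C:\\Users\\Public\\benign.vbs"),
    ("C:\\Windows\\System32\\curl.exe", "curl.exe -s https://example.org/"),
]

# Constructed listing of a removable drive's root.
SAMPLE_USB_LISTING = [
    Entry("Documents", True, True),
    Entry("Documents.lnk", False, False),
    Entry("Photos", True, True),
    Entry("Photos.lnk", False, False),
    Entry("Readme.txt", False, False),
    Entry("Backup", True, False),      # visible folder: a shortcut beside it is not flagged
    Entry("Backup.lnk", False, False),
]


def scan_sample_events() -> list[str]:
    """Rule names fired by the constructed events, in event order."""
    return [f.rule for image, cl in SAMPLE_EVENTS for f in check_process_event(image, cl)]


if __name__ == "__main__":
    for rule in scan_sample_events():
        print("process rule fired:", rule)
    for name in find_lnk_replaced_dirs(SAMPLE_USB_LISTING):
        print("shortcut shadowing hidden folder:", name)
```

Each heuristic on its own will produce false positives (curl to Telegram is not malicious in itself, and administrators do create tasks that run scripts); the value is in correlating them on one host, and in treating the hidden-folder-plus-shortcut pattern on a USB drive as a strong signal worth pulling the drive for.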
Another malware family delivered via GammaLoad is a modular information stealer codenamed GammaSteel that captures files matching specific extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket, falling back to an attacker-controlled server if that fails.
Sekoia said that depending on the attacker’s objectives, the infection sequence could be used to distribute other malware families such as GammaWipe (also known as GamaWiper).

“GammaWorm’s exact deployment vector remains ambiguous and could be dropped simultaneously by GammaLoad or introduced independently via users running weaponized USB drives,” the report noted. “Additionally, after evaluating the global execution flow, we believe GammaPhish is designed to deploy GammaLoad first.”
Gamaredon, a Russian state-sponsored intrusion set officially affiliated with the Federal Security Service (FSB), has a history of targeting Ukraine, specifically government, military, and critical infrastructure agencies, using spear-phishing emails carrying malicious attachments, in this case the booby-trapped RAR archive.
“This infection chain reveals a resilient, large-scale, and highly obfuscated modular design,” Sekoia said. “Due to its adaptability and ability for operators to update configurations on the fly, this architecture is highly likely to be reused in the future.”
This development coincides with UAC-0184 targeting military organizations in Ukraine to deliver an executable associated with a legitimate program called PassMark BurnInTest via LNK lures. A second threat activity cluster targeting Ukraine, UAC-0247 (previously tracked as UAC-0244), went after drone operators, deploying an HTML application (HTA) dropper via a ZIP archive along with a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure.
Threat hunters have charted the evolution of PixyNetLoader, a malware loader attributed to APT28, in connection with a campaign that exploits a Microsoft Office vulnerability (CVE-2026-21509) to extract the COVENANT Grunt implant. According to ExaTrack, this malware family has been in the wild since December 2024, with the most recent iteration discovered on April 15, 2026.
