
Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

Published:

2 June 2026 at 18:21:49

Alert date:

2 June 2026 at 19:00:51

Source:

thehackernews.com


Ransomware & Malware, Data Breach & Exfiltration, Critical Infrastructure

The Russian hacking group Gamaredon continues to exploit CVE-2025-8088, a path traversal vulnerability in WinRAR, to deliver several malware families, including GammaWorm and GammaSteel, against Ukrainian targets. The campaign uses weaponized WinRAR archives to drop an HTML Application (HTA) payload called GammaPhish, which serves as the initial foothold for data theft and lateral movement.

Technical details

Gamaredon exploits CVE-2025-8088, a path traversal vulnerability in WinRAR that lets a crafted archive write files outside the chosen extraction directory, to plant the GammaPhish HTML Application (HTA) payload. GammaPhish retrieves GammaLoad, a VBScript downloader that fingerprints the host and refreshes its network configuration through dead drop resolvers.

GammaWorm establishes persistence via scheduled tasks and spreads through removable media and network shares: it hides the legitimate directories on USB drives and shares and replaces them with malicious LNK files that launch the malware when a user opens the decoy. It communicates with its command and control infrastructure through Telegram channels, fetched with plain curl GET requests, and hides its core modules in NTFS Alternate Data Streams (ADS) so that they do not appear in normal directory listings.

GammaSteel is a modular information stealer that collects files with specific extensions and exfiltrates them to AWS S3 buckets or attacker-controlled servers.

Mitigation steps:

Monitor for suspicious HTA files, VBScript payloads, and LNK files, in particular a shortcut that carries the same name as a hidden directory next to it on a USB drive or network share.
Watch for NTFS Alternate Data Streams on files where they are not expected (Zone.Identifier is the common benign one), since GammaWorm hides its core modules there.
Alert on curl.exe, wscript.exe, cscript.exe and mshta.exe making outbound HTTP requests, and on traffic from endpoints to Telegram and to AWS S3 buckets that the organization does not use.
Implement detection for scheduled task creation by scripting hosts and for USB drive activity.
Update WinRAR to a version that fixes CVE-2025-8088 (7.13 or later) and keep Microsoft Office at the latest version; the archive only needs to be extracted by a vulnerable WinRAR for the traversal to succeed.
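The following PowerShell hunt script is an added example written for this page; it is not code from the advisory, from the original reporting, or from any of the named malware families. It turns the detection points above into checks that can be run on a Windows host or against a mounted share: a hidden directory with a same-named .lnk next to it (the GammaWorm decoy pattern), files carrying Alternate Data Streams beyond the expected ones, scheduled tasks whose actions invoke scripting hosts or curl, and the installed WinRAR version. The scan roots, the allow-list of benign stream names and the keyword list are assumptions to adapt to your environment; the 7.13 threshold is the first WinRAR release that fixes CVE-2025-8088.

```powershell
<#
  Added hunt script for the Gamaredon TTPs described above (example code,
  not the advisory's own). Assumptions, all hypothetical: the roots in
  $ScanRoots, the benign-stream allow-list and the keyword list.
  Run as an administrator in PowerShell 5.1 or later.
#>
param(
    [string[]]$ScanRoots     = @('E:\', '\\fileserver\share'),   # USB drive / network share to hunt
    [string[]]$BenignStreams = @(':$DATA', 'Zone.Identifier')   # default data stream and MOTW marker
)

# Check 1: hidden directory with a decoy <dirname>.lnk beside it; resolve the shortcut target
# so the analyst sees what the LNK would launch.
function Find-LnkDecoys {
    param([string]$Root)
    $shell = New-Object -ComObject WScript.Shell
    Get-ChildItem -LiteralPath $Root -Directory -Recurse -Force -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $lnk = Join-Path $_.Parent.FullName ($_.Name + '.lnk')
            if (Test-Path -LiteralPath $lnk) {
                $sc = $shell.CreateShortcut($lnk)
                [pscustomobject]@{ Check = 'LnkDecoy'; Path = $lnk
                                   Detail = "$($sc.TargetPath) $($sc.Arguments)" }
            }
        }
}

# Check 2: files with Alternate Data Streams that are not on the allow-list.
function Find-SuspiciousStreams {
    param([string]$Root)
    Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $BenignStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{ Check = 'ADS'; Path = $file.FullName
                                       Detail = "stream '$($_.Stream)', $($_.Length) bytes" }
                }
        }
}

# Check 3: scheduled tasks whose actions run scripting hosts, curl, or reference Telegram.
function Find-SuspiciousTasks {
    $keywords = 'wscript', 'cscript', 'mshta', 'curl', 't.me', 'telegram', '.vbs', '.hta'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $hit = $keywords | Where-Object { $cmd -match [regex]::Escape($_) }
            if ($hit) {
                [pscustomobject]@{ Check = 'Task'; Path = "$($task.TaskPath)$($task.TaskName)"
                                   Detail = $cmd.Trim() }
            }
        }
    }
}

# Check 4: WinRAR older than 7.13 is still exposed to CVE-2025-8088.
function Test-WinRarVersion {
    $exe = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
    if (-not (Test-Path -LiteralPath $exe)) { return }
    $raw = (Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
    $ver = [version]($raw -replace '[^\d.]', '')
    if ($ver -lt [version]'7.13') {
        [pscustomobject]@{ Check = 'WinRAR'; Path = $exe; Detail = "version $raw is vulnerable to CVE-2025-8088" }
    }
}

$findings = @(
    foreach ($root in $ScanRoots) {
        if (Test-Path -LiteralPath $root) {
            Find-LnkDecoys -Root $root
            Find-SuspiciousStreams -Root $root
        }
    }
)
$findings += @(Find-SuspiciousTasks)
$findings += @(Test-WinRarVersion)

if ($findings.Count -eq 0) { 'No findings.' } else { $findings | Format-Table -AutoSize -Wrap }
```

Treat each row as a lead, not a verdict: backup software and some document management tools create hidden folders and shortcuts, and vendors occasionally ship non-empty streams, so the allow-list and keyword list will need tuning after a first run over a known-clean share. The LNK check deliberately resolves the shortcut target through the Shell COM object rather than launching it.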

Affected products:

WinRAR
Microsoft Office

Related CVE's:

CVE-2025-8088 (WinRAR path traversal)

Related threat actors:

Gamaredon

IOC's:

No atomic indicators (hashes, domains, IP addresses) are listed in this advisory; the items below are the artifact types and techniques observed in the campaign: HTML Application (HTA) files, VBScript payloads, Windows Shortcut (LNK) files replacing hidden directories on USB drives and network shares, NTFS Alternate Data Streams used to hide malware modules, Telegram channels used for C2, exfiltration to AWS S3 buckets, the COVENANT Grunt implant, and the PixyNetLoader malware.

This article was created with the assistance of AI technology by Perceptive.

© 2025 by Perceptive Security. All rights reserved.

email: info@perceptivesecurity.com

Disclaimer: This website displays information obtained from external sources. Perceptive accepts no responsibility for the content, accuracy or completeness of this information.
