Gamaredon Exploits WinRAR Vulnerability To Deploy GammaWorm And GammaSteel Malware Against Ukraine


The Russia-linked hacking group Gamaredon has been tied to the continued exploitation of a WinRAR vulnerability to distribute multiple malware families against Ukrainian targets, according to findings shared by French cybersecurity company Sekoia. The activity abuses CVE-2025-8088, a path traversal flaw in WinRAR that lets a crafted archive write files outside the chosen extraction directory; the bug was fixed in WinRAR 7.13, and because WinRAR has no automatic update mechanism, older installs remain exposed until they are replaced by hand. Threat actors are reportedly using it to drop payloads built for data theft, system compromise, and malware propagation. Researchers observed the infection chain in January 2026 and stated that the campaign shows an increasingly adaptable and modular attack structure aimed at maintaining persistence and operational flexibility. Gamaredon, which has historically targeted Ukrainian institutions, continues to focus on government, military, and critical infrastructure sectors using malicious file-based delivery mechanisms.

According to Sekoia, the attack chain begins with exploitation of the WinRAR flaw to launch an HTML Application (HTA) payload referred to as GammaPhish. This component retrieves an intermediate Visual Basic Script downloader known as GammaLoad, which acts as a staging mechanism for further malware deployment. Researchers stated that the primary purpose of these scripts is to fingerprint infected systems, refresh the command-and-control addresses stored in the Windows registry by querying dead-drop resolvers, and retrieve arbitrary VBScript payloads from command-and-control infrastructure. One of the malware families delivered this way is GammaWorm, a VBScript-based worm that establishes persistence through scheduled tasks while spreading across network shares and USB devices. The worm reportedly marks legitimate directories as hidden and places Windows Shortcut (LNK) files of the same name beside them, so that a user who clicks what looks like the folder instead executes content pulled from attacker-controlled infrastructure.

Researchers also noted that GammaWorm uses legitimate online services to disguise malicious activity and maintain communications with command-and-control servers. To resolve its command-and-control configuration, the malware reportedly sends a GET request through curl to a hard-coded public Telegram channel, a dead-drop resolver pattern in which the current server address is read from a post the operators can change at will. By relying on a widely used platform such as Telegram, operators are believed to reduce the likelihood of detection by blending malicious traffic with ordinary network activity. GammaWorm also stores critical modules in NTFS Alternate Data Streams (ADS), which do not appear in ordinary directory listings and so reduce visibility during forensic investigations. Another malware family distributed through GammaLoad is GammaSteel, described as a modular information stealer that collects files matching a predefined list of extensions and exfiltrates the stolen data to an Amazon Web Services S3 bucket. Researchers stated that if the primary storage route fails, attacker-controlled servers are used as a fallback exfiltration channel.
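The two paragraphs above describe on-disk traits a responder can look for directly: a directory that has been flipped to Hidden and now has a same-named .lnk beside it, payload modules tucked into NTFS Alternate Data Streams, and a scheduled task that launches a script host or curl. The PowerShell below is an added hunting script written for this article; it is not Sekoia's code and not a Gamaredon artifact. The root path (a mounted USB stick or mapped share), the list of stream names treated as benign, and the process names matched in task actions are assumptions chosen for illustration, not indicators taken from the report.

```powershell
# Hunt for GammaWorm-style traits on a removable drive or share (added example).
# Assumptions: $Root is the volume to inspect; $IgnoreStreams lists stream names
# that are normal on Windows; the script-host pattern in task actions is an
# illustrative choice, not an indicator from the report.
param(
    [string]$Root = 'E:\',
    [string[]]$IgnoreStreams = @(':$DATA', 'Zone.Identifier')
)

# Trait 1: a Hidden directory with a sibling "<name>.lnk" (the decoy shortcut).
function Find-HiddenDirWithLnkTwin {
    param([string]$Path)
    $shell = New-Object -ComObject WScript.Shell   # used to read LNK targets
    Get-ChildItem -LiteralPath $Path -Directory -Force -Recurse -ErrorAction SilentlyContinue |
        Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden } |
        ForEach-Object {
            $twin = Join-Path $_.Parent.FullName ($_.Name + '.lnk')
            if (Test-Path -LiteralPath $twin -PathType Leaf) {
                $lnk = $shell.CreateShortcut($twin)
                [pscustomobject]@{
                    Finding   = 'HiddenDirWithLnkTwin'
                    Directory = $_.FullName
                    Shortcut  = $twin
                    Target    = $lnk.TargetPath   # what actually runs on click
                    Arguments = $lnk.Arguments
                }
            }
        }
}

# Trait 2: files carrying NTFS Alternate Data Streams beyond the usual ones.
# Get-Item -Stream * enumerates every stream; the default data stream is ':$DATA'.
function Find-AlternateDataStreams {
    param([string]$Path, [string[]]$Ignore)
    Get-ChildItem -LiteralPath $Path -File -Force -Recurse -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $Ignore -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        Finding = 'AlternateDataStream'
                        File    = $_.FileName
                        Stream  = $_.Stream
                        Length  = $_.Length
                    }
                }
        }
}

# Trait 3: scheduled tasks whose action runs a script host or curl (assumed
# pattern for a VBScript worm that persists via tasks and fetches config via curl).
function Find-SuspiciousScheduledTasks {
    $pattern = 'wscript|cscript|mshta|curl'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        $task.Actions |
            Where-Object { ($_.Execute + ' ' + $_.Arguments) -match $pattern } |
            ForEach-Object {
                [pscustomobject]@{
                    Finding   = 'ScheduledTaskScriptHost'
                    Task      = $task.TaskPath + $task.TaskName
                    Execute   = $_.Execute
                    Arguments = $_.Arguments
                }
            }
    }
}

$findings = @(Find-HiddenDirWithLnkTwin -Path $Root) +
            @(Find-AlternateDataStreams -Path $Root -Ignore $IgnoreStreams) +
            @(Find-SuspiciousScheduledTasks)

if ($findings.Count -eq 0) { 'No GammaWorm-style traits found under ' + $Root }
else { $findings | Format-List }
```

Run it from an elevated prompt so hidden and system directories are readable. Two caveats: FAT32-formatted USB sticks cannot hold Alternate Data Streams at all, so an empty ADS result there says nothing; and the hidden-directory check is about a decoy LNK sitting beside a hidden folder, so a hit should be confirmed by reading the shortcut's Target and Arguments rather than treated as proof on its own.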

Sekoia further indicated that the infection chain may be adapted to distribute additional malware depending on operational goals, including GammaWipe, also referred to as GamaWiper. While researchers noted uncertainty about the exact deployment method for GammaWorm, they assess with high confidence that GammaPhish is structured to deploy GammaLoad as the first payload in the sequence. The activity coincides with other cyber campaigns targeting Ukraine, including operations associated with UAC-0184, which reportedly targeted military-related entities through malicious LNK lures delivering software connected to PassMark BurnInTest. Another activity cluster, UAC-0247, previously tracked as UAC-0244, has reportedly targeted drone operators through HTML Application droppers delivered in ZIP archives alongside a backdoor capable of opening a reverse shell to attacker-controlled systems. Researchers have also tracked the continued development of PixyNetLoader, a malware loader associated with APT28, which has reportedly been used in campaigns exploiting the Microsoft Office vulnerability CVE-2026-21509 to deploy a COVENANT Grunt implant. According to ExaTrack, PixyNetLoader activity has been observed since December 2024, with recent versions detected as recently.
