Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets

Gamaredon exploits a WinRAR flaw to drop modular, nearly fileless malware on Ukrainian targets, hiding payloads in Windows streams and resolving C2s via Telegram.

Sekoia’s Threat Detection & Research team dropped a YARA rule in late December 2025 to hunt for new initial access vectors, and by January 2026 it had already generated a dozen hits. Sekoia researchers found a Gamaredon infection chain that’s more modular, more evasive, and more persistent than anything the group had publicly deployed before. This is part one of a three-part series; parts two and three cover GammaLoad and GammaSteel, respectively.

Russia-linked APT group Gamaredon (a.k.a. Armageddon, Primitive Bear, ACTINIUM, Callisto) has been active since 2014, and its activity focuses on Ukraine.

Ukraine’s Security Service has tied the group to the FSB. It originally used off-the-shelf tools like the Remote Manipulator System RAT, then moved to a custom framework called Pteranodon, and gradually fragmented into a constellation of standalone, modular malware families. Sekoia has now aligned the naming under a single taxonomy using the “Gamma” prefix: GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation, GammaSteel for data theft, and GammaWipe for destruction. The group hasn’t changed its goals in a decade; it’s just gotten better at hiding.

In January 2026, the experts observed the threat actor using a weaponized XHTML file, likely delivered as a spearphishing attachment. Opening it silently triggers a 1×1 pixel tracking request to a Supabase endpoint, confirming to the operator that the victim opened the lure. This tracking technique dates back to at least 2018, which tells you something about how little Gamaredon needs to innovate when the basics still work.

The XHTML then uses HTML smuggling to deliver a RAR archive that exploits CVE-2025-8088, a critical path traversal flaw in WinRAR patched in version 7.13. The archive looks like it contains one PDF.

“GammaPhish (Initial access): Through YARA-based hunting, we identified a cluster of weaponized xHTML files distributing a malicious RAR archive. This archive exploits the CVE-2025-8088 vulnerability to extract a hidden HTA file directly into the user’s Windows Startup directory,” reads the report published by Sekoia. “Upon execution, the HTA file leverages mshta.exe to call a remote payload hosted on a C2 server.”

It actually contains two files: the visible decoy and an HTA file that the path traversal extracts directly into the user’s Windows Startup folder. On the next login, Windows executes it automatically. Google’s Threat Intelligence Group documented the same CVE being exploited by Sandworm, Turla, and Gamaredon in the same timeframe, which suggests it moved fast across Russian operators after it was published.
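As an added defender-side example (not code from Sekoia, WinRAR or the campaign), the Python check below shows what an extractor has to enforce against this class of bug: an archive entry name is written only if it resolves to a relative path inside the extraction directory and does not name an NTFS alternate data stream. The entry names are constructed for illustration; the article does not describe the exact entry names the malicious archive used, and the Startup-folder path shown is only an example of where a traversal could land.

```python
"""Extraction-path check for archive entry names.

Added example; not code from Sekoia, WinRAR or Gamaredon. The entry names below
are constructed for illustration.
"""
from __future__ import annotations

import posixpath
import re

# Constructed entry names: one decoy plus several ways an entry can escape.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs/annex.pdf",
    "docs/../report.pdf",
    "../../AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/update.hta",
    "report.pdf:payload.hta",
    "C:/Users/Public/update.hta",
    "\\\\fileserver\\share\\update.hta",
    "docs/../../escape.hta",
]

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")


def classify_entry(name: str) -> tuple[bool, str]:
    """Return (safe, detail).

    detail is the normalised relative path for a safe entry and the rejection
    reason for an unsafe one.
    """
    # Archives built on Windows mix separators; treat both the same way.
    normalized = name.replace("\\", "/")
    if not normalized.strip():
        return False, "empty name"
    # A drive letter or a leading slash (incl. UNC '//server/share') is absolute.
    if DRIVE_PREFIX.match(normalized) or normalized.startswith("/"):
        return False, "absolute or UNC path"
    # On NTFS a colon inside a name opens an alternate data stream, so
    # 'decoy.pdf:payload.hta' would write a file that dir never lists.
    if ":" in normalized:
        return False, "alternate data stream in name"
    # Collapse '.' and '..' components, then refuse anything still climbing up.
    collapsed = posixpath.normpath(normalized)
    if collapsed == ".." or collapsed.startswith("../"):
        return False, "escapes extraction directory"
    return True, collapsed


def safe_entries(entries) -> list[str]:
    """Names an extractor may write, in normalised relative form."""
    return [detail for ok, detail in map(classify_entry, entries) if ok]


if __name__ == "__main__":
    for entry in SAMPLE_ENTRIES:
        ok, detail = classify_entry(entry)
        print(f"{'WRITE ' if ok else 'REJECT'} {entry!r}: {detail}")
```

The check is deliberately done on the declared name, before any filesystem call, so the decision does not depend on what already exists under the destination.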

The HTA file runs mshta.exe with a URL that includes www.bbc.com in the path to look legitimate in network logs. That URL fetches GammaLoad, the intermediate staging layer. Sekoia couldn’t retrieve GammaLoad directly from this stage because C2 servers were unresponsive during testing, but forensic artifacts from compromised hosts filled in the picture.

“GammaLoad (Staging): We recovered multiple VBScript loaders from the compromised hosts. It seems that these loaders operate in a continuous cascade, with four distinct execution stages observed during our analysis,” continues the report. “Their primary objectives are to fingerprint the host system, update the network configuration in the registry using Dead Drop Resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers.”

GammaWorm is the propagation component, and it’s where things get technically interesting. It’s a VBScript payload that, after deobfuscation, runs to over 20,000 lines, the vast majority of which is junk code designed to exhaust analysts. It doesn’t drop traditional files. Instead it writes its core modules into NTFS Alternate Data Streams, a native NTFS feature that attaches extra data to a file or folder path without it showing up in standard directory listings or in the file sizes users see. A plain dir command won’t show them.

The malware maintains persistence through three scheduled tasks with names borrowed from legitimate Windows services: DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry. Each one executes a different ADS module at short intervals, from 7 to 10 minutes. GammaWorm also uses a RunOnce registry key: Windows deletes a RunOnce entry once it has run, so the script simply rewrites the key every time it executes, giving it a fresh launch at every user login. Cute trick.
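As an added example of how a responder can triage the persistence described above (not code from the Sekoia report), the Python script below reads Task Scheduler XML, which is what `schtasks /query /xml` or `Export-ScheduledTask` emits, and flags tasks whose action runs a script host, whose arguments point into an NTFS alternate data stream, or that repeat every few minutes. The two task definitions are constructed for illustration: the first reuses the SilentCleanup name the article lists but its path and stream name are made up; the second is a benign-looking task constructed to resemble the built-in one, not an actual export.

```python
"""Scheduled-task triage: script hosts, ADS references and fast repetition.

Added example; not code from Sekoia or Gamaredon. Task XML below is constructed.
"""
from __future__ import annotations

import re
import xml.etree.ElementTree as ET

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# A Windows path with a second colon after the drive letter names a stream,
# e.g. C:\path\folder:stream (the page describes streams attached to folders).
ADS_PATH = re.compile(r'[A-Za-z]:\\[^"\s:]+:[^"\s\\]+')
ISO_DURATION = re.compile(r"^P(?:(\d+)D)?T?(?:(\d+)H)?(?:(\d+)M)?(?:(\d+)S)?$")
FAST_REPEAT_MINUTES = 15

# Constructed task definitions (not real exports).
SAMPLE_TASKS = [
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\SilentCleanup</URI></RegistrationInfo>
  <Triggers><TimeTrigger><Repetition><Interval>PT7M</Interval></Repetition>
    <StartBoundary>2026-01-14T09:00:00</StartBoundary><Enabled>true</Enabled></TimeTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>wscript.exe</Command>
    <Arguments>//B //E:vbscript "C:\\Users\\user\\AppData\\Local\\Temp:core.vbs"</Arguments></Exec></Actions>
</Task>""",
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup</URI></RegistrationInfo>
  <Triggers><IdleTrigger><Enabled>true</Enabled></IdleTrigger></Triggers>
  <Actions Context="Author"><Exec><Command>%windir%\\system32\\cleanmgr.exe</Command>
    <Arguments>/autoclean</Arguments></Exec></Actions>
</Task>""",
]


def interval_minutes(text):
    """Convert an ISO 8601 duration such as PT7M to minutes (None if unparsable)."""
    if not text:
        return None
    m = ISO_DURATION.match(text.strip())
    if not m:
        return None
    days, hours, minutes, seconds = (int(x) if x else 0 for x in m.groups())
    return days * 1440 + hours * 60 + minutes + seconds / 60


def triage_task(xml_text: str) -> dict:
    """Return the task URI and the reasons it looks suspicious (empty if none)."""
    root = ET.fromstring(xml_text)
    uri = root.findtext("t:RegistrationInfo/t:URI", default="?", namespaces=NS)
    reasons = []
    for exec_node in root.findall("t:Actions/t:Exec", NS):
        command = exec_node.findtext("t:Command", default="", namespaces=NS).strip()
        args = exec_node.findtext("t:Arguments", default="", namespaces=NS)
        exe = command.replace("/", "\\").split("\\")[-1].lower()
        if exe in SCRIPT_HOSTS:
            reasons.append(f"action runs script host {exe}")
        for hit in ADS_PATH.findall(command + " " + args):
            reasons.append(f"action references alternate data stream {hit}")
    for interval in root.findall("t:Triggers//t:Repetition/t:Interval", NS):
        minutes = interval_minutes(interval.text)
        if minutes is not None and minutes <= FAST_REPEAT_MINUTES:
            reasons.append(f"repeats every {minutes:g} min")
    return {"task": uri, "reasons": reasons}


if __name__ == "__main__":
    for xml_text in SAMPLE_TASKS:
        result = triage_task(xml_text)
        print(result["task"], "->", "; ".join(result["reasons"]) or "nothing flagged")
```

Matching on the task name alone is not enough, because the names are chosen to collide with real ones; the action and the trigger cadence are what separate the two definitions above.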

The propagation module targets USB drives and network shares. It hides real folders by setting their attributes to Hidden and System, then drops malicious LNK shortcut files in their place using the same folder name and icon. Clicking the LNK opens the real folder in Explorer so the user sees nothing wrong, while silently executing ~.gif, the worm file that sits at the root of every infected drive. The decoy LNK filenames are in Ukrainian and include everything from bureaucratic documents like “draft letter.doc” and “distribution sheet.doc” to deliberately shocking filenames designed to provoke clicks. State-sponsored operators know social engineering just as well as any criminal group.
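The folder-swap decoy described above leaves a recognisable pattern on the drive: a shortcut whose name equals a sibling directory, a worm file at the root, and folders carrying Hidden+System attributes. As an added example (not code from the Sekoia report), the Python scan below looks for exactly those three things on a drive or share root. The sample layout is built in a temporary directory with constructed folder names; only the `~.gif` filename comes from the article, and the attribute check only has effect on Windows.

```python
"""Decoy-shortcut scan for a removable drive or network share root.

Added example; not code from Sekoia or Gamaredon. The sample drive layout is
constructed in a temporary directory.
"""
from __future__ import annotations

import os
import tempfile
from pathlib import Path

FILE_ATTRIBUTE_HIDDEN = 0x2
FILE_ATTRIBUTE_SYSTEM = 0x4
WORM_FILENAMES = {"~.gif"}  # filename reported in the article


def hidden_system(path: Path) -> bool:
    """True when a path carries Hidden and System attributes (Windows only; False elsewhere)."""
    attrs = getattr(path.stat(), "st_file_attributes", 0)
    return bool(attrs & FILE_ATTRIBUTE_HIDDEN) and bool(attrs & FILE_ATTRIBUTE_SYSTEM)


def scan_drive(root: str) -> list[str]:
    """Return findings for one drive or share root, with paths relative to it."""
    findings = []
    root_path = Path(root)
    for name in WORM_FILENAMES:
        if (root_path / name).is_file():
            findings.append(f"worm candidate at root: {name}")
    for dirpath, dirnames, filenames in os.walk(root):
        dir_set = {d.lower() for d in dirnames}
        for fname in filenames:
            stem, ext = os.path.splitext(fname)
            # A .lnk named like a sibling folder is the decoy that opens the real
            # folder while launching the worm.
            if ext.lower() == ".lnk" and stem.lower() in dir_set:
                rel = os.path.relpath(os.path.join(dirpath, fname), root)
                findings.append(f"shortcut shadows folder: {rel}")
        for d in dirnames:
            if hidden_system(Path(dirpath, d)):
                findings.append(f"hidden+system folder: {os.path.relpath(os.path.join(dirpath, d), root)}")
    return findings


def build_sample_drive() -> str:
    """Create a constructed drive layout and return its root path."""
    root = tempfile.mkdtemp(prefix="usb_")
    (Path(root) / "Documents").mkdir()
    (Path(root) / "Documents" / "notes.txt").write_text("ok")
    # Placeholder bytes, not a real shortcut; only the name matters to the scan.
    (Path(root) / "Documents.lnk").write_bytes(b"L\x00\x00\x00")
    (Path(root) / "Photos").mkdir()
    (Path(root) / "~.gif").write_bytes(b"not an image")
    return root


if __name__ == "__main__":
    for finding in scan_drive(build_sample_drive()):
        print(finding)
```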

To find its C2 address, GammaWorm runs curl against a hard-coded public Telegram channel, parses the HTML for an obfuscated IP address, and posts the victim’s machine fingerprint back via randomized HTTP headers, specifically inside the User-Agent string. No request body, just headers.

The C2 resolution chain itself is layered: it hops through graph.org, Cloudflare Workers, Teletype, Telegra.ph, and Telegram before arriving at an operator-controlled server. Each resolved URL gets written to the registry for the next stage to read. If the C2 returns HTTP 200, it executes arbitrary VBScript from the response body. If it returns 404, that’s actually a configuration update. Yes, they repurposed a 404 response as a signaling mechanism.
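The three network behaviours described above (mshta.exe fetching a URL with a brand domain buried in the path, a command-line client pulling a public Telegram page, and a host fingerprint carried in the User-Agent rather than a body) are all visible in ordinary proxy telemetry. As an added example (not code from the Sekoia report), the Python triage below runs those checks over JSON-per-line proxy records. The log lines and field names are constructed; the list of dead-drop hosts is an assumption drawn from the services the article names (with t.me standing in for Telegram), and 203.0.113.0/24 is a documentation address range, not the campaign's C2.

```python
"""Proxy-log triage for script-host HTTP, lookalike URL paths, dead-drop
platforms and fingerprint-bearing User-Agents.

Added example; not code from Sekoia or Gamaredon. Records below are constructed.
"""
from __future__ import annotations

import json
import re

SCRIPT_HOSTS = {"mshta.exe", "wscript.exe", "cscript.exe"}
BROWSERS = {"chrome.exe", "msedge.exe", "firefox.exe", "iexplore.exe"}
# Assumed web front-ends of the platforms the article names (t.me = Telegram).
DEAD_DROP_HOSTS = {"t.me", "telegra.ph", "graph.org"}
# A domain-looking token in the URL path (restricted TLD set keeps 'index.php' out).
DOMAIN_IN_PATH = re.compile(r"(?:[a-z0-9-]+\.)+(?:com|net|org|gov|edu|ua|uk|io)\b", re.I)
HASH_LIKE = re.compile(r"[0-9a-f]{32,}", re.I)

# Constructed records, not real telemetry.
SAMPLE_LOG = r"""
{"ts":"2026-01-14T09:12:01Z","host":"WS-017","process":"chrome.exe","dst_host":"www.bbc.com","path":"/news","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","status":200}
{"ts":"2026-01-14T09:12:07Z","host":"WS-017","process":"mshta.exe","dst_host":"203.0.113.45","path":"/www.bbc.com/news/live.hta","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","status":200}
{"ts":"2026-01-14T09:19:30Z","host":"WS-017","process":"curl.exe","dst_host":"t.me","path":"/s/examplechannel","user_agent":"curl/8.4.0","status":200}
{"ts":"2026-01-14T09:19:41Z","host":"WS-017","process":"curl.exe","dst_host":"203.0.113.45","path":"/index.php","user_agent":"WS-017_1A2B3C4D_Windows_10_Pro_x64_7f9e2c1b8a4d6e0f3c5b7a9d1e2f4a6b","status":404}
{"ts":"2026-01-14T09:25:03Z","host":"WS-017","process":"outlook.exe","dst_host":"outlook.office365.com","path":"/owa/","user_agent":"Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36","status":200}
"""


def check_record(rec: dict) -> list[str]:
    """Return the reasons one record is suspicious (empty list if none)."""
    reasons = []
    proc = rec["process"].lower()
    dst = rec["dst_host"].lower()
    ua = rec["user_agent"]
    if proc in SCRIPT_HOSTS:
        reasons.append("script host making HTTP request")
    # A well-known domain in the path of a request to a different host.
    for m in DOMAIN_IN_PATH.finditer(rec["path"]):
        if m.group(0).lower() != dst:
            reasons.append(f"lookalike domain in URL path: {m.group(0)}")
            break
    if dst in DEAD_DROP_HOSTS and proc not in BROWSERS:
        reasons.append(f"non-browser process contacting dead-drop platform: {dst}")
    # Fingerprint smuggled in headers: own hostname or a long hex token in the UA.
    if rec["host"].lower() in ua.lower():
        reasons.append("host name embedded in User-Agent")
    if HASH_LIKE.search(ua):
        reasons.append("hash-like token in User-Agent")
    return reasons


def analyze(log_text: str) -> list[dict]:
    """Parse JSON lines and return one finding per suspicious record."""
    findings = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = json.loads(line)
        reasons = check_record(rec)
        if reasons:
            findings.append({"ts": rec["ts"], "process": rec["process"], "reasons": reasons})
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_LOG):
        print(f["ts"], f["process"], "|", "; ".join(f["reasons"]))
```

The 404 that the article says doubles as a configuration update is deliberately not a rule on its own: a 404 is too common to alert on, but once a host is flagged by the other checks, its 404s from the same destination are worth pulling for review.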

“This infection chain reveals a resilient, massive, and highly obfuscated modular design,” states Sekoia. “Because of its adaptability and the operator’s ability to update configurations on the fly, it is highly likely that this architecture will be reused in the future.”

That assessment from Sekoia isn’t speculative: every stage of this chain independently retains the ability to fetch and execute arbitrary remote code, meaning even if defenders clean one layer, the others keep running.

The group has also “been using certain techniques for a long time, such as embedding 1×1 tracking pixels to validate victim engagement, exploiting archive path traversal vulnerabilities, and weaponizing USB drives for physical propagation.”

The continuity is striking. What’s new is the infrastructure concealment: running almost entirely in memory, storing payloads in ADS, resolving C2s through Telegram and Cloudflare, and exfiltrating data in HTTP headers rather than request bodies. Sekoia notes that for any host confirmed infected by this chain, a complete wipe is the safest remediation path, because GammaWorm’s dead-drop resolution lets operators push fresh payloads faster than cleaning attempts can keep up.

IOCs including file hashes for GammaPhish and GammaWorm, dead drop resolver URLs, and the single confirmed C2 IP are published at the end of the Sekoia report. The full indicator set, including network infrastructure, is available through Sekoia’s intelligence feed.

“Interestingly, while Gamaredon introduces novel capabilities, they also persistently recycle tactics.” concludes the report. “However, this campaign marks a significant technical step up over Gamaredon’s previously documented attacks. The definitive transition to a nearly entirely fileless, VBScript-driven “matryoshka” architecture, combined with the heavy abuse of NTFS Alternate Data Streams (ADS), demonstrates a concerted effort to bypass automated sandboxes, complicate forensic artifact recovery, and ultimately exhaust defenders.”


Pierluigi Paganini

(SecurityAffairs – hacking, Russia)
