The Russian hacking group known as Gamaredon has been attributed to the continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation.
Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an intermediate Visual Basic Script (VBScript) downloaders codenamed GammaLoad. The infection chain was observed by the French cybersecurity company in January 2026.
"Their primary objectives are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), fetch and execute arbitrary VBScript payloads from the C2 servers," Sekoia said.
One of the payloads is a VBScript worm known as GammaWorm that establishes persistence via scheduled tasks and is designed to hide legitimate directories in network shares and USB drives and replace with malicious Windows Shortcut (LNK) files, resulting in the execution of arbitrary code retrieved from a command-and-control (C2) server.
To resolve its C2, GammaWorm initiates a GET request via curl to a hard-coded public Telegram channel. By using legitimate platforms like Telegram, the idea is to blend in with regular traffic, avoid detection, and sustain long-term espionage operations. GammaWorm also relies on NTFS Alternate Data Streams (ADS) technique to conceal its core modules.
Another malware family delivered via GammaLoad is a modular information stealer codenamed GammaSteel that captures files matching certain extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket or an attacker-controlled server as a fallback mechanism.
Sekoia said the infection sequences could be used to distribute other malware families, such as GammaWipe (aka GamaWiper), depending on the threat actor's objectives.
"The exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive," it noted. "In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first."
Gamaredon, a Russian state-sponsored intrusion-set officially linked to the Federal Security Service (FSB), has a history of targeting Ukraine, particularly government, military, and critical infrastructure entities, using spear-phishing emails containing malicious attachments, in this booby-trapped RAR archives.
"This infection chain reveals a resilient, massive, and highly obfuscated modular design," Sekoia said. "Because of its adaptability and the operator's ability to update configurations on the fly, it is highly likely that this architecture will be reused in the future."
The development coincides with UAC-0184's targeting of Ukrainian military-related targets to deliver an executable associated with a legitimate program called PassMark BurnInTest via LNK lures. A second threat activity cluster that has targeted Ukraine is UAC-0247 (previously tracked as UAC-0244), which has singled out drone operators to deploy HTML Application (HTA) droppers through ZIP archives and a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure.
Threat hunters have also charted the evolution of PixyNetLoader, a malware loader attributed to APT28 in connection with campaigns exploiting a Microsoft Office vulnerability (CVE-2026-21509), to extract a COVENANT Grunt implant. According to ExaTrack, the malware family has been detected in the wild since December 2024, with recent iterations discovered as recently as April 15, 2026.
