In January 2026, French cybersecurity researchers identified a new intrusion campaign targeting Ukrainian government and military systems. The delivery mechanism was familiar: a spear-phishing email carrying a booby-trapped RAR archive. What was not familiar was the sophistication waiting inside. The campaign exploited CVE-2025-8088, a path traversal vulnerability in WinRAR, to trigger code execution the moment a recipient opened the archive in the Windows Explorer preview pane. No double-click required. No macro prompt. The victim does not even need to extract the archive.
The mechanics are worth understanding precisely. The malicious RAR file contains what appears to be an innocuous document, recorded in the archive under a name such as briefing.pdf:classified.lnk. That colon is the key. It invokes NTFS Alternate Data Streams syntax, and WinRAR's path traversal flaw means the embedded shortcut file is extracted not into the working directory but into the Windows Startup folder. The next time the machine reboots, or the next time the Startup folder is polled, the payload executes. Your user never knows anything is wrong.
WinRAR version 7.13, released on 30 July 2025, patches CVE-2025-8088. A patch that exists is not a patch that is deployed: not yet, and not across the hundreds of millions of machines that still run older versions, because WinRAR has no automatic update mechanism and pushes no notification to users. The precedent here is instructive: CVE-2023-38831, a structurally similar WinRAR path traversal flaw patched in August 2023, was simultaneously exploited by APT28, Sandworm, the Konni Group, and multiple financially motivated actors for months after the fix was publicly available. With over 500 million WinRAR installations globally and no forced update path, n-day vulnerabilities in this software persist in operational environments for a very long time.
The targeting so far is precise, not broad. Sekoia's January 2026 YARA rule for early GammaWorm variants produced roughly a dozen confirmed hits, a number that points firmly toward deliberate, selective deployment rather than a wide spray-and-pray campaign. The confirmed targets are Ukrainian government bodies, military units, and critical infrastructure operators. That selectivity is not reassuring; it reflects operational discipline. Gamaredon is not attempting to infect everything. It is attempting to infect the right things and stay quiet.
That said, the technical components of this campaign, the CVE, the toolchain, the dead-drop resolver infrastructure, are not geographically constrained. Any organisation running an unpatched version of WinRAR and receiving files from external parties sits within the potential blast radius. Security teams in Eastern European NATO members, government ministries across the Middle East and Africa, and financial institutions with Ukrainian counterparty relationships should treat this as directly relevant intelligence, not a distant regional incident.
Gamaredon has been operational since at least 2013. Over twelve years, the group, also tracked under the aliases Primitive Bear, Shuckworm, Armageddon, TEMP.Armageddon, and CARPATHIAN, has directed virtually its entire operational focus at Ukrainian government agencies, military structures, and law enforcement entities. That singular focus is itself a defining characteristic. This is not a group that pivots opportunistically toward financial gain or Western intelligence targets. It exists to bleed Ukraine's state apparatus of documents, credentials, and operational data, continuously and persistently.
In 2021, Ukraine's Security Service, the SSU, took the unusual step of publicly identifying five FSB officers by name as the individuals responsible for Gamaredon operations. That public attribution was a political signal as much as an investigative disclosure, confirming official Russian state sponsorship at the officer level. The FSB link means Gamaredon is not a contractor or a loosely affiliated criminal collective; it is a directed intelligence asset with institutional backing, tasking authority, and, presumably, long-term operational continuity regardless of individual personnel changes.
Twelve years of sustained activity. That is the baseline your threat model should account for.
Russian state-sponsored threat actors are sometimes discussed as though they form a monolithic bloc, but the operational differences between groups matter enormously for how your organisation should prioritise defensive resources. Sandworm, the group behind the NotPetya attack in 2017, is designed to cause destruction: wiping systems, destroying infrastructure, creating cascading failures across supply chains. The NotPetya incident cost an estimated ten billion US dollars in global damages and disrupted shipping giant Maersk, pharmaceutical company Merck, and dozens of other organisations that were not even the primary targets. Sandworm's value to the Russian state is in its capacity for large-scale disruption.
APT29, sometimes called Cozy Bear and linked to the SVR rather than the FSB, operates at the opposite end of the spectrum in terms of target selection. Its operations focus on Western governments, diplomatic communications, and intelligence services, the 2020 SolarWinds supply chain compromise being the most consequential publicly attributed example. APT29 prioritises deep access and long dwell times inside high-value Western networks.
Gamaredon sits in a different operational category entirely. Its purpose is persistent, low-noise espionage specifically against Ukrainian state systems. Where Sandworm destroys and APT29 penetrates globally, Gamaredon collects, steadily, patiently, over years. That makes it harder to detect through the tripwires designed to catch destructive activity, and it means the damage accumulates quietly in stolen documents and harvested credentials rather than announcing itself through visible system failures. For defenders, low-and-slow collection campaigns are frequently more damaging in the long run than the dramatic incidents that generate headlines.
The entry point is a spear-phishing email with a RAR archive attached. The social engineering varies by target (military briefings, government procurement documents, official correspondence), but the technical mechanism is consistent. CVE-2025-8088 is a path traversal vulnerability in WinRAR's archive extraction handling. When the victim previews or opens the archive, WinRAR processes a file whose embedded ADS notation causes it to be written outside the intended extraction directory. Specifically, as Security Affairs documents, the archive contains an entry structured so that the ADS suffix resolves to a path pointing directly into the Windows Startup folder. The malicious shortcut file arrives silently in a location that guarantees execution at the next system start.
This technique requires no administrative privileges at the point of delivery. It requires no user interaction beyond opening an email attachment in a preview pane. Organisations that have trained staff to avoid clicking suspicious links have not addressed this vector, because the trigger here is file preview, not an active user decision to execute something.
Once execution occurs via the Startup folder shortcut, the first payload is GammaPhish, an HTA (HTML Application) file that performs initial host fingerprinting. GammaPhish collects system information and establishes initial contact with the attacker's command-and-control infrastructure, updating C2 configuration data directly into the Windows registry using the Dead Drop Resolver mechanism described in the next section. From there, GammaLoad takes over, a VBScript-based downloader that retrieves and executes arbitrary VBScript payloads from the C2 servers.
Put that in context. At this stage, the attacker has a foothold and remote code execution capability. GammaLoad is not yet the destructive or collection component; it is the logistics layer, the mechanism that allows the operator to push whatever tooling is required for the specific target. This modularity is deliberate. By separating the delivery stage from the collection stage, Gamaredon limits the forensic value of any single captured component. Analysing GammaLoad in isolation tells you very little about what was ultimately deployed on a specific victim.
GammaWorm is the persistence and propagation engine, and its scale is the first thing that should register. The worm runs to over 20,000 lines of VBScript code, the vast majority of which is junk code, padding specifically designed to exhaust human analysts and defeat automated static analysis tools that rely on pattern density or code brevity to prioritise samples. This is not accidental complexity. It is calculated obfuscation at scale.
Persistence is established through three scheduled tasks, each given a legitimate Windows service name: DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry. These names are chosen specifically because they appear in standard Windows task schedulers and are likely to be dismissed as system noise by analysts who are not looking closely. The tasks execute different modules hidden inside NTFS Alternate Data Streams at intervals of seven to ten minutes, maintaining a constant operational tempo without triggering anomalous process creation alerts that a single, continuous process might generate.
GammaWorm propagates. It scans for connected USB drives and network shares, hides the legitimate directory structure on those shares, and replaces visible folders with malicious Windows shortcut files (.lnk files) that execute the worm when clicked. Anyone who accesses a network share or inserts a USB drive that has touched an infected machine becomes the next potential host. In a government or military environment where shared drives are standard operating practice, this propagation vector is genuinely dangerous.
GammaSteel is the collection payload: a modular information stealer that targets document files, credential stores, and sensitive government data. Once deployed by GammaLoad, it identifies files matching specific extensions and exfiltrates them to an AWS S3 bucket, with a fallback to a secondary C2 server if the primary exfiltration path is unavailable. Using AWS S3 as an exfiltration destination is a deliberate operational choice: traffic to Amazon's infrastructure is broadly trusted by enterprise firewalls, and distinguishing legitimate S3 traffic from malicious exfiltration requires deep packet inspection and egress monitoring that many organisations have not deployed.
The targeting is not indiscriminate bulk collection. GammaSteel is built to extract the specific file types that contain operational value: documents, credentials, and data that can inform further targeting or provide direct intelligence value to the FSB. This is the endpoint of a carefully engineered chain, and by the time GammaSteel is executing, the attacker has already achieved persistence, propagation capability, and reliable C2 communication.
NTFS Alternate Data Streams are a feature of the Windows file system that allows multiple data streams to be attached to a single file. The primary stream is what you see in Windows Explorer, the file size, the icon, the name. Additional streams are attached invisibly to the same file system entry and do not appear in standard directory listings or file property views. They were originally designed for compatibility with the HFS file system used on older Macintosh systems, but they persist in every version of NTFS to this day.
Gamaredon uses ADS at two distinct points in this campaign. First, during initial delivery via CVE-2025-8088, the malicious RAR archive uses ADS notation in the archive file path to route the extracted shortcut into the Windows Startup folder rather than the expected extraction directory. Second, GammaWorm stores its modular components inside the alternate data streams of legitimate system files on the target machine. The worm's scheduled tasks then call those hidden streams directly, executing malicious code that has no visible footprint in the file system from the perspective of standard security tooling.
Three is the number that deserves attention. GammaWorm maintains three separate scheduled tasks, each executing a different ADS-resident module at seven-to-ten-minute intervals. From the perspective of a standard endpoint detection tool that monitors file creation, file modification, and process execution without inspecting ADS, none of those executions produce a visible artefact. The files being executed do not appear to exist. The malicious code is embedded inside files that look legitimate, in streams that standard file enumeration does not display.
Effective detection requires tools that explicitly enumerate NTFS ADS across monitored directories, scheduled task inspection that captures the full execution path including stream references, and behavioural monitoring of the three specific task names Gamaredon has used. Reviewing your indicators of compromise lists against these task names, DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry, is a basic starting point, but it is not sufficient on its own if your endpoint tooling cannot see inside ADS-resident payloads.
Traditional command-and-control detection relies on identifying and blocking attacker-controlled infrastructure: registering the domain, pulling the IP address, and adding both to blocklists. Gamaredon has systematically constructed a C2 architecture designed to make that approach ineffective. The mechanism is called a Dead Drop Resolver, and the current implementation is as clean an evasion as you will find in active campaigns.
When GammaWorm needs to retrieve updated instructions or post victim telemetry, it executes a curl request to a hardcoded public Telegram channel. It then parses the HTML response of that public page to extract an obfuscated IP address embedded in the channel's content. The victim machine's fingerprint data is returned to the attacker inside randomised HTTP headers, specifically in the User-Agent string, traffic that blends into the background noise of normal web browsing at the packet level.
The C2 resolution chain does not stop at Telegram. Security Affairs documents that the infrastructure rotates through graph.org, Cloudflare Workers, Teletype, Telegra.ph, and Telegram, all legitimate, widely trusted public services that almost no organisation blocks at the network perimeter. HTTP 200 responses from these services trigger VBScript execution on the victim; HTTP 404 responses signal a configuration update is required. The protocol is elegant in its simplicity and deeply problematic for network-based detection.
Blocking this C2 without blocking Telegram, Cloudflare Workers, and graph.org entirely is not a realistic option for most organisations. The defensive implication is that network-layer controls are insufficient here, and detection needs to shift to host-level behavioural signals: curl processes spawned by scheduled tasks with unusual parent-child relationships, User-Agent strings that contain structured data inconsistent with normal browser traffic, and VBScript execution triggered immediately following outbound connections to public content platforms.
Your organisation's network monitoring almost certainly generates alerts for outbound connections to known malicious IP addresses. It almost certainly does not generate alerts for curl requests made by a VBScript process to a public Telegram channel. That gap is exactly what this infrastructure is designed to exploit. Reviewing your attack surface in terms of which legitimate services your endpoints are permitted to contact programmatically, rather than through a browser, is a concrete, actionable step your team can take immediately.
The confirmed victim set is Ukrainian government and military entities, and that specificity matters. Gamaredon is not a financially motivated actor scattering malware across every reachable system. However, the technical components of this campaign create risk profiles that extend well beyond Ukraine's borders, and security managers who dismiss this as a regional conflict issue are making a category error.
Any organisation that runs an unpatched version of WinRAR, below version 7.13, and receives external email attachments is technically vulnerable to CVE-2025-8088. That describes a very large number of enterprises, government ministries, and financial institutions globally. WinRAR's lack of automatic updates means patching requires active asset management: you need to know which endpoints have WinRAR installed, what version they are running, and whether your deployment tooling can push the update. Many organisations cannot answer all three of those questions quickly.
Government ministries, defence contractors, and intelligence-adjacent organisations in Eastern European NATO member states are at elevated risk simply by virtue of their proximity to the conflict and their potential value as secondary targets for intelligence collection. Organisations with Ukrainian subsidiary operations, joint ventures, or data-sharing arrangements are also worth examining: a compromised counterparty using shared network infrastructure is a lateral movement risk, not just a geopolitical curiosity.
Financial institutions in the MEA region that maintain correspondent banking relationships with Ukrainian entities, or that employ staff with access to Ukrainian government counterparts, should ensure that credential leak monitoring is active and current. GammaSteel targets credential stores specifically, and credentials harvested from one compromised entity are routinely used to probe connected organisations in subsequent campaigns. The credential exfiltration at Stage 4 of this chain is not an endpoint; it is raw material for the next operation.
Organisations with significant USB drive usage in operational environments (manufacturing, utilities, field operations) face a specific additional risk from GammaWorm's propagation behaviour. A single infected laptop brought into a facility and connected to a local network or used to transfer files via USB can seed an entire operational environment with the worm. The scheduled task persistence mechanism means the infection survives reboots and, absent active remediation, will continue propagating indefinitely.
The most immediate action is version verification across your WinRAR estate. WinRAR 7.13, released 30 July 2025, is the patched version for CVE-2025-8088. Your asset management tooling should be able to generate a list of endpoints with WinRAR installed and their current versions within hours. If it cannot, that is itself a finding that needs addressing before you can close this specific risk. Priority should go to endpoints used by staff who receive external email attachments: executive assistants, procurement teams, legal staff, and anyone who regularly handles inbound documents from external parties.
On the detection side, the three scheduled task names used by GammaWorm, DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry, should be added to your SIEM detection rules immediately, with alerting on any instance where these tasks execute command lines that reference NTFS ADS paths or call VBScript interpreters. These names are chosen to blend in, so the detection logic needs to go beyond name matching and look at the execution context: what process created the task, what the full command line resolves to, and whether ADS syntax is present in the task action.
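The task-inspection logic described here (and the ADS-aware scheduled task review called for earlier, in the section on why ADS matters) as an added Python example; it is not code from the original article. The task records are constructed to resemble `schtasks /query /fo CSV /v` rows, and the two \Microsoft\ entries are modelled on stock Windows tasks, not copied from a real host.

```python
import re

# Task names the article attributes to GammaWorm; they collide with stock
# Windows task names, so the name alone is only a precondition for an alert.
WATCHED_TASK_NAMES = {"DiskDiagnosticDataCollector", "SilentCleanup", "SmartRetry"}
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe", "cmd.exe")
# "name.ext:stream" after a file name; a bare drive letter ("C:") has no dot
# before the colon and therefore does not match.
ADS_RE = re.compile(r"[\w.\-]+\.[A-Za-z0-9]{1,5}:[\w.\-]+")

# Constructed records (hypothetical hosts, hypothetical malicious registrations).
SAMPLE_TASKS = [
    {"TaskName": "\\Microsoft\\Windows\\DiskDiagnostic\\Microsoft-Windows-DiskDiagnosticDataCollector",
     "Action": "%windir%\\system32\\rundll32.exe dfdts.dll,DfdGetDefaultPolicyAndSMART",
     "Author": "Microsoft Corporation"},
    {"TaskName": "\\SilentCleanup",
     "Action": "wscript.exe //B C:\\Users\\victim\\AppData\\Local\\Temp\\readme.txt:svc.vbs",
     "Author": "VICTIM-PC\\victim"},
    {"TaskName": "\\SmartRetry",
     "Action": "cmd.exe /c start \"\" mshta.exe C:\\ProgramData\\cache.dat:upd.hta",
     "Author": "VICTIM-PC\\victim"},
    {"TaskName": "\\Microsoft\\Windows\\DiskCleanup\\SilentCleanup",
     "Action": "%windir%\\system32\\cleanmgr.exe /autoclean",
     "Author": "Microsoft Corporation"},
]


def evaluate_task(task):
    """Return (severity, reasons); severity is None when nothing fires."""
    name = task["TaskName"]
    leaf = name.rsplit("\\", 1)[-1].lower()
    action = task["Action"]
    reasons = []

    name_hit = any(w.lower() in leaf for w in WATCHED_TASK_NAMES)
    ads = ADS_RE.search(action)
    hosts = [h for h in SCRIPT_HOSTS if h in action.lower()]

    if ads:
        reasons.append("ADS path in task action: " + ads.group(0))
    if hosts:
        reasons.append("script host in task action: " + ", ".join(hosts))
    if name_hit and not name.lower().startswith("\\microsoft\\"):
        reasons.append("watched task name registered outside the \\Microsoft\\ tree")
    if name_hit and task.get("Author", "").lower() != "microsoft corporation":
        reasons.append("watched task name with non-Microsoft author: " + task["Author"])

    # Name match plus execution context (ADS reference or a script host) is
    # the alert condition; an ADS reference in any other task still merits review.
    if name_hit and (ads or hosts):
        return "high", reasons
    if ads:
        return "medium", reasons
    return None, reasons


def alerts(tasks):
    """Tasks that fire, as (task, severity, reasons) tuples, for SIEM hand-off."""
    out = []
    for t in tasks:
        sev, why = evaluate_task(t)
        if sev:
            out.append((t, sev, why))
    return out


if __name__ == "__main__":
    for t, sev, why in alerts(SAMPLE_TASKS):
        print(f"[{sev}] {t['TaskName']}: " + "; ".join(why))
```

The stock Microsoft tasks that share these names pass through with no alert, because neither their path nor their action carries ADS syntax or a script host.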
NTFS ADS enumeration is not a standard capability in all endpoint detection tooling. Confirm with your EDR vendor whether your current deployment monitors ADS writes and reads in real time. If it does not, manual ADS enumeration using the Windows built-in command dir /r across high-value directories, or purpose-built forensic tools, should be added to your incident response playbooks immediately.
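For the manual enumeration step in an incident response playbook, an added Python example (not from the article) that parses the text output of dir /r and flags streams that look like payloads. The listing below is constructed for illustration; the Zone.Identifier stream is treated as benign because browsers write it to every download.

```python
import re

# Constructed `dir /r` output for one directory (not captured from a real host).
SAMPLE_DIR_R = """\
 Volume in drive C has no label.
 Volume Serial Number is 1A2B-3C4D

 Directory of C:\\ProgramData

01/12/2026  09:41 AM    <DIR>          .
01/12/2026  09:41 AM    <DIR>          ..
01/14/2026  03:17 PM               512 cache.dat
                                20,480 cache.dat:upd.hta:$DATA
01/14/2026  03:17 PM             1,024 readme.txt
                                 4,096 readme.txt:Zone.Identifier:$DATA
                                93,184 readme.txt:svc.vbs:$DATA
               2 File(s)          1,536 bytes
"""

DIR_RE = re.compile(r"^\s*Directory of (.+?)\s*$")
# Stream rows carry no timestamp: leading whitespace, a size, then file:stream:$DATA.
STREAM_RE = re.compile(r"^\s+([\d,]+)\s+(.+?):([^:]+):\$DATA\s*$")
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".hta", ".ps1", ".lnk",
              ".exe", ".dll", ".bat", ".cmd")
BENIGN_STREAMS = {"zone.identifier"}   # mark-of-the-web; noise for this purpose


def parse_streams(text):
    """Return (full_path, stream_name, size_bytes) for every ADS row in dir /r output."""
    current_dir = ""
    out = []
    for line in text.splitlines():
        m = DIR_RE.match(line)
        if m:
            current_dir = m.group(1)
            continue
        m = STREAM_RE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            out.append((current_dir + "\\" + m.group(2), m.group(3), size))
    return out


def suspicious_streams(text, min_bytes=8192):
    """ADS rows named like a script or executable, or large enough to hold a payload."""
    hits = []
    for path, stream, size in parse_streams(text):
        if stream.lower() in BENIGN_STREAMS:
            continue
        scripty = stream.lower().endswith(SCRIPT_EXT)
        if scripty or size >= min_bytes:
            hits.append((path, stream, size, "script-named" if scripty else "large"))
    return hits


if __name__ == "__main__":
    for path, stream, size, why in suspicious_streams(SAMPLE_DIR_R):
        print(f"{path}:{stream}  {size} bytes  ({why})")
```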
For network monitoring, build detection rules around VBScript and HTA processes making outbound connections to Telegram, graph.org, Telegra.ph, and Cloudflare Workers domains, particularly where the User-Agent string contains structured or encoded data inconsistent with standard browser patterns. The curl-to-Telegram C2 mechanism is unusual enough to be detectable if your network monitoring baseline includes process-level attribution of outbound HTTP requests.
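The host-level rule sketched here and in the earlier dead-drop discussion (script or curl process, dead-drop destination, structured data in the User-Agent), as an added Python example run over constructed proxy-plus-process events; it is not from the article. Assumptions: t.me hosts Telegram's public channel views, *.workers.dev is the Cloudflare Workers default domain, teletype.in serves Teletype, and svchost.exe is the parent of Task Scheduler launches; the User-Agent strings are illustrative, not the malware's real format.

```python
import re
from urllib.parse import urlsplit

# Public platforms the article lists in the dead-drop resolver chain.
DEAD_DROP_HOSTS = ("t.me", "telegram.org", "graph.org", "telegra.ph",
                   "teletype.in", "workers.dev")
NON_BROWSER_CLIENTS = ("curl.exe", "wscript.exe", "cscript.exe", "mshta.exe")
# svchost.exe as parent = launched by the Task Scheduler service (assumption).
SCRIPTED_PARENTS = ("wscript.exe", "cscript.exe", "mshta.exe", "svchost.exe")
BLOB_RE = re.compile(r"[A-Za-z0-9+/=]{24,}")      # long opaque token
KV_RE = re.compile(r"\b\w+=[^;\s]+")              # key=value fields

# Constructed events: one proxy log line joined to process telemetry.
SAMPLE_EVENTS = [
    {"image": "chrome.exe", "parent": "explorer.exe",
     "url": "https://t.me/s/somechannel",
     "ua": "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 "
           "(KHTML, like Gecko) Chrome/120.0 Safari/537.36"},
    {"image": "curl.exe", "parent": "wscript.exe",
     "url": "https://t.me/s/weatherupdates",
     "ua": "Mozilla/5.0 (Windows NT 10.0) VICTIM-PC;"
           "3F2A9C1E7B4D5E6F7A8B9C0D1E2F3A4B;1.0.0"},
    {"image": "wscript.exe", "parent": "svchost.exe",
     "url": "https://example.workers.dev/cfg",
     "ua": "Mozilla/5.0 host=VICTIM-PC;user=victim;ver=1.0.0"},
    {"image": "curl.exe", "parent": "powershell.exe",
     "url": "https://api.github.com/repos/x/y", "ua": "curl/8.4.0"},
]


def is_dead_drop(host):
    """Exact match or subdomain of a listed platform; no substring matching."""
    host = host.lower()
    return any(host == d or host.endswith("." + d) for d in DEAD_DROP_HOSTS)


def ua_anomalies(ua):
    """Structured data that a browser User-Agent would not carry."""
    found = []
    if BLOB_RE.search(ua):
        found.append("opaque token in User-Agent")
    if len(KV_RE.findall(ua)) >= 2:
        found.append("key=value fields in User-Agent")
    return found


def evaluate_event(event):
    """Return (severity, reasons); severity None means no alert."""
    host = urlsplit(event["url"]).hostname or ""
    if not is_dead_drop(host):
        return None, []
    reasons = []
    image, parent = event["image"].lower(), event["parent"].lower()
    if image in NON_BROWSER_CLIENTS:
        reasons.append(f"{image} contacting {host}")
    if parent in SCRIPTED_PARENTS:
        reasons.append(f"spawned by {parent}")
    reasons += ua_anomalies(event["ua"])
    # A non-browser client alone is worth a look; with a scripted parent or a
    # structured User-Agent it matches the resolver pattern described above.
    if image in NON_BROWSER_CLIENTS and len(reasons) > 1:
        return "high", reasons
    if reasons:
        return "medium", reasons
    return None, []


if __name__ == "__main__":
    for e in SAMPLE_EVENTS:
        sev, why = evaluate_event(e)
        if sev:
            print(f"[{sev}] {e['image']} -> {e['url']}: " + "; ".join(why))
```

A browser visiting the same Telegram page produces no alert, which is the point: the rule keys on process lineage and header structure rather than on the destination alone.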
USB controls deserve specific attention if your environment has GammaWorm propagation risk. Reviewing group policy settings to restrict autorun behaviour, implementing USB device control policies that allow only approved devices, and ensuring that endpoint monitoring covers writes to removable media are all relevant controls. Educating staff that a shared USB drive from a colleague in a different office could carry an infection that has no visible symptoms is a communication that your security awareness programme should send now, referencing this specific campaign.
Finally, review your email filtering configuration for RAR archive attachments from external senders. Blocking all compressed archives at the perimeter is operationally impractical for most organisations, but filtering on password-protected or structurally unusual archives, combined with sandboxed detonation of inbound RAR files before delivery, reduces the exposure window significantly.
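One concrete meaning of "structurally unusual archives", tying the filtering step here to the ADS-plus-traversal mechanism described in the delivery section: an added Python example (not from the article, and not a RAR parser) that triages archive entry names as a mail gateway or sandbox could. The entry names are constructed; the traversal-shaped entry is a hypothetical illustration of the pattern the article describes, not a string from a real sample; EXTRACT_DIR is an assumed extraction location.

```python
import ntpath

EXTRACT_DIR = "C:\\Users\\victim\\Downloads\\archive"     # assumed extraction target
STARTUP_MARKER = "\\start menu\\programs\\startup\\"
PAYLOAD_EXT = (".lnk", ".vbs", ".vbe", ".hta", ".js", ".exe", ".cmd", ".bat", ".ps1")

# Constructed entry names, as an archive listing might show them.
SAMPLE_ENTRIES = [
    "briefing.pdf",
    "docs\\notes.txt",
    "briefing.pdf:classified.lnk",
    "report.docx:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "..\\..\\evil.exe",
    "C:\\Windows\\Temp\\drop.vbs",
]


def split_ads(name):
    """Return (base, stream); stream is '' when the name carries no ADS suffix.
    A colon at index 1 is a drive letter (C:\\...), not a stream separator."""
    idx = name.find(":")
    if idx > 1:
        return name[:idx], name[idx + 1:]
    return name, ""


def where_written(name, extract_dir=EXTRACT_DIR):
    """Simplified model of a vulnerable extractor: a stream name containing path
    separators is treated as a relative path (the traversal the article describes);
    otherwise the entry lands under the extraction directory."""
    base, stream = split_ads(name)
    if stream and ("\\" in stream or "/" in stream):
        return ntpath.normpath(ntpath.join(extract_dir, stream))
    if ntpath.isabs(name):
        return ntpath.normpath(name)
    return ntpath.normpath(ntpath.join(extract_dir, name))


def inspect_entry(name, extract_dir=EXTRACT_DIR):
    """Flags a reviewer or mail gateway would want on one archive entry name."""
    flags = []
    base, stream = split_ads(name)
    parts = name.replace("/", "\\").split("\\")
    if stream:
        flags.append("ads-notation")
    if ".." in parts:
        flags.append("parent-traversal")
    if ntpath.isabs(name):
        flags.append("absolute-path")
    dest = where_written(name, extract_dir)
    root = ntpath.normpath(extract_dir).lower() + "\\"
    if not dest.lower().startswith(root):
        flags.append("escapes-extract-dir")
    if STARTUP_MARKER in dest.lower() + "\\":
        flags.append("startup-folder")
    if dest.lower().endswith(PAYLOAD_EXT):
        flags.append("executable-payload")
    return flags


def triage(entries):
    """Map each flagged entry name to its flags; clean entries are omitted."""
    return {e: inspect_entry(e) for e in entries if inspect_entry(e)}


if __name__ == "__main__":
    for entry, flags in triage(SAMPLE_ENTRIES).items():
        print(f"{entry!r}: {', '.join(flags)}")
```

Any entry carrying ads-notation, parent-traversal, or escapes-extract-dir is a reasonable trigger for quarantine or detonation; a plain briefing.pdf:classified.lnk fires on the ADS syntax alone, before any path is resolved.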
Does CVE-2025-8088 affect WinZip or 7-Zip? No. CVE-2025-8088 is specific to WinRAR's archive extraction handling. WinZip and 7-Zip have separate codebases and are not affected by this particular path traversal vulnerability. If your organisation is standardised on 7-Zip or WinZip for archive handling, you are not exposed to this specific CVE, though both tools have their own vulnerability histories and should be kept current independently.
Is the campaign limited to Windows systems? Yes, based on current reporting. The entire toolchain, GammaPhish as an HTA payload, GammaLoad as VBScript, GammaWorm using NTFS ADS and Windows scheduled tasks, and the LNK shortcut propagation mechanism, is Windows-specific. macOS and Linux endpoints are not affected by this particular chain, though they may still receive the phishing emails that initiate it.
If we have no direct connection to Ukraine, are we at risk? The confirmed targeted victims are Ukrainian entities, but the technical vulnerability at the entry point, CVE-2025-8088 in unpatched WinRAR, is not geographically bounded. Any organisation running a vulnerable WinRAR version and receiving external email attachments has the technical exposure. Whether Gamaredon would choose to target your organisation specifically depends on its intelligence tasking and your organisation's perceived value, but waiting for confirmation of active targeting before patching is not sound risk management.
Can standard antivirus catch GammaWorm? Signature-based antivirus faces two specific challenges with GammaWorm: the 20,000-plus lines of junk code designed to frustrate static analysis, and the ADS-based storage that means the active payload does not appear as a conventional file. Behavioural detection rules and EDR tooling with ADS visibility are meaningfully more effective than signature scanning alone for this malware family.
What should we do if we find the suspicious scheduled task names on an endpoint? Isolate the endpoint from the network immediately before attempting any remediation. GammaWorm's propagation via network shares means that a connected, infected machine will continue seeding the environment during any investigation. Preserve a forensic image before remediation, enumerate all NTFS ADS on the system, and review outbound connection logs for any curl-initiated traffic to Telegram or related platforms in the preceding weeks. Engage your incident response team or a qualified third party before attempting manual removal.
Defendis surfaces indicators of compromise in formats that integrate directly with your SIEM, removing the manual translation step that creates latency between intelligence receipt and defensive action. For organisations in sectors that overlap with Gamaredon's targeting history, government, defence, critical infrastructure, financial services with Eastern European exposure, that latency reduction is operationally significant.
Defendis also provides credential leak monitoring specifically relevant to the GammaSteel exfiltration risk. If credentials belonging to your organisation's domains appear in data sets associated with Gamaredon-linked infrastructure, your team is notified before those credentials are used in secondary operations against your environment or your counterparties. In a campaign designed around persistent, quiet collection, early warning of credential exposure is frequently the only window available for intervention before the attacker moves laterally.
The Gamaredon group has operated for twelve years without meaningful disruption to its core mission. The January 2026 campaign is not an anomaly; it is the latest iteration of a sustained programme, now equipped with a current-cycle WinRAR zero-day, a worm purpose-built to evade the tools most organisations have deployed, and exfiltration infrastructure that abuses services you almost certainly trust. The question for your team is not whether this threat is real. It is whether your current detection and response capability would catch it before GammaSteel finishes its work.