Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine

Gamaredon has been linked to a WinRAR exploit chain using CVE-2025-8088 to deploy GammaPhish, GammaLoad, GammaWorm, and GammaSteel for espionage, persistence, and data theft. The activity targets Ukraine and uses obfuscation techniques like Telegram-based C2 resolution, NTFS ADS, and malicious LNK files, while other threat clusters and APT28 continue to target Ukrainian entities with separate lure and loader campaigns. #Gamaredon #CVE-2025-8088 #GammaPhish #GammaLoad #GammaWorm #GammaSteel #GammaWipe #UAC-0184 #UAC-0247 #APT28 #PassMarkBurnInTest #PixyNetLoader #COVENANT

Key points

  • Gamaredon is exploiting CVE-2025-8088 in WinRAR to deliver a multi-stage malware chain.
  • GammaPhish launches GammaLoad, which retrieves and runs additional VBScript payloads.
  • GammaWorm maintains persistence with scheduled tasks and spreads through network shares and USB drives.
  • GammaSteel steals files and exfiltrates them to AWS S3 or an attacker-controlled fallback server.
  • Other campaigns, including UAC-0184, UAC-0247, and APT28 activity, continue targeting Ukraine with separate malware delivery methods.

Read More: https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html