Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine


What’s new: The Russian hacking group Gamaredon is exploiting a WinRAR vulnerability (CVE-2025-8088) to deliver the GammaWorm and GammaSteel malware families, primarily against targets in Ukraine. The attack chain uses an HTML Application payload, GammaPhish, to deploy a Visual Basic Script downloader, GammaLoad, which in turn installs the malware. GammaWorm establishes persistence and executes arbitrary code; GammaSteel is an information stealer that exfiltrates files to AWS S3 buckets.

Who’s affected

Organizations in Ukraine, particularly government, military, and critical infrastructure entities, are the primary targets of this malware campaign.

What to do

  • Ensure that WinRAR and other software are updated to mitigate known vulnerabilities.
  • Implement network monitoring to detect unusual traffic patterns, especially involving Telegram or other legitimate platforms used for C2 communications.
  • Educate users about the risks of executing unknown files, particularly from USB drives or email attachments.
  • Utilize endpoint protection solutions to detect and block malicious scripts and payloads.
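As an added illustration of the network-monitoring item above (not code from the original report or from any vendor tooling), the following Python script reviews endpoint network events and flags Telegram API traffic and AWS S3 uploads coming from processes outside an allowlist. The allowlisted process names, the upload threshold, and the sample events are constructed assumptions to be replaced with your own environment's baseline.

```python
import json
import re

# Destination patterns for the two legitimate services the report names as
# abused: AWS S3 (GammaSteel exfiltration) and Telegram (C2). Host-only match.
S3_HOST = re.compile(r"(^|\.)s3([.-][a-z0-9-]+)?\.amazonaws\.com$")
TELEGRAM_HOST = re.compile(r"(^|\.)telegram\.org$")

# Assumed, site-specific allowlists: processes that are expected to talk to
# these services in this environment. Anything else is surfaced for review.
S3_ALLOWED_PROCESSES = {"aws.exe", "backup-agent.exe"}
TELEGRAM_ALLOWED_PROCESSES = {"telegram.exe"}
UPLOAD_BYTES_THRESHOLD = 5 * 1024 * 1024  # 5 MiB sent in a single connection

def review_event(event):
    """Return a finding label for one network event, or None if it looks benign."""
    host = event["dest_host"].lower()
    proc = event["process"].lower()
    if TELEGRAM_HOST.search(host) and proc not in TELEGRAM_ALLOWED_PROCESSES:
        return f"telegram-from-unexpected-process:{proc}"
    if S3_HOST.search(host) and proc not in S3_ALLOWED_PROCESSES:
        if event.get("bytes_out", 0) >= UPLOAD_BYTES_THRESHOLD:
            return f"s3-bulk-upload-from-unexpected-process:{proc}"
        return f"s3-from-unexpected-process:{proc}"
    return None

def review_log(lines):
    """Run review_event over JSON-lines events; return (host, process, finding) tuples."""
    findings = []
    for line in lines:
        line = line.strip()
        if not line:
            continue
        event = json.loads(line)
        finding = review_event(event)
        if finding:
            findings.append((event["host"], event["process"], finding))
    return findings

# Constructed sample events for demonstration, not real telemetry.
SAMPLE_LOG = """
{"host":"ws-01","process":"wscript.exe","dest_host":"api.telegram.org","bytes_out":812}
{"host":"ws-01","process":"wscript.exe","dest_host":"example-bucket.s3.eu-central-1.amazonaws.com","bytes_out":9437184}
{"host":"ws-02","process":"telegram.exe","dest_host":"api.telegram.org","bytes_out":2048}
{"host":"srv-03","process":"backup-agent.exe","dest_host":"backups.s3.amazonaws.com","bytes_out":73400320}
{"host":"ws-04","process":"chrome.exe","dest_host":"www.example.com","bytes_out":1200}
"""
```

Running `review_log(SAMPLE_LOG.splitlines())` returns two findings, both for the script host that contacted Telegram and then pushed a multi-megabyte upload to S3.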

Sources