Ethical Hacking News
Gamaredon's WinRAR Exploitation: A Complex Web of Malware Delivery and Evasion
In a recent development that has sent shockwaves throughout the cybersecurity community, it has been revealed that the Russian hacking group Gamaredon has successfully exploited a vulnerability in WinRAR to deliver multiple malware families aimed at data theft and propagation. This exploitation is a prime example of how sophisticated and adaptable threat actors can be when it comes to exploiting vulnerabilities in widely used software.
Gamaredon exploits a vulnerability in WinRAR to deliver malware families aimed at data theft and propagation. The attack involves the use of GammaPhish, GammaLoad, GammaWorm, and GammaSteel payloads. The primary objectives of Gamaredon's attack are to fingerprint the host system and exfiltrate sensitive files. The malware families can be used to distribute other malware depending on the threat actor's objectives.
According to French cybersecurity company Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish. This payload is then used to retrieve an intermediate Visual Basic Script (VBScript) downloader codenamed GammaLoad. The infection chain was observed by Sekoia in January 2026.
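The root cause named above, an archive entry whose path escapes the extraction directory, is a class of defect that can be checked for before any file is written. The following is an added illustration of that pre-extraction check; it is not WinRAR code, makes no claim about WinRAR's parser, and uses a ZIP archive constructed in memory with Python's zipfile module as a stand-in for the RAR format. The member names in the sample archive are constructed.

```python
"""Pre-extraction audit of archive member names (added example).

Flags names that could land outside the extraction root (relative
traversal, absolute paths, drive letters) or that carry an NTFS
alternate-data-stream suffix. The sample archive is constructed here;
nothing in this file is taken from WinRAR or from the reporting above.
"""
import io
import posixpath
import zipfile


def is_unsafe_entry(name: str) -> bool:
    """Return True if extracting `name` could escape the target directory
    or write to an NTFS alternate data stream."""
    # Windows extractors accept either separator; normalise to '/'.
    norm = name.replace("\\", "/")
    # Absolute path or drive letter ('C:/...') escapes the root outright.
    if norm.startswith("/") or (len(norm) > 1 and norm[1] == ":"):
        return True
    # Any other ':' denotes an ADS on NTFS (file.txt:stream).
    if ":" in norm:
        return True
    # Collapse '.' and '..' segments; anything still climbing upward is unsafe.
    collapsed = posixpath.normpath(norm)
    return collapsed == ".." or collapsed.startswith("../")


def audit_archive(data: bytes) -> list[str]:
    """Return the names of every member that fails is_unsafe_entry()."""
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        return [i.filename for i in zf.infolist() if is_unsafe_entry(i.filename)]


def build_sample() -> bytes:
    """Constructed archive: one benign member plus traversal, absolute-path
    and ADS-style names. zipfile writes member names verbatim, which is
    exactly what a malicious archive relies on."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/invoice.pdf", b"benign")
        zf.writestr("../../escaped.txt", b"x")
        zf.writestr("report/../../../escaped2.txt", b"x")
        zf.writestr("C:/Windows/Temp/dropped.hta", b"x")
        zf.writestr("notes.txt:hidden", b"x")
    return buf.getvalue()


if __name__ == "__main__":
    for bad in audit_archive(build_sample()):
        print("refusing to extract:", bad)
```

The check runs on the member name alone, so it is format-independent: the same function can gate a RAR, 7z or tar listing once the names are read. Refusing the whole archive on the first bad name is the safer policy; extracting the "good" members of a crafted archive still hands the user the lure.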
The primary objectives of Gamaredon's attack are to fingerprint the host system, update the network configuration in the registry using dead drop resolvers (DDRs), and fetch and execute arbitrary VBScript payloads from the C2 servers. To achieve this, the group uses a modular design that allows for adaptability and flexibility. The infection sequences could be used to distribute other malware families, such as GammaWipe (aka GamaWiper), depending on the threat actor's objectives.
One of the payloads is a VBScript worm known as GammaWorm that establishes persistence via scheduled tasks and is designed to hide legitimate directories in network shares and USB drives. This makes it difficult for users to detect and remove the malware. To resolve its C2, GammaWorm initiates a GET request via curl to a hard-coded public Telegram channel. By using legitimate platforms like Telegram, the idea is to blend in with regular traffic, avoid detection, and sustain long-term espionage operations.
GammaWorm also relies on the NTFS Alternate Data Streams (ADS) technique to conceal its core modules, which makes the malware harder for security professionals to detect and analyze. Another malware family delivered via GammaLoad is a modular information stealer codenamed GammaSteel, which captures files matching certain extensions and exfiltrates them to an Amazon Web Services (AWS) S3 bucket, falling back to an attacker-controlled server.
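Two of the GammaWorm behaviours described in the preceding paragraphs leave ordinary process-creation evidence: a script host launching curl against a public Telegram channel to resolve C2, and a script host creating a scheduled task for persistence. The following added example (not Sekoia's detection logic, and not tied to any specific product's event schema) triages such records. The log format is a constructed, tab-separated stand-in for the parent, image and command-line fields of a process-creation event; the timestamps, channel name and paths are constructed, and the Telegram host list is an assumption.

```python
"""Heuristic triage of process-creation records (added example).

Looks for the two GammaWorm behaviours reported above: a script host
calling curl against a Telegram host, and a script host creating a
scheduled task. The log lines, field names and hosts are constructed
for this example and are not indicators from the reporting.
"""
import re
from typing import Optional
from urllib.parse import urlparse

# Assumption: hosts that serve public Telegram channel pages.
TELEGRAM_HOSTS = {"t.me", "telegram.me", "telegram.org"}
# Windows script hosts that GammaLoad-style VBScript would run under.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

# Constructed sample: <timestamp>\tparent=...\timage=...\tcmd=...
SAMPLE_LOG = """\
2026-01-14T09:12:03Z\tparent=explorer.exe\timage=winword.exe\tcmd="WINWORD.EXE" /n report.docx
2026-01-14T09:12:41Z\tparent=wscript.exe\timage=curl.exe\tcmd=curl -s https://t.me/s/EXAMPLE_CHANNEL
2026-01-14T09:12:42Z\tparent=wscript.exe\timage=schtasks.exe\tcmd=schtasks /Create /TN Updater /TR "wscript.exe C:\\Users\\Public\\x.vbs"
2026-01-14T09:13:05Z\tparent=cmd.exe\timage=curl.exe\tcmd=curl -s https://example.com/health
"""


def parse_record(line: str) -> dict:
    """Split one tab-separated record into a dict; first field is the timestamp."""
    ts, *fields = line.split("\t")
    rec = {"ts": ts}
    for field in fields:
        key, _, value = field.partition("=")
        rec[key] = value
    return rec


def urls_in(cmd: str) -> list[str]:
    """Extract every http(s) URL from a command line."""
    return re.findall(r"https?://\S+", cmd)


def classify(rec: dict) -> Optional[str]:
    """Return a reason string if the record matches a GammaWorm-style pattern."""
    image = rec.get("image", "").lower()
    parent = rec.get("parent", "").lower()
    cmd = rec.get("cmd", "")
    from_script = parent in SCRIPT_HOSTS

    if image == "curl.exe":
        hosts = {urlparse(u).hostname for u in urls_in(cmd)}
        if hosts & TELEGRAM_HOSTS:
            # Telegram from a script host is the high-confidence case;
            # curl to Telegram on its own is still worth a look.
            return ("script host invoked curl against a Telegram host"
                    if from_script else "curl request to a Telegram host")

    if image == "schtasks.exe" and "/create" in cmd.lower() and from_script:
        return "script host created a scheduled task"

    return None


def triage(log_text: str) -> list[tuple[str, str]]:
    """Return (timestamp, reason) for every record that classify() flags."""
    hits = []
    for line in log_text.splitlines():
        if not line.strip():
            continue
        rec = parse_record(line)
        reason = classify(rec)
        if reason:
            hits.append((rec["ts"], reason))
    return hits


if __name__ == "__main__":
    for ts, reason in triage(SAMPLE_LOG):
        print(ts, reason)
```

The parent-process condition is what separates these two rules from noise: curl and schtasks are both legitimate tools, but neither is normally a child of wscript.exe or mshta.exe in a user session. The ADS concealment mentioned above is not visible in process-creation data and needs a file-system check (enumerating alternate streams) instead.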
The development coincides with UAC-0184's targeting of Ukrainian military-related targets to deliver an executable associated with a legitimate program called PassMark BurnInTest via LNK lures. A second threat activity cluster that has targeted Ukraine is UAC-0247 (previously tracked as UAC-0244), which has singled out drone operators to deploy HTML Application (HTA) droppers through ZIP archives and a backdoor capable of establishing a reverse shell to attacker-controlled infrastructure.
Threat hunters have also charted the evolution of PixyNetLoader, a malware loader attributed to APT28 in connection with campaigns exploiting a Microsoft Office vulnerability (CVE-2026-21509), to extract a COVENANT Grunt implant. According to ExaTrack, the malware family has been detected in the wild since December 2024, with recent iterations discovered as recently as April 15, 2026.
In light of this development, cybersecurity professionals and organizations are advised to take immediate action to protect themselves against this complex web of malware delivery and evasion. This includes implementing robust security measures such as patching vulnerabilities, using legitimate software updates, and conducting regular security audits to identify and mitigate potential threats.
Summary:
Gamaredon has successfully exploited a vulnerability in WinRAR to deliver multiple malware families aimed at data theft and propagation. The attack involves the use of GammaPhish, GammaLoad, GammaWorm, and GammaSteel, which are designed to fingerprint the host system, update network configurations, and exfiltrate sensitive files. This highlights the importance of keeping software up-to-date and implementing robust security measures to prevent such complex attacks.
Related Information:
https://www.ethicalhackingnews.com/articles/Gamaredons-WinRAR-Exploitation-A-Complex-Web-of-Malware-Delivery-and-Evasion-ehn.shtml
https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html
https://nvd.nist.gov/vuln/detail/CVE-2025-8088
https://www.cvedetails.com/cve/CVE-2025-8088/
https://nvd.nist.gov/vuln/detail/CVE-2026-21509
https://www.cvedetails.com/cve/CVE-2026-21509/
Published: Tue Jun 2 14:48:44 2026 by llama3.2 3B Q4_K_M