PROBABLYPWNED
Threat Intelligence, June 3, 2026

Gamaredon Exploits WinRAR Flaw to Deploy GammaWorm in Ukraine

Russian FSB-linked hackers weaponize CVE-2025-8088 to spread self-propagating malware across Ukrainian networks. Worm spreads via USB and network shares.

Alex Kowalski

Russian state-sponsored threat actor Gamaredon continues exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to deliver multiple malware families against Ukrainian government and military targets. French cybersecurity researchers tracking the campaign observed GammaWorm and GammaSteel payloads spreading through network shares and USB drives across compromised organizations.

The campaign demonstrates Gamaredon's persistent focus on Ukraine and their ongoing evolution of delivery mechanisms and post-exploitation tools.

Attack Chain

The infection begins with phishing emails containing malicious RAR archives that exploit CVE-2025-8088. When victims extract the archive with vulnerable WinRAR versions, a path traversal attack drops an HTML Application (HTA) file called GammaPhish outside the expected extraction directory.
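The defect class at work here is an extractor writing an entry wherever its name points instead of inside the chosen directory. The following check is added for illustration; it is not WinRAR's code, not part of the original article, and not a reproduction of the specific CVE-2025-8088 bug (which the article does not detail). It shows the containment test an extractor should apply to every entry name before writing anything, run over constructed entry names that mimic the pattern of dropping an HTA into a Startup folder.

```python
import ntpath
import os
import posixpath

# Constructed archive entry names (not taken from the campaign); the last
# three are shaped like names a path-traversal archive would carry.
SAMPLE_ENTRIES = [
    "report.docx",
    "images/chart.png",
    "..\\..\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta",
    "../../../tmp/dropped.hta",
    "C:\\Users\\Public\\dropped.hta",
]


def entry_escapes(extract_dir, entry_name):
    """Return True if writing entry_name would land outside extract_dir.

    Archive names may use either separator, so backslashes are normalised
    first; absolute paths, drive letters and UNC prefixes are rejected
    outright, and everything else is resolved and checked for containment.
    """
    name = entry_name.replace("\\", "/")
    if posixpath.isabs(name) or ntpath.isabs(name) or ntpath.splitdrive(name)[0]:
        return True
    root = os.path.realpath(extract_dir)
    target = os.path.realpath(os.path.join(root, *name.split("/")))
    return os.path.commonpath([root, target]) != root


def flag_entries(extract_dir, entries):
    """Names an extractor must refuse before writing anything to disk."""
    return [e for e in entries if entry_escapes(extract_dir, e)]


if __name__ == "__main__":
    for bad in flag_entries("/tmp/extract", SAMPLE_ENTRIES):
        print("refuse:", bad)
```

The same test catches dotted components that only escape after normalisation (`a/../../c.txt`), which a plain substring search for `..` at the start of the name would not.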

The attack unfolds in stages:

  1. Initial Execution: GammaPhish HTA runs automatically when placed in Windows startup locations
  2. Downloader Stage: VBScript-based GammaLoad retrieves additional payloads from command-and-control infrastructure
  3. Worm Deployment: GammaWorm establishes persistence via scheduled tasks and begins lateral movement
  4. Data Theft: GammaSteel infostealer harvests credentials and documents

The use of WinRAR exploitation is noteworthy—this archiver remains ubiquitous on Windows systems, especially in government environments where users frequently exchange compressed files.

GammaWorm Propagation

GammaWorm's self-propagation capabilities distinguish this campaign from typical targeted attacks. The malware spreads through:

  • Network shares: Copies itself to accessible file shares, infecting systems when users access those locations
  • USB drives: Monitors for removable media insertion and copies malicious payloads to connected drives

This approach enables Gamaredon to reach air-gapped systems—computers disconnected from the internet that security-conscious organizations use for sensitive operations. By spreading through USB drives, the malware can jump the air gap when personnel move data between networks.

The worm locates its command-and-control servers through dead drop resolvers (DDRs): it retrieves its current C2 address from legitimate web services, so connectivity survives even when specific C2 domains are blocked.

Attribution to Russian FSB

Gamaredon (also tracked as Primitive Bear, ACTINIUM, and Shuckworm) has been publicly attributed to Russia's Federal Security Service (FSB). The group has maintained continuous operations against Ukraine since at least 2014, with particular focus on:

  • Government ministries and agencies
  • Military and defense organizations
  • Critical infrastructure operators
  • Law enforcement bodies

Unlike more sophisticated Russian APT groups that prioritize stealth, Gamaredon operates at high volume, accepting lower success rates per target in exchange for broader coverage. Their tooling emphasizes rapid iteration—new malware variants appear frequently as the group adapts to detection.

Technical Indicators

The campaign uses several identifiable components:

  • Delivery: RAR archives exploiting CVE-2025-8088
  • Initial access: GammaPhish HTA files
  • Download: GammaLoad VBScript-based downloader
  • Propagation: GammaWorm with scheduled task persistence
  • Exfiltration: GammaSteel credential and document theft

Organizations defending against Gamaredon should monitor for:

  • Suspicious HTA execution from unexpected directories
  • Scheduled tasks with obfuscated VBScript content
  • Unusual file copying to network shares
  • WinRAR archives containing path traversal sequences
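A constructed illustration of the first three monitoring points above, added here and not drawn from the original article or any vendor product: Sysmon-style process-creation (EventID 1) and file-creation (EventID 11) events are built inline as dicts (not real campaign telemetry) and run through three rules. Because the page does not describe what the obfuscated task content looks like, the scheduled-task rule uses a proxy: a task whose action runs a script host on a file in a user-writable path, or that forces the script engine with `//e:` so the file extension hides the script type.

```python
import re

# Constructed events shaped like Sysmon process-creation (EventID 1) and
# file-creation (EventID 11) records; none of this is real campaign telemetry.
SAMPLE_EVENTS = [
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\invoice.hta"'},
    {"id": 1, "image": r"C:\Windows\System32\mshta.exe",
     "cmd": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"id": 1, "image": r"C:\Windows\System32\schtasks.exe",
     "cmd": r'schtasks.exe /create /tn Updater /tr "wscript.exe //e:vbscript C:\Users\u\AppData\Local\Temp\svc.txt" /sc minute /mo 5'},
    {"id": 11, "image": r"C:\Users\u\AppData\Local\Temp\svc.exe",
     "target": r"\\fileserver\shared\docs\readme.lnk"},
    {"id": 11, "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\u\Documents\notes.txt"},
]

# Directories an unprivileged user can write to; a payload dropped by an
# extractor or fetched by a downloader tends to live in one of these.
USER_WRITABLE = re.compile(r"\\(AppData|Temp|Downloads|Startup|Public)\\", re.I)
UNC_SHARE = re.compile(r"^\\\\[^\\]+\\[^\\]+\\")
SCRIPT_HOST = re.compile(r"\b(wscript|cscript|mshta)\.exe", re.I)


def rules(ev):
    """Yield the name of each detection rule that matches one event."""
    img, cmd, target = ev.get("image", "").lower(), ev.get("cmd", ""), ev.get("target", "")
    if ev["id"] == 1 and img.endswith(r"\mshta.exe") and USER_WRITABLE.search(cmd):
        yield "hta_from_user_writable_dir"
    if ev["id"] == 1 and img.endswith(r"\schtasks.exe") and "/create" in cmd.lower():
        # Task action runs a script host on a file in a user-writable path, or
        # forces the engine with //e: so the file extension hides the script type.
        if SCRIPT_HOST.search(cmd) and (USER_WRITABLE.search(cmd) or "//e:" in cmd.lower()):
            yield "schtask_script_host_persistence"
    # A binary living in a user-writable directory writing to a UNC share path
    if ev["id"] == 11 and UNC_SHARE.match(target) and USER_WRITABLE.search(ev.get("image", "")):
        yield "user_writable_binary_writes_to_share"


def scan(events):
    """Return (event index, rule name) pairs for every rule hit."""
    return [(i, r) for i, ev in enumerate(events) for r in rules(ev)]
```

The second mshta event (an HTA under Program Files) and the explorer.exe write to a local path are deliberately present as negatives so the rules can be checked for false positives as well as hits.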

Connections to Broader Campaigns

Gamaredon's use of WinRAR exploitation connects to a broader pattern of archive-based attacks. We've covered similar techniques in social engineering attacks where attackers abuse trusted file formats to bypass user suspicion.

The group's continued focus on Ukraine follows their historical pattern of supporting Russian intelligence objectives in the ongoing conflict. While Gamaredon's tools lack the sophistication of groups like Sandworm or APT29, their persistence and volume make them a significant threat to Ukrainian organizations.

Recommended Defenses

  1. Update WinRAR — Version 7.10 and later are not vulnerable to CVE-2025-8088
  2. Block HTA execution — Use application control to prevent unexpected HTA files from running
  3. Monitor USB usage — Log and alert on mass file copying to removable media
  4. Segment network shares — Limit write access to reduce worm propagation paths
  5. Filter email attachments — Quarantine RAR files or scan them with updated engines before delivery

Why This Matters

Gamaredon's campaigns against Ukraine provide a real-time view of state-sponsored cyber operations during active conflict. While the direct targets are Ukrainian, the techniques—WinRAR exploitation, USB propagation, scheduled task persistence—apply broadly.

Organizations outside Ukraine shouldn't assume immunity. Gamaredon's infrastructure occasionally overlaps with cybercriminal operations, and their tools have appeared in campaigns beyond their primary geographic focus. Defense strategies effective against Gamaredon also protect against commodity threats using similar vectors.

For deeper context on Russian cyber operations, our recommended reading list includes analysis of Sandworm and related threat actors that share tactical overlaps with Gamaredon.
