Gamaredon exploits WinRAR vulnerability to deliver GammaWorm and GammaSteel

Colleagues, a cybersecurity advisory: Gamaredon is exploiting CVE-2025-8088 in WinRAR to deliver modular attack chains.
- GammaPhish (HTA) drops a VBScript loader, GammaLoad.
- GammaWorm: worm with persistence via Task Scheduler, concealment using LNK and ADS, C2 over public Telegram.
- GammaSteel: stealer exfiltrating files to AWS S3 or actor-controlled servers.
- Targeting: Ukrainian government entities; other families may be delivered.
Why it matters: software exploitation combined with social engineering and abuse of legitimate services hinders detection.
Recommendations: update WinRAR, monitor HTA/VBScript, audit ADS and scheduled tasks, and filter Telegram traffic.
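A quick host-side check covering three of those recommendations (installed WinRAR version, scheduled tasks that launch script hosts, files carrying alternate data streams). This is an added defender script, not part of the original post or any vendor tooling; the scan paths and the list of script hosts are assumptions you should adjust for your environment.

```powershell
# Added example (not from the original post): audit the persistence and concealment
# spots named in the recommendations. Assumes Windows PowerShell 5.1+ with the
# built-in ScheduledTasks module; run from an elevated prompt to see all tasks.

# 0. Installed WinRAR version, to compare against the vendor's fixed release for CVE-2025-8088.
$winrar = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
if (Test-Path $winrar) {
    "WinRAR version: " + (Get-Item $winrar).VersionInfo.ProductVersion
} else { "WinRAR not found under $env:ProgramFiles" }

# 1. Scheduled tasks whose action runs a script host (GammaWorm persists via Task Scheduler;
#    GammaLoad is a VBScript loader). Legitimate tasks match too, so review the output by hand.
$scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe'  # assumption
$suspiciousTasks = Get-ScheduledTask | ForEach-Object {
    $task = $_
    foreach ($action in $task.Actions) {
        if (-not $action.Execute) { continue }   # COM-handler actions have no Execute
        $exe = [IO.Path]::GetFileName(($action.Execute -replace '"', '')).ToLower()
        if ($scriptHosts -contains $exe) {
            [pscustomobject]@{
                TaskPath  = $task.TaskPath
                TaskName  = $task.TaskName
                Execute   = $action.Execute
                Arguments = $action.Arguments
                Author    = $task.Author
            }
        }
    }
}

# 2. Files with alternate data streams other than the default :$DATA and the benign
#    Zone.Identifier mark-of-the-web. Scan paths are user-writable locations (assumption).
$Paths = @($env:USERPROFILE, $env:ProgramData, $env:TEMP)
$adsHits = foreach ($root in $Paths) {
    if (-not (Test-Path $root)) { continue }
    Get-ChildItem -LiteralPath $root -Recurse -File -ErrorAction SilentlyContinue | ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -ne 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
    }
}

"=== Scheduled tasks launching script hosts ==="
$suspiciousTasks | Format-Table -AutoSize
"=== Files with non-standard alternate data streams ==="
$adsHits | Format-Table -AutoSize
```

Any hit in the ADS list that points at a script or executable stream on a user-writable path deserves a closer look; a script host task authored by a non-administrative user likewise.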
What measures do you have to defend against such chains?
#cybersecurity #APT #WinRAR #malware
