The campaign, active since September 2025 and still evolving, has targeted Ukrainian state institutions through spoofed messages and compromised government e-mail accounts. The emails are written in Ukrainian and designed to resemble official correspondence, including court-related notices and administrative paperwork. Their attachments contain malicious RAR archives built to exploit CVE-2025-8088, a WinRAR path traversal flaw that lets an attacker write files into sensitive Windows directories, such as the user's Startup folder, so that they run on the next system restart or user logon rather than at the moment the archive is opened.
Gamaredon, also tracked as UAC-0010, Shuckworm, Aqua Blizzard, Primitive Bear and Armageddon, has been one of the most persistent cyber-espionage actors focused on Ukraine. The group has been active for more than a decade and has been publicly linked by Ukrainian authorities to Russia's Federal Security Service (FSB). Its operations typically prioritise access, surveillance, credential theft and rapid collection of files from public-sector systems rather than destructive attacks.
The latest infection chain begins with a spear-phishing e-mail that either appears to come from a trusted institution or is sent from an already compromised account. Some messages hide recipients in the BCC field to conceal the scale of targeting. Once the archive is opened on an unpatched Windows system, the exploit places malicious scripts outside the expected extraction path. That technique gives the attacker a foothold without relying on highly complex malware at the entry stage.
GammaDrop functions as the initial downloader. Its role is to prepare the infected machine, retrieve additional components and support the next stage of execution. GammaLoad, delivered as an HTA-based beacon, then establishes persistence and communication with command-and-control infrastructure. The malware also profiles infected systems, helping operators decide whether a compromised machine is valuable enough for further exploitation.
The use of Cloudflare-proxied infrastructure and frequently changing domains has complicated detection. By routing traffic through widely used services, the operators try to blend malicious communications with legitimate web activity. Security teams tracking the campaign have observed repeated changes in delivery methods, file names, scripts and hosting arrangements, a pattern consistent with Gamaredon's long-standing practice of making small but frequent adjustments to evade static defences.
CVE-2025-8088 remains central to the campaign because WinRAR does not update itself automatically, so many environments are still running vulnerable builds. The vulnerability was patched in version 7.13, but older installations remain exposed. The flaw has attracted wider attention because several state-linked and financially motivated actors have used it to place malicious payloads in Windows Startup folders or other sensitive locations. That makes outdated archive software a high-value target in phishing operations.
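The traversal condition described above can be checked before an archive is ever extracted, which is useful at a mail gateway or in a sandbox. The script below is an added example for this article, not code from the original report or from any vendor: it inspects archive member names for the patterns that would let a member land outside the extraction directory (parent-directory traversal and absolute paths, and an NTFS alternate data stream marker in the name, which is how the public analyses of CVE-2025-8088 describe the traversal being carried), and it separately flags members headed for the Startup folder or other sensitive locations, or carrying a directly runnable extension. The member names are constructed samples; in practice the list would come from `rarfile.RarFile(path).namelist()` or the listing printed by `7z l`, and that integration is assumed rather than shown.

```python
"""Triage archive member names for the path-traversal pattern behind CVE-2025-8088."""
import re

# Parent-directory traversal once separators are normalised to backslash.
TRAVERSAL = re.compile(r"(?:^|\\)\.\.(?:\\|$)")

# Drop locations an attacker would aim for (lower-case, backslash-delimited).
# Illustrative list for the example, not exhaustive.
SENSITIVE_DIRS = (
    "\\start menu\\programs\\startup",
    "\\windows\\",
    "\\appdata\\",
    "\\programdata\\",
)

# Extensions that run on their own once dropped somewhere Windows executes from.
RUNNABLE_EXTS = (".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf", ".lnk",
                 ".exe", ".dll", ".scr", ".ps1", ".bat", ".cmd")

# Constructed sample member names for the demo; not taken from any real archive.
SAMPLE_ENTRIES = [
    "Повістка_до_суду.pdf",
    "docs/..\\..\\..\\Users\\Public\\update.hta",
    "Рішення.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.vbs",
    "C:\\Windows\\Temp\\svc.exe",
    "images/photo.jpg",
]


def assess_entry(name: str) -> list[str]:
    """Return the reasons an archive member name looks hostile (empty list if none)."""
    reasons: list[str] = []
    norm = name.replace("/", "\\")

    # An alternate data stream marker ("file:stream") inside a member name is
    # itself abnormal; the path to check is then the stream part, not the file part.
    # A single drive letter followed by a backslash ("C:\...") is not a stream.
    base, sep, stream = norm.partition(":")
    is_drive = len(base) == 1 and base.isalpha() and stream.startswith("\\")
    if sep and not is_drive:
        reasons.append("alternate data stream marker in entry name")
        target = stream
    else:
        target = norm

    if TRAVERSAL.search(target):
        reasons.append("parent-directory traversal")
    if re.match(r"[A-Za-z]:\\", target) or target.startswith("\\"):
        reasons.append("absolute path")

    low = target.lower()
    if any(d in low for d in SENSITIVE_DIRS):
        reasons.append("targets a sensitive Windows directory")
    if low.endswith(RUNNABLE_EXTS):
        reasons.append("runnable extension")
    return reasons


def escapes_extraction_dir(name: str) -> bool:
    """True when extracting this member would write outside the chosen directory."""
    reasons = assess_entry(name)
    return "parent-directory traversal" in reasons or "absolute path" in reasons


def scan_entries(names: list[str]) -> list[tuple[str, list[str]]]:
    """Return (name, reasons) for every member that raised at least one reason."""
    return [(n, r) for n in names if (r := assess_entry(n))]


if __name__ == "__main__":
    for entry, why in scan_entries(SAMPLE_ENTRIES):
        verdict = "BLOCK" if escapes_extraction_dir(entry) else "review"
        print(f"{verdict}: {entry}")
        for reason in why:
            print(f"    - {reason}")
```

Anything for which `escapes_extraction_dir` is true is worth blocking outright regardless of how the extractor handles it, since a benign archive has no reason to name a member relative to anything but its own root; the remaining reasons are context for an analyst rather than a verdict on their own.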
Ukraine's public sector remains the primary focus. Government offices, regional administrations, judicial bodies, law enforcement-linked institutions and organisations connected with national security have remained under pressure from phishing campaigns throughout the war. Gamaredon's methods are not always technically sophisticated, but their volume, persistence and localised social engineering have made the group difficult to neutralise.
The campaign also shows how espionage actors exploit the gap between patch availability and patch adoption. Many organisations prioritise operating system and browser updates while overlooking archive utilities, document handlers and legacy administrative tools. For attackers, these gaps offer reliable routes into networks where users routinely open compressed files attached to official correspondence.
Defensive measures recommended by experts include immediately upgrading WinRAR to the patched version (7.13 or later), blocking execution from temporary archive extraction paths, restricting HTA and VBScript execution (for example via mshta.exe and wscript.exe) where there is no business need for it, enforcing multi-factor authentication on government e-mail accounts, and tightening SPF, DKIM and DMARC controls to limit spoofing. Monitoring outbound traffic to newly registered domains and suspicious Cloudflare-routed infrastructure is also considered essential.
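"Tightening SPF, DKIM and DMARC" is only meaningful if the published records actually instruct receivers to reject spoofed mail, and a record that exists but says `p=none` or `~all` gives the spoofed court notices described earlier a free pass. The following script is an added example written for this article, not the guidance of any of the experts cited: it grades an SPF record and a DMARC record against a reject-everything posture. The records, the `example.gov.ua` domain and the reporting mailbox are constructed for the demo; real records would be fetched with `dig +short TXT example.gov.ua` and `dig +short TXT _dmarc.example.gov.ua`, which is assumed rather than shown.

```python
"""Grade SPF and DMARC records for the spoofing resistance the guidance above asks for."""

# Constructed sample records for the demo, not fetched from any real domain.
WEAK_DMARC = "v=DMARC1; p=none; pct=50"
STRONG_DMARC = ("v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s; "
                "rua=mailto:dmarc-reports@example.gov.ua")
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 mx ip4:203.0.113.0/24 -all"

# SPF terms that cost a DNS lookup; RFC 7208 allows at most 10 per evaluation.
LOOKUP_TERMS = {"a", "mx", "ptr", "include", "exists", "redirect"}


def parse_dmarc_tags(record: str) -> dict[str, str]:
    """Split 'k=v; k=v' into a dict keyed by lower-case tag name."""
    tags: dict[str, str] = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def evaluate_dmarc(record: str) -> list[str]:
    """Return the ways a DMARC record falls short of rejecting all spoofed mail."""
    tags = parse_dmarc_tags(record)
    if tags.get("v") != "DMARC1":
        return ["not a DMARC record"]
    issues: list[str] = []
    policy = tags.get("p", "").lower()
    if policy != "reject":
        issues.append(f"p={policy or 'missing'}: spoofed mail is not rejected (want p=reject)")
    sub_policy = tags.get("sp", policy).lower()   # sp defaults to p when absent
    if sub_policy != "reject":
        issues.append(f"sp={sub_policy or 'missing'}: subdomains are not protected")
    if int(tags.get("pct", "100")) < 100:
        issues.append(f"pct={tags['pct']}: policy applied to only part of the mail")
    if "rua" not in tags:
        issues.append("no rua= address: spoofing attempts are never reported")
    if tags.get("adkim", "r").lower() != "s" or tags.get("aspf", "r").lower() != "s":
        issues.append("advisory: relaxed alignment accepts any subdomain of the organisational domain")
    return issues


def evaluate_spf(record: str) -> list[str]:
    """Return the ways an SPF record leaves room for spoofing or breaks evaluation."""
    terms = record.split()
    if not terms or terms[0].lower() != "v=spf1":
        return ["not an SPF record"]
    issues: list[str] = []
    # The qualifier on the trailing 'all' decides what happens to unlisted senders.
    all_term = next((t.lower() for t in terms[1:] if t.lstrip("+-~?").lower() == "all"), None)
    if all_term is None:
        issues.append("no 'all' mechanism: unlisted senders get a neutral result")
    elif all_term in ("all", "+all"):
        issues.append("+all: every sender on the internet passes SPF")
    elif all_term == "?all":
        issues.append("?all: neutral, gives receivers no reason to reject")
    elif all_term == "~all":
        issues.append("~all: softfail only marks mail; use -all together with DMARC p=reject")
    # Mechanism name is the term with qualifier, ':' argument, '/' mask and '=' stripped.
    lookups = sum(
        1 for t in terms[1:]
        if t.lstrip("+-~?").split(":")[0].split("/")[0].split("=")[0].lower() in LOOKUP_TERMS
    )
    if lookups > 10:
        issues.append(f"{lookups} DNS lookups: exceeds the limit of 10, receivers return permerror")
    return issues


if __name__ == "__main__":
    for label, rec, grade in (("weak DMARC", WEAK_DMARC, evaluate_dmarc),
                              ("strong DMARC", STRONG_DMARC, evaluate_dmarc),
                              ("weak SPF", WEAK_SPF, evaluate_spf),
                              ("strong SPF", STRONG_SPF, evaluate_spf)):
        print(f"{label}: {grade(rec) or ['ok']}")
```

The lookup count matters in practice: a record assembled from many `include:` terms can exceed ten lookups, at which point receivers treat the result as a permanent error and the domain loses SPF protection while appearing to have it.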