ctipilot.ch

UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

UPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to write payloads directly into %APPDATA%\…\Start Menu\Programs\Startup\ for persistence without a Registry or Scheduled-Task artefact (Sekoia TDR, 2026-06-01).
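
The flaw class behind that entry vector, as an added illustration that is not WinRAR's code and not from the Sekoia reporting: the extraction-path mistake an archive path-traversal bug exploits, beside the containment check a safe extractor applies. The destination directory, entry names and payload file names are constructed; the relative hop into the Startup folder mirrors the path the brief names. The colon rejection also shuts out NTFS stream-suffixed entry names, the vehicle the public CVE-2025-8088 write-ups identified for this traversal.

```python
"""Added example: containing archive entry paths at extraction time.

Generic illustration of the path-traversal class CVE-2025-8088 belongs
to; not WinRAR's code and not from the Sekoia reporting. Destination
and entry names are constructed. Windows paths are evaluated with
ntpath so the example runs on any platform.
"""
import ntpath
from pathlib import PureWindowsPath

# Constructed extraction destination.
DEST = r"C:\Users\victim\Downloads\invoice"

# Constructed entry names. The relative hop into the Startup folder has the
# shape the brief describes; the payload names are invented.
TO_STARTUP = r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
ENTRIES = [
    r"invoice.pdf",                                 # benign
    r"docs/readme.txt",                             # benign, forward slashes
    TO_STARTUP + r"\update.vbs",                    # dot-dot traversal
    r"invoice.pdf:" + TO_STARTUP + r"\update.vbs",  # traversal carried in an NTFS stream suffix
    r"C:\Windows\Temp\stage.hta",                   # absolute path
    r"\Windows\Temp\stage.hta",                     # rooted, drive-relative
    r"\\evil\share\stage.hta",                      # UNC path
]


def naive_target(dest, entry):
    """Vulnerable pattern: join and normalise, trusting the entry name.
    The result is where the OS would actually create the file."""
    return ntpath.normpath(ntpath.join(dest, entry))


def safe_target(dest, entry):
    """Hardened: reject anything that is not a plain relative name, then
    prove the normalised result is still under dest. Returns the target
    path, or None if the entry must not be extracted."""
    if PureWindowsPath(entry).anchor:   # absolute, rooted or UNC name
        return None
    if ":" in entry:                    # drive-relative name or NTFS stream suffix
        return None
    dest_n = ntpath.normpath(dest)
    target = ntpath.normpath(ntpath.join(dest_n, entry))
    # Compare case-insensitively and insist on a separator boundary so that
    # C:\...\invoice2 is not mistaken for something under C:\...\invoice.
    if not ntpath.normcase(target).startswith(ntpath.normcase(dest_n) + "\\"):
        return None
    return target


def audit(dest, entries):
    """Map each entry to (where the naive join lands, what the safe check allows)."""
    return {e: (naive_target(dest, e), safe_target(dest, e)) for e in entries}


if __name__ == "__main__":
    for entry, (naive, safe) in audit(DEST, ENTRIES).items():
        verdict = "EXTRACT" if safe else "REJECT "
        print(f"{verdict} {entry!r}\n         naive join would write: {naive}")
```

The traversal entry normalises to the real Startup folder under the user's profile, which is exactly the write the brief describes; the containment check refuses it, along with the stream-suffixed, absolute, rooted and UNC forms, while the two benign names pass.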

The series also names GammaSteel, a modular file-stealer (consolidating prior QuietSieve/HarvesterX-class modules) that captures files by extension and — newly — exfiltrates to attacker-controlled S3-compatible cloud storage in addition to Gamaredon's previously documented HTTP/Telegram channels (The Hacker News, 2026-06-02). The full chain runs WinRAR archive → GammaPhish (HTA) → GammaLoad (VBScript downloader) → GammaWorm/GammaSteel.

Delta for defenders: CVE-2025-8088 is fixed in WinRAR 7.13 (released late July 2025), so the entry vector is closed by patching. WinRAR does not update itself, so inventory installed versions across the estate rather than assuming users have upgraded. Hunt for archive utilities writing executables or .vbs into Programs\Startup paths (Sysmon EID 11, FileCreate, with TargetFilename containing Programs\Startup and an archiver as the Image), for WinRAR spawning wscript.exe/mshta.exe, and for VBScript processes making outbound requests to S3-compatible endpoints inconsistent with normal business traffic. Note that a payload dropped into Startup does not run until the next logon, at which point its parent is explorer.exe rather than WinRAR, so also hunt for wscript.exe/mshta.exe whose command line points into Programs\Startup (Sysmon EID 1). The targeting is Ukraine-centric, but the WinRAR vector reaches any organisation that opens archive-format lures.
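
The hunts above as an added example, not part of the brief or of the Sekoia reporting: the three indicators expressed as rules over Sysmon-style events (EID 11 FileCreate, EID 1 ProcessCreate, EID 3 NetworkConnect), plus a fourth for script hosts executing out of the Startup folder at logon. Every event is constructed; the archiver list, payload extensions, the S3-style hostname pattern and the approved-bucket allow-list are assumptions to be replaced with the estate's own.

```python
"""Added example: Sysmon-style hunts for the WinRAR-to-Startup chain.

Not from the brief or from Sekoia TDR. Field names follow Sysmon's
FileCreate (EID 11), ProcessCreate (EID 1) and NetworkConnect (EID 3)
schemas; every event below is constructed, and the tuning lists are
assumptions to be replaced with your own.
"""
import re
from pathlib import PureWindowsPath

# Assumptions: tune these to the estate.
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PAYLOAD_EXT = {".exe", ".vbs", ".hta", ".lnk", ".js", ".bat", ".cmd", ".ps1"}
STARTUP_MARKER = "\\programs\\startup\\"
# Coarse heuristic for S3-compatible hostnames (bucket.s3.provider, s3-region.provider).
OBJECT_STORE_RE = re.compile(r"(^|[.-])s3[.-]", re.I)
APPROVED_OBJECT_STORE = {"backup.s3.example-corp.net"}   # constructed business allow-list

STARTUP_DIR = r"C:\Users\victim\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [  # constructed, not real telemetry
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": STARTUP_DIR + r"\update.vbs"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\victim\Downloads\invoice\invoice.pdf"},
    {"EventID": 1, "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" "C:\Users\victim\AppData\Local\Temp\invoice.hta"'},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": '"C:\\Windows\\System32\\wscript.exe" "' + STARTUP_DIR + '\\update.vbs"'},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "files.s3.example-object-store.net", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Microsoft Office\root\Office16\OUTLOOK.EXE",
     "DestinationHostname": "backup.s3.example-corp.net", "DestinationPort": 443},
    {"EventID": 1, "ParentImage": r"C:\Windows\explorer.exe",
     "Image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "CommandLine": r'"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE" report.docx'},
]


def basename(path):
    """Lower-cased file name of a Windows path, for image comparisons."""
    return PureWindowsPath(path).name.lower()


def rule_archiver_writes_startup(ev):
    """EID 11: an archiver creates a script/executable inside Programs\\Startup."""
    target = ev.get("TargetFilename", "")
    return (ev.get("EventID") == 11
            and basename(ev.get("Image", "")) in ARCHIVERS
            and STARTUP_MARKER in target.lower()
            and PureWindowsPath(target).suffix.lower() in PAYLOAD_EXT)


def rule_archiver_spawns_script_host(ev):
    """EID 1: WinRAR (or another archiver) is the parent of wscript/cscript/mshta."""
    return (ev.get("EventID") == 1
            and basename(ev.get("ParentImage", "")) in ARCHIVERS
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS)


def rule_script_host_from_startup(ev):
    """EID 1: a script host runs a file out of Programs\\Startup (the logon-time
    execution of the dropped payload, whose parent is explorer.exe, not WinRAR)."""
    return (ev.get("EventID") == 1
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS
            and STARTUP_MARKER in ev.get("CommandLine", "").lower())


def rule_script_host_to_object_storage(ev):
    """EID 3: a script host talks to an S3-style endpoint not on the allow-list."""
    host = ev.get("DestinationHostname", "").lower()
    return (ev.get("EventID") == 3
            and basename(ev.get("Image", "")) in SCRIPT_HOSTS
            and OBJECT_STORE_RE.search(host) is not None
            and host not in APPROVED_OBJECT_STORE)


RULES = [rule_archiver_writes_startup, rule_archiver_spawns_script_host,
         rule_script_host_from_startup, rule_script_host_to_object_storage]


def hunt(events):
    """Run every rule over every event; return one hit per (event, rule) match."""
    hits = []
    for i, ev in enumerate(events):
        for rule in RULES:
            if rule(ev):
                hits.append({"index": i, "rule": rule.__name__[len("rule_"):],
                             "image": ev.get("Image", "")})
    return hits


if __name__ == "__main__":
    for hit in hunt(SAMPLE_EVENTS):
        print(f"event {hit['index']}: {hit['rule']:<32} {hit['image']}")
```

Run against the constructed events, the four hostile records light up one rule each and the three benign ones (an ordinary archive extraction, Outlook talking to the approved bucket, Word launched from Explorer) stay silent. The hostname heuristic is deliberately coarse; in production the allow-list and a list of the provider endpoints the business actually uses do the real filtering.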