ctipilot.ch


Gamaredon — GammaPhish / GammaWorm / GammaSteel: Russian FSB campaign with USB worm and S3 exfiltration (Sekoia TDR part one) [SINGLE-SOURCE Sekoia TDR]

From CTI Weekly Summary — 2026-W23 (1–7 June 2026) · published 2026-06-08

Sekoia's first part of the Gamaredon series disclosed a January 2026 campaign arc (Sekoia TDR, 2026-06-01; daily 2026-06-02; update daily 2026-06-03). Initial access via CVE-2025-8088 (WinRAR path-traversal, widely unpatched) drops HTA payloads from xHTML attachments. GammaWorm's NTFS-ADS concealment and USB-propagation pattern is the signature detection challenge: filesystem timestamps give no signal, because the worm body sits in an alternate data stream rather than in a visible file, and the worm copies itself to any mounted drive and mapped share, so air-gap-adjacent workstations remain in scope. GammaSteel exfiltrates collected data directly to S3. Part two of the Sekoia series has not yet been published and is expected to detail further tooling. Open question: has the campaign reached any EU public-sector estate beyond its primary Ukrainian targets? The USB-propagation vector is exactly the mechanism Luna Moth used this week for physical office intrusion — conceptually distinct actors, coincidentally parallel technique.
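As an added defender-side example, not code from the Sekoia report or from this brief: a PowerShell hunt that lists non-default alternate data streams on removable and mapped network drives, the locations the worm is described as spreading to. It assumes the worm body is stored as a named ADS on an NTFS volume; the benign-stream allowlist and the drive-type filter are my assumptions, not indicators from the report.

```powershell
# Added example (not from the Sekoia report): enumerate non-default NTFS
# alternate data streams on removable and network drives, because file
# timestamps alone will not reveal ADS-concealed content.

# Win32_LogicalDisk DriveType: 2 = Removable, 4 = Network (assumed scope)
$driveTypes = @(2, 4)
$roots = Get-CimInstance -ClassName Win32_LogicalDisk |
    Where-Object { $driveTypes -contains $_.DriveType } |
    Select-Object -ExpandProperty DeviceID

# Streams expected on an ordinary NTFS file: the default data stream and
# the Mark-of-the-Web stream. Anything else is worth a look.
$benignStreams = @(':$DATA', 'Zone.Identifier')

$hits = foreach ($root in $roots) {
    Get-ChildItem -Path "$root\" -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $benignStreams -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        File   = $file.FullName
                        Stream = $_.Stream
                        Bytes  = $_.Length
                    }
                }
        }
}

# Print for triage; pipe $hits to Export-Csv to keep a record.
$hits | Format-Table -AutoSize
```

ADS exist only on NTFS, so FAT-formatted USB media will never produce hits; each remaining stream should be pulled with Get-Content -Stream and reviewed by hand.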