ctipilot.ch

Gamaredon GammaPhish/GammaWorm — NTFS-ADS USB+network worm (Sekoia)

campaign · campaign:gamaredon-gammaphish-gammaworm

Coverage timeline: 2 appearances, first 2026-06-02 → last 2026-06-03
Briefs: 2 (2 distinct)
Sources cited: 12 (5 hosts)
Sections touched: 2 (research, updates)
Co-occurring entities: 5

Story timeline

  1. 2026-06-03 · CTI Daily Brief — 2026-06-03 · updates: UPDATE — WinRAR CVE-2025-8088 entry vector + GammaSteel stealer (AWS S3 exfil)
  2. 2026-06-02 · CTI Daily Brief — 2026-06-02 · research: First coverage. Sekoia unifies Gamaredon (UAC-0010/FSB) tooling; CVE-2025-8088 WinRAR initial access; ADS hiding + removable-media propagation + legit-service dead-drops.

Where this entity is cited

  • research (1)
  • updates (1)

Source distribution

  • attack.mitre.org: 7 (58%)
  • thehackernews.com: 2 (17%)
  • blog.sekoia.io: 1 (8%)
  • infosecurity-magazine.com: 1 (8%)
  • microsoft.com: 1 (8%)

Items in briefs about Gamaredon GammaPhish/GammaWorm — NTFS-ADS USB+network worm (Sekoia) (2)

UPDATE: Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer

From CTI Daily Brief — 2026-06-03 · published 2026-06-03

UPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to write payloads directly into %APPDATA%\…\Start Menu\Programs\Startup\ for persistence without a Registry or Scheduled-Task artefact (Sekoia TDR, 2026-06-01).

The series also names GammaSteel, a modular file-stealer (consolidating prior QuietSieve/HarvesterX-class modules) that captures files by extension and — newly — exfiltrates to attacker-controlled S3-compatible cloud storage in addition to Gamaredon's previously documented HTTP/Telegram channels (The Hacker News, 2026-06-02). The full chain runs WinRAR archive → GammaPhish (HTA) → GammaLoad (VBScript downloader) → GammaWorm/GammaSteel.

Delta for defenders: CVE-2025-8088 is fixed in WinRAR 7.13 (August 2025), so the entry vector is closed by patching — inventory WinRAR versions across the estate. Hunt for archive utilities writing executables or .vbs into Programs\Startup paths (Sysmon EID 11 on target path containing Programs\Startup), WinRAR spawning wscript.exe/mshta.exe, and VBScript processes making outbound requests to S3 endpoints inconsistent with normal business traffic. The targeting is Ukraine-centric, but the WinRAR vector reaches any organisation that opens archive-format lures.

Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm

From CTI Daily Brief — 2026-06-02 · published 2026-06-02

Sekoia's Threat Detection & Research team published part one of a Gamaredon (UAC-0010 / ACTINIUM, attributed to Russia's FSB) series describing a January 2026 campaign against Ukrainian government and military targets, introducing unified naming for two capability clusters: GammaPhish (the funnel from spearphishing through GammaLoad deployment) and GammaWorm (the propagation layer, subsuming the tooling previously tracked as LitterDrifter / PteroLNK) (Sekoia TDR, 2026-06-01 · Infosecurity Magazine, 2026-06-01). The chain begins with weaponised xHTML files exploiting CVE-2025-8088 (the WinRAR path-traversal flaw) to drop HTA payloads into Windows Startup directories via mshta.exe. GammaWorm itself is a 20,000+-line obfuscated VBScript worm that persists via scheduled tasks and RunOnce/Run registry keys, hides components in NTFS Alternate Data Streams, propagates across USB and mapped network drives using Ukrainian-language lures, and resolves C2 through dead-drop resolvers on Telegram, Telegra.ph, Teletype.in, Supabase and Cloudflare Workers.

Why it matters to us: The ADS-hiding + removable-media propagation + legitimate-service dead-drop pattern is highly transferable to any EU public-sector estate. Hunt for mshta.exe spawning wscript.exe, large obfuscated VBScripts executing from %APPDATA%, scheduled tasks with randomised GUID names pointing into user-profile paths, ADS on %TEMP%/%APPDATA% files, and outbound HTTPS to Telegra.ph / Supabase / Workers endpoints from non-developer hosts.
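A minimal hunting pass over the indicators both briefs call out (archive utilities writing payloads into Programs\Startup, WinRAR or mshta.exe spawning script hosts, NTFS ADS written under %APPDATA% or %TEMP%), added here as an example that is not part of the CTI pilot page or of Sekoia's research. The Sysmon events are constructed and flattened to JSON lines, and the rule names, archiver list and script-host list are this example's own assumptions.

```python
import json
from pathlib import PureWindowsPath

# Constructed Sysmon-style events as JSON lines (not real telemetry); EID 1 = ProcessCreate, 11 = FileCreate, 15 = FileCreateStreamHash (an NTFS ADS was written).
SAMPLE_EVENTS = r"""
{"EventID":11,"Image":"C:\\Program Files\\WinRAR\\WinRAR.exe","TargetFilename":"C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs"}
{"EventID":11,"Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\Users\\a\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\notes.txt"}
{"EventID":1,"ParentImage":"C:\\Program Files\\WinRAR\\WinRAR.exe","Image":"C:\\Windows\\System32\\mshta.exe"}
{"EventID":1,"ParentImage":"C:\\Windows\\System32\\mshta.exe","Image":"C:\\Windows\\System32\\wscript.exe"}
{"EventID":15,"Image":"C:\\Windows\\System32\\wscript.exe","TargetFilename":"C:\\Users\\a\\AppData\\Local\\Temp\\report.txt:stage2"}
{"EventID":15,"Image":"C:\\Windows\\explorer.exe","TargetFilename":"C:\\Users\\a\\AppData\\Local\\Temp\\invoice.zip:Zone.Identifier"}
"""

ARCHIVERS = {"winrar.exe", "7z.exe", "7zfm.exe"}            # archive utilities (assumed list)
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}  # script / HTA hosts (assumed list)
DROP_EXTS = {".exe", ".vbs", ".hta"}                        # payload types named in the briefs

def _base(path):  # lower-cased file name of a Windows path
    return PureWindowsPath(path).name.lower()
def _in_profile_temp(path):  # %APPDATA% (Roaming) or %TEMP% (Local\Temp)
    low = path.lower()
    return "\\appdata\\roaming\\" in low or "\\appdata\\local\\temp\\" in low

def classify(ev):
    """Return the names of the hunting rules an event matches (empty list if none)."""
    hits, eid, tgt = [], ev.get("EventID"), ev.get("TargetFilename", "")
    if eid == 11 and "\\programs\\startup\\" in tgt.lower():
        if _base(ev["Image"]) in ARCHIVERS and PureWindowsPath(tgt).suffix.lower() in DROP_EXTS:
            hits.append("archiver_writes_startup_payload")
    elif eid == 15 and _in_profile_temp(tgt):
        # Zone.Identifier is the Mark-of-the-Web stream added to downloads: benign and very noisy.
        if not tgt.lower().endswith(":zone.identifier"):
            hits.append("ads_in_appdata_or_temp")
    elif eid == 1:
        parent, child = _base(ev["ParentImage"]), _base(ev["Image"])
        if parent in ARCHIVERS and child in SCRIPT_HOSTS:
            hits.append("archiver_spawns_script_host")
        if parent == "mshta.exe" and child == "wscript.exe":
            hits.append("mshta_spawns_wscript")
    return hits

def hunt(jsonl):
    """Run every rule over JSON-lines events; return [(rule, record_index)] in input order."""
    records = [line for line in jsonl.splitlines() if line.strip()]
    return [(rule, i) for i, line in enumerate(records) for rule in classify(json.loads(line))]

if __name__ == "__main__":
    for rule, i in hunt(SAMPLE_EVENTS):
        print(f"{rule:<32} record {i}")
```

Real Sysmon exports nest these fields under EventData and may carry the stream name only in EID 15, so adapt the key access to your collector's shape before running this against production telemetry.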