ctipilot.ch


Gamaredon weaponises WinRAR CVE-2025-8088 and adds the GammaSteel stealer

notable vulnerability discovered 2026-06-03 05:00 UTC

Part of run 2026-06-03-ee0eae61 (intel · Claude Opus 4.8)

UPDATE to the 2026-06-02 item "Sekoia consolidates Gamaredon tooling under GammaPhish / GammaWorm, details an NTFS-ADS USB+network worm"

UPDATE (originally covered 2026-06-02): Sekoia TDR's "FSB's Matryoshka" series adds material technical detail to the Gamaredon (UAC-0010 / ACTINIUM) tooling consolidation covered yesterday: the group is exploiting the WinRAR path-traversal flaw CVE-2025-8088 as an initial-access vector, using the traversal to write payloads directly into %APPDATA%\…\Start Menu\Programs\Startup\ for persistence without a Registry or Scheduled-Task artefact (Sekoia TDR, 2026-06-01).

The series also names GammaSteel, a modular file-stealer (consolidating prior QuietSieve/HarvesterX-class modules) that captures files by extension and — newly — exfiltrates to attacker-controlled S3-compatible cloud storage in addition to Gamaredon's previously documented HTTP/Telegram channels (The Hacker News, 2026-06-02). The full chain runs WinRAR archive → GammaPhish (HTA) → GammaLoad (VBScript downloader) → GammaWorm/GammaSteel.

Delta for defenders: CVE-2025-8088 is fixed in WinRAR 7.13 (August 2025), so patching closes the entry vector; inventory WinRAR versions across the estate and upgrade anything older than 7.13. Hunt for archive utilities writing executables or scripts (.vbs, .hta) into Programs\Startup paths (Sysmon EID 11 with a TargetFilename containing Programs\Startup), WinRAR spawning wscript.exe or mshta.exe (EID 1), and wscript.exe/mshta.exe processes making outbound connections to S3 endpoints that do not match normal business traffic (EID 3). Note that a payload planted in the Startup folder runs at the user's next logon with explorer.exe as its parent rather than WinRAR, so also hunt for script hosts launched with a Programs\Startup path on the command line. The targeting is Ukraine-centric, but the WinRAR vector reaches any organisation that opens archive-format lures.
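The three hunts above, plus the version check, as an added worked example (this is not ctipilot's or Sekoia's code). It runs over constructed Sysmon-style records embedded inline; the Sysmon field names follow Sysmon's own schema, while the archive-tool and script-host lists, the payload extension list and the "s3 label in hostname" heuristic are assumptions you should tune to your estate.

```python
"""Hunt logic for the Gamaredon / CVE-2025-8088 chain over constructed Sysmon-style events.

Added example, not code from ctipilot or Sekoia. Field names (Image, ParentImage,
TargetFilename, CommandLine, DestinationHostname) follow Sysmon's schema; the tool
lists, extension list and S3 hostname heuristic below are assumptions, not page facts.
"""
import ntpath
import re

FIXED_VERSION = (7, 13)  # CVE-2025-8088 fixed in WinRAR 7.13 (August 2025)

# Assumed lists: extend for the archivers and script hosts actually deployed in your estate.
ARCHIVE_TOOLS = {"winrar.exe", "rar.exe", "unrar.exe", "7zfm.exe", "7z.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
PAYLOAD_EXT = (".exe", ".vbs", ".hta", ".js", ".cmd", ".bat", ".lnk", ".dll")

# Matches the per-user and all-users Startup folders regardless of the prefix.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
# Heuristic: a hostname label that is exactly "s3" or starts "s3-" (AWS and most S3-compatible stores).
S3_HOST_RE = re.compile(r"(^|\.)s3(\.|-)", re.IGNORECASE)


def _base(path):
    """Lower-cased file name of a Windows path; ntpath works on any host OS."""
    return ntpath.basename(path or "").lower()


def winrar_is_vulnerable(version):
    """True when a WinRAR version string such as '7.12' predates the 7.13 fix."""
    parts = re.findall(r"\d+", version)
    if len(parts) < 2:
        raise ValueError(f"unparseable WinRAR version: {version!r}")
    return (int(parts[0]), int(parts[1])) < FIXED_VERSION


def hunt(events):
    """Apply the brief's three hunts to Sysmon-style event dicts; returns (rule, subject, detail) tuples."""
    findings = []
    for ev in events:
        eid = ev.get("EventID")
        image = _base(ev.get("Image"))
        if eid == 11:  # FileCreate: archiver dropping a payload into Startup
            target = ev.get("TargetFilename", "")
            if (STARTUP_RE.search(target) and target.lower().endswith(PAYLOAD_EXT)
                    and image in ARCHIVE_TOOLS):
                findings.append(("startup_write", image, target))
        elif eid == 1 and image in SCRIPT_HOSTS:  # ProcessCreate of a script host
            parent = _base(ev.get("ParentImage"))
            cmd = ev.get("CommandLine", "")
            if parent in ARCHIVE_TOOLS:
                findings.append(("script_host_from_archiver", parent, cmd))
            elif STARTUP_RE.search(cmd):
                # A Startup-folder payload runs at next logon under explorer.exe, so the
                # parent is not the archiver; the Startup path on the command line is the tell.
                findings.append(("script_host_from_startup", parent, cmd))
        elif eid == 3 and image in SCRIPT_HOSTS:  # NetworkConnect from a script host
            host = ev.get("DestinationHostname", "")
            if S3_HOST_RE.search(host):
                findings.append(("script_host_to_s3", image, host))
    return findings


# Constructed sample telemetry (not real logs): one hit per rule plus two benign decoys.
STARTUP = r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": STARTUP + r"\update.vbs"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.pdf"},                 # benign extract
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "ParentImage": r"C:\Windows\explorer.exe",
     "CommandLine": f'"C:\\Windows\\System32\\wscript.exe" "{STARTUP}\\update.vbs"'},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "ParentImage": r"C:\Program Files\WinRAR\WinRAR.exe",
     "CommandLine": r"mshta.exe C:\Users\alice\AppData\Local\Temp\Rar$DIa0.123\doc.hta"},
    {"EventID": 3, "Image": r"C:\Windows\System32\wscript.exe",
     "DestinationHostname": "bucket-x.s3.eu-central-1.amazonaws.com", "DestinationPort": 443},
    {"EventID": 3, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationHostname": "assets.s3.amazonaws.com", "DestinationPort": 443},  # browser, not a script host
]

if __name__ == "__main__":
    for ver in ("6.24", "7.12", "7.13"):
        print(f"WinRAR {ver}: {'VULNERABLE' if winrar_is_vulnerable(ver) else 'patched'}")
    for rule, subject, detail in hunt(SAMPLE_EVENTS):
        print(f"[{rule}] {subject}: {detail}")
```

In production the event dicts would come from the Sysmon operational channel or your SIEM; the Startup regex deliberately ignores the path prefix so it catches both the per-user folder and the all-users ProgramData folder, and the S3 check is a starting heuristic rather than a business-traffic baseline.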


Action items

  • Inventory WinRAR across the estate and upgrade to ≥ 7.13 to close the Gamaredon CVE-2025-8088 entry vector (§ 4); alert on archive utilities writing .exe/.vbs into Programs\Startup.

Update chain

Tags: espionage · nation-state · russia-nexus · infostealer · vulnerabilities · actively-exploited · patch-available · europe · russia-cis · CVE-2025-8088