Gamaredon Uses WinRAR Vulnerability to Launch Modular Spy Campaign on Ukrainian Targets
ID: 63f8b3a2-43a9-57f7-be9e-04f273352c92
STIX ID: report--63f8b3a2-43a9-57f7-be9e-04f273352c92
Feed Name: Security Affairs
Gamaredon leverages a WinRAR path-traversal (CVE-2025-8088) via weaponized XHTML attachments to HTML-smuggle a RAR that extracts an HTA into Startup, initiating a multi-stage VBScript-based, nearly fileless infection chain (GammaPhish → GammaLoad → GammaWorm). The campaign uses NTFS Alternate Data Streams for stealth, scheduled tasks and RunOnce registry tricks for persistence, USB and share-based propagation with deceptive LNK files, and resolves C2s through a layered dead-drop chain including Telegram and Cloudflare; IOCs and remediation advice (full host wipe recommended) are provided.