Gamaredon Exploits WinRAR Vulnerability in Ongoing Ukraine Campaign
ID: 9ff81201-4ab1-55eb-b86f-98ec83fd909e
STIX ID: report--9ff81201-4ab1-55eb-b86f-98ec83fd909e
Feed Name: ThreatCluster
Gamaredon, a Russian state-linked APT, is actively exploiting the WinRAR vulnerability CVE-2025-8088 to deliver a modular malware suite (GammaPhish, GammaLoad, GammaWorm, GammaSteel) against Ukrainian government, military, and critical-infrastructure targets. The infection chain starts with spearphishing RAR attachments, proceeds through an HTML Application (HTA) payload and VBScript loaders, and fetches a self-propagating worm that hides its components in NTFS Alternate Data Streams (ADS) and uses cloud services (Telegram, Cloudflare, Supabase) for command and control. Recommended mitigations include updating WinRAR, detecting ADS usage and suspicious scheduled tasks, network-level blocking of known resolvers, and full rebuilds of compromised systems, since the persistence mechanisms are resilient to partial cleanup.
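The summary recommends detecting ADS and scheduled-task abuse but does not say how. The following PowerShell triage script is an added example and is not part of the ThreatCluster report or Gamaredon's tooling; it enumerates named NTFS streams under a scan root and scheduled tasks whose actions launch script hosts, reference user-writable paths, or point at an ADS. The scan root, size threshold, script-host list, path list and the ADS-reference regex are assumptions chosen for illustration, not indicators from the report.

```powershell
# Added example (not from the ThreatCluster report): triage for two of the
# recommended detections, named NTFS Alternate Data Streams and scheduled tasks
# that launch script hosts. Scan root, threshold and host/path lists are assumptions.

param(
    [string]$ScanRoot = "$env:USERPROFILE",
    [int]$MinStreamBytes = 512
)

# 1. Alternate Data Streams. Every file has a default ':$DATA' stream; any other
#    named stream is worth a look. Zone.Identifier is the Mark-of-the-Web and is
#    normal on downloaded files, so it is listed but not flagged as suspicious.
function Find-SuspiciousAds {
    param([string]$Root, [int]$MinBytes)
    Get-ChildItem -Path $Root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' } |
                ForEach-Object {
                    [pscustomobject]@{
                        File       = $file.FullName
                        Stream     = $_.Stream
                        Length     = $_.Length
                        Suspicious = ($_.Stream -ne 'Zone.Identifier') -and ($_.Length -ge $MinBytes)
                    }
                }
        }
}

# 2. Scheduled tasks. The chain uses HTA and VBScript loaders, so mshta/wscript are
#    the hosts of interest; the list and the writable-path list are assumptions.
$ScriptHosts = @('mshta.exe', 'wscript.exe', 'cscript.exe', 'powershell.exe')
function Find-SuspiciousTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute; COM-handler actions are skipped.
            if (-not $action.Execute) { continue }
            $exe = [System.IO.Path]::GetFileName($action.Execute.Trim('"'))
            $cmd = "$($action.Execute) $($action.Arguments)".Trim()
            $hit = ($ScriptHosts -contains $exe) -or
                   ($cmd -match '(?i)\\(AppData|Temp|ProgramData|Users\\Public)\\') -or
                   ($cmd -match '\.[A-Za-z0-9]{1,5}:[\w.\-]+"?\s*$')  # file.ext:stream = ADS target
            if ($hit) {
                [pscustomobject]@{
                    Task    = "$($task.TaskPath)$($task.TaskName)"
                    State   = $task.State
                    Command = $cmd
                }
            }
        }
    }
}

Write-Host "== Named alternate data streams under $ScanRoot =="
Find-SuspiciousAds -Root $ScanRoot -MinBytes $MinStreamBytes |
    Sort-Object Suspicious -Descending | Format-Table -AutoSize

Write-Host "== Scheduled tasks launching script hosts, writable paths or ADS targets =="
Find-SuspiciousTasks | Format-Table -AutoSize
```

Run it from an elevated PowerShell session so Get-ScheduledTask sees every task and hidden directories are readable; widen the scan root to a volume for a full sweep. The output is triage, not a verdict: a named stream of a few kilobytes next to a task that runs mshta.exe or wscript.exe from AppData is the combination worth escalating, and, consistent with the report's rebuild recommendation, removing a single task or stream should not be treated as remediation.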
