RST TI Report Digest: 25 May 2026
ID: 7addfb32-6db6-5124-b9f0-d8e1a93fa23b
STIX ID: report--7addfb32-6db6-5124-b9f0-d8e1a93fa23b
Feed Name: RST Cloud Blog
Gamaredon (Aqua Blizzard) has been observed exploiting CVE-2025-8088 (WinRAR path traversal) in spearphishing campaigns against Ukrainian state institutions. The campaigns deliver multi-stage VBScript downloaders (GammaDrop and GammaLoad), which fetch payloads from dynamically generated Cloudflare Workers domains and leverage fast-changing archives and fast-flux DNS. The report includes a large set of IoCs (IPs, domains, URLs, SHA hashes) and infrastructure patterns from activity observed since at least September 2025, with a wave in April 2026.
