FSB Group Gamaredon Hides Worm in Windows Data Streams
ID: 84b17f39-ff95-5be0-930f-28e15f2d113b
STIX ID: report--84b17f39-ff95-5be0-930f-28e15f2d113b
Feed Name: Infosecurity Magazine (News)
Sekoia reports that Russian state-linked APT Gamaredon used a WinRAR path-traversal flaw (CVE-2025-8088) to install a hidden HTA and deploy a worm called GammaWorm. The worm hides its modules in NTFS Alternate Data Streams, runs fileless VBScript, propagates via USB drives and network shares, and uses public services (Telegram, Cloudflare) as dead-drop resolvers for C2. Organizations are advised to update WinRAR to version 7.13 or later and, because the malware is stealthy and can reinfect hosts via remotely fetched payloads, to consider a full system wipe for infected hosts.
