FSB’s matryoshka #1/3 – Gamaredon’s gifts that keep unpacking – GammaPhish and GammaWorm
ID: 43eac096-a0e4-5607-b96e-f6fc96974845
STIX ID: report--43eac096-a0e4-5607-b96e-f6fc96974845
Feed Name: Sekoia.io Blog
**Sekoia.io documents an active, high‑sophistication Gamaredon (Russian FSB‑linked) espionage campaign observed in January 2026 that uses HTML smuggling and a WinRAR path‑traversal exploit (CVE‑2025‑8088) to deploy a modular toolset (GammaPhish, GammaLoad, GammaWorm, GammaSteel) which leverages NTFS Alternate Data Streams, scheduled tasks, USB propagation, and Dead Drop Resolvers (Telegram/Cloudflare) to maintain persistent backdoors and exfiltrate sensitive documents.**
