Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine
ID: e0c57d8f-64ae-5ad6-9ade-b885dddea0c8
STIX ID: report--e0c57d8f-64ae-5ad6-9ade-b885dddea0c8
Feed Name: The Hacker News
Sekoia attributes an active Gamaredon campaign to the exploitation of WinRAR CVE-2025-8088, used to deliver an HTML Application (GammaPhish) that deploys VBScript downloaders (GammaLoad) and multiple payloads. Two stand out: GammaWorm, a worm that persists via scheduled tasks, LNK shortcut replacement and hiding in NTFS alternate data streams (ADS), and uses Telegram for command and control; and GammaSteel, a modular infostealer that exfiltrates data to AWS S3. The report highlights the modular, heavily obfuscated architecture, the use of legitimate platforms to blend malicious traffic with normal activity, and the likelihood that the toolset will be reused against Ukrainian government, military, and critical infrastructure targets.
