GammaWorm Malware: How Gamaredon APT Hides in Windows

June 2, 2026

Russia's FSB-linked Gamaredon APT has deployed GammaWorm, one of the most technically involved fileless attack chains yet attributed to the group. Researchers at Sekoia.io uncovered the campaign in January 2026 and confirmed it was still active at the time of their June 2026 publication. GammaWorm stores its components in a native NTFS feature, Alternate Data Streams, spreads through USB drives and network shares, and resolves its command-and-control (C2) servers through legitimate platforms including Telegram and Cloudflare. Security teams, SOC analysts, and IT leaders need to understand what this threat does and how to stop it.

This is not a routine espionage campaign. GammaWorm is largely invisible to signature-based antivirus, relies on a known WinRAR vulnerability for initial access, and uses dead drop resolvers that blunt blocklist-based network detection. The primary targets are Ukrainian government agencies, military organizations, and critical infrastructure operators, but the techniques are not specific to Ukraine, and any organization running WinRAR below version 7.13 is exposed to the same initial access exploit.

Here is a complete breakdown of the attack chain, detection strategies, and mitigation steps your team needs right now.

What Is GammaWorm Malware and Who Is Behind It

GammaWorm malware is a VBScript-based worm developed and deployed by Gamaredon APT, a Russia-linked advanced persistent threat group attributed to the FSB. Security researchers also track this group under the names ACTINIUM, Armageddon, and UAC-0010.

Gamaredon has operated since at least 2013, focusing almost entirely on Ukraine. The group targets government agencies, military organizations, defense contractors, and critical infrastructure. Their goal is long-term access and intelligence collection in support of Russian strategic interests.

GammaWorm malware represents a significant technical evolution for this group. Previous Gamaredon campaigns relied on high volume, relatively basic tooling. This campaign is different. It is targeted, technically sophisticated, and deliberately built to frustrate incident response teams.

Key facts about GammaWorm malware:

  • VBScript based worm exceeding 20,000 lines of obfuscated code
  • Stores all modules inside NTFS Alternate Data Streams, invisible to standard directory listings
  • Persists through scheduled tasks disguised as Windows maintenance processes
  • Propagates to USB drives and network shares via malicious LNK shortcut files
  • Retrieves live C2 server addresses from Telegram, Cloudflare Workers, and Telegra.ph using dead drop resolvers
  • Executes all payloads in memory, leaving minimal forensic footprint on disk

How Sekoia.io Discovered This Campaign

Sekoia.io researchers identified this active Gamaredon campaign through a YARA-based threat hunting operation in January 2026. They combined their initial findings with over 70 forensic artifacts retrieved from compromised hosts. This allowed them to reconstruct a significant portion of the full infection chain.

Discovery timeline:

  • January 2026: Sekoia.io identifies the campaign via YARA-based hunting
  • January to June 2026: Researchers collect and analyze over 70 forensic artifacts from compromised endpoints
  • June 2026: Sekoia.io publishes full analysis, confirms campaign still active
  • Targets confirmed: Ukrainian government, military, and critical infrastructure entities

The research team also managed to replay live network requests to Gamaredon's C2 servers during their investigation. This gave them direct insight into how GammaWorm malware communicates with its operators in real time.

The Full GammaWorm Malware Attack Chain Explained

Understanding the full infection chain is essential for defenders. Here is every stage from initial phishing email to data exfiltration.

Stage 1: GammaPhish - HTML Smuggling for Initial Access

The attack starts with a spearphishing email that delivers a weaponized XHTML file as an attachment. When the victim opens the file, HTML Smuggling silently drops a malicious RAR archive onto the machine. Gateway filters that inspect only attached binaries tend to miss this technique because the archive is assembled client-side by script in the attachment rather than arriving as a pre-formed file.

The RAR archive exploits CVE-2025-8088, a path traversal vulnerability in WinRAR versions prior to 7.13. The same vulnerability has also been linked to other Russian state-aligned operators, including Sandworm and Turla, which suggests the exploit circulates across several of those groups rather than being unique to Gamaredon.

What CVE-2025-8088 does:

The exploit abuses WinRAR's path handling: the traversal is carried in an alternate data stream attached to an archive entry, and on extraction WinRAR writes the hidden HTA file directly into the user's Windows Startup directory. WinRAR displays no errors, the extraction completes silently, and a decoy PDF opens to keep the victim unaware. On the next login, Windows runs the HTA file automatically.

GammaPhish execution flow:

  • Spearphishing email delivers weaponized XHTML attachment
  • HTML Smuggling drops malicious RAR archive to disk
  • CVE-2025-8088 extracts hidden HTA file into Windows Startup directory
  • Decoy PDF displays to victim to prevent suspicion
  • HTA executes automatically at next user login via mshta.exe
  • mshta.exe fetches next-stage payload from Supabase cloud infrastructure
  • The request URL carries www.bbc.com as a userinfo prefix (the user@host part of a URL), so a casual reader sees a BBC hostname rather than the real Supabase host

Stage 2: GammaLoad - Modular Loader and Host Fingerprinting

After the HTA executes, it calls mshta.exe to pull down the next stage payload from Supabase-hosted infrastructure. Sekoia classifies this stage as GammaLoad.

GammaLoad fingerprints the compromised host and downloads additional payloads through cascading VBScript stages. Each stage only reveals the next component, limiting the full toolset's exposure at any single point in time. This approach deliberately hampers sandbox analysis and automated threat intelligence collection.

Stage 3: GammaWorm Malware - Fileless Execution via NTFS ADS

This is the core of the campaign. GammaWorm malware is where Gamaredon APT demonstrates genuine technical sophistication.

What are NTFS Alternate Data Streams?

NTFS Alternate Data Streams (ADS) are a native Windows file system feature originally added for compatibility with Macintosh resource forks. An ADS attaches additional named data to an existing file or directory without changing the primary data or the size that listings report. Standard directory listings do not show them: plain dir omits them unless run with the /R switch, most file managers hide them, and many security tools do not enumerate or scan them by default.

GammaWorm writes its core operational modules into streams attached to the user's profile directory itself (a directory, like a file, can carry streams):

  • %USERPROFILE%:GTR stores the main worm module
  • %USERPROFILE%:URL stores C2 address data
  • %USERPROFILE%:LNK stores the USB propagation module
  • %USERPROFILE%:SERVER stores active C2 server configuration
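
To make the point concrete, the following added example (not from the page or from Sekoia.io) creates and inspects a stream on a throwaway directory under %TEMP% with harmless text, then removes it. Run it in a normal PowerShell session on Windows; the folder and stream names are arbitrary.

```powershell
# Added example (not from the Sekoia.io report or the page): shows how an NTFS
# alternate data stream behaves on a directory, using a throwaway folder and
# harmless text so nothing malicious is written.
$demo = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $demo -Force | Out-Null

# Write a stream named GTR on the directory itself. The directory keeps its
# normal listing; the stream is addressed as <path>:<streamname>.
Set-Content -Path $demo -Stream 'GTR' -Value 'hello from an alternate data stream'

# A normal listing of the parent shows the directory with no hint of the stream.
Get-ChildItem -Path $env:TEMP -Filter 'ads-demo'

# Enumerating streams reveals it (':$DATA' is the primary stream of a file;
# a directory has no primary stream of its own, so only the extra one appears).
Get-Item -Path $demo -Stream * | Select-Object Stream, Length

# The legacy dir command only lists streams when given the /R switch.
cmd /c "dir /R `"$env:TEMP`" | findstr GTR"

# Reading and removing the stream.
Get-Content -Path $demo -Stream 'GTR'
Remove-Item -Path $demo -Stream 'GTR'
Get-Item -Path $demo -Stream * -ErrorAction SilentlyContinue   # nothing left to list

Remove-Item -Path $demo -Recurse -Force
```

The same Get-Item -Stream * call, pointed at $env:USERPROFILE, is the quickest way to check a single profile for the GTR, URL, LNK and SERVER streams named above.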

Persistence mechanisms used by GammaWorm malware:

GammaWorm establishes persistence through three scheduled tasks. Each task masquerades as a legitimate Windows system maintenance process:

  • DiskDiagnosticDataCollector
  • SilentCleanup
  • SmartRetry

These tasks trigger the ADS-stored modules at regular intervals. The malware also stores its configuration, including C2 addresses, in values under HKCU\Console\, a key that normally holds only console window settings and is rarely reviewed, which makes manual discovery harder.

USB and network drive propagation:

GammaWorm malware actively propagates to any connected USB drive or accessible network share. It hides legitimate folders on the target drive. It then replaces those folders with malicious LNK shortcut files. The shortcut files use Ukrainian-language filenames referencing military orders, personnel files, and government documents to trick users into clicking them. Each click executes GammaWorm on the new host.

Dead Drop Resolver C2 communication:

GammaWorm malware does not hardcode C2 server addresses. Instead it uses Dead Drop Resolvers (DDRs), publicly accessible posts on legitimate platforms, to retrieve live server addresses. DDR platforms include:

  • Telegram channels
  • Telegra.ph posts
  • Teletype.in pages
  • Cloudflare Workers endpoints

Retrieved C2 addresses are stored directly in the Windows registry under HKCU\Console. The worm then runs a continuous beacon loop, sending POST requests to its C2 servers with host fingerprint data embedded in randomized HTTP headers rather than the request body, which sidesteps inspection rules that look only at request bodies. Depending on the HTTP response code from the C2 server, GammaWorm either executes fresh VBScript payloads in memory or updates its C2 configuration with new server addresses.

Stage 4: GammaSteel - Registry-Staged Document Theft

GammaSteel handles targeted document exfiltration. It is a fully PowerShell based stealer that stages itself entirely within the Windows registry.

GammaSteel technical details:

  • Stores 71 encrypted modules inside Windows registry keys
  • Protects all modules with the Windows Data Protection API (DPAPI), which ties the blobs to the compromised account or machine, so analysts working from an offline hive copy need the corresponding DPAPI master key to decrypt them
  • Targets specific document types including Office files and PDFs
  • Captures files from newly inserted USB drives
  • Exfiltrates stolen data to S3-compatible cloud storage buckets
  • Falls back to operator-controlled C2 servers if cloud storage is unavailable

GammaSteel consolidates capabilities from several prior Gamaredon malware families including QuietSieve, USBStealer, HarvesterX, and various Pteranodon stealer modules.


Why GammaWorm Malware Is Dangerous for Every Organization

The Gamaredon campaign targets Ukraine. However, the techniques behind GammaWorm present a direct risk to any organization that runs the same software and has the same visibility gaps as the confirmed targets.

Enterprise and SMB risks:

  • Any Windows endpoint running WinRAR below version 7.13 is vulnerable to the CVE-2025-8088 initial access exploit
  • HTML Smuggling gets past email gateways that only inspect attached binaries, because the archive is assembled by script on the client
  • NTFS ADS abuse evades legacy antivirus and EDR products that do not enumerate or scan streams
  • DDR-based C2 undercuts domain blocklists and IP reputation filtering: the resolver lives on a trusted platform, and the C2 addresses it hands out can be rotated at will

Cloud security implications:

  • GammaSteel exfiltrates data to S3-compatible cloud storage, blending into normal enterprise cloud traffic
  • Because the DDRs are hosted on Telegram and Cloudflare, blocking those platforms outright is impractical for most organizations
  • TLS inspection alone does not help: the uploads look like ordinary cloud storage traffic unless DLP policies examine what is being sent and where

Financial and operational impact:

  • Sekoia.io recommends a full system wipe as the only reliable remediation for any confirmed GammaWorm malware infection
  • Organizations without validated backup and recovery capabilities face significant downtime and data loss exposure
  • GammaSteel targets sensitive documents with direct intelligence value including personnel records, strategic plans, and communications

Regulatory exposure:

  • Confirmed GammaSteel exfiltration of personal data may trigger mandatory breach reporting obligations under GDPR, HIPAA, and similar frameworks
  • Incident response costs, forensic investigation, and notification requirements create substantial financial exposure beyond the immediate operational impact

Five Real-World Attack Scenarios

Scenario 1: Defense Contractor Hit Through Spearphishing

An employee at a defense contractor opens a spearphishing email with an XHTML attachment disguised as a procurement tender. HTML Smuggling drops a RAR archive. CVE-2025-8088 silently places a hidden HTA file in the Startup directory. After the next login, GammaLoad deploys GammaWorm malware across the endpoint. Within days, GammaSteel quietly exfiltrates project files, personnel records, and contract documents to cloud storage.

Scenario 2: USB Lateral Movement Into a Restricted Network

GammaWorm malware infects an endpoint with access to both the corporate network and a USB drive used to transfer files to a more sensitive network segment. The worm writes malicious LNK files to the USB drive using convincing filenames. A user connects the drive to the sensitive network segment and opens what appears to be a legitimate folder. GammaWorm executes on the new host and the infection spreads.

Scenario 3: Managed Service Provider Used as Entry Point

A managed service provider employee's endpoint becomes infected via a GammaPhish campaign. GammaWorm establishes silent ADS-based persistence. When the MSP employee connects remotely to a client environment, the worm enumerates accessible network shares and propagates to client infrastructure. The client has no visibility into the MSP endpoint's compromise until GammaSteel begins exfiltrating its data.

Scenario 4: Credential Recovery Enables Privilege Escalation

GammaSteel collects documents containing embedded credentials, SSH keys, and VPN configuration files from the compromised endpoint. Threat actors use these recovered credentials to authenticate to cloud workloads and internal gateways. All subsequent lateral movement occurs under legitimate authenticated sessions, bypassing perimeter detection completely.

Scenario 5: Incomplete Remediation Leads to Re-infection

An incident response team removes GammaWorm malware scheduled tasks from a compromised host. Standard remediation tools do not detect the NTFS ADS modules still hidden in the user profile. The DDR-based C2 mechanism reestablishes contact after the next reboot. Fresh payloads download. Persistence reinstates itself. The organization believes it is clean but remains fully compromised.


How to Detect GammaWorm Malware in Your Environment

Signature-based antivirus alone is unlikely to catch this threat. Detecting GammaWorm requires behavioral monitoring, registry auditing, and proactive threat hunting. Here is a practical framework for your SOC team.

Logging You Must Enable Now

  • Enable PowerShell Script Block Logging (Event ID 4104 in Microsoft-Windows-PowerShell/Operational) on all endpoints
  • Enable PowerShell Module Logging (Event ID 4103) to capture pipeline activity from loaded modules
  • Collect scheduled task creation and modification events (Security Event IDs 4698 and 4702, under the Other Object Access Events audit subcategory)
  • Enable registry auditing (Event ID 4657, or Sysmon Event IDs 12 and 13) with a SACL on HKCU\Console\, the key GammaWorm writes its C2 data to
  • Enable process creation auditing with the command line included (Event ID 4688 with the "Include command line in process creation events" policy, or Sysmon Event ID 1)
  • Capture process creation events with full parent-child relationship data and, if you run Sysmon, alternate data stream creation (Event ID 15)
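
An added example (not from the page or Sekoia.io) of turning the list above on for a single host with PowerShell and auditpol. The registry policy paths and audit subcategories are the documented Windows ones. In an enterprise you would push the same settings by Group Policy or Intune rather than per host, and the SACL step below covers only the current user's HKCU\Console, so use Global Object Access Auditing for fleet-wide registry coverage. Run it elevated.

```powershell
# Added example (not from the page or the Sekoia.io report): enables the
# telemetry listed above on one host. Run from an elevated PowerShell session.
$ErrorActionPreference = 'Stop'

function Set-PolicyValue {
    param([string]$Path, [string]$Name, $Value, [string]$Type = 'DWord')
    if (-not (Test-Path $Path)) { New-Item -Path $Path -Force | Out-Null }
    New-ItemProperty -Path $Path -Name $Name -Value $Value -PropertyType $Type -Force | Out-Null
}

# PowerShell Script Block Logging (Event ID 4104, Microsoft-Windows-PowerShell/Operational)
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging' `
    'EnableScriptBlockLogging' 1

# PowerShell Module Logging for all modules (Event ID 4103)
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging' `
    'EnableModuleLogging' 1
Set-PolicyValue 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ModuleLogging\ModuleNames' `
    '*' '*' 'String'

# Put the full command line into Security Event ID 4688
Set-PolicyValue 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\Audit' `
    'ProcessCreationIncludeCmdLine_Enabled' 1

# Advanced audit policy: process creation (4688); scheduled task create/update
# (4698/4702 are raised under "Other Object Access Events"); registry (4657).
auditpol /set /subcategory:"Process Creation" /success:enable
auditpol /set /subcategory:"Other Object Access Events" /success:enable
auditpol /set /subcategory:"Registry" /success:enable /failure:enable

# Registry auditing only fires for keys that carry a SACL. This audits value
# writes and subkey creation under HKCU\Console for the current user.
$acl  = Get-Acl -Path 'HKCU:\Console' -Audit
$rule = New-Object System.Security.AccessControl.RegistryAuditRule(
            'Everyone', 'SetValue, CreateSubKey', 'ContainerInherit', 'None', 'Success')
$acl.AddAuditRule($rule)
Set-Acl -Path 'HKCU:\Console' -AclObject $acl

# Quick check of what is now in effect
auditpol /get /subcategory:"Process Creation"
Get-ItemProperty 'HKLM:\SOFTWARE\Policies\Microsoft\Windows\PowerShell\ScriptBlockLogging'
(Get-Acl -Path 'HKCU:\Console' -Audit).Audit
```

Script Block Logging writes the de-obfuscated script text, so a 20,000-line VBScript loader that hands off to PowerShell leaves the PowerShell half readable in 4104 events even when the VBScript itself only ever lived in a stream.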

EDR Rules to Build Today

  • Alert on mshta.exe making outbound connections to Supabase or other cloud storage infrastructure
  • Alert on wscript.exe or cscript.exe executing a path that contains a colon other than the drive specifier (for example C:\Users\name:GTR), a direct indicator of script execution from an ADS
  • Alert on scheduled tasks named DiskDiagnosticDataCollector, SilentCleanup, or SmartRetry created outside the \Microsoft\Windows\ task folder, where the legitimate SilentCleanup and Microsoft-Windows-DiskDiagnosticDataCollector tasks live
  • Detect alternate data stream creation under %USERPROFILE% (Sysmon Event ID 15), excluding the routine Zone.Identifier stream
  • Flag execution of unusually large VBScript files (the GammaWorm module exceeds 20,000 lines)
  • Flag POST requests that carry many non-standard or randomly named HTTP headers; GammaWorm embeds host fingerprint data in headers rather than the request body

SIEM Correlation Rules

  • Correlate mshta.exe process creation with an outbound connection from the same process to a cloud platform within 60 seconds
  • Alert on WinRAR.exe writing any file into a Startup directory (Sysmon Event ID 11 or file system auditing), which is how CVE-2025-8088 plants the HTA
  • Flag registry writes to HKCU\Console\ immediately following VBScript process execution
  • Correlate USB drive insertion events with LNK file creation at the root of the connected drive
  • Build rules flagging uploads to S3-compatible cloud storage from endpoints with no prior upload history to that destination
  • Correlate scheduled task creation (4698) with a wscript.exe or cscript.exe process start within 60 seconds
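
Two of the correlations above, as an added example (not code from the page or from Sekoia.io), implemented in PowerShell over a small constructed event list so the logic can be read and tested without a SIEM. Field names follow Sysmon (Event ID 1 process creation, Event ID 3 network connection) and the Security log (4698 task creation); the hostnames, process IDs, user name and timestamps are made up. In production the same two functions would be fed from Get-WinEvent or expressed as SIEM rules.

```powershell
# Added example (not from the page or Sekoia.io): two correlation rules run over
# constructed, Sysmon-shaped events. Everything in $events is made up.
$events = @(
    [pscustomobject]@{ Time = [datetime]'2026-03-04T09:00:00'; EventId = 1; ProcessId = 4120
                       Image = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe "C:\Users\o.koval\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\report.hta"' }
    [pscustomobject]@{ Time = [datetime]'2026-03-04T09:00:07'; EventId = 3; ProcessId = 4120
                       Image = 'C:\Windows\System32\mshta.exe'
                       DestinationHostname = 'xyz.supabase.co'; DestinationPort = 443 }
    [pscustomobject]@{ Time = [datetime]'2026-03-04T09:01:12'; EventId = 4698
                       TaskName = '\SmartRetry'; TaskContent = 'wscript.exe //e:vbscript "C:\Users\o.koval:GTR"' }
    [pscustomobject]@{ Time = [datetime]'2026-03-04T09:01:40'; EventId = 1; ProcessId = 5208
                       Image = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'wscript.exe //e:vbscript "C:\Users\o.koval:GTR"' }
    [pscustomobject]@{ Time = [datetime]'2026-03-04T10:15:00'; EventId = 1; ProcessId = 7001
                       Image = 'C:\Windows\System32\mshta.exe'
                       CommandLine = 'mshta.exe C:\Tools\intranet.hta' }
    [pscustomobject]@{ Time = [datetime]'2026-03-04T10:20:00'; EventId = 3; ProcessId = 7001
                       Image = 'C:\Windows\System32\mshta.exe'
                       DestinationHostname = 'intranet.corp.local'; DestinationPort = 443 }
)

# Cloud hosting suffixes named in the article; extend from your own intel.
$cloudSuffixes = 'supabase.co', 'workers.dev', 'telegra.ph', 'teletype.in', 't.me'

function Test-CloudHost([string]$Name) {
    foreach ($s in $cloudSuffixes) {
        if ($Name -eq $s -or $Name.EndsWith(".$s")) { return $true }
    }
    return $false
}

function Find-MshtaCloudBeacon {
    # Rule 1: mshta.exe starts, and within $Window seconds the same process
    # opens an outbound connection to a cloud hosting domain.
    param($Events, [int]$Window = 60)
    $starts = $Events | Where-Object { $_.EventId -eq 1 -and $_.Image -like '*\mshta.exe' }
    foreach ($s in $starts) {
        $hits = $Events | Where-Object {
            $_.EventId -eq 3 -and $_.ProcessId -eq $s.ProcessId -and
            $_.Time -ge $s.Time -and ($_.Time - $s.Time).TotalSeconds -le $Window -and
            (Test-CloudHost $_.DestinationHostname)
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Rule = 'mshta-to-cloud'; Time = $s.Time; ProcessId = $s.ProcessId
                               Detail = "$($s.CommandLine) -> $($h.DestinationHostname):$($h.DestinationPort)" }
        }
    }
}

function Find-TaskThenScript {
    # Rule 2: a scheduled task is created (4698) and a wscript/cscript process
    # starts within $Window seconds.
    param($Events, [int]$Window = 60)
    $tasks = $Events | Where-Object { $_.EventId -eq 4698 }
    foreach ($t in $tasks) {
        $hits = $Events | Where-Object {
            $_.EventId -eq 1 -and $_.Image -match '\\(w|c)script\.exe$' -and
            $_.Time -ge $t.Time -and ($_.Time - $t.Time).TotalSeconds -le $Window
        }
        foreach ($h in $hits) {
            [pscustomobject]@{ Rule = 'task-then-script'; Time = $t.Time; ProcessId = $h.ProcessId
                               Detail = "$($t.TaskName): $($h.CommandLine)" }
        }
    }
}

$alerts = @(Find-MshtaCloudBeacon $events) + @(Find-TaskThenScript $events)
$alerts | Format-Table -AutoSize -Wrap
```

On the constructed events the first rule fires once, for the mshta.exe session that reaches a Supabase host seven seconds after launch, and the second fires once, for the SmartRetry task followed by wscript.exe reading the :GTR stream. The later mshta.exe session is not flagged: its connection goes to an internal host and arrives well outside the 60-second window. Tune the window to your telemetry latency, and add the process ID join to rule 2 if your task events carry one.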

Threat Hunting Queries

Run these hunts immediately across your endpoint fleet:

  • Hunt for alternate data streams on user profile directories and their contents using Sysinternals streams.exe (streams -s C:\Users) or PowerShell (Get-Item -Path $env:USERPROFILE -Stream *); ignore the routine Zone.Identifier stream and look at everything else
  • Search all scheduled task actions for paths containing a colon outside the drive-letter position
  • Query registry values under HKCU\Console\ (for every user hive, not only the account running the hunt) for strings containing IP addresses, hostnames, or URLs; this key normally holds only console window settings
  • Hunt for LNK files at the root of USB drives or network shares sitting next to folders that have been set hidden
  • Search for mshta.exe child processes spawning wscript.exe or cscript.exe
  • Identify all endpoints running WinRAR below 7.13 and prioritize immediate patching
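
The hunts above collected into one read-only host script, as an added example (not code from the page or from Sekoia.io). The stream names, task names and the HKCU\Console location come from the article; the colon heuristic, the hostname pattern and the WinRAR install paths are my assumptions. Run it as an administrator so every profile and every loaded user hive is visible.

```powershell
# Added example (not from the page or the Sekoia.io report): a read-only host
# hunt for the indicators listed above. Heuristics and paths are assumptions.
$ErrorActionPreference = 'SilentlyContinue'
$findings = New-Object System.Collections.Generic.List[object]
function Add-Finding([string]$Check, [string]$Detail) {
    $findings.Add([pscustomobject]@{ Check = $Check; Detail = $Detail })
}

# 1. Alternate data streams on each profile directory and its top-level entries.
#    Zone.Identifier is the routine "downloaded from the internet" marker; any
#    other stream, especially on a directory, deserves a look.
foreach ($userDir in Get-ChildItem 'C:\Users' -Directory) {
    foreach ($item in @($userDir) + @(Get-ChildItem $userDir.FullName -Force)) {
        Get-Item -LiteralPath $item.FullName -Stream * |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object { Add-Finding 'ads' "$($_.FileName):$($_.Stream) ($($_.Length) bytes)" }
    }
}

# 2. Scheduled tasks: the names from the article outside Microsoft's own folder,
#    and any action that runs a script host or references an ADS. The pattern
#    matches a colon that is neither a drive specifier (C:\) nor part of a URL or
#    a //switch:value; times such as 12:30 would also match, so review the hits.
$adsPattern   = '(?<=[^\s:\\/"][^\s:\\/"]):(?![\\/])'
$suspectNames = 'DiskDiagnosticDataCollector', 'SilentCleanup', 'SmartRetry'
foreach ($task in Get-ScheduledTask) {
    if ($task.TaskName -in $suspectNames -and $task.TaskPath -notlike '\Microsoft\*') {
        Add-Finding 'task-name' "$($task.TaskPath)$($task.TaskName)"
    }
    foreach ($action in $task.Actions) {
        $line = "$($action.Execute) $($action.Arguments)"
        if ($line -match '(?i)\b(wscript|cscript|mshta)\.exe' -or $line -match $adsPattern) {
            Add-Finding 'task-action' "$($task.TaskPath)$($task.TaskName): $line"
        }
    }
}

# 3. HKCU\Console for every loaded user hive. The key normally holds only console
#    window settings (DWORD colour tables, font names), so string values that
#    look like an IP address, hostname or URL are out of place.
$netPattern = '(?i)\b\d{1,3}(\.\d{1,3}){3}\b|https?://|\b[a-z0-9-]+\.[a-z]{2,}\b'
foreach ($hive in Get-ChildItem 'Registry::HKEY_USERS' | Where-Object { $_.PSChildName -notmatch '_Classes$' }) {
    $console = "Registry::HKEY_USERS\$($hive.PSChildName)\Console"
    foreach ($key in @(Get-Item $console) + @(Get-ChildItem $console -Recurse) | Where-Object { $_ }) {
        foreach ($name in $key.GetValueNames()) {
            if ($key.GetValueKind($name) -in 'String', 'ExpandString', 'MultiString') {
                $value = [string]($key.GetValue($name) -join ' ')
                if ($value -match $netPattern) { Add-Finding 'console-key' "$($key.Name)\$name = $value" }
            }
        }
    }
}

# 4. WinRAR below 7.13 (default install locations assumed; adjust for your fleet).
foreach ($exe in "$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe") {
    if (Test-Path $exe) {
        $ver = (Get-Item $exe).VersionInfo.ProductVersion -as [version]
        if ($ver -and $ver -lt [version]'7.13') {
            Add-Finding 'winrar' "$exe is $ver; CVE-2025-8088 requires 7.13 or later"
        }
    }
}

if ($findings.Count) { $findings | Format-Table -AutoSize -Wrap } else { 'No findings.' }
```

Every check here is state-based, so it finds what is present at run time; pair it with the logging and correlation above to catch the worm between beacons. Check 1 only walks the top level of each profile because that is where the article places the streams; widen it to a full recursion when you have time, since it is the slowest step.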

Identity and Access Monitoring

  • Review all privileged account activity on endpoints where GammaWorm indicators are present
  • Monitor cloud platform authentication attempts from endpoints flagged for suspicious VBScript activity
  • Enable conditional access policies requiring device compliance checks before granting access to sensitive resources
  • Treat any credentials, keys, or VPN configurations stored in documents on an affected endpoint or its removable media as compromised: rotate them and alert on any further use of the old values

Mitigation Steps to Stop GammaWorm Malware

Act on these recommendations immediately. Do not wait for your next patch cycle.

Patch WinRAR Now

  • Update WinRAR to version 7.13 or later on every endpoint in your environment
  • Verify patch compliance through your vulnerability management platform
  • Apply emergency patching procedures if standard cycles would delay this beyond 48 hours
  • Include remote workers, contractor endpoints, and shared workstations in the patching scope

Enforce Multi-Factor Authentication

  • Deploy phishing-resistant MFA on all remote access and cloud platform logins
  • Disable legacy authentication protocols that allow MFA bypass
  • Enforce MFA on your own cloud storage and SaaS tenants; this does not stop GammaSteel uploading to attacker-controlled buckets, but it blunts the follow-on use of credentials harvested from stolen documents
  • Audit all service accounts for MFA compliance immediately

Apply Zero Trust Principles

  • Implement Zero Trust network access to limit lateral movement after initial compromise
  • Apply least privilege access to all user accounts including administrative roles
  • Enforce microsegmentation to contain GammaWorm malware propagation across network shares
  • Require device compliance verification before granting access to any sensitive resource

Harden Endpoints Against Script Execution

  • Block VBScript and PowerShell execution from user profile directories via application control policies
  • Implement AppLocker or Windows Defender Application Control rules restricting mshta.exe, wscript.exe, and cscript.exe to the accounts and paths that genuinely need them
  • Enable the Microsoft Defender Attack Surface Reduction rules that cover this chain, in particular "Block execution of potentially obfuscated scripts" and "Block JavaScript or VBScript from launching downloaded executable content"
  • Monitor, and where your applications allow it restrict, writes to the per-user and all-users Startup directories; the per-user folder sits inside the profile, so an outright deny may break software that registers itself there

Control USB and Removable Media

  • Deploy removable media policies blocking unauthorized USB device connections
  • Disable autorun and autoplay on all endpoints; note that the GammaWorm lure is a LNK the user has to click, so this closes a neighbouring path rather than the one the worm uses
  • Configure Explorer to show hidden files and file extensions so the hidden original folders and the .lnk replacements can be told apart (Explorer suppresses the .lnk extension by default)
  • Enable endpoint DLP controls alerting on document uploads to cloud storage from endpoints not pre-approved for such activity
  • Audit USB insertion logs regularly for anomalous device patterns
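
An added hardening example (not from the page or Sekoia.io) that applies the script and removable-media items above to one host, using Microsoft Defender Attack Surface Reduction rules and Explorer/Autorun registry policies. The rule GUIDs are Microsoft's documented ASR identifiers; the choice of rules is mine. The script starts in audit mode so you can review Event ID 1122 entries in the Microsoft-Windows-Windows Defender/Operational log before enforcing. Run it elevated.

```powershell
# Added example (not from the page): endpoint hardening for the GammaWorm chain.
# ASR rule GUIDs are Microsoft's published identifiers. Start in AuditMode,
# review Defender Operational Event ID 1122, then rerun with -Action Enabled.
param([ValidateSet('AuditMode', 'Enabled', 'Warn')][string]$Action = 'AuditMode')

$asrRules = [ordered]@{
    'Block execution of potentially obfuscated scripts'                        = '5BEB7EFE-FD9A-4556-801D-275E5FFC04CC'
    'Block JavaScript or VBScript from launching downloaded executable content' = 'D3E037E1-3EB8-44C8-A917-57927947596D'
    'Block executable content from email client and webmail'                   = 'BE9BA2D9-53EA-4CDC-84E5-9B1EEEE46550'
    'Block untrusted and unsigned processes that run from USB'                 = 'B2B3F03D-6A65-4F7B-A9C7-1C7EF74A9BA4'
}
foreach ($entry in $asrRules.GetEnumerator()) {
    Add-MpPreference -AttackSurfaceReductionRules_Ids $entry.Value -AttackSurfaceReductionRules_Actions $Action
    "ASR $($Action): $($entry.Key)"
}

# Autorun/AutoPlay off for every drive type (0xFF) and autorun.inf ignored.
# The GammaWorm lure is a LNK the user clicks, so this closes a neighbouring
# path, not that one; it is still basic removable-media hygiene.
$explorerPol = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer'
if (-not (Test-Path $explorerPol)) { New-Item $explorerPol -Force | Out-Null }
New-ItemProperty $explorerPol -Name NoDriveTypeAutoRun -Value 0xFF -PropertyType DWord -Force | Out-Null
New-ItemProperty $explorerPol -Name NoAutorun -Value 1 -PropertyType DWord -Force | Out-Null

# Show hidden and system files and all extensions for the current user so the
# hidden originals and the .lnk replacements on a drive can be told apart.
# Explorer never shows the .lnk extension itself because of NeverShowExt on
# the lnkfile class; removing that value reveals it (the arrow overlay stays).
$adv = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
Set-ItemProperty $adv -Name Hidden -Value 1
Set-ItemProperty $adv -Name ShowSuperHidden -Value 1
Set-ItemProperty $adv -Name HideFileExt -Value 0
Remove-ItemProperty 'Registry::HKEY_CLASSES_ROOT\lnkfile' -Name NeverShowExt -ErrorAction SilentlyContinue

# Report the ASR rule set now in effect
Get-MpPreference | Select-Object -ExpandProperty AttackSurfaceReductionRules_Ids
```

The USB rule only affects untrusted, unsigned binaries; the GammaWorm lure launches wscript.exe, a signed Windows binary, so AppLocker or WDAC restrictions on the script hosts from the previous list remain the direct control. The Explorer settings take effect after Explorer restarts or the user signs in again, and the per-user Advanced values need to be pushed through user Group Policy to cover everyone.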

Validate Your Backups Before You Need Them

  • Confirm all backups are current, clean, and fully recoverable before any incident occurs
  • Maintain offline or air-gapped backup copies unreachable by a compromised endpoint
  • Test full recovery procedures to confirm your recovery time objectives are realistic and achievable
  • Verify backup integrity both before and after any endpoint wipe and rebuild

Lock Down Cloud Storage Access

  • Audit S3-compatible cloud storage configurations for unexpected data uploads
  • Implement CASB controls to monitor and restrict cloud storage data transfers from managed endpoints
  • Apply DNS filtering and egress logging against the C2 domains and S3 endpoints published as indicators; the resolver platforms themselves (Telegram, Cloudflare Workers) cannot be blocked outright, so focus on what is resolved from them
  • Review Telegram and Cloudflare Workers traffic from servers and from endpoints that have no business reason to reach them

What This Campaign Tells Us About the Future of Cyber Threats

GammaWorm malware is not just a Gamaredon problem. It is a signal about where the entire threat landscape is heading, and security teams need to take note.

The fileless trend is accelerating. Nation-state operators and financially motivated ransomware groups alike are abandoning disk-based malware because behavioral detection has improved significantly against traditional executables. ADS-based storage, registry-staged payloads, and memory-only execution are becoming standard techniques across multiple threat actor categories.

Living-off-the-land tactics have fully matured. GammaWorm malware does not use exotic kernel exploits or custom binaries. It uses scheduled tasks, VBScript, PowerShell, NTFS features, and registry keys. Every component is native to Windows. Defenders who rely on malware signature databases alone will consistently miss this class of threat.

Dead Drop Resolver C2 weakens traditional network defenses. When a threat actor retrieves C2 addresses from Telegram channels and Cloudflare Workers, IP blocklists and domain reputation databases lose much of their value. Behavioral analytics, DNS query monitoring, egress logging, and registry write auditing become the primary detection approaches. Organizations that have not built these capabilities are largely blind to modern state-sponsored campaigns.

Third-party and supply chain risk is a direct attack vector. GammaWorm malware's USB and network share propagation means a single compromised vendor endpoint can seed infections across multiple downstream client environments. Zero Trust architecture and strict third-party access controls are not optional security improvements. They are direct countermeasures to this specific threat technique.

The lesson for security leadership is simple. Behavioral EDR, NTFS ADS monitoring, registry auditing, PowerShell logging, and SIEM-based behavioral correlation are the core defensive investments this threat demands. Any organization still relying on legacy antivirus as their primary endpoint protection needs to treat this campaign as a wake-up call.

Key Takeaway

GammaWorm malware is one of the most technically evasive campaigns Gamaredon APT has ever deployed. It exploits CVE-2025-8088 in WinRAR to gain initial access, hides its worm modules inside native Windows NTFS Alternate Data Streams, persists through disguised scheduled tasks, spreads via USB and network shares using social engineering lures, and retrieves C2 addresses from legitimate cloud platforms using dead drop resolvers. Its final payload, GammaSteel, exfiltrates targeted documents to cloud storage while staging its 71 modules entirely within encrypted Windows registry keys.

This campaign is ongoing. Any organization running WinRAR below version 7.13 and lacking behavioral endpoint detection is at direct risk today.

Summary of critical actions:

  • Patch WinRAR to version 7.13 or later immediately to close CVE-2025-8088
  • Deploy behavioral EDR with NTFS ADS detection and registry monitoring
  • Enable PowerShell Script Block Logging and full command-line auditing
  • Implement application control restricting mshta.exe and wscript.exe
  • Hunt for ADS content under %USERPROFILE% and suspicious HKCU\Console\ values
  • Enforce strict USB device controls and monitor removable media activity
  • Apply Zero Trust segmentation to limit post-compromise lateral movement
  • Validate backup integrity and prepare for full system wipe remediation
  • Treat any confirmed GammaWorm malware or GammaSteel indicator as a critical incident requiring immediate response

The threat actors behind GammaWorm malware are investing in fileless techniques because they consistently succeed against organizations that have not modernized their detection stack. The question is not whether this class of threat will reach your industry. It already has.


Frequently Asked Questions About GammaWorm Malware

What is GammaWorm malware?

GammaWorm malware is a sophisticated VBScript-based worm developed by the Russia-linked Gamaredon APT group, also known as ACTINIUM, Armageddon, and UAC-0010. It hides its operational modules inside NTFS Alternate Data Streams, a native Windows file system feature, making it invisible to standard directory listings and most antivirus tools. GammaWorm malware uses legitimate cloud platforms including Telegram and Cloudflare as dead drop resolvers to retrieve live C2 server addresses, and it propagates to USB drives and network shares using social engineering lure files with Ukrainian-language filenames.

Is GammaWorm malware actively being exploited right now?

Yes. Sekoia.io confirmed that GammaWorm malware was still active and targeting Ukrainian government, military, and critical infrastructure organizations at the time of their June 2026 publication. The campaign has been running since at least January 2026 and shows no signs of stopping. Any organization running WinRAR below version 7.13 is exposed to the same initial access exploit used in this active campaign.

How does GammaWorm malware avoid detection?

GammaWorm malware avoids detection through multiple layered techniques. It stores all modules inside NTFS Alternate Data Streams invisible to standard tools. It executes all payloads directly in memory rather than writing them to disk. It uses scheduled tasks with legitimate-sounding Windows maintenance names for persistence. It retrieves C2 addresses from trusted public platforms like Telegram and Cloudflare to defeat network blocklists. It embeds host fingerprint data in randomized HTTP headers rather than request bodies to evade payload-based network inspection.

Why is GammaWorm malware particularly dangerous for enterprises?

GammaWorm malware is especially dangerous for enterprises because it targets every layer of standard corporate defenses simultaneously. It bypasses email gateway filtering with HTML Smuggling. It evades antivirus with NTFS ADS storage and memory-only execution. It defeats network monitoring with DDR-based C2 through trusted platforms. It defeats standard incident response by re-establishing persistence after incomplete cleanup. Its companion tool GammaSteel then stages an entirely registry-based stealer to exfiltrate sensitive documents to cloud storage that blends into normal enterprise traffic.

Who is most at risk from GammaWorm malware?

Ukrainian government agencies, military organizations, and critical infrastructure operators are the confirmed primary targets of GammaWorm malware. However, any organization running WinRAR below version 7.13 is directly exposed to CVE-2025-8088, which provides the initial access. Defense contractors, government supply chain vendors, managed service providers with Ukrainian client connections, and organizations holding sensitive government contracts should treat themselves as high-risk targets and act immediately.

How should security teams respond to a GammaWorm malware infection?

Security teams that confirm a GammaWorm infection should treat it as a critical incident requiring immediate escalation. Sekoia.io explicitly recommends a full system wipe as the only reliable remediation, because the ADS-hosted modules and the DDR-based C2 fallback will restore the infection after partial cleanup. Before wiping, teams should collect full forensic images, identify all USB drives and network shares the host touched for additional hunting, review registry values under HKCU\Console\ for stored C2 addresses, and audit cloud storage configurations for evidence of GammaSteel exfiltration.

Copyright © Digital Warfare. All rights reserved.