Find notable cyber news and cases, enriched with sources, timelines, and signals.

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
First reported
Last updated
Happening score
H score 56
1 unique sources, 1 articles

Summary

Hide ▲

The Gamaredon espionage campaign remained active in January 2026, targeting Ukrainian government, military, and critical-infrastructure networks to steal documents and preserve access. The operation shifted toward fileless VBScript and NTFS Alternate Data Streams, reducing on-disk traces and making detection harder. It also used USB sticks, network drives, and dead-drop command-and-control to spread quietly across compromised environments.

Cases

Related Happenings

GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning

Technical Analysis
H score23 First: 16.06.2026 17:17 Last: 16.06.2026 17:17 Sources 1

About this happening: GhostTree and GhostBranch use recursive NTFS junction loops to generate effectively unlimited paths, allowing files in the same folder to evade EDR and Windows D...

Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel

Malware Activity
H score49 First: 02.06.2026 21:21 Last: 02.06.2026 21:21 Sources 1

About this happening: Gamaredon used WinRAR CVE-2025-8088 in January 2026 to launch GammaPhish, which retrieved GammaLoad VBScript downloaders and set up host fingerprinting and fol...

Latest development: 09.06.2026 15:26

Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
H score40 First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

How related: GammaWorm is where the campaign's stealth becomes clear, Sekoia explained. Rather than dropping files on disk, the worm hid its modules in NTFS Alternate Data Streams, a native Windows feature that lets data ride alongside an existing file without appearing in standard directory listings.

About this happening: The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leavi...

GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem

Threat Actor Meta
H score15 First: 29.05.2026 14:31 Last: 29.05.2026 14:31 Sources 1

About this happening: A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution f...

GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy

Malware Activity
H score41 First: 29.05.2026 01:24 Last: 29.05.2026 01:24 Sources 1

About this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...

Timeline

  1. 01.06.2026 14:00 2 articles · 1mo ago

    Gamaredon worm hides inside NTFS Alternate Data Streams on Ukrainian networks

    Initial Disclosure

    Sekoia identified a Gamaredon worm used against Ukrainian networks that hides its modules in NTFS Alternate Data Streams, relies heavily on fileless VBScript, and begins from a booby-trapped xHTML file that delivers a malicious RAR archive exploiting CVE-2025-8088 in WinRAR. The campaign targets Ukrainian government, military, and critical infrastructure networks for document theft and long-term access, and defenders were advised to update WinRAR to version 7.13 or later and wipe infected systems when cleanup fails.

    Show sources