Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
Summary
Hide ▲
Show ▼
The Gamaredon espionage campaign remained active in January 2026, targeting Ukrainian government, military, and critical-infrastructure networks to steal documents and preserve access. The operation shifted toward fileless VBScript and NTFS Alternate Data Streams, reducing on-disk traces and making detection harder. It also used USB sticks, network drives, and dead-drop command-and-control to spread quietly across compromised environments.
Cases
Related Happenings
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical Analysis
H score23
First: 16.06.2026 17:17
Last: 16.06.2026 17:17
Sources 1
About this happening:
GhostTree and GhostBranch use recursive NTFS junction loops to generate effectively unlimited paths, allowing files in the same folder to evade EDR and Windows D...
GhostTree and GhostBranch NTFS junction loops that evade recursive folder scanning
Technical AnalysisAbout this happening: GhostTree and GhostBranch use recursive NTFS junction loops to generate effectively unlimited paths, allowing files in the same folder to evade EDR and Windows D...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
About this happening:
Gamaredon used WinRAR CVE-2025-8088 in January 2026 to launch GammaPhish, which retrieved GammaLoad VBScript downloaders and set up host fingerprinting and fol...
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware ActivityAbout this happening: Gamaredon used WinRAR CVE-2025-8088 in January 2026 to launch GammaPhish, which retrieved GammaLoad VBScript downloaders and set up host fingerprinting and fol...
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
H score40
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
How related:
GammaWorm is where the campaign's stealth becomes clear, Sekoia explained. Rather than dropping files on disk, the worm hid its modules in NTFS Alternate Data Streams, a native Windows feature that lets data ride alongside an existing file without appearing in standard directory listings.
About this happening:
The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leavi...
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware ActivityHow related: GammaWorm is where the campaign's stealth becomes clear, Sekoia explained. Rather than dropping files on disk, the worm hid its modules in NTFS Alternate Data Streams, a native Windows feature that lets data ride alongside an existing file without appearing in standard directory listings.
About this happening: The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leavi...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
H score15
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
About this happening:
A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution f...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor MetaAbout this happening: A newly characterized GREYVIBE actor sits in a grey zone between Kremlin-aligned intelligence work and the Russian cybercrime ecosystem, complicating attribution f...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
H score41
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware ActivityAbout this happening: GREYVIBE is a Russian-speaking malware activity targeting Ukraine and Ukraine-related entities since at least August 2025. The group uses spear-phishing e-mails*...
Timeline
-
01.06.2026 14:00 2 articles · 1mo ago
Gamaredon worm hides inside NTFS Alternate Data Streams on Ukrainian networks
Initial DisclosureSekoia identified a Gamaredon worm used against Ukrainian networks that hides its modules in NTFS Alternate Data Streams, relies heavily on fileless VBScript, and begins from a booby-trapped xHTML file that delivers a malicious RAR archive exploiting CVE-2025-8088 in WinRAR. The campaign targets Ukrainian government, military, and critical infrastructure networks for document theft and long-term access, and defenders were advised to update WinRAR to version 7.13 or later and wipe infected systems when cleanup fails.
Show sources
- FSB Group Gamaredon Hides Worm in Windows Data Streams — www.infosecurity-magazine.com — 01.06.2026 14:00
- FSB Group Gamaredon Hides Worm in Windows Data Streams — www.infosecurity-magazine.com — 01.06.2026 14:00