Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
Summary
The Gamaredon espionage campaign remained active in January 2026, targeting Ukrainian government, military, and critical-infrastructure networks to steal documents and preserve access. The operation shifted toward fileless VBScript and NTFS Alternate Data Streams, reducing on-disk traces and making detection harder. It also used USB sticks, network drives, and dead-drop command-and-control to spread quietly across compromised environments.
Cases
Related Happenings
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
How related:
GammaWorm is where the campaign's stealth becomes clear, Sekoia explained. Rather than dropping files on disk, the worm hid its modules in NTFS Alternate Data Streams, a native Windows feature that lets data ride alongside an existing file without appearing in standard directory listings.
About this happening:
The **GammaWorm** malware activity now shows a more covert stage that hides modules in **NTFS Alternate Data Streams**, helping it spread across **Ukrainian networks** while leavi...
GREYVIBE's Kremlin-aligned role in the Russian cybercrime ecosystem
Threat Actor Meta
First: 29.05.2026 14:31
Last: 29.05.2026 14:31
Sources 1
About this happening:
A newly characterized **GREYVIBE** actor sits in a **grey zone** between **Kremlin-aligned intelligence work** and the **Russian cybercrime ecosystem**, complicating attribution f...
GreyVibe custom malware activity with LegionRelay, PhantomRelay, and FallSpy
Malware Activity
First: 29.05.2026 01:24
Last: 29.05.2026 01:24
Sources 1
About this happening:
**GREYVIBE** is a **Russian-speaking** malware activity targeting **Ukraine and Ukraine-related entities** since at least **August 2025**. The group uses **spear-phishing e-mails*...
Calypso telecommunications espionage campaign using Showboat and JFMBackdoor
Campaign
First: 21.05.2026 17:00
Last: 21.05.2026 17:00
Sources 1
About this happening:
A **Calypso / Red Lamassu** espionage campaign is targeting **telecommunications providers** with new **Showboat** and **JFMBackdoor** malware, increasing the risk of long-term co...
Handala multi-stage malware with Telegram C2 and exfiltration
Malware Activity
First: 24.03.2026 11:30
Last: 24.03.2026 11:30
Sources 1
About this happening:
The **Handala** malware package uses a **multi-stage payload** to give operators **remote access** to infected **Windows** devices, increasing the risk of stealthy data theft. The...
Timeline
01.06.2026 14:00 · 2 articles
Gamaredon worm hides inside NTFS Alternate Data Streams on Ukrainian networks
Initial Disclosure: Sekoia identified a Gamaredon worm used against Ukrainian networks that hides its modules in NTFS Alternate Data Streams, relies heavily on fileless VBScript, and begins from a booby-trapped xHTML file that delivers a malicious RAR archive exploiting CVE-2025-8088 in WinRAR. The campaign targets Ukrainian government, military, and critical infrastructure networks for document theft and long-term access, and defenders were advised to update WinRAR to version 7.13 or later and wipe infected systems when cleanup fails.
- FSB Group Gamaredon Hides Worm in Windows Data Streams — www.infosecurity-magazine.com — 01.06.2026 14:00