
GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
Happening score
H score 40
1 unique source, 1 article

Summary


The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leaving few on-disk traces. It uses fileless VBScript, scheduled tasks, and registry changes to persist, then propagates through USB sticks and network drives using malicious shortcuts. The worm also pulls C2 details from public services such as Telegram and Cloudflare, keeping the backdoor available for operator commands. The stealthier design makes detection and cleanup harder and raises the risk of repeated reinfection.

Related Happenings

Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure

Campaign
First: 01.06.2026 14:00 Last: 01.06.2026 14:00 Sources 1

How related: The group focuses almost entirely on Ukraine, targeting government, military and critical infrastructure to steal documents and keep long-term access.

About this happening: The **Gamaredon** espionage campaign remained active in **January 2026**, targeting **Ukrainian government, military, and critical-infrastructure** networks to steal documents and...

Turla Kazuar modular P2P botnet

Malware Activity
First: 15.05.2026 20:10 Last: 15.05.2026 20:10 Sources 1

About this happening: **Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...

UAT-9244 TernDoor, PeerTime, and BruteEntry malware activity

Malware Activity
First: 06.03.2026 01:19 Last: 06.03.2026 01:19 Sources 1

About this happening: A **China-linked** malware cluster has been using **TernDoor**, **PeerTime**, and **BruteEntry** to compromise **telecommunication providers in South America** and turn infected s...

APT36 / SideCopy phishing-led campaign targeting Indian defense organizations

Campaign
First: 11.02.2026 16:52 Last: 11.02.2026 16:52 Sources 1

About this happening: A **phishing-led** **APT36 / SideCopy** campaign is targeting **Indian defense and government-aligned organizations**, using cross-platform **RATs** to steal sensitive data and ke...

DEAD#VAX campaign using IPFS-hosted VHD phishing to deploy AsyncRAT

Campaign
First: 04.02.2026 19:24 Last: 04.02.2026 19:24 Sources 1

About this happening: The **DEAD#VAX** campaign is using **phishing-delivered IPFS-hosted VHD files** to deploy **AsyncRAT**, creating a stealthier path to **fileless endpoint compromise**. The chain r...

Timeline

  1. 01.06.2026 14:00 2 articles · 6h ago

    GammaWorm hides modules in NTFS Alternate Data Streams on Ukrainian networks

    Technical Analysis Update

    GammaWorm, a Russian state-linked worm used by Gamaredon against Ukrainian networks, entered through a booby-trapped xHTML file that dropped a malicious RAR archive exploiting CVE-2025-8088 in WinRAR, then hid modules in NTFS Alternate Data Streams, used fileless VBScript, scheduled tasks, and registry visibility changes for persistence, and pulled command-and-control addresses from Telegram and Cloudflare.
