GammaWorm NTFS Alternate Data Streams propagation and backdoor activity
Malware Activity
Summary
Hide ▲
Show ▼
The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leaving few on-disk traces. It uses fileless VBScript, scheduled tasks, and registry changes to persist, then propagates through USB sticks and network drives using malicious shortcuts. The worm also pulls C2 details from public services such as Telegram and Cloudflare, keeping the backdoor available for operator commands. The stealthier design makes detection and cleanup harder and raises the risk of repeated reinfection.
Related Happenings
Silver Fox MODBEACON Rust RAT activity
Malware Activity
H score23
First: 10.07.2026 16:15
Last: 10.07.2026 16:15
Sources 1
About this happening:
The Silver Fox ecosystem has been tied to MODBEACON, a Rust-based remote access trojan that gives operators encrypted C2 and modular control over infected hosts. T...
Silver Fox MODBEACON Rust RAT activity
Malware ActivityAbout this happening: The Silver Fox ecosystem has been tied to MODBEACON, a Rust-based remote access trojan that gives operators encrypted C2 and modular control over infected hosts. T...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware Activity
H score31
First: 09.07.2026 21:08
Last: 09.07.2026 21:08
Sources 1
About this happening:
The GigaWiper / BLUERABBIT malware activity now combines disk wiping, fake ransomware, and spyware backdoor functions on Windows, increasing the chance that on...
GigaWiper / BLUERABBIT destructive Windows backdoor activity
Malware ActivityAbout this happening: The GigaWiper / BLUERABBIT malware activity now combines disk wiping, fake ransomware, and spyware backdoor functions on Windows, increasing the chance that on...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware Activity
H score14
First: 01.07.2026 00:02
Last: 01.07.2026 00:02
Sources 1
About this happening:
Trojanized Pyrogram forks on PyPI now ship a hidden backdoor that gives attackers remote command execution and file access on compromised Telegram bot servers. The mal...
Trojanized Pyrogram forks with hidden Telegram backdoor
Malware ActivityAbout this happening: Trojanized Pyrogram forks on PyPI now ship a hidden backdoor that gives attackers remote command execution and file access on compromised Telegram bot servers. The mal...
Turla STOCKSTAY .NET backdoor deployment
Malware Activity
H score27
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
About this happening:
Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to I...
Turla STOCKSTAY .NET backdoor deployment
Malware ActivityAbout this happening: Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to I...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware Activity
H score29
First: 18.06.2026 17:30
Last: 18.06.2026 17:30
Sources 1
About this happening:
A Windows-based cryptocurrency clipper has been active since February 2026, using USB-delivered LNK worming to steal wallet data and reroute payments. The malware adds...
Windows cryptocurrency clipper malware using USB LNK worming and Tor C2
Malware ActivityAbout this happening: A Windows-based cryptocurrency clipper has been active since February 2026, using USB-delivered LNK worming to steal wallet data and reroute payments. The malware adds...
Timeline
-
01.06.2026 14:00 2 articles · 1mo ago
GammaWorm hides modules in NTFS Alternate Data Streams on Ukrainian networks
Technical Analysis UpdateGammaWorm, a Russian state-linked worm used by Gamaredon against Ukrainian networks, entered through a booby-trapped xHTML file that dropped a malicious RAR archive exploiting CVE-2025-8088 in WinRAR, then hid modules in NTFS Alternate Data Streams, used fileless VBScript, scheduled tasks, and registry visibility changes for persistence, and pulled command-and-control addresses from Telegram and Cloudflare.
Show sources
- FSB Group Gamaredon Hides Worm in Windows Data Streams — www.infosecurity-magazine.com — 01.06.2026 14:00
- FSB Group Gamaredon Hides Worm in Windows Data Streams — www.infosecurity-magazine.com — 01.06.2026 14:00