Find notable cyber news and cases, enriched with sources, timelines, and signals.

GammaWorm NTFS Alternate Data Streams propagation and backdoor activity

Malware Activity
First reported
Last updated
Happening score
H score 40
1 unique sources, 1 articles

Summary

Hide ▲

The GammaWorm malware activity now shows a more covert stage that hides modules in NTFS Alternate Data Streams, helping it spread across Ukrainian networks while leaving few on-disk traces. It uses fileless VBScript, scheduled tasks, and registry changes to persist, then propagates through USB sticks and network drives using malicious shortcuts. The worm also pulls C2 details from public services such as Telegram and Cloudflare, keeping the backdoor available for operator commands. The stealthier design makes detection and cleanup harder and raises the risk of repeated reinfection.

Related Happenings

Silver Fox MODBEACON Rust RAT activity

Malware Activity
H score23 First: 10.07.2026 16:15 Last: 10.07.2026 16:15 Sources 1

About this happening: The Silver Fox ecosystem has been tied to MODBEACON, a Rust-based remote access trojan that gives operators encrypted C2 and modular control over infected hosts. T...

GigaWiper / BLUERABBIT destructive Windows backdoor activity

Malware Activity
H score31 First: 09.07.2026 21:08 Last: 09.07.2026 21:08 Sources 1

About this happening: The GigaWiper / BLUERABBIT malware activity now combines disk wiping, fake ransomware, and spyware backdoor functions on Windows, increasing the chance that on...

Trojanized Pyrogram forks with hidden Telegram backdoor

Malware Activity
H score14 First: 01.07.2026 00:02 Last: 01.07.2026 00:02 Sources 1

About this happening: Trojanized Pyrogram forks on PyPI now ship a hidden backdoor that gives attackers remote command execution and file access on compromised Telegram bot servers. The mal...

Turla STOCKSTAY .NET backdoor deployment

Malware Activity
H score27 First: 26.06.2026 10:15 Last: 26.06.2026 10:15 Sources 1

About this happening: Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to I...

Windows cryptocurrency clipper malware using USB LNK worming and Tor C2

Malware Activity
H score29 First: 18.06.2026 17:30 Last: 18.06.2026 17:30 Sources 1

About this happening: A Windows-based cryptocurrency clipper has been active since February 2026, using USB-delivered LNK worming to steal wallet data and reroute payments. The malware adds...

Timeline

  1. 01.06.2026 14:00 2 articles · 1mo ago

    GammaWorm hides modules in NTFS Alternate Data Streams on Ukrainian networks

    Technical Analysis Update

    GammaWorm, a Russian state-linked worm used by Gamaredon against Ukrainian networks, entered through a booby-trapped xHTML file that dropped a malicious RAR archive exploiting CVE-2025-8088 in WinRAR, then hid modules in NTFS Alternate Data Streams, used fileless VBScript, scheduled tasks, and registry visibility changes for persistence, and pulled command-and-control addresses from Telegram and Cloudflare.

    Show sources