Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
Summary
A Gamaredon malware chain is using WinRAR CVE-2025-8088 to deliver GammaPhish, GammaLoad, GammaWorm, and GammaSteel, expanding persistence, C2 execution, and data theft against Ukrainian targets. The chain was observed in January 2026 and relies on staged payloads rather than a single dropper. GammaWorm establishes scheduled-task persistence and hides malicious shortcuts, while GammaSteel exfiltrates files to AWS S3 or an attacker-controlled fallback server. The modular design also supports reuse for additional payloads, including GammaWipe.
Related Happenings
Turla Kazuar modular P2P botnet
Malware Activity
First: 15.05.2026 20:10
Last: 15.05.2026 20:10
Sources 1
About this happening:
**Turla** has refactored its **Kazuar** backdoor into a **modular peer-to-peer (P2P) botnet**, strengthening **stealth** and **persistent access** on compromised hosts. The redesi...
Timeline
- 02.06.2026 21:21 · 2 articles
Initial report: Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Initial Disclosure: In **January 2026**, exploitation of **CVE-2025-8088** in **WinRAR** launched **GammaPhish**, which then retrieved **GammaLoad** VBScript downloaders. The initial stage focused on payload staging, host fingerprinting, and setup for follow-on execution.
Sources:
- Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine — thehackernews.com — 02.06.2026 21:21