Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
Summary
Hide ▲
Show ▼
Gamaredon used WinRAR CVE-2025-8088 in January 2026 to launch GammaPhish, which retrieved GammaLoad VBScript downloaders and set up host fingerprinting and follow-on execution. Sekoia also reported GammaSteel as a modular stealer that could exfiltrate files to AWS S3 or an attacker-controlled fallback server. Later reporting by Trend Micro tied ongoing exploitation in Ukraine to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226), using crafted RAR archives, hidden ADS payloads, a Startup-folder LNK, and a PowerShell/cmd.exe chain. That activity deployed GIFTEDCROOK, shifted exfiltration from Telegram to dedicated C2 servers, and remained active through at least April 10, 2026.
Related Happenings
Gamaredon Ukraine spear-phishing campaign across government and military targets
Campaign
H score39
First: 29.06.2026 14:40
Last: 29.06.2026 14:40
Sources 1
How related:
Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year.
About this happening:
The Gamaredon campaign expanded across Ukraine in 2025, hitting governmental and military institutions with 35 spear-phishing campaigns and raising the risk of...
Gamaredon Ukraine spear-phishing campaign across government and military targets
CampaignHow related: Slovakian cybersecurity company ESET said it observed 35 distinct spear-phishing campaigns mounted by Gamaredon against new targets, with most of them taking place in the second half of the year.
About this happening: The Gamaredon campaign expanded across Ukraine in 2025, hitting governmental and military institutions with 35 spear-phishing campaigns and raising the risk of...
Turla STOCKSTAY .NET backdoor deployment
Malware Activity
H score27
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
About this happening:
Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to I...
Turla STOCKSTAY .NET backdoor deployment
Malware ActivityAbout this happening: Turla's STOCKSTAY backdoor has been newly detailed as a .NET espionage implant used against government and military organizations in Ukraine and entities linked to I...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
Campaign
H score37
First: 26.06.2026 10:15
Last: 26.06.2026 10:15
Sources 1
About this happening:
Turla's STOCKSTAY phishing campaign is targeting government and military organizations in Ukraine and selected European entities, extending a recurring espionage opera...
Turla STOCKSTAY phishing campaign targeting Ukraine and Europe
CampaignAbout this happening: Turla's STOCKSTAY phishing campaign is targeting government and military organizations in Ukraine and selected European entities, extending a recurring espionage opera...
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
Campaign
H score57
First: 09.06.2026 15:26
Last: 09.06.2026 15:26
Sources 1
How related:
Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
About this happening:
The Earth Dahu and SHADOW-EARTH-066 campaigns are still exploiting CVE-2025-8088 in WinRAR against Ukrainian organisations, extending exposure nearly a year af...
Earth Dahu and SHADOW-EARTH-066 WinRAR exploitation campaign against Ukrainian organisations
CampaignHow related: Two Russia-aligned cyber attack campaigns have continued to exploit a security flaw in WinRAR to target Ukrainian organisations, almost a year after patches for the vulnerability were released.
About this happening: The Earth Dahu and SHADOW-EARTH-066 campaigns are still exploiting CVE-2025-8088 in WinRAR against Ukrainian organisations, extending exposure nearly a year af...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
Campaign
H score56
First: 01.06.2026 14:00
Last: 01.06.2026 14:00
Sources 1
About this happening:
The Gamaredon espionage campaign remained active in January 2026, targeting Ukrainian government, military, and critical-infrastructure networks to steal documents and...
Gamaredon Ukraine espionage campaign targeting government, military and critical infrastructure
CampaignAbout this happening: The Gamaredon espionage campaign remained active in January 2026, targeting Ukrainian government, military, and critical-infrastructure networks to steal documents and...
Timeline
-
09.06.2026 15:26 1 articles · 1mo ago
Trend Micro attributes ongoing WinRAR exploitation in Ukraine to Earth Dahu and SHADOW-EARTH-066
Attribution UpdateTrend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
Show sources
- WinRAR Flaw Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine — thehackernews.com — 09.06.2026 15:26
-
02.06.2026 21:21 3 articles · 1mo ago
Initial report: Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Initial DisclosureIn January 2026, exploitation of CVE-2025-8088 in WinRAR launched GammaPhish, which then retrieved GammaLoad VBScript downloaders. The initial stage focused on payload staging, host fingerprinting, and setup for follow-on execution.
Show sources
- Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine — thehackernews.com — 02.06.2026 21:21
- Gamaredon Exploits WinRAR to Deliver GammaWorm and GammaSteel Against Ukraine — thehackernews.com — 02.06.2026 21:21
- Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse — thehackernews.com — 29.06.2026 14:40