Gamaredon Ukraine spear-phishing campaign across government and military targets
Campaign
Summary
The Gamaredon campaign expanded across Ukraine in 2025, hitting governmental and military institutions with 35 spear-phishing campaigns and raising the risk of sensitive-data theft. The operation used archive attachments, XHTML files, and HTML smuggling to deliver HTA downloaders and follow-on payloads. It also abused legitimate cloud and paste services to hide infrastructure and support exfiltration.
Related Happenings
Gamaredon WinRAR malware chain using GammaPhish, GammaLoad, GammaWorm, and GammaSteel
Malware Activity
H score: 49
First: 02.06.2026 21:21
Last: 02.06.2026 21:21
Sources 1
How related:
Some of the attacks have also weaponized a now-patched flaw in WinRAR (CVE-2025-8088) as a way of placing the malicious HTA downloader into the victim's Windows Startup folder.
About this happening:
**Gamaredon** is a **Russian APT** that expanded its **2025** activity against **Ukraine** with **35 spear-phishing campaigns** aimed at **government and military institutions**....
Latest development: 09.06.2026 15:26
Trend Micro attributes ongoing exploitation of WinRAR CVE-2025-8088 against Ukrainian organizations to Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). The campaigns use crafted RAR archives with hidden ADS payloads, a decoy PDF, a Startup-folder LNK, and a PowerShell chain via cmd.exe to launch GIFTEDCROOK (result.dll), while Earth Dahu's HTA-to-VBScript chain delivers GammaPhish, GammaLoad, and GammaSteel. The exfiltration path also shifts from Telegram to dedicated C2 servers, and Earth Dahu's use of the flaw is assessed to have remained active through at least April 10, 2026.
LongNosedGoblin cyber-espionage campaign targeting government entities in Southeast Asia and Japan
Campaign
H score: 33
First: 18.12.2025 19:34
Last: 18.12.2025 19:34
Sources 1
About this happening:
A **LongNosedGoblin** campaign is targeting **governmental entities in Southeast Asia and Japan**, creating a sustained risk of **cyber espionage** and **file exfiltration** insid...
Tomiris 2025 government-targeting campaign
Campaign
H score: 32
First: 01.12.2025 07:07
Last: 01.12.2025 07:07
Sources 1
About this happening:
The **Tomiris 2025 campaign** is using **phishing** and **public-service C2** to target **foreign ministries**, **intergovernmental organizations**, and **government entities**, i...
Timeline
29.06.2026 14:40 · 2 articles
Gamaredon expands 2025 spear-phishing campaign against Ukraine
Initial Disclosure: Gamaredon expanded its 2025 spear-phishing campaign against Ukraine, mounting 35 distinct campaigns against new targets and concentrating on Ukrainian governmental and military institutions. The operation used archive attachments and XHTML files with HTML smuggling to deliver malicious HTA downloaders and follow-on payloads such as PteroSand, abused a now-patched WinRAR flaw (CVE-2025-8088) to place a downloader in the Windows Startup folder, introduced six new PowerShell tools, and increasingly relied on tunnels, serverless workers, and legitimate online services for C2 hiding and exfiltration.
Sources:
- Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abuse — thehackernews.com — 29.06.2026 14:40