Russia-linked Gamaredon targets Ukraine with new GamaWiper malware



ClearSky Cyber Security has discovered a new destructive cyberattack targeting Ukrainian organizations with new malware. Dubbed “GamaWiper,” the malware is a VBS-based wiper designed to destroy data on infected systems.

According to ClearSky’s analysis, the intrusion chain begins with the exploitation of a vulnerable WinRAR version, which the report identifies as CVE-2025-80880. It is currently unclear whether CVE-2025-80880 is a new vulnerability or a typo in the report. The malware hash referenced in the post is present in the VirusTotal database and is linked to CVE-2025-6218 and CVE-2025-8088, both directory traversal flaws in WinRAR that lead to code execution when a crafted archive is extracted.

ClearSky assesses with moderate confidence that the activity is linked to the Gamaredon APT group, a long-standing Russia-aligned threat actor known primarily for espionage operations.

“This marks the first observed instance of Gamaredon conducting destructive operations rather than its traditional espionage activities,” the company noted.

According to a recent report from Synaptic Security, Gamaredon was observed using a new zero-click infection vector involving CVE-2025-6218 and CVE-2025-8088 in campaigns from February through November 2025.

The threat actor continues to target Ukrainian military, governmental, political, and administrative entities. The group runs phishing campaigns whose attachment types and lure themes change constantly, and operates extensive DynDNS and fast-flux infrastructure.

Until early November 2025, the group mainly used HTA and LNK attachments, but it then shifted to exploiting CVE-2025-6218, which triggers the infection chain as soon as a victim opens a malicious RAR archive. The initial dropper then automatically retrieves the Pteranodon second-stage loader. A multi-layered filtering system protects the command-and-control servers: full responses are served only to Ukrainian IP ranges, browser headers are validated, and a system must register before additional payloads are deployed. Gamaredon also leverages Telegram channels for rotating C2 addresses and cryptographic data, as well as graph.org pages for frequently updated payload links.
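The WinRAR flaws referenced above (CVE-2025-6218 and CVE-2025-8088) belong to the same class: an archive entry name that, when the archive is extracted, writes a file outside the chosen extraction directory, in the CVE-2025-8088 case by hiding the traversal sequence in an NTFS alternate data stream (ADS) name. The check below is an added example, not code from ClearSky, Synaptic Security, or WinRAR, for triaging an archive's entry list before extraction or for verifying that an extractor of your own refuses such names. It assumes a hypothetical extraction directory (DEST) and uses constructed entry names that are not taken from any real campaign; in practice the names would come from listing the archive (for example with the unrar command-line tool or Python's rarfile module), which this block does not do.

```python
import ntpath

# Assumed extraction directory (hypothetical; any Windows path behaves the same).
DEST = r"C:\Users\victim\Downloads\extract"

# Constructed sample entry names, not taken from any real archive, covering the
# cases a safe extractor must refuse: parent-directory traversal, traversal hidden
# in an ADS name (file.txt:stream), and drive-rooted or UNC paths.
SAMPLE_ENTRIES = [
    "docs/report.pdf",
    "images\\logo.png",
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk",
    "readme.txt:..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "C:\\Windows\\System32\\drivers\\etc\\hosts",
    "\\\\attacker\\share\\tool.exe",
]


def _escapes(rel: str, dest: str) -> bool:
    """True if joining `rel` onto `dest` and normalising lands outside `dest`."""
    root = ntpath.normcase(ntpath.normpath(dest))
    target = ntpath.normcase(ntpath.normpath(ntpath.join(dest, rel)))
    return target != root and not target.startswith(root + "\\")


def check_entry(name: str, dest: str = DEST) -> list[str]:
    """Classify one archive entry name; returns a (possibly empty) list of findings."""
    findings: list[str] = []
    # WinRAR runs on Windows, so treat '/' and '\' alike and resolve with ntpath.
    win_name = name.replace("/", "\\")
    drive, rest = ntpath.splitdrive(win_name)
    if drive or rest.startswith("\\"):
        # Drive-rooted or UNC path: never legitimate inside an archive.
        findings.append("absolute")
        return findings
    # A colon in a relative name denotes an ADS. The stream part is checked as a
    # path as well, because a traversal sequence placed there is what must be refused.
    base, sep, stream = win_name.partition(":")
    if sep:
        findings.append("ads")
        if stream and _escapes(stream, dest):
            findings.append("traversal")
    if "traversal" not in findings and _escapes(base, dest):
        findings.append("traversal")
    return findings


def scan_entries(names, dest: str = DEST) -> dict[str, list[str]]:
    """Map every flagged entry name to its findings; clean entries are omitted."""
    result: dict[str, list[str]] = {}
    for n in names:
        f = check_entry(n, dest)
        if f:
            result[n] = f
    return result


if __name__ == "__main__":
    for entry, findings in scan_entries(SAMPLE_ENTRIES).items():
        print(f"{', '.join(findings):18} {entry}")
```

The check is deliberately conservative: any ADS name is flagged even when its stream part stays inside the extraction directory, since ordinary archives have no reason to carry ADS entries. The actual fix remains upgrading WinRAR to a release that patches both CVEs (7.13 or later); the scan is for triaging archives that arrive by e-mail and for testing extraction code you control.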
