The Russian state-backed cyberespionage group Gamaredon has launched a new campaign against Ukrainian government, military, and critical infrastructure organizations, deploying a VBScript-based worm that hides within native Windows features and uses cloud services for command-and-control (C&C) communications.
The campaign begins with weaponized xHTML files that deliver a malicious RAR archive exploiting a WinRAR vulnerability (CVE-2025-8088). The flaw allows code execution via Windows Startup folders without user interaction.
The malware leverages VBScript instead of traditional executable files. Researchers observed a four-stage loader chain that fingerprints infected systems, updates network settings through Dead Drop Resolvers (DDRs), and downloads additional VBScript payloads from remote servers.
The GammaWorm component then establishes persistence through scheduled tasks and hides its modules inside NTFS Alternate Data Streams (ADS). The worm spreads through USB devices and network drives by replacing legitimate folders with malicious LNK shortcut files, including shortcuts disguised with Ukrainian-themed social engineering lures.
The malware continuously updates its C&C infrastructure by collecting DDR information and storing active server details in the Windows registry. It then enters a persistent loop, allowing attackers to remotely execute arbitrary code on compromised systems.
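A hunting script of the kind a defender could run on a Windows endpoint to surface the three GammaWorm traits described above: script modules hidden in NTFS Alternate Data Streams, scheduled tasks that launch the Windows script host, and the folder-to-LNK swap on removable drives. This is added example code, not from the Sekoia report or the malware; the profile root, the set of script hosts flagged, and the assumption that the replaced folder still exists as a hidden sibling of the shortcut are all assumptions.

```powershell
# Added example (not from the report). Run in an elevated PowerShell.
# Assumptions: user profiles live under C:\Users; VBScript is launched
# through wscript.exe or cscript.exe.
$ScriptHosts = 'wscript.exe', 'cscript.exe'

# 1. Files carrying alternate data streams other than the browser's
#    Zone.Identifier mark. The first lines of each stream are read back so a
#    VBScript module stashed in an ADS shows up in the output.
function Find-SuspiciousAds {
    param([string]$Root = 'C:\Users')
    Get-ChildItem -Path $Root -Recurse -File -Force -ErrorAction SilentlyContinue |
      ForEach-Object {
        $file = $_
        Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
          Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
          ForEach-Object {
            $head = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 3 -ErrorAction SilentlyContinue
            [pscustomobject]@{ File = $file.FullName; Stream = $_.Stream; Bytes = $_.Length; Head = ($head -join ' ') }
          }
      }
}

# 2. Scheduled tasks whose action runs a script host; the executable and its
#    argument string are what point at a VBScript loader.
function Find-ScriptHostTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        $task.Actions |
          Where-Object { $_.Execute -and (Split-Path ($_.Execute.Trim('"')) -Leaf) -in $ScriptHosts } |
          ForEach-Object {
            [pscustomobject]@{ Task = $task.TaskName; Path = $task.TaskPath; Execute = $_.Execute; Arguments = $_.Arguments }
          }
    }
}

# 3. On removable drives, a .lnk whose base name matches a sibling folder
#    (typically set hidden) is the folder-to-shortcut swap the worm spreads with.
function Find-FolderLnkSwap {
    [System.IO.DriveInfo]::GetDrives() | Where-Object { $_.DriveType -eq 'Removable' -and $_.IsReady } | ForEach-Object {
        $root = $_.RootDirectory.FullName
        $dirs = Get-ChildItem -Path $root -Directory -Force -ErrorAction SilentlyContinue | Select-Object -ExpandProperty Name
        Get-ChildItem -Path $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue |
          Where-Object { $dirs -contains $_.BaseName } |
          ForEach-Object { [pscustomobject]@{ Drive = $root; Shortcut = $_.Name; SiblingFolder = $_.BaseName } }
    }
}

Find-SuspiciousAds     | Format-Table -AutoSize
Find-ScriptHostTasks   | Format-Table -AutoSize
Find-FolderLnkSwap     | Format-Table -AutoSize
```

Any hit is a lead to triage, not a verdict: legitimate software also uses ADS and scheduled tasks, so compare against a known-good baseline before acting.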
Researchers also found an updated version of GammaSteel, a PowerShell-based information stealer. The malware stores 71 encrypted modules in the Windows registry using the Windows Data Protection API (DPAPI). GammaSteel scans local and network drives for documents, monitors newly connected USB devices, and tracks changes to targeted files in real time.
Stolen data is exfiltrated to an S3-compatible cloud storage service. If cloud channels become unavailable, GammaSteel can switch to attacker-controlled C&C servers, which also provide remote access capabilities for further operations.
“GammaLoad is directly responsible for deploying the GammaSteel payload. However, the exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive,” Sekoia's report notes. “In addition, assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first.”
The researchers say that while Gamaredon still uses older techniques, such as tracking pixels, archive path traversal exploits, and infected USB drives, in the recent campaign the threat actor has incorporated a new approach using a mostly fileless VBScript-based attack structure and NTFS Alternate Data Streams (ADS). This helps the malware avoid detection and makes forensic analysis more difficult.