The Russia-linked Gamaredon malware campaign has resurfaced with a more advanced toolkit, leveraging hidden Windows features and cloud infrastructure to maintain stealthy access in targeted espionage operations. The group, widely associated with Russia’s Federal Security Service (FSB), is actively targeting Ukrainian government, military, and critical infrastructure networks.
This latest campaign introduces a modular framework—internally referred to as the “Gamma” ecosystem—that combines fileless malware techniques, worm-like propagation, and cloud-based command-and-control (C2) communications to evade detection and persist within compromised environments.
Key Details
The attack chain begins with weaponized xHTML phishing lures that deliver malicious RAR archives exploiting CVE-2025-8088, a vulnerability in WinRAR.
Once the archive is opened, the exploit places code in the Windows Startup folder, where it executes without user scrutiny.
The campaign is structured around several modular components:
- GammaPhish – Initial phishing delivery
- GammaLoad – Payload staging
- GammaWorm – Propagation and persistence
- GammaSteel – Data exfiltration
This modular architecture allows attackers to update or replace individual components without disrupting the overall attack chain.
Technical Analysis
Fileless VBScript Infection Chain
Unlike traditional malware, Gamaredon avoids dropping standard executables. Instead, it relies on multi-stage VBScript payloads:
- Initial scripts execute from the Startup directory
- Each stage fetches additional payloads from remote servers
- Components operate independently, forming layered backdoors
This aligns with fileless malware techniques (MITRE ATT&CK T1059 – Command and Scripting Interpreter) and significantly reduces detection by endpoint security tools.
NTFS Alternate Data Streams (ADS) Concealment
The campaign’s core component, GammaWorm, uses NTFS Alternate Data Streams (ADS) to hide malicious code.
Key characteristics:
- Malware stored inside hidden data streams attached to legitimate files
- No visible changes to file size or directory listings
- Reduced forensic visibility
This technique allows the malware to remain undetected even during routine file inspections.
Persistence Mechanisms
To maintain long-term access, GammaWorm:
- Creates RunOnce registry entries
- Schedules persistent tasks
- Executes code directly from ADS
Additionally, it modifies system settings to:
- Hide file extensions
- Conceal protected system files
These steps further reduce the chances of user discovery.
Worm-Like Propagation via USB and Network Drives
GammaWorm includes self-propagation capabilities:
- Copies itself to USB drives and shared folders
- Replaces legitimate folders with malicious LNK shortcuts
- Executes payloads using mshta.exe and wscript.exe
These shortcuts open expected directories while silently executing malware, blending functionality with deception.
Cloud and Messaging-Based C2
Gamaredon has shifted heavily toward cloud-based command-and-control infrastructure, using:
- Cloudflare Workers subdomains
- S3-compatible storage services
- Telegraph/graph.org pages as dead drops
- Telegram channels for IP distribution
The malware retrieves active C2 endpoints through Dead Drop Resolvers, dynamically updating its infrastructure.
This approach provides:
- Rapid domain rotation
- Reduced reliance on static infrastructure
- Evasion of traditional network detection
Host data is exfiltrated via HTTP requests with encoded headers, mimicking legitimate web traffic.
Impact and Risks
Targeted Sectors
- Ukrainian government agencies
- Military organizations
- Critical infrastructure operators
Potential Impact
- Persistent unauthorized access
- Data exfiltration and surveillance
- Lateral movement within networks
- Long-term espionage operations
Due to its modular design, even partial remediation may fail, as surviving components can reconstruct the infection chain.
Why This Campaign Is Dangerous
- Combines fileless execution and filesystem evasion
- Uses trusted cloud platforms for C2
- Includes self-propagation across removable media
- Maintains resilience through distributed architecture
Expert Recommendations
1. Monitor for ADS Abuse
- Use advanced forensic tools to detect hidden streams
- Audit file system anomalies beyond standard directory views
2. Restrict Script Execution
- Limit use of VBScript, mshta.exe, and wscript.exe
- Apply application control policies
3. Harden Endpoint Security
- Deploy EDR solutions capable of detecting fileless attacks
- Monitor unusual script behavior and persistence mechanisms
4. Control Removable Media
- Restrict USB device usage in sensitive environments
- Scan removable drives for LNK-based threats
5. Inspect Cloud Traffic
- Monitor outbound traffic to cloud services for anomalies
- Analyze HTTP headers for encoded data exfiltration patterns
6. Improve Threat Hunting
- Look for IoCs tied to Gamma ecosystem components
- Track unusual registry modifications and scheduled tasks
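As an added example (not code from the article or from any vendor report), the following Python hunt applies the indicators described above, script hosts executing from NTFS alternate data streams or from the Startup folder, and named streams being written to files, to constructed Sysmon-style log lines; the field names and every sample line are assumptions made for the demonstration.

```python
import re
# Field names follow Sysmon's process-creation (ID 1) and FileCreateStreamHash (ID 15)
# events, as an assumption; every log line in SAMPLE_LOG is constructed, not real telemetry.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
# Drive-rooted path with a second colon that is not followed by a backslash: file.ext:stream
ADS_PATH = re.compile(r'[A-Za-z]:\\[^\s":]*:[^\s":\\]+')
STARTUP_DIR = re.compile(r'\\start menu\\programs\\startup\\', re.IGNORECASE)
KV = re.compile(r'(\w+)=("[^"]*"|\S+)')
BENIGN_STREAMS = {"zone.identifier"}  # mark-of-the-web, written by browsers on every download

def parse_event(line: str) -> dict:
    """Turn one key=value log line (values may be double-quoted) into a dict."""
    return {k: v.strip('"') for k, v in KV.findall(line)}

def assess_event(event: dict) -> list:
    """Return the suspicious behaviours this event exhibits (empty list if none)."""
    findings = []
    image = event.get("Image", "").rsplit("\\", 1)[-1].lower()
    cmd = event.get("CommandLine", "")
    if event.get("EventID") == "1" and image in SCRIPT_HOSTS:
        if ADS_PATH.search(cmd):
            findings.append("script host executing from an NTFS alternate data stream")
        if STARTUP_DIR.search(cmd):
            findings.append("script host launched from a Startup folder")
    if event.get("EventID") == "15":  # a named stream was written to a file
        target = event.get("TargetFilename", "")
        stream = target.rsplit(":", 1)[-1].lower() if ADS_PATH.search(target) else ""
        if stream and stream not in BENIGN_STREAMS:
            findings.append(f"alternate data stream written: {stream}")
    return findings

def hunt(lines) -> list:
    """Run assess_event over every line; return (line_number, findings) for hits only."""
    hits = []
    for number, line in enumerate(lines, 1):
        findings = assess_event(parse_event(line))
        if findings:
            hits.append((number, findings))
    return hits

SAMPLE_LOG = [  # constructed samples
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe //B C:\Users\Public\notes.txt:loader.vbs"',
    r'EventID=1 Image=C:\Windows\System32\mshta.exe CommandLine="mshta.exe C:\Users\u\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\run.hta"',
    r'EventID=1 Image=C:\Windows\System32\wscript.exe CommandLine="wscript.exe C:\Scripts\inventory.vbs"',
    r'EventID=15 Image="C:\Program Files\Mozilla Firefox\firefox.exe" TargetFilename=C:\Users\u\Downloads\report.pdf:Zone.Identifier',
    r'EventID=15 Image=C:\Windows\System32\wscript.exe TargetFilename=C:\Users\Public\notes.txt:loader.vbs',
]

if __name__ == "__main__":
    for number, findings in hunt(SAMPLE_LOG):
        print(f"line {number}: {'; '.join(findings)}")
```

Lines 3 and 4 are the benign controls: an ordinary script run and a browser writing Zone.Identifier produce no hit, so the rule does not fire on every alternate data stream a normal host creates.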
Industry Context
The Gamaredon campaign reflects a broader shift in cyber espionage tactics:
- Increased reliance on fileless malware techniques
- Growing use of cloud platforms for C2 infrastructure
- Adoption of modular malware frameworks for resilience
State-sponsored groups are prioritizing stealth and persistence over rapid attacks, aiming for long-term intelligence collection.
The use of NTFS Alternate Data Streams and dead drop resolvers demonstrates how attackers are exploiting lesser-known system features to bypass modern defenses.
Conclusion
The latest Gamaredon operation highlights the evolving sophistication of state-backed cyber campaigns. By embedding malware within Windows internals and leveraging trusted cloud services, attackers have significantly improved their ability to evade detection and maintain long-term access.
Organizations must adopt proactive detection strategies and deepen visibility into system behavior to defend against these advanced, persistent threats.
FAQ SECTION
What is Gamaredon malware?
Gamaredon malware refers to tools used by a Russian state-backed APT group targeting Ukrainian and European entities for espionage.
How does GammaWorm hide on systems?
It uses NTFS Alternate Data Streams to store malicious code, making it invisible in normal file system views.
What is CVE-2025-8088?
It is a WinRAR vulnerability exploited in this campaign to execute malicious code via crafted archive files.
How does the malware communicate with attackers?
It uses cloud services, Telegram channels, and dead drop resolvers to retrieve command-and-control instructions.
How can organizations defend against this threat?
Implement endpoint detection, restrict script execution, monitor cloud traffic, and audit file systems for hidden data streams.