June 1, 2026

Gamaredon Hides GammaWorm in NTFS Data Streams to Spy on Ukraine

Gamaredon (also tracked as TEMP.Armageddon, Shuckworm, and UAC-0010), the Russia-linked threat group attributed to FSB Center 18 (a unit of Russia's Federal Security Service operating from Sevastopol, Crimea), has deployed a new fileless worm called GammaWorm that conceals itself inside NTFS Alternate Data Streams (ADS) — a Windows file system feature that can carry invisible hidden payloads alongside ordinary files. The campaign, discovered by Sekoia and reported by Infosecurity Magazine on June 1, 2026, has been active since September 2025 and continues as of publication. Targets include Ukraine's Security Service (SSU), regional courts, military units, and judicial institutions. Entry is achieved via a weaponized WinRAR archive exploiting CVE-2025-8088 (a path traversal flaw in WinRAR, CVSS 8.4 High, patched in WinRAR 7.13).

// 01 Gamaredon GammaWorm: Technical Details

NTFS Alternate Data Streams (ADS) are a little-known feature of the Windows NTFS file system that lets any file carry multiple independent data streams. The primary content (the visible file) lives in the unnamed default stream; additional named streams are addressed with the syntax filename.ext:streamname. These extra streams are invisible in Windows Explorer, in a plain dir listing (dir /R is needed to show them), and in most file manager utilities — they are not counted in the reported file size, and security scans that rely on ordinary directory enumeration miss them. Yet they are fully functional: a named stream can hold script or executable content that Windows tools can run.

CVE-2025-8088 — WinRAR path traversal into ADS. The initial delivery exploits CVE-2025-8088 (CVSS 8.4 High — discovered by ESET Research on July 18, 2025, patched in WinRAR 7.13 released July 30, 2025). WinRAR's extraction engine validates standard path traversal sequences (../) but fails to sanitize the colon character (:) used in NTFS ADS syntax within archive Service block headers. Gamaredon crafts a malicious RAR archive containing a decoy file (e.g., a PDF document) whose ADS stream name embeds directory traversal sequences that resolve to the Windows Startup folder:


```
document.pdf:../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/GammaDrop.vbs
```

When WinRAR extracts the archive, CreateFileW follows the traversal path and writes the hidden GammaDrop.vbs payload directly to the Windows Startup folder — not to the extraction directory where the user is looking. The decoy PDF appears normal; no suspicious file appears in the target folder. Archive CRC32 checksums are recalculated so WinRAR's integrity check passes. At next login, GammaDrop executes automatically as the user.
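
The validation gap described above, modelled as an added example (this is not WinRAR's, ESET's or Sekoia's code): a naive check that inspects only the file-name portion of an archive entry, beside a hardened check that rejects ADS syntax and traversal anywhere in the name. The function names and the "naive" model are assumptions about the bug class, not a reconstruction of WinRAR's extractor; the third sample entry is the pattern quoted in the article.

```powershell
# Added example: why a traversal check that ignores NTFS ADS syntax is not enough.
# Test-EntryPathNaive is a simplified model of the bug class (assumption), not
# WinRAR's actual code. Test-EntryPathHardened shows what a safe validator checks.

function Test-EntryPathNaive {
    param([Parameter(Mandatory)][string]$EntryName)
    # Only the part before the first ':' (the on-disk file name) is inspected for
    # traversal, so a '..' sequence hidden in the stream name is never seen.
    $filePart = $EntryName.Split(':')[0]
    $segments = $filePart -split '[\\/]'
    return -not ($segments -contains '..')
}

function Test-EntryPathHardened {
    param([Parameter(Mandatory)][string]$EntryName)
    # Reject anything that could escape the extraction directory:
    #  - absolute paths and drive letters
    #  - NTFS alternate data stream syntax (any ':' in the entry name)
    #  - '..' in any segment, wherever it appears
    if ([System.IO.Path]::IsPathRooted($EntryName)) { return $false }
    if ($EntryName.Contains(':')) { return $false }
    $segments = $EntryName -split '[\\/]'
    if ($segments -contains '..') { return $false }
    return $true
}

# Constructed sample entry names; the last one is the CVE-2025-8088 pattern from the article
$samples = @(
    'report/document.pdf',
    '../../evil.vbs',
    'document.pdf:../../../../../Users/<user>/AppData/Roaming/Microsoft/Windows/Start Menu/Programs/Startup/GammaDrop.vbs'
)

foreach ($entry in $samples) {
    [pscustomobject]@{
        Entry    = $entry
        Naive    = Test-EntryPathNaive -EntryName $entry
        Hardened = Test-EntryPathHardened -EntryName $entry
    }
}
```

Run as a script, it reports True/True for the benign entry, False/False for the classic traversal, and True/False for the ADS entry: the naive check passes exactly the case the exploit relies on, which is why archive extractors should refuse colons in entry names outright rather than only scanning the file-name portion for traversal.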

The full GammaWorm toolchain:

| Component | Type | Function |
|---|---|---|
| GammaPhish | Lure document | Weaponized xHTML smuggling file (spearphishing) |
| GammaDrop | VBScript dropper | Written to Startup folder via CVE-2025-8088 |
| GammaLoad | HTA downloader | Profiles the system; C2 beacon via Cloudflare Workers |
| GammaWorm | Fileless VBScript worm | Propagates via USB/network, persistent backdoor, dead-drop C2 |
| GammaSteel | Infostealer | Targeted file exfiltration by extension |

GammaWorm's post-execution capabilities:

  • Stores all VBScript modules inside NTFS ADS of legitimate existing files — components do not appear as standalone files in any directory listing
  • Propagates to USB drives and network shares by hiding real folders and replacing them with malicious LNK shortcut files using Ukrainian-language filenames mimicking military orders, court summons, and legal mandates — designed to lure additional victims
  • Resolves C2 addresses via dead-drop channels: Telegram channels, Cloudflare Workers subdomains (*.workers.dev), Cloudflare Quick Tunnels (trycloudflare.com), Telegraph, and Teletype — using legitimate services to evade domain-based blocking
  • Persists via Startup folder and scheduled tasks disguised as routine Windows maintenance
  • Executes operator-sent code in an infinite backdoor loop

[Figure: Gamaredon GammaWorm kill chain — FSB Ukraine espionage]

GammaSteel exfiltration targeting:

  • Desktop, Documents, and Downloads folders
  • Files with extensions: .doc, .docx, .xls, .xlsx, .ppt, .pptx, .vsd, .vsdx, .rtf, .odt, .txt, .pdf
  • MD5-based deduplication via certutil.exe
  • Exfiltration via PowerShell HTTP and cURL routed through Tor for operational security

Sekoia recommends a full system wipe as the only reliable remediation once GammaWorm is confirmed on a host — the dead-drop architecture allows operators to push fresh payloads through Telegram and Cloudflare channels even after the initial malware is removed.

// 02 Exploitation Status and Threat Landscape

The GammaWorm campaign has been active continuously since September 2025 with at least 12 documented spearphishing waves. In May 2026, Gamaredon pivoted from RAR archives to ARJ archives disguised as .zip or .rar files — likely to evade detection signatures that had been written for the RAR-based delivery. The most recent wave documented by Sekoia occurred on April 29, 2026.

Gamaredon is not a sophisticated stealth operator — it compensates for technical limitations with operational persistence and volume. Ukraine's Computer Emergency Response Team (CERT-UA) documented over 5,000 Gamaredon attack attempts against Ukrainian critical infrastructure during 2020–2021 alone. The shift to NTFS ADS concealment and fileless execution represents a meaningful technical evolution for a group historically associated with cruder tactics.

The campaign has notable collaboration with Turla (FSB Center 16 — Russia's elite SIGINT cyber unit). ESET Research documented Gamaredon sharing initial access with Turla operatives between January and June 2025, with Turla deploying its Kazuar backdoor (a sophisticated long-term espionage tool) onto machines that Gamaredon had initially compromised through GammaDrop/GammaLoad. This access-sharing between FSB units reflects coordinated operational priorities against Ukrainian targets.

CVE-2025-8088 was patched in WinRAR 7.13 (July 30, 2025), but a significant proportion of WinRAR installations remain unpatched — WinRAR does not prompt for updates by default in older versions, and many enterprise environments use locally deployed copies that are not auto-updated.

// 03 Who Is Affected

Gamaredon's targets are overwhelmingly Ukrainian government, military, and security institutions:

  • Security Service of Ukraine (SSU/SBU) — the primary intelligence target
  • Regional courts and judicial offices — lures mimic court summons
  • Ukrainian military units — lures mimic military deployment orders
  • Ukrainian navy
  • National Anti-Corruption Bureau of Ukraine (NABU)
  • Legislative and parliamentary entities
  • A Western country's military mission based in Ukraine (February–March 2025 campaign, documented by Symantec/Broadcom)

For organizations outside Ukraine, the primary risk is from CVE-2025-8088 itself — the WinRAR vulnerability used by Gamaredon has been exploited by multiple other threat actors (including RomCom, where ESET originally discovered it) and represents a general risk to any organization running unpatched WinRAR. The NTFS ADS technique is broadly applicable to Windows environments and may be adopted by other threat groups.

// 04 What You Should Do Right Now

  • Update WinRAR to version 7.13 or newer immediately. CVE-2025-8088 is the initial entry point for this campaign. Download the latest version directly from rarlab.com. WinRAR does not auto-update — this must be done manually or via software management:

```powershell
# Check the installed WinRAR version via the uninstall key WinRAR registers
Get-ItemProperty "HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\WinRAR archiver" |
    Select-Object DisplayVersion
# Must be 7.13 or higher
```

  • Audit NTFS Alternate Data Streams on critical systems. Use streams.exe from Sysinternals or PowerShell to enumerate ADS on suspicious directories:

```powershell
# List every alternate data stream on files under a directory (':$DATA' is the normal file content)
Get-ChildItem "C:\Users\<user>\AppData\Roaming" -Recurse -File |
    ForEach-Object { Get-Item $_.FullName -Stream * -ErrorAction SilentlyContinue } |
    Where-Object Stream -ne ':$DATA'

# Or use the Sysinternals Streams tool (-s recurses into subdirectories)
streams.exe -s "C:\Users\<user>\AppData\Roaming"
```

Any file with a .vbs, .ps1, .hta, or .bat named ADS stream that you did not create is highly suspicious.

  • Check the Windows Startup folder for unexpected VBScript files. Gamaredon's GammaDrop places a .vbs file in the Startup folder via the CVE-2025-8088 exploit:

```powershell
# Check both the per-user and the all-users Startup folders for VBScript files
Get-ChildItem "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup" |
    Where-Object { $_.Extension -eq ".vbs" }
Get-ChildItem "C:\ProgramData\Microsoft\Windows\Start Menu\Programs\Startup" |
    Where-Object { $_.Extension -eq ".vbs" }
```

  • Block Cloudflare Workers and Telegram domains at the perimeter if operationally feasible. GammaWorm's dead-drop architecture uses *.workers.dev, trycloudflare.com, Telegram (t.me, api.telegram.org), and telegraph.ph for C2 resolution. Blocking these at the perimeter eliminates the C2 channel for compromised hosts — though this may impact legitimate use of these platforms.
  • Implement YARA rules for GammaWorm indicators. Sekoia and HarfangLab have published YARA rules covering GammaDrop, GammaLoad, and GammaWorm. Integrate these into your endpoint detection platform. Key IoC patterns include:
      • VBS files matching the regex 1_13_4_\d+_\d{2}\.\d{2}\.202[56]\.vbs in the Startup folder
      • HTTP requests to *.h4puonhajw.workers.dev or *.cnbyvilkghx2a6p.workers.dev
      • Registry modifications to key paths used to store C2 addresses and payload fragments
  • For Ukrainian government organizations: assume Gamaredon has attempted to target you. The campaign has been active for 12+ months with consistent targeting of SSU, courts, and military. Conduct a full threat hunt using the IoCs below and treat any suspicious VBScript or HTA execution event in the past year as potentially GammaWorm-related.
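
One way to run the ADS audit and the Startup-folder check as a single host hunt, as an added example (not code from the article, Sekoia or HarfangLab): it recurses the per-user application-data folders, reports any alternate data stream whose name looks like a script, lists script files in both Startup folders, and flags names that match the GammaDrop naming pattern quoted above. The directory scope, the stream-name pattern and the function names are assumptions; widen the scope for a full-disk hunt.

```powershell
# Added example: combined ADS + Startup-folder hunt. Scope, patterns and
# function names are assumptions, not indicators published by Sekoia.

# Stream names that have no business existing as an ADS on ordinary documents
$ScriptStreamPattern = '\.(vbs|vbe|ps1|hta|bat|cmd|js|wsf)$'
# GammaDrop file-name pattern quoted in the article (regex, escapes restored)
$GammaDropNamePattern = '^1_13_4_\d+_\d{2}\.\d{2}\.202[56]\.vbs$'

function Get-SuspiciousStream {
    param([Parameter(Mandatory)][string[]]$Path)
    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                # Enumerate every stream on the file; ':$DATA' is the normal content stream
                Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue
            } |
            Where-Object { $_.Stream -ne ':$DATA' -and $_.Stream -match $ScriptStreamPattern } |
            Select-Object FileName, Stream, Length
    }
}

function Get-StartupScript {
    # Per-user and all-users Startup folders
    $startupDirs = @(
        (Join-Path $env:APPDATA 'Microsoft\Windows\Start Menu\Programs\Startup'),
        (Join-Path $env:ProgramData 'Microsoft\Windows\Start Menu\Programs\Startup')
    )
    foreach ($dir in $startupDirs) {
        if (-not (Test-Path -LiteralPath $dir)) { continue }
        Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -in @('.vbs', '.vbe', '.hta', '.js', '.wsf', '.bat', '.cmd') } |
            ForEach-Object {
                [pscustomobject]@{
                    Path             = $_.FullName
                    Created          = $_.CreationTime
                    MatchesGammaDrop = ($_.Name -match $GammaDropNamePattern)
                }
            }
    }
}

# Default scope (assumption): roaming and local application data of the current user
$adsHits     = Get-SuspiciousStream -Path @($env:APPDATA, $env:LOCALAPPDATA)
$startupHits = Get-StartupScript

"Alternate data streams with script-like names: $(@($adsHits).Count)"
$adsHits | Format-Table -AutoSize
"Script files in Startup folders: $(@($startupHits).Count)"
$startupHits | Format-Table -AutoSize
```

Any row in the first table is worth a look regardless of the GammaDrop flag, since the article notes that GammaWorm stores its VBScript modules in the ADS of legitimate existing files; the flag in the second table only tells you whether a Startup entry matches the specific naming pattern Sekoia reported.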

Key Indicators of Compromise:

| Type | Value |
|---|---|
| C2 domain | entry.anyclaw[.]store |
| C2 domain | *.h4puonhajw[.]workers[.]dev |
| C2 domain | *.cnbyvilkghx2a6p[.]workers[.]dev |
| C2 IP | 107.189.19.218 |
| C2 IP | 107.189.19.137 |
| C2 IP | 172.104.187.254 |
| Malware hash | 62818ae5e305b89b9461536dac1b9daf4cebd99d24e417357e27e2ae4582a704 (GammaDrop VBS) |
| Malware hash | 69cdde1ec82099a471283de89dd5e17266b1d8dda57d3c1589b7754b009fa2ed (GammaLoad HTA) |
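
As an added example of putting the indicators in the table to work (not Sekoia's tooling), the following matches proxy-style log lines against the C2 domains and IPs above and, at a lower severity, against the dead-drop platforms named earlier (*.workers.dev, trycloudflare.com, t.me, api.telegram.org), which are legitimate services and so only warrant a closer look. The log lines are constructed for illustration; the line layout, the parsing regex and the function name are assumptions to adapt to your own proxy or DNS log format.

```powershell
# Added example: match log lines against the article's IoCs. Log lines are
# constructed; the log format and Find-IocHit are assumptions.

# Indicators from the article, defanging removed, as anchored regexes
$IocDomainPatterns = @(
    '^entry\.anyclaw\.store$',
    '\.h4puonhajw\.workers\.dev$',
    '\.cnbyvilkghx2a6p\.workers\.dev$'
)
$IocIPs = @('107.189.19.218', '107.189.19.137', '172.104.187.254')

# Dead-drop resolver platforms named in the article: legitimate services, so
# a hit here is a lead to investigate, not a confirmed compromise
$DeadDropPatterns = @(
    '\.workers\.dev$',
    '\.trycloudflare\.com$',
    '^t\.me$',
    '^api\.telegram\.org$'
)

function Find-IocHit {
    param([Parameter(Mandatory)][string[]]$Line)
    # Assumed layout: <timestamp> <source-ip> <method> <destination> <port>
    $layout = '^(?<ts>\S+)\s+(?<src>\S+)\s+(?<method>\S+)\s+(?<dst>\S+)\s+(?<port>\d+)$'
    foreach ($l in $Line) {
        if ($l -match $layout) {
            # Copy captures out before any further -match clobbers $Matches
            $ts  = $Matches['ts']
            $src = $Matches['src']
            $dst = $Matches['dst'].ToLower()
            $severity = $null
            if ($IocIPs -contains $dst) { $severity = 'High' }
            elseif ($IocDomainPatterns | Where-Object { $dst -match $_ }) { $severity = 'High' }
            elseif ($DeadDropPatterns | Where-Object { $dst -match $_ }) { $severity = 'Medium' }
            if ($severity) {
                [pscustomobject]@{
                    Time        = $ts
                    Source      = $src
                    Destination = $dst
                    Severity    = $severity
                }
            }
        }
    }
}

# Constructed sample log; internal addresses and timestamps are invented
$sampleLog = @'
2026-05-12T09:14:03Z 10.0.4.21 GET entry.anyclaw.store 443
2026-05-12T09:14:05Z 10.0.4.21 GET abc123.h4puonhajw.workers.dev 443
2026-05-12T09:15:10Z 10.0.4.33 GET www.example.com 443
2026-05-12T09:16:42Z 10.0.4.21 CONNECT 172.104.187.254 443
2026-05-12T09:17:01Z 10.0.4.40 GET random-words.trycloudflare.com 443
'@ -split "`r?`n"

Find-IocHit -Line $sampleLog | Sort-Object Severity, Time | Format-Table -AutoSize
```

On the constructed sample this yields three High hits (the C2 domain, the workers.dev subdomain and the C2 IP, all from the same internal host) and one Medium hit for the Quick Tunnel hostname; the example.com request produces nothing. Feeding the same function a day of real proxy logs is enough to answer the "has any host talked to these?" question the article's hunt guidance asks.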

// 05 Background: Understanding the Risk

Gamaredon (FSB Center 18) is one of the most persistent cyber actors in the Russia-Ukraine conflict, operating continuously since 2013. The five named FSB officers attributed to the group by Ukraine's Security Service (SSU) in November 2021 — including Sklianko Oleksandr, Chernykh Mykola, Starchenko Anton, Miroshnychenko Oleksandr, and Sushchenko Oleh — are former Ukrainian law enforcement officers who defected to Russia during Crimea's 2014 occupation. Two affiliated members were sentenced in absentia to 15 years in Ukrainian court in 2024.

The NTFS ADS hiding technique is not Gamaredon's invention — ADS have been used by malware authors since Windows NT. But the specific combination of CVE-2025-8088 delivery (a recent, specifically targeted exploit), NTFS ADS persistence for fileless execution, dead-drop resolver architecture using five separate legitimate cloud platforms simultaneously, and access-sharing with Turla for follow-on sophisticated espionage represents a meaningful step up in technical sophistication for a group historically characterized by volume-over-subtlety operations.

The dead-drop resolver architecture — where C2 addresses are fetched from Telegram channels and Cloudflare Workers rather than hard-coded — is particularly resilient. Even if the payload binaries are identified and blocked, the operators can push entirely new payloads through the resolver chain as long as the initial GammaLoad beacon remains active on a compromised host. This is why Sekoia recommends system wipes rather than malware removal as the definitive remediation.

// 06 Conclusion

Gamaredon's GammaWorm campaign — using CVE-2025-8088 to deliver a fileless worm hidden in NTFS Alternate Data Streams, with C2 evasion through Cloudflare and Telegram — represents the group's most technically capable espionage campaign to date. Patch WinRAR to 7.13 immediately, audit your Windows Startup folders and NTFS ADS for unexpected VBScript entries, block the known C2 domains at your perimeter, and treat any VBS/HTA execution in the past year on Ukrainian government systems as a potential GammaWorm indicator warranting full investigation.

Team Ciphers Security
The Ciphers Security editorial team — practitioners covering daily threat intel, CVE deep-dives, and hands-on cybersecurity research.