Gamaredon Uses Windows Features and Cloud Platforms to Hide Malware in Ukraine Campaign


Gamaredon is using a modular malware chain that hides inside native Windows features and relies on public cloud and messaging platforms to maintain command-and-control access. The campaign remains focused on Ukrainian government, military, and critical infrastructure targets.

The latest findings come from Sekoia.io’s first report in a three-part investigation into Gamaredon’s 2026 toolset. The company describes a fileless, VBScript-heavy infection chain that uses GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation, and GammaSteel for document theft.

Gamaredon, also known as Armageddon, ACTINIUM, Aqua Blizzard, and UAC-0010, has targeted Ukraine for more than a decade. MITRE ATT&CK says the Ukrainian government publicly attributed the group to Russia’s Federal Security Service Center 18 in 2021.

Gamaredon rebuilt its malware into a Gamma ecosystem

Sekoia says Gamaredon has moved away from older monolithic tooling and now uses standalone malware families with separate roles. This makes the chain more flexible because each stage can retrieve new scripts, update configuration, and continue the operation even if another component fails.

The first stage observed by Sekoia uses weaponized xHTML files. The xHTML lure triggers HTML smuggling and delivers a malicious RAR archive that abuses CVE-2025-8088 in WinRAR to place an HTA file in the Windows Startup folder.

Google Threat Intelligence previously documented widespread exploitation of CVE-2025-8088 in WinRAR. The bug is a path traversal flaw that attackers can use to write files outside the intended extraction folder, including Windows Startup locations.

| Malware family | Main role | Key behavior |
| --- | --- | --- |
| GammaPhish | Initial access | Uses xHTML lures and a malicious RAR archive |
| GammaLoad | Staging | Loads additional VBScript and PowerShell payloads |
| GammaWorm | Propagation | Spreads across USB and network drives |
| GammaSteel | Data theft | Collects documents and exfiltrates them to cloud storage |
| GammaWipe | Destructive activity | Listed in the broader taxonomy but not the focus of this chain |

WinRAR exploitation starts the Windows chain

The RAR archive appears to contain a decoy PDF and a folder, but it also carries a hidden HTA file. When a user manually opens and extracts the archive on a vulnerable WinRAR version, the HTA file can land in the user’s Startup folder.

That HTA file runs when the user logs in again and uses mshta.exe to call remote infrastructure. This gives the operator a path to execute additional code without dropping a conventional executable as the first visible payload.

Google’s CVE-2025-8088 analysis says the flaw was patched in WinRAR 7.13 in July 2025, but threat actors continued exploiting it because many users had not updated. Organizations should treat outdated archive tools as an initial-access risk, not just a utility maintenance issue.

  • A targeted user opens an xHTML lure.
  • The lure smuggles a malicious RAR archive to the device.
  • The archive abuses CVE-2025-8088 on vulnerable WinRAR versions.
  • A hidden HTA file is written to the Startup folder.
  • Windows launches the HTA file on the next login.
  • The chain retrieves later Gamma payloads from remote infrastructure.

GammaWorm hides inside NTFS Alternate Data Streams

GammaWorm is the most visible shift in the campaign’s stealth model. Instead of storing many normal files, it hides key VBScript modules inside NTFS Alternate Data Streams attached to existing profile paths.

This technique maps to MITRE ATT&CK NTFS File Attributes. Alternate Data Streams can store content without changing what users normally see in Windows Explorer, which can reduce the chance that a victim or basic file scanner notices the payload.

GammaWorm also creates RunOnce registry entries and scheduled tasks that execute code from those hidden streams. It changes Explorer settings to hide file extensions, hidden files, and protected operating system files, making the infected environment look cleaner than it is.

| Windows feature abused | How Gamaredon uses it |
| --- | --- |
| Alternate Data Streams | Stores VBScript modules in hidden streams |
| RunOnce registry key | Relaunches GammaWorm at user logon |
| Scheduled Tasks | Runs hidden ADS modules at intervals |
| Explorer settings | Hides file extensions and protected system files |
| mshta.exe and wscript.exe | Executes script content through native Windows tools |

USB and network drive propagation increases reach

GammaWorm does not only stay on one host. It scans for USB and network drives, hides legitimate folders, and replaces them with malicious LNK shortcuts. Those shortcuts open the expected folder while quietly launching the worm again.

This design helps the malware move through shared drives and removable media, including environments where direct network access may be limited. It also uses Ukrainian-language lure names to push users into opening the shortcuts.

Sekoia’s GammaWorm analysis says the worm targets USB and network drives and uses a continuous loop that acts as a backdoor. The loop can resolve C2 infrastructure, send host fingerprints, and execute remote VBScript returned by the operator.

GammaLoad keeps staging alive through cloud dead drops

The middle of the chain relies on GammaLoad, a set of VBScript loaders that fetch and execute later stages. A second Sekoia report says GammaLoad uses a priority-based failover system that checks cached registry values before turning to public dead drop resolvers.

Those dead drops include Telegraph, Telegram, Check-Host, Cloudflare Workers, and related services. Instead of hardcoding one fixed C2 server, the malware can scrape current infrastructure from public pages and store fresh values under HKCU\Console registry keys.


That design improves resilience. If one server goes down, another script stage can still use cached values, public dead drops, or fallback infrastructure to retrieve new payloads.

  • GammaLoad stores live C2 values in the Windows registry.
  • It queries public services to recover fresh infrastructure.
  • It executes some payloads in memory with VBScript or PowerShell.
  • It can write later stages into Alternate Data Streams.
  • It uses scheduled tasks to rerun hidden components.

GammaSteel focuses on document theft

The final payload in the reconstructed chain is GammaSteel, a PowerShell-based stealer. Sekoia says the malware stages 71 distinct payload functions in the HKCU\Printers registry key and encrypts them with Windows DPAPI.

The GammaSteel report says the stealer looks for user documents through three methods: recurring scans of local and network drives, monitoring newly inserted USB devices, and watching files as they are saved or modified.

Once GammaSteel finds candidate documents, it deduplicates them locally using MD5 hashes and exfiltrates data to S3-compatible cloud storage. If the main cloud path fails, it can fall back to operator-controlled servers or dead drop resolvers to continue activity.

Cloud and messaging platforms make blocking harder

Gamaredon’s infrastructure strategy mixes public platforms with operator-controlled servers. The group uses Telegram pages, Telegraph and Teletype pages, Cloudflare Workers, TryCloudflare domains, Check-Host, and S3-compatible storage as part of the command-and-control chain.

This creates a problem for defenders. Blocking every public service used in the chain may disrupt legitimate activity, while allowing them without inspection can let malware hide inside traffic that looks ordinary.

The Gamaredon Group profile notes the group’s history of using web protocols and infrastructure to support staging and C2. In the 2026 chain, that long-running pattern now appears more modular and more cloud-heavy.

| Platform or service | Observed role |
| --- | --- |
| Telegram | Hosts dead drop pages with C2 information |
| Telegraph and Teletype | Stores resolver pages that point to live infrastructure |
| Cloudflare Workers and TryCloudflare | Hides staging and C2 paths behind trusted infrastructure |
| Check-Host | Used as a resolver source for IP data |
| S3-compatible cloud storage | Used for document exfiltration by GammaSteel |

Detection should focus on behavior, not only indicators

Gamaredon changes infrastructure often, so defenders should not rely only on domains and hashes. Endpoint behavior can provide stronger signals, especially around ADS execution, suspicious scheduled tasks, and script interpreters launched from unusual locations.

The MITRE NTFS File Attributes technique recommends watching for suspicious file creations or modifications with colon-style stream paths and utilities that interact with streams. In this case, defenders should also inspect wscript.exe, mshta.exe, curl.exe, PowerShell, and scheduled task activity tied to ADS paths.

For compromised systems, Sekoia recommends a complete wipe as the safest remediation path because the chain has several fallback mechanisms. Partial removal may leave enough components behind for the malware to restore access.

  1. Update WinRAR to version 7.13 or later on all Windows systems.
  2. Block or inspect xHTML, HTA, RAR, and LNK files from untrusted sources.
  3. Hunt for RunOnce entries named ExplorerGuard.
  4. Monitor scheduled tasks that execute ADS paths with wscript.exe.
  5. Inspect USB and network drives for hidden folders and suspicious LNK replacements.
  6. Look for curl.exe contacting Telegram pages from user endpoints.
  7. Track suspicious HKCU\Console registry keys used for C2 caching.
  8. Consider full reimaging for confirmed GammaWorm infections.
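The behavioral checks described above (script hosts executing colon-style ADS paths, RunOnce entries named ExplorerGuard, HKCU\Console writes by script hosts, and curl.exe reaching Telegram or Telegraph pages) expressed as hunting rules over constructed Sysmon-style events. This is an added illustration, not code from Sekoia or from the article; the event shape, user names, URLs and the Telegram/Telegraph hostname list are assumptions.

```python
import re

# Constructed sample telemetry (not from the report): simplified Sysmon-style
# process-creation ("process") and registry value-set ("registry") events.
SAMPLE_EVENTS = [
    {"type": "process", "image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe //B "C:\Users\alice\AppData\Roaming\profile.ini:update.vbs"'},
    {"type": "process", "image": r"C:\Windows\System32\curl.exe",
     "cmdline": "curl.exe -s https://t.me/s/examplechannel"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\ExplorerGuard"},
    {"type": "registry", "image": r"C:\Windows\System32\wscript.exe",
     "target": r"HKCU\Console\example"},
    {"type": "process", "image": r"C:\Windows\System32\notepad.exe",
     "cmdline": r"notepad.exe C:\Users\alice\Documents\notes.txt"},
]

# Drive-letter path followed by a second colon and a stream name, e.g.
# C:\dir\file.ini:module.vbs (the colon-style ADS path MITRE describes).
ADS_PATH = re.compile(r"[A-Za-z]:\\[^\s:\"']+:[\w.$-]+")
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe"}
# Assumed hostnames for Telegram/Telegraph dead drop pages.
DEAD_DROP_HOST = re.compile(r"https?://(?:www\.)?(?:t\.me|telegram\.org|telegra\.ph)/", re.I)
RUNONCE_VALUE = re.compile(r"\\RunOnce\\ExplorerGuard$", re.I)
C2_CACHE_KEY = re.compile(r"^HKCU\\Console\\", re.I)


def classify(event):
    """Return the rule names an event matches (empty list if nothing fires)."""
    hits = []
    image = event["image"].rsplit("\\", 1)[-1].lower()
    if event["type"] == "process":
        cmd = event["cmdline"]
        if image in SCRIPT_HOSTS and ADS_PATH.search(cmd):
            hits.append("script_host_exec_from_ads")
        if image == "curl.exe" and DEAD_DROP_HOST.search(cmd):
            hits.append("curl_to_dead_drop_host")
    else:  # registry event
        target = event["target"]
        if RUNONCE_VALUE.search(target):
            hits.append("runonce_explorerguard_persistence")
        if image in SCRIPT_HOSTS and C2_CACHE_KEY.search(target):
            hits.append("script_host_writes_hkcu_console")
    return hits


def hunt(events):
    """Map the index of each matching event to the rules it triggered."""
    results = {}
    for i, event in enumerate(events):
        hits = classify(event)
        if hits:
            results[i] = hits
    return results


if __name__ == "__main__":
    for idx, rules in hunt(SAMPLE_EVENTS).items():
        print(idx, rules)
```

The benign notepad.exe event produces no hit, which is the point of keying on interpreter plus ADS path rather than on the path alone.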

Why Gamaredon’s 2026 toolset matters

The campaign shows how a long-running espionage group can raise persistence and stealth without abandoning familiar tactics. Gamaredon still uses phishing, scripts, USB propagation, and document theft, but it now wraps those behaviors in a layered architecture that makes cleanup harder.

The GammaLoad research shows how intermediary loaders can keep refreshing access, while the GammaSteel analysis shows the final goal: continued collection and exfiltration of sensitive documents.

For Ukrainian organizations and their partners, the main lesson is practical. Defenders need patching, script control, USB hygiene, ADS-aware forensics, and cloud traffic inspection working together, because Gamaredon’s chain deliberately crosses all of those areas.

FAQ

What is Gamaredon?

Gamaredon is a Russian state-backed cyber espionage group also tracked as Armageddon, ACTINIUM, Aqua Blizzard, and UAC-0010. It has targeted Ukrainian government, military, law enforcement, nonprofit, and critical infrastructure organizations for years.

What is GammaWorm?

GammaWorm is a VBScript-based worm used by Gamaredon. It hides modules in NTFS Alternate Data Streams, creates persistence through RunOnce entries and scheduled tasks, spreads through USB and network drives, and acts as a backdoor.

How does Gamaredon use CVE-2025-8088?

Gamaredon uses malicious RAR archives that exploit CVE-2025-8088 in vulnerable WinRAR versions. The archive can place an HTA file in the Windows Startup folder, causing code to run when the user logs in again.

Why does Gamaredon use Telegram, Cloudflare, and cloud storage?

Gamaredon uses public platforms as dead drop resolvers and C2 support channels. This helps the group rotate infrastructure, hide malicious traffic among legitimate services, and recover fresh server addresses if one path is blocked.

How can defenders detect this Gamaredon campaign?

Defenders should monitor outdated WinRAR use, HTA execution, mshta.exe and wscript.exe activity, ADS paths, suspicious RunOnce keys, unusual scheduled tasks, hidden folders on USB drives, and endpoints using curl.exe to access Telegram resolver pages.
