The campaign, active since September 2025 and still evolving, has targeted Ukrainian state institutions through spoofed messages and compromised government email accounts. The emails are written in Ukrainian and designed to resemble official correspondence, including court-related notices and administrative documents. Their attachments contain malicious RAR archives built to exploit CVE-2025-8088, a WinRAR path traversal flaw that allows attackers to place files in sensitive Windows directories and trigger execution during system restart or user activity.
Gamaredon, also tracked as UAC-0010, Shuckworm, Aqua Blizzard, Primitive Bear and Armageddon, has been one of the most persistent cyber-espionage actors focused on Ukraine. The group has been active for more than a decade and has been publicly linked by Ukrainian authorities to Russia’s Federal Security Service. Its operations typically prioritise access, surveillance, credential theft and rapid collection of files from public sector systems rather than destructive attacks.
The latest infection chain begins with a spear-phishing email that either appears to come from a trusted institution or is sent from an already compromised account. Some messages hide recipients in the BCC field to conceal the scale of targeting. Once the archive is opened on an unpatched Windows system, the exploit enables the placement of malicious scripts outside the expected extraction path. That technique gives the attacker a foothold without relying on highly complex malware at the entry stage.
GammaDrop functions as the initial downloader. Its role is to prepare the infected machine, retrieve additional components and support the next phase of execution. GammaLoad, delivered as an HTA-based beacon, then establishes persistence and communication with command-and-control infrastructure. The malware also profiles infected systems, helping operators decide whether a compromised machine is valuable enough for further exploitation.
The use of Cloudflare-proxied infrastructure and frequently changing domains has complicated detection. By routing traffic through widely used services, the operators attempt to blend malicious communications with legitimate web activity. Security teams tracking the campaign have observed repeated changes in delivery methods, file names, scripts and hosting arrangements, a pattern consistent with Gamaredon’s long-standing practice of making small but frequent adjustments to avoid static defences.
CVE-2025-8088 remains central to the campaign because WinRAR does not automatically update in many environments. The vulnerability was patched in version 7.13, but older installations remain exposed. The flaw has attracted wider attention because multiple state-linked and financially motivated actors have used it to place malicious payloads into Windows Startup folders or other sensitive locations. That makes outdated archive software a high-value target in phishing operations.
Ukraine’s public sector remains the primary focus. Government offices, regional administrations, judicial bodies, law enforcement-linked institutions and organisations connected to national security have remained under pressure from phishing campaigns throughout the war. Gamaredon’s methods are not always technically sophisticated, but their volume, persistence and localised social engineering have made the group difficult to neutralise.
The campaign also shows how espionage actors are exploiting the gap between patch availability and patch adoption. Many organisations prioritise operating system and browser updates while overlooking archive utilities, document handlers and legacy administrative tools. For attackers, those gaps offer dependable routes into networks where users regularly open compressed files attached to official correspondence.
Defensive measures recommended by specialists include immediate upgrading of WinRAR to the patched version, blocking execution from temporary archive extraction paths, restricting HTA and VBScript execution where business use is not required, enforcing multi-factor authentication on government email accounts, and tightening SPF, DKIM and DMARC controls to limit spoofing. Monitoring outbound traffic to newly created domains and suspicious Cloudflare-routed infrastructure is also considered essential.
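The article describes the exploit's effect as file placement outside the expected extraction path, including into Windows Startup folders. One inexpensive defensive check for a mail gateway or sandbox is to inspect an archive's entry names before anything is extracted and flag any that would resolve outside the extraction directory. The following is an added example, not code from the article or from any vendor tooling: it takes entry names as an archive tool would list them (in practice they could come from a library such as `rarfile`, which is an assumption about deployment and not used here), applies Windows path semantics via `ntpath`, and reports traversal, absolute, rooted and UNC names. The sample entry list is constructed for illustration.

```python
"""Flag archive entry names that would escape the extraction directory.

Added example, not part of the article. Works on a list of entry names as an
archive tool reports them; the names below are constructed for illustration.
"""
import ntpath
import re
from dataclasses import dataclass

# Constructed sample listing: a mix of benign names and names that an extractor
# honouring them literally would write outside the extraction directory.
SAMPLE_ENTRIES = [
    "Ухвала_суду.pdf",                                   # benign, relative
    "docs/attachment.docx",                               # benign, subdirectory
    "..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta",
    "C:\\Users\\Public\\run.vbs",                         # absolute path with drive letter
    "\\\\server\\share\\payload.cmd",                     # UNC path
    "docs/../../escape.js",                               # forward-slash traversal
    "docs/./../safe.txt",                                 # normalises to inside the root
]

_DRIVE_RE = re.compile(r"^[A-Za-z]:")
_STARTUP_MARKER = "\\start menu\\programs\\startup\\"


@dataclass
class Verdict:
    name: str
    safe: bool
    reason: str


def classify_entry(name: str, extract_root: str = "C:\\extract") -> Verdict:
    """Decide whether extracting `name` under `extract_root` stays inside it.

    Both slash styles are treated as separators, as Windows extractors do, and
    the resolved target is compared against the root with a trailing separator
    so that 'C:\\extract2' is not mistaken for a child of 'C:\\extract'.
    """
    if "\x00" in name:
        return Verdict(name, False, "embedded NUL byte")
    unified = name.replace("/", "\\")
    if unified.startswith("\\\\"):
        return Verdict(name, False, "UNC path")
    if _DRIVE_RE.match(unified):
        return Verdict(name, False, "absolute path with drive letter")
    if unified.startswith("\\"):
        return Verdict(name, False, "rooted path")

    root = ntpath.normpath(extract_root)
    target = ntpath.normpath(ntpath.join(root, unified))
    if not target.lower().startswith(root.lower().rstrip("\\") + "\\"):
        reason = "resolves outside extraction directory"
        if _STARTUP_MARKER in target.lower():
            reason += " (into a Startup folder)"
        return Verdict(name, False, reason)
    return Verdict(name, True, "ok")


def scan(entries, extract_root: str = "C:\\extract"):
    """Return the verdicts for every entry that is NOT safe to extract."""
    return [v for v in (classify_entry(e, extract_root) for e in entries) if not v.safe]


if __name__ == "__main__":
    for verdict in scan(SAMPLE_ENTRIES):
        print(f"BLOCK  {verdict.name!r}: {verdict.reason}")
```

Run as a script it prints one `BLOCK` line per unsafe entry; an empty result means every name stays under the extraction root. The check is deliberately stricter than the archive tool itself: anything absolute, rooted, UNC or traversing is rejected, because a gateway has no legitimate reason to pass such names on to a user's extractor.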