Skip to content
  • Home
  • Cyber Map
  • About Us – Contact
  • Disclaimer
  • Terms and Rules
  • Privacy Policy
Cyber Web Spider Blog – News

Cyber Web Spider Blog – News

Globe Threat Map provides a real-time, interactive 3D visualization of global cyber threats. Monitor DDoS attacks, malware, and hacking attempts with geo-located arcs on a rotating globe. Stay informed with live logs and archive stats.

  • Home
  • Cyber Map
  • Cyber Security News
  • Security Week News
  • The Hacker News
  • How To?
  • Toggle search form
Gamaredon Uses WinRAR Flaw to Target Ukraine with Malware

Gamaredon Uses WinRAR Flaw to Target Ukraine with Malware

Posted on June 2, 2026 By CWS

The Russian hacking group Gamaredon is actively leveraging a WinRAR vulnerability to distribute malware aimed at Ukrainian targets. This campaign, focused on data theft and system infiltration, utilizes a known flaw in WinRAR identified as CVE-2025-8088. The flaw enables the delivery of malicious payloads, including the GammaPhish HTML Application and subsequent downloads of VBScript malware.

Exploiting WinRAR for Cyber Attacks

According to cybersecurity firm Sekoia, the attack chain begins with the exploitation of the CVE-2025-8088 vulnerability in WinRAR. Once exploited, it launches the GammaPhish payload, which in turn downloads GammaLoad, a VBScript component. This infection sequence, first observed in January 2026, allows attackers to manipulate network configurations and execute arbitrary scripts on compromised systems.

The primary goal of Gamaredon appears to be gathering intelligence by fingerprinting host systems and executing malicious scripts. The use of dead drop resolvers (DDRs) helps in maintaining a stealthy presence, while the malware communicates with command-and-control (C2) servers to execute its payloads.

Malware Families: GammaWorm and GammaSteel

Among the deployed malware is GammaWorm, a VBScript-based worm that establishes persistence through scheduled tasks. It conceals itself by hiding legitimate directories and replacing them with malicious shortcut files on network shares and USB drives. This allows it to execute harmful code from C2 servers while staying undetected by blending in with normal traffic, particularly through platforms like Telegram.

GammaSteel, another malware variant delivered by GammaLoad, acts as an information stealer. It targets files with specific extensions and exfiltrates them to Amazon Web Services (AWS) S3 buckets or other attacker-controlled servers, depending on the situation. This dual approach of using legitimate services helps evade detection and maintain a long-term espionage operation.

Implications for Ukrainian Security

Gamaredon’s operations are part of a broader state-sponsored campaign linked to the Federal Security Service (FSB) of Russia. Their tactics have historically focused on Ukrainian government, military, and critical infrastructure, often using spear-phishing emails with malicious attachments. The current infection chain showcases a sophisticated and adaptable design that is likely to be repurposed in future attacks.

In addition to Gamaredon’s activities, other threat groups like UAC-0184 and UAC-0247 have also targeted Ukraine, using various techniques such as LNK lures and HTML Application droppers. These coordinated efforts highlight the ongoing cyber threat landscape faced by Ukraine, necessitating robust cybersecurity measures and constant vigilance.

As cyber threats continue to evolve, understanding the mechanisms and impacts of these attacks is crucial for developing effective defense strategies. The resilience and adaptability of the Gamaredon group’s tactics underscore the importance of staying informed and prepared for future challenges in cybersecurity.

The Hacker News Tags:APT28, CVE-2025-8088, Cybersecurity, FSB, Gamaredon, GammaSteel, GammaWorm, Malware, threat intelligence, UAC-0184, Ukraine, WinRAR

Post navigation

Previous Post: Cybercriminals Exploit Cloud Platforms to Conceal Attacks
Next Post: Red Hat Reveals npm Package Security Breach

Related Posts

LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer LastPass Warns of Fake Repositories Infecting macOS with Atomic Infostealer The Hacker News
Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month Over 269,000 Websites Infected with JSFireTruck JavaScript Malware in One Month The Hacker News
New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper New MacSync macOS Stealer Uses Signed App to Bypass Apple Gatekeeper The Hacker News
Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep Europol and Eurojust Dismantle €600 Million Crypto Fraud Network in Global Sweep The Hacker News
U.S. Targets VPN and Cryptor Seller for Ransomware Aid U.S. Targets VPN and Cryptor Seller for Ransomware Aid The Hacker News
Linux PamDOORa Backdoor Exploits PAM to Steal SSH Credentials Linux PamDOORa Backdoor Exploits PAM to Steal SSH Credentials The Hacker News

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Recent Posts

  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Archives

  • July 2026
  • June 2026
  • May 2026
  • April 2026
  • March 2026
  • February 2026
  • January 2026
  • December 2025
  • November 2025
  • October 2025
  • September 2025
  • August 2025
  • July 2025
  • June 2025
  • May 2025

Recent Posts

  • AI Tool Revolutionizes Automated Penetration Testing
  • Critical WordPress Flaw Allows Code Execution
  • OpenSSL Vulnerability ‘HollowByte’ Poses Severe Threat
  • OpenSSL Vulnerability Causes Memory Freeze with Minimal Data
  • EY Faces Data Breach: IT System Compromised

Pages

  • About Us – Contact
  • Disclaimer
  • Privacy Policy
  • Terms and Rules

Categories

  • Cyber Security News
  • How To?
  • Security Week News
  • The Hacker News

Copyright © 2026 Cyber Web Spider Blog – News.

Powered by PressBook Masonry Dark