Gamaredon Uses GammaDrop and GammaLoad Downloaders in Multi-Stage Phishing Attacks.
A sustained cyber-espionage campaign linked to the Gamaredon threat group is actively targeting Ukrainian government entities using multi-stage phishing attacks and evolving malware loaders.
Gamaredon, also known as UAC-0010 or Shuckworm, continues to exploit CVE-2025-8088, a directory traversal vulnerability in WinRAR that allows attackers to write malicious files outside the intended extraction path.
The vulnerability has been widely abused since mid-2025, but Gamaredon’s campaigns stand out for their scale and persistence.
In observed attacks, victims receive phishing emails sent either from compromised Ukrainian government accounts or spoofed domains. These emails often mimic official court summons or legal notices, increasing the likelihood of user interaction.
Researchers at HarfangLab tracking the activity uncovered at least 12 waves of spearphishing emails since September 2025, leveraging the WinRAR vulnerability CVE-2025-8088 to silently deploy custom VBScript-based downloaders.
The phishing emails carry malicious RAR archives containing a decoy PDF and a hidden VBScript payload embedded using NTFS alternate data streams (ADS).
One observed spearphishing email was sent from a compromised email account belonging to a local government official in Odessa Oblast on March 18, 2026.
When the archive is extracted, the exploit abuses the WinRAR vulnerability to write the VBScript file directly into the Windows Startup folder, so that it executes at the next user logon and gives the attackers persistence.
The dropped script, known as GammaDrop, acts as the first-stage downloader. It is heavily obfuscated and uses randomized variables and junk code, consistent with Gamaredon’s automated malware generation techniques.
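The archive pattern described above (a decoy document carrying an ADS whose stream name traverses out of the extraction directory into the Startup folder) can be caught before extraction by inspecting entry names. The following is an added example, not HarfangLab's or the attackers' code; the entry names are constructed to mimic the technique, and listing a real archive's entries with the third-party `rarfile` package (`RarFile(path).namelist()`) is an assumption about tooling, while the checks themselves are plain string analysis and run offline.

```python
"""Flag archive entry names that pair an NTFS alternate data stream (ADS) with
path traversal, the pattern the article describes for CVE-2025-8088: a decoy
document whose stream name climbs out of the extraction directory and lands a
script in the Startup folder.

Added example, not HarfangLab's or the attackers' code. The entry names are
constructed to mimic the technique. Listing a real archive's entries with the
third-party `rarfile` package (RarFile(path).namelist()) is an assumption about
tooling; the checks here are pure string analysis and run offline.
"""
import re

STARTUP_DIR = "start menu\\programs\\startup\\"   # normalised, lower-case
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".lnk", ".bat", ".cmd")

SAMPLE_ENTRIES = [  # constructed, not from a real sample
    "Summons_1234.pdf",                                   # decoy document
    "Summons_1234.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\svc.vbs",           # ADS + traversal
    "readme.txt:Zone.Identifier",                         # benign ADS
    "docs/../../evil.vbs",                                # traversal, no ADS
]

def split_ads(name):
    """Split 'file:stream' into (file, stream); (name, None) when no stream.
    The search starts at index 2 so a drive letter such as 'C:' is not
    mistaken for a stream separator."""
    idx = name.find(":", 2)
    return (name, None) if idx == -1 else (name[:idx], name[idx + 1:])

def has_traversal(path):
    """True if any path component is '..', with either separator."""
    return any(part == ".." for part in re.split(r"[\\/]", path))

def analyze_entry(name):
    base, stream = split_ads(name)
    target = stream if stream is not None else base   # where the bytes would land
    norm = target.replace("/", "\\").lower()
    finding = {
        "entry": name,
        "ads": stream is not None,
        "traversal": has_traversal(target),
        "drops_to_startup": STARTUP_DIR in norm,
        "drops_script": norm.endswith(SCRIPT_EXTS),
    }
    # Any traversal is wrong in an archive; a Startup-folder target is worse.
    finding["suspicious"] = finding["traversal"] or finding["drops_to_startup"]
    return finding

def suspicious_entries(names):
    return [f for f in map(analyze_entry, names) if f["suspicious"]]

if __name__ == "__main__":
    for f in suspicious_entries(SAMPLE_ENTRIES):
        print(f["entry"], "->", {k: v for k, v in f.items() if k != "entry"})
```

A benign `Zone.Identifier` stream is not flagged, because the signal is the traversal inside the stream name, not the presence of a stream; a plain `../` entry is still reported since it has no business in a document archive.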
GammaLoad in Phishing Campaigns
GammaDrop retrieves a second-stage payload, GammaLoad, from attacker-controlled infrastructure hosted on Cloudflare Workers. The payload is saved as an HTA file and executed using mshta.exe in a hidden window.
GammaLoad serves as both a persistence mechanism and a reconnaissance tool. It writes a value under the RunOnce registry key and deploys a secondary VBScript payload that communicates continuously with command-and-control (C2) servers.
The malware collects basic system information such as computer name, system drive, and volume serial number, which is then embedded into beaconing traffic. This allows attackers to uniquely identify infected systems and selectively deliver follow-up payloads.
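The execution chain in the paragraphs above (a VBScript launched from the Startup folder, mshta.exe running the downloaded HTA, a RunOnce value pointing at a script host) maps directly onto endpoint telemetry. The following is an added example of that detection logic, not code from the article or from HarfangLab; the events are constructed in a Sysmon-like shape (EventID 1 for process creation, EventID 13 for a registry value set) with invented paths and values, and the rule thresholds are assumptions.

```python
"""Detection logic for the GammaDrop -> GammaLoad execution chain described
above: a VBScript run from the Startup folder, mshta.exe executing an HTA, and a
RunOnce value that points at a script host.

Added example, not code from the article or from HarfangLab. The events are
constructed in a Sysmon-like shape (EventID 1 = process create, EventID 13 =
registry value set); field names follow Sysmon's, but every value is invented
and is not an indicator from a real sample.
"""
import re

STARTUP_RE = re.compile(r"start menu\\programs\\startup\\", re.IGNORECASE)
SCRIPT_HOST_RE = re.compile(r"\\(wscript|cscript)\.exe$", re.IGNORECASE)
MSHTA_RE = re.compile(r"\\mshta\.exe$", re.IGNORECASE)
URL_RE = re.compile(r"https?://", re.IGNORECASE)
RUNONCE_RE = re.compile(r"\\CurrentVersion\\RunOnce\\", re.IGNORECASE)
AUTORUN_PAYLOAD_RE = re.compile(r"(mshta|wscript|cscript)\.exe|\.(hta|vbs|vbe|js)\b",
                                re.IGNORECASE)

SAMPLE_EVENTS = [  # constructed
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\u\AppData\Roaming'
                    r'\Microsoft\Windows\Start Menu\Programs\Startup\1.vbs"',
     "ParentImage": r"C:\Windows\explorer.exe"},
    {"EventID": 1, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r'"C:\Windows\System32\mshta.exe" C:\Users\u\AppData\Local\Temp\stage2.hta',
     "ParentImage": r"C:\Windows\System32\wscript.exe"},
    {"EventID": 13, "Image": r"C:\Windows\System32\mshta.exe",
     "TargetObject": r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\RunOnce\upd",
     "Details": r"wscript.exe //b C:\Users\u\AppData\Roaming\svc.vbs"},
    {"EventID": 1, "Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" C:\Scripts\inventory.vbs',
     "ParentImage": r"C:\Windows\System32\svchost.exe"},  # benign admin script
]

def rule_startup_script(ev):
    """A script host whose command line references the Startup folder."""
    return bool(ev.get("EventID") == 1
                and SCRIPT_HOST_RE.search(ev["Image"])
                and STARTUP_RE.search(ev["CommandLine"]))

def rule_mshta_stage(ev):
    """mshta.exe given a URL, or spawned by a script host (GammaDrop -> HTA)."""
    if ev.get("EventID") != 1 or not MSHTA_RE.search(ev["Image"]):
        return False
    return bool(URL_RE.search(ev["CommandLine"])
                or SCRIPT_HOST_RE.search(ev.get("ParentImage", "")))

def rule_runonce_script(ev):
    """A RunOnce value whose data runs a script host or a script file."""
    return bool(ev.get("EventID") == 13
                and RUNONCE_RE.search(ev["TargetObject"])
                and AUTORUN_PAYLOAD_RE.search(ev.get("Details", "")))

RULES = {
    "startup_vbscript": rule_startup_script,
    "mshta_stage2": rule_mshta_stage,
    "runonce_scripthost": rule_runonce_script,
}

def detect(events):
    """Return (event_index, rule_name) for every rule that fires."""
    return [(i, name) for i, ev in enumerate(events)
            for name, rule in RULES.items() if rule(ev)]

if __name__ == "__main__":
    for idx, name in detect(SAMPLE_EVENTS):
        print(f"event {idx}: {name}")
```

The mshta rule deliberately fires on either a URL argument or a script-host parent, because the article notes that some variants skip GammaDrop and fetch GammaLoad directly; keying on the parent alone would miss those.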
Based on the emails we collected, we observed that the Security Service of Ukraine (SSU) was the most heavily targeted institution, across different oblasts: Luhansk, Lviv and Chernivtsi.

GammaLoad uses dynamically generated URLs and disguises its traffic with legitimate browser user-agent strings. Communication occurs primarily via Cloudflare Workers domains, with fallback infrastructure hosted on Russian domains.
Each beacon request includes encoded victim identifiers and timestamps, enabling precise tracking of compromised machines. The malware operates in a loop, contacting C2 servers approximately every three and a half minutes.
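The beaconing behaviour described above (a request roughly every three and a half minutes, under a browser user-agent, to a Cloudflare Workers host with a different path each time) is easiest to spot from the regularity of the timing rather than from any particular domain. The following is an added example of that check over web-proxy logs, not code from the article or from HarfangLab; the log lines are constructed, the host names, paths, identifiers and timings are invented rather than real indicators, and the log format is an assumption.

```python
"""Detect periodic beaconing, as the article describes (a request roughly every
three and a half minutes, browser user-agent, Cloudflare Workers host, different
path each time), in web-proxy logs.

Added example, not code from the article or from HarfangLab. The log lines are
constructed: host names, paths, identifiers and timings are invented and are not
indicators from a real sample. The assumed log format is
  timestamp src_ip host method path status "user-agent"
"""
import re
import statistics
from collections import defaultdict
from datetime import datetime, timezone

LOG_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) (\S+) (\d{3}) "([^"]*)"$')
UA = '"Mozilla/5.0 (Windows NT 10.0; Win64; x64)"'

SAMPLE_LOG = "\n".join([  # constructed
    f"2026-05-12T10:00:00Z 10.20.0.15 example-abc.workers.dev GET /k1/a9x?id=QUJD 200 {UA}",
    f"2026-05-12T10:00:03Z 10.20.0.15 www.example.com GET /news 200 {UA}",
    f"2026-05-12T10:03:31Z 10.20.0.15 example-abc.workers.dev GET /k1/b4q?id=QUJD 200 {UA}",
    f"2026-05-12T10:07:00Z 10.20.0.15 example-abc.workers.dev GET /k1/c7z?id=QUJD 200 {UA}",
    f"2026-05-12T10:09:40Z 10.20.0.15 www.example.com GET /article/12 200 {UA}",
    f"2026-05-12T10:10:32Z 10.20.0.15 example-abc.workers.dev GET /k1/d2m?id=QUJD 200 {UA}",
    f"2026-05-12T10:14:01Z 10.20.0.15 example-abc.workers.dev GET /k1/e8p?id=QUJD 200 {UA}",
    f"2026-05-12T10:25:12Z 10.20.0.15 www.example.com GET /news 200 {UA}",
])

def parse_line(line):
    m = LOG_RE.match(line)
    if not m:
        return None
    ts, src, host, method, path, status, ua = m.groups()
    when = datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ").replace(tzinfo=timezone.utc)
    return {"when": when, "src": src, "host": host, "method": method,
            "path": path, "status": int(status), "ua": ua}

def find_beacons(log_text, min_requests=4, max_cv=0.2, min_interval=60):
    """Group requests by (src, host) and report pairs whose inter-request gaps
    are regular (coefficient of variation below max_cv). Regularity, not the
    interval itself, is the signal, so a changed sleep time still triggers."""
    groups = defaultdict(list)
    for line in log_text.splitlines():
        rec = parse_line(line)
        if rec:
            groups[(rec["src"], rec["host"])].append(rec)
    findings = []
    for (src, host), recs in groups.items():
        if len(recs) < min_requests:
            continue
        recs.sort(key=lambda r: r["when"])
        gaps = [(b["when"] - a["when"]).total_seconds() for a, b in zip(recs, recs[1:])]
        mean = statistics.mean(gaps)
        cv = statistics.stdev(gaps) / mean if mean else float("inf")
        if mean < min_interval or cv > max_cv:
            continue
        findings.append({
            "src": src, "host": host, "n": len(recs),
            "median_interval": statistics.median(gaps), "cv": round(cv, 3),
            "distinct_paths": len({r["path"] for r in recs}),   # dynamic URLs
            "cloudflare_workers": host.endswith(".workers.dev"),
            "browser_ua": all(r["ua"].startswith("Mozilla/") for r in recs),
        })
    return findings

if __name__ == "__main__":
    for f in find_beacons(SAMPLE_LOG):
        print(f)
```

The `distinct_paths` and `browser_ua` fields are context rather than triggers: a legitimate site polled by a dashboard can be just as regular, so the finding should be read together with the host (a Workers subdomain nobody in the organisation deploys to) and with the endpoint telemetry.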
Notably, Gamaredon frequently rotates its infrastructure, combining fast-flux DNS, dynamic DNS providers, and short-lived domains to evade detection.
While earlier campaigns relied on RAR archives, recent waves in May 2026 show a shift to ARJ archives disguised as ZIP or RAR files.
These new samples still deliver GammaDrop and GammaLoad payloads but introduce slight changes in communication patterns, including bot-like user-agent strings such as Bingbot.
Additionally, some variants skip the GammaDrop stage entirely and deploy GammaLoad directly, streamlining the infection chain.
A key factor behind the campaign’s success is poor email authentication across targeted domains. Many Ukrainian institutions lack properly enforced SPF, DKIM, and DMARC policies, allowing attackers to spoof trusted senders or abuse compromised accounts.
Gamaredon operators consistently use infrastructure within the 194.58.66.0/24 subnet to relay phishing emails, often authenticating with stolen credentials or exploiting weak domain protections.
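The two controls the preceding paragraphs tie to the campaign's success, enforced SPF/DMARC and blocking of the 194.58.66.0/24 relay range, are both cheap to verify. The following is an added example, not HarfangLab's or any vendor's tooling; the TXT records and the Received header are constructed, and a real check would first fetch the records with a resolver (for instance `dig +short TXT _dmarc.example.gov.ua`), which is left out so the code runs offline.

```python
"""Evaluate whether a domain's SPF and DMARC records are actually enforced, and
whether a message was relayed from the 194.58.66.0/24 range the article names.

Added example, not HarfangLab's or anyone's production tooling. The TXT records
and the Received header are constructed; fetching real records (e.g. with
`dig +short TXT _dmarc.<domain>`) is omitted so this runs offline.
"""
import ipaddress
import re

BLOCKED_RANGES = [ipaddress.ip_network("194.58.66.0/24")]   # from the article

def parse_tags(record):
    """'v=DMARC1; p=none; rua=...' -> {'v': 'DMARC1', 'p': 'none', 'rua': '...'}"""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def evaluate_dmarc(record):
    """Enforced means p=quarantine or p=reject applied to 100% of mail;
    p=none only reports, which is the weak setting the article describes."""
    tags = parse_tags(record)
    if tags.get("v", "").upper() != "DMARC1":
        return {"status": "missing", "reason": "no DMARC1 record"}
    policy = tags.get("p", "none").lower()
    pct = int(tags.get("pct", "100"))
    if policy not in ("quarantine", "reject"):
        status = "monitor-only"
    elif pct < 100:
        status = "partial"
    else:
        status = "enforced"
    return {"status": status, "reason": f"p={policy} pct={pct}",
            "subdomain_policy": tags.get("sp", policy).lower()}

def evaluate_spf(record):
    """Only a '-all' terminator tells receivers to reject unlisted senders."""
    if not record.lower().startswith("v=spf1"):
        return {"status": "missing", "reason": "no SPF record"}
    last = record.split()[-1].lower()
    if last == "-all":
        return {"status": "enforced", "reason": "-all"}
    if last == "~all":
        return {"status": "soft", "reason": "~all (softfail only)"}
    return {"status": "open", "reason": f"terminates with {last}"}

RECEIVED_RE = re.compile(r"\[(\d{1,3}(?:\.\d{1,3}){3})\]")

def relay_in_blocked_range(received_header):
    """Return the first bracketed IPv4 in a Received: header that falls in a
    blocked range, else None."""
    for ip in RECEIVED_RE.findall(received_header):
        addr = ipaddress.ip_address(ip)
        if any(addr in net for net in BLOCKED_RANGES):
            return str(addr)
    return None

# Constructed records: the weak setting beside the corrected one.
WEAK_DMARC = "v=DMARC1; p=none; rua=mailto:dmarc@example.gov.ua"
STRONG_DMARC = "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@example.gov.ua"
WEAK_SPF = "v=spf1 include:_spf.example.net ~all"
STRONG_SPF = "v=spf1 include:_spf.example.net -all"
SAMPLE_RECEIVED = ("from mail.example.net (mail.example.net [194.58.66.17]) "
                   "by mx.example.gov.ua with ESMTP")

if __name__ == "__main__":
    for label, rec in (("weak DMARC", WEAK_DMARC), ("strong DMARC", STRONG_DMARC)):
        print(label, evaluate_dmarc(rec))
    for label, rec in (("weak SPF", WEAK_SPF), ("strong SPF", STRONG_SPF)):
        print(label, evaluate_spf(rec))
    print("blocked relay:", relay_in_blocked_range(SAMPLE_RECEIVED))
```

Note that an enforced DMARC policy does nothing against mail sent from a genuinely compromised account, which the article says Gamaredon also uses; for that case the relay check and credential hygiene are the controls that matter.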
The campaign maintains Gamaredon’s long-standing focus on Ukrainian government, military, and law enforcement organizations. Regional offices, particularly those linked to the Security Service of Ukraine (SSU), appear to be primary targets.
Despite the relatively low technical sophistication of the malware, the group’s strength lies in its high operational tempo and continuous adaptation.
The combination of social engineering, trusted infrastructure abuse, and automated tooling allows Gamaredon to sustain large-scale intrusion efforts with consistent success.
Security experts recommend enforcing strict DMARC policies, blocking known malicious IP ranges, and patching vulnerable software like WinRAR to mitigate the risk posed by these ongoing attacks.