
Russia's FSB-linked Gamaredon group is weaponising WinRAR flaw CVE-2025-8088 to deploy GammaSteel and GammaWorm malware against Ukrainian targets.
Russia's Gamaredon hacking group is exploiting a now-patched flaw in the WinRAR archiving tool to plant data-stealing and self-spreading malware on Ukrainian government, military and critical-infrastructure networks, according to an analysis published by French cybersecurity firm Sekoia. The campaign, observed into January 2026, weaponises CVE-2025-8088 — a path-traversal vulnerability in the widely used Windows utility — to quietly drop a chain of malicious scripts the moment a booby-trapped archive is opened.
Gamaredon, also tracked as Armageddon, Shuckworm and Primitive Bear and publicly linked to Russia's FSB intelligence service, has run cyber-espionage operations against Ukraine for years. The WinRAR campaign marks its latest pivot toward exploiting a software vulnerability rather than relying solely on phishing attachments.
How the attack works
The infection begins with a malicious RAR archive engineered to abuse CVE-2025-8088. The flaw lets a crafted archive use NTFS Alternate Data Streams (ADS) and directory-traversal characters to write files outside the folder the victim extracts to — including the Windows Startup directory, which guarantees the payload runs at the next login.
From there, Sekoia documented a layered toolkit, each component carrying the group's signature "Gamma" naming:
- GammaPhish — an HTML Application (HTA) payload that kicks off the chain.
- GammaLoad — a Visual Basic Script downloader that retrieves the next stage.
- GammaWorm — a VBScript worm that establishes persistence through scheduled tasks and spreads across network shares and USB drives by hiding legitimate folders and replacing them with malicious shortcut (LNK) files.
- GammaSteel — a modular information stealer that harvests files by extension and exfiltrates them to an AWS S3 bucket, falling back to an attacker-controlled server.
To stay hidden, the malware tucks components inside NTFS Alternate Data Streams and uses Telegram "dead drop" channels to resolve its command-and-control servers. Sekoia notes the operators can also deploy a wiper, tracked as GammaWipe, depending on the mission.
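The two ingredients described above, directory traversal and NTFS Alternate Data Stream syntax in archive entry names, are also what a defender can screen for before an archive is opened. The following is an added example written for this article, not code from Sekoia, WinRAR or Gamaredon's toolkit: it takes the entry names from an archive listing (the sample names are constructed, and the extraction directory `/extract` is an assumption), resolves each name the way a naive extractor would, and reports why an entry is suspicious, including whether it would land in a Windows Startup folder.

```python
"""Screen archive entry names for the path tricks behind CVE-2025-8088.

Added example (not Sekoia's, WinRAR's or the article's code). Works on the
entry names of an archive listing; it never extracts anything.
"""
import posixpath
import re

DRIVE_RE = re.compile(r"^[A-Za-z]:$")
# Lower-cased tail shared by the per-user and all-users Startup directories.
STARTUP_MARKER = "start menu/programs/startup"

# Constructed sample listing: one benign name, three malicious shapes.
SAMPLE_LISTING = [
    "report/summary.pdf",
    "report/../../../Users/Public/notes.txt",
    "Invoice.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\run.hta",
    "C:\\Windows\\Temp\\a.vbs",
]


def analyse(name: str, dest: str = "/extract") -> tuple[str, list[str]]:
    """Return (resolved path, reasons); an empty reason list means clean.

    dest is the directory the user extracts into (assumed, POSIX-style so the
    resolution is platform independent).
    """
    reasons: list[str] = []
    # Archive listings use either separator; drop empty and "." components.
    raw = [c for c in name.replace("\\", "/").split("/") if c not in ("", ".")]

    absolute = name.startswith(("/", "\\")) or bool(raw and DRIVE_RE.match(raw[0]))
    if absolute:
        reasons.append("absolute path")

    # Colons are illegal in NTFS file names, so a colon in any component other
    # than a leading drive letter names an Alternate Data Stream. The stream
    # name may itself carry traversal, so split it into path components too.
    flat: list[str] = []
    ads = False
    for i, comp in enumerate(raw):
        if ":" in comp and not (i == 0 and DRIVE_RE.match(comp)):
            ads = True
            flat.extend(p for p in comp.split(":") if p)
        else:
            flat.append(comp)
    if ads:
        reasons.append("NTFS alternate data stream")

    # A legitimate archiver never emits "..": flag it even if it stays inside.
    if ".." in flat:
        reasons.append("directory traversal")

    resolved = posixpath.normpath(posixpath.join(dest, "/".join(flat)))
    if not absolute and not (resolved == dest or resolved.startswith(dest + "/")):
        reasons.append("escapes extraction directory")
    if STARTUP_MARKER in resolved.lower():
        reasons.append("targets a Startup folder")
    return resolved, reasons


def scan_listing(names: list[str], dest: str = "/extract") -> dict[str, list[str]]:
    """Map each suspicious entry name to its reasons; clean names are omitted."""
    report = {}
    for name in names:
        _, reasons = analyse(name, dest)
        if reasons:
            report[name] = reasons
    return report


if __name__ == "__main__":
    for entry, why in scan_listing(SAMPLE_LISTING).items():
        print(f"{entry!r}: {', '.join(why)}")
```

In practice the names would come from a listing produced by an archive library or `rar l`-style output; the point of resolving against the destination is that a benign `a/../b.txt` and a hostile `../../b.txt` look alike component-wise, so both the `..` itself and where the path finally ends up are reported.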
A vulnerability with a long tail
CVE-2025-8088 carries a CVSS severity score of 8.8 and was exploited as a zero-day from mid-July 2025, before WinRAR's developers shipped a fix. Gamaredon is far from the only group abusing it. Google's Threat Intelligence Group reported that several other state-backed and criminal actors weaponised the same flaw, including the Russia-nexus RomCom and Sandworm (APT44) operations, the espionage group Turla, and a China-linked actor deploying the PoisonIvy backdoor. Financially motivated crews have used it to spread commodity remote-access trojans such as XWorm and AsyncRAT.
The flaw was patched in WinRAR version 7.13, released on 30 July 2025. Because WinRAR has no automatic update mechanism, users must download and install the new version manually — a gap that helps explain why exploitation has continued into 2026.
Frequently Asked Questions
Who is Gamaredon?
Gamaredon is a Russian state-sponsored hacking group linked to the FSB. It has targeted Ukrainian institutions for years and is also known as Armageddon, Shuckworm and Primitive Bear.
What is CVE-2025-8088?
It is a path-traversal vulnerability in WinRAR that lets a malicious archive write files to arbitrary locations, such as the Windows Startup folder, by abusing NTFS Alternate Data Streams. It was patched in WinRAR 7.13.
Who else is exploiting the flaw?
Google's Threat Intelligence Group attributed exploitation to multiple groups, including RomCom, Sandworm, Turla, a China-nexus actor, and financially motivated cybercriminals.