
Gamaredon’s GammaWorm: WinRAR CVE-2025-8088, NTFS ADS, and AWS S3 in Attacks on Ukraine


Gamaredon's GammaWorm: how Russia's FSB uses WinRAR and NTFS data streams to silently spread through Ukrainian networks

Sekoia published the first installment of a three-part series on Gamaredon last week. The series documents the Russian FSB-linked group's current toolchain against Ukrainian targets in detail, and Part 1 covers an infection chain built for stealth: a WinRAR path traversal vulnerability as entry point, NTFS alternate data stream hiding for persistence concealment, USB and network share propagation, and AWS S3-based exfiltration that blends into normal cloud traffic.

The infection chain

The entry point is CVE-2025-8088, a path traversal vulnerability in WinRAR. When a target opens a crafted archive, the exploit executes GammaPhish, an HTML Application payload. GammaPhish connects to attacker infrastructure and retrieves GammaLoad, a VBScript-based downloader. GammaLoad then drops one of two second-stage tools depending on what Gamaredon wants to do with the target.

GammaWorm: the propagation engine

GammaWorm is a VBScript worm designed to spread laterally across shared storage. Its core technique: it enumerates connected network shares and USB drives, identifies legitimate directories, and hides those directories using NTFS alternate data stream attributes. It then places malicious shortcut files in their place. A user who navigates to what they expect to be a shared folder or opens a USB drive sees the shortcut files. Opening them executes the worm silently.

The NTFS hiding technique is important. Standard Windows directory listings do not surface alternate data streams by default. The hidden directories are still present and accessible to the worm, but invisible to routine inspection. This allows GammaWorm to establish persistence on shared storage that looks clean to a user or a basic file audit.

The scheduled task persistence mechanism adds another layer: GammaWorm registers a scheduled task on the infected host so it re-executes on a timer even if the shortcut mechanism is discovered and cleaned from the storage device.

GammaSteel: the exfiltration module

GammaSteel is a modular information stealer. It profiles the host, identifies files by extension (Office documents, PDFs, images), and exfiltrates them. The primary exfiltration channel is an AWS S3 bucket controlled by the attacker. The fallback is an attacker-controlled server.

The S3 channel is deliberate. Outbound traffic to S3 is rarely blocked by enterprise network controls; S3 is a standard destination for backup and cloud storage workflows. Data exfiltrated via S3 is difficult to distinguish from legitimate cloud backup traffic without deep packet inspection or S3-specific monitoring for unfamiliar bucket names.

Why this matters beyond Ukraine

The targeting is Ukrainian government institutions, military networks, and critical infrastructure. But the techniques are general-purpose and applicable anywhere. The WinRAR entry point is patched in version 7.13. Any organization running an older version is exposed to the initial infection vector. This is not a zero-day; it is an n-day being actively exploited because patch rates for archiver tools are often lower than for operating systems or browsers.

The NTFS alternate data stream hiding technique is not novel, but it is reliable and underdetected in environments that do not specifically hunt for it. Endpoint detection rules looking for GammaWorm behavior should include scheduled task creation combined with NTFS stream manipulation on removable media and network shares.

What to do

Update WinRAR to version 7.13 or later. Audit scheduled tasks on sensitive systems for unexpected entries. Hunt for NTFS alternate data stream modifications on shared storage and USB endpoints. Monitor outbound S3 traffic for bucket names not in your organization's known-good list.
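A hunting pass over a share or removable drive for the three GammaWorm traits the article names (non-default alternate data streams, shortcut files shadowing hidden directories of the same name, and scheduled tasks that launch a script host), written here as an added PowerShell example; it is not code from Sekoia's report or the author. The root path, the script-host names and the exclusion of Microsoft's own task folder are assumptions.

```powershell
# Added hunting helper, not from Sekoia's report or the article.
# Assumes Windows PowerShell 5.1+ on NTFS; $Root is the share or USB path to sweep.
param(
    [string]$Root = 'E:\'   # constructed placeholder: a USB drive or \\server\share
)

# 1. Alternate data streams: anything other than the default :$DATA stream is
#    unusual on user-facing storage. -Force includes hidden/system items.
$adsHits = Get-ChildItem -Path $Root -Recurse -Force -ErrorAction SilentlyContinue |
    ForEach-Object {
        Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' }
    }

# 2. Shortcut files that shadow a hidden directory: a "Folder.lnk" sitting next
#    to a concealed "Folder" directory is the lure pattern the article describes.
$lnkHits = Get-ChildItem -Path $Root -Recurse -Force -Filter *.lnk -ErrorAction SilentlyContinue |
    Where-Object {
        $twin = Join-Path $_.DirectoryName $_.BaseName
        (Test-Path -LiteralPath $twin -PathType Container) -and
        (Get-Item -LiteralPath $twin -Force).Attributes.HasFlag([IO.FileAttributes]::Hidden)
    }

# 3. Scheduled tasks whose action runs a script host (GammaWorm is VBScript,
#    GammaPhish is an HTA). Assumption: Microsoft's own task folder is skipped.
$scriptHosts = 'wscript|cscript|mshta'
$taskHits = Get-ScheduledTask -ErrorAction SilentlyContinue |
    Where-Object { $_.TaskPath -notlike '\Microsoft\*' } |
    Where-Object { $_.Actions | Where-Object { $_.Execute -match $scriptHosts } }

# Report each finding with its location so an analyst can pivot from here.
$adsHits  | Select-Object FileName, Stream, Length | Format-Table -AutoSize
$lnkHits  | Select-Object FullName, LastWriteTime  | Format-Table -AutoSize
$taskHits | Select-Object TaskName, TaskPath,
    @{ n = 'Execute'; e = { $_.Actions.Execute -join ';' } } | Format-Table -AutoSize
```

Run it against each mapped share and removable volume in turn; an empty result for all three lists on a device that users treat as trusted is the baseline you want to see.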

Gigia Tsiklauri is a Security Architect and founder of Infosec.ge. Get in touch if you want to discuss threat hunting for persistent nation-state campaigns or incident response methodology.
