Gamaredon in 2026: Russia's Most Persistent APT Upgrades to a Modular Framework and Exploits WinRAR for Initial Access
Gamaredon (Primitive Bear, Aqua Blizzard) — Russia's FSB-linked APT targeting Ukraine since 2014 — has deployed a newly modularised malware framework in 2026, using HTML smuggling and CVE-2025-8088 WinRAR exploitation for initial access. Sekoia's June 2026 analysis reveals a four-stage VBScript loader chain, Telegram-based dead drop resolvers, and five distinct payload families covering every phase of the kill chain.