Gamaredon APT Weaponizes WinRAR Path Traversal Bug for Ukrainian Espionage

The Gamaredon APT group is exploiting the CVE-2025-8088 path traversal vulnerability in WinRAR for Windows to execute a modular infection chain against Ukrainian targets. Analysts at Sekoia observed the activity in January 2026 and published their findings in June 2026. The campaign integrates HTML Applications (HTA), VBScript downloaders, a worm maintaining persistence via scheduled tasks, and an information stealer that exfiltrates data to consumer cloud services.
The discovery highlights two critical issues documented by the source. First, Gamaredon has engineered a modular architecture where components are updated without modifying the initial dropper. Second, the vulnerability has been listed in the CISA Known Exploited Vulnerabilities (KEV) Catalog since August 12, 2025, with a mitigation deadline of September 2, 2025.
- Gamaredon exploits CVE-2025-8088, a path traversal flaw in WinRAR for Windows (CVSS 3.1: 8.8, HIGH), to achieve arbitrary code execution via malicious archives.
- The infection chain consists of GammaPhish (initial HTML Application), GammaLoad (intermediate VBScript downloader), and the final payloads: GammaWorm (a worm with scheduled task persistence) and GammaSteel (a modular information stealer).
- GammaWorm resolves C2 commands via curl GET requests to hard-coded public Telegram channels and conceals core modules using NTFS Alternate Data Streams (ADS).
- GammaSteel exfiltrates captured files to Amazon Web Services (AWS) S3 buckets or, as a fallback mechanism, to attacker-controlled servers.
Anatomy of the Chain: From WinRAR to AWS S3 Exfiltration
The infection begins with GammaPhish, an HTML Application payload. The CVE-2025-8088 mechanism, classified as CWE-35 in the NVD record, lets an attacker escape the intended extraction directory by crafting entry paths inside a malicious archive so that extraction writes outside the chosen folder. On the order of execution, Sekoia writes: "assessing the global execution flow, we assess with high confidence that GammaPhish is designed to deploy GammaLoad first."
GammaLoad is an intermediate VBScript downloader. As documented by Sekoia, its primary functions include host system fingerprinting, updating network configurations in the registry via dead drop resolvers (DDR), and retrieving arbitrary VBScript payloads from C2 servers. This intermediate stage decouples the initial execution from permanent malicious activity.
The final stage involves two payloads. GammaWorm is a VBScript worm that establishes persistence through scheduled tasks, hides legitimate directories on network shares and USB drives by replacing them with malicious LNK files, and utilizes NTFS Alternate Data Streams to mask core modules. C2 resolution is performed via curl GET requests to a hard-coded public Telegram channel. GammaSteel is a modular information stealer that captures files with specific extensions and exfiltrates them to AWS S3 buckets or fallback attacker-controlled servers.
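The two egress channels described above (curl GET requests to public Telegram channels for GammaWorm C2 resolution, and uploads to AWS S3 buckets for GammaSteel exfiltration) can be triaged from proxy logs. The following is an added example, not code from Sekoia or from the malware analysis; the log format, client addresses, hostnames, bucket names and the allowlist of approved buckets are all constructed for the demo.

```python
"""Flag proxy-log entries matching the two egress channels the article
attributes to Gamaredon's tooling: curl requests to Telegram (GammaWorm C2
resolution) and traffic to S3 buckets the organisation does not own
(GammaSteel exfiltration).  Added example: log format, hostnames, bucket
names and the allowlist below are constructed, not from the report."""
import re
from urllib.parse import urlsplit

# Constructed log format: <ts> <client_ip> <method> <url> "<user-agent>"
LINE_RE = re.compile(r'^(\S+) (\S+) (\S+) (\S+) "([^"]*)"$')

# Virtual-hosted (bucket.s3[.region].amazonaws.com) and path-style
# (s3[.region].amazonaws.com/bucket/...) S3 endpoints.
S3_HOST_RE = re.compile(
    r"^(?:(?P<bucket>[a-z0-9][a-z0-9.-]*)\.)?s3(?:[.-][a-z0-9-]+)*\.amazonaws\.com$",
    re.I,
)
TELEGRAM_HOSTS = {"t.me", "telegram.org", "api.telegram.org", "web.telegram.org"}

# Buckets the organisation actually owns (constructed allowlist).
APPROVED_BUCKETS = {"corp-backups", "corp-static-site"}


def s3_bucket(host: str, path: str):
    """Return the bucket name for an S3 URL, or None if host is not S3."""
    m = S3_HOST_RE.match(host)
    if not m:
        return None
    if m.group("bucket"):
        return m.group("bucket").lower()
    # Path-style request: the first path segment names the bucket.
    first = path.lstrip("/").split("/", 1)[0]
    return first.lower() if first else "<unknown>"


def triage_line(line: str):
    """Return (reason, host) when a line matches a rule, else None."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    _ts, _ip, method, url, ua = m.groups()
    parts = urlsplit(url)
    host = (parts.hostname or "").lower()
    # Rule 1: the report describes GammaWorm resolving C2 with curl GET
    # requests to public Telegram channels.  Browser hits on Telegram are
    # ordinary user traffic and are deliberately left alone here.
    if host in TELEGRAM_HOSTS and method == "GET" and ua.startswith("curl/"):
        return ("telegram-curl-c2-check", host)
    # Rule 2: any S3 bucket outside the allowlist, regardless of method.
    # Uploads would be PUT/POST, but reads from a foreign bucket are also
    # worth a look (a loader fetching a next stage, for instance).
    bucket = s3_bucket(host, parts.path)
    if bucket is not None and bucket not in APPROVED_BUCKETS:
        return ("unapproved-s3-bucket:" + bucket, host)
    return None


def triage(lines):
    """Run triage_line over an iterable of log lines; keep only the hits
    as (line_number, reason, host) tuples."""
    hits = []
    for n, line in enumerate(lines, 1):
        result = triage_line(line)
        if result:
            hits.append((n,) + result)
    return hits


# Constructed sample log; addresses, hostnames and buckets are invented.
SAMPLE_LOG = [
    '2026-01-14T09:12:03Z 10.0.5.21 GET https://t.me/s/example_channel "curl/8.4.0"',
    '2026-01-14T09:12:09Z 10.0.5.21 PUT https://drop-7781.s3.eu-west-1.amazonaws.com/docs/a.docx "curl/8.4.0"',
    '2026-01-14T09:13:40Z 10.0.5.40 GET https://corp-backups.s3.amazonaws.com/nightly.tar "aws-cli/2.15.0"',
    '2026-01-14T09:14:02Z 10.0.5.77 GET https://web.telegram.org/a/ "Mozilla/5.0 (Windows NT 10.0)"',
    '2026-01-14T09:15:11Z 10.0.5.21 POST https://s3.amazonaws.com/drop-7781/docs/b.xlsx "curl/8.4.0"',
]

if __name__ == "__main__":
    for hit in triage(SAMPLE_LOG):
        print(hit)
```

Running the block flags lines 1, 2 and 5 and leaves the approved-bucket read and the browser visit to Telegram alone. The bucket allowlist is the part that needs real maintenance: an empty or stale allowlist turns every legitimate S3 client into an alert.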
"This infection chain reveals a resilient, massive, and highly obfuscated modular design... Because of its adaptability and the operator's ability to update configurations on the fly, it is highly likely that this architecture will be reused in the future" — Sekoia, via The Hacker News
Analysis: How Modularity Shifts the Defensive Posture
The following section interprets the implications of the architecture documented by Sekoia.
The architecture described in the primary source presents features requiring immediate attention. The ability to update C2 configurations on the fly, as documented by Sekoia, implies that indicators of compromise (IoCs) may lose validity quickly. The source does not specify whether this tactic has already been observed in the field or remains a theoretical capability.
Telegram and AWS S3 are platforms with broad legitimate adoption; the source does not document whether their selection is motivated by perimeter evasion considerations or other factors. Furthermore, Sekoia does not specify the exact nature of the data exfiltrated via GammaSteel; the brief does not document whether the actor targets strategic documents or other specific categories.
Mitigation and Defensive Measures
- Verify that WinRAR version 7.13 or higher is installed on all Windows endpoints. The NVD record indicates that previous versions are vulnerable to CVE-2025-8088, and CISA mandated mitigation by September 2, 2025.
- Review archive extraction logs for path traversal indicators, specifically cases where WinRAR writes files to paths outside the intended destination directory.
- Monitor traffic to AWS S3 endpoints not in the organisation's inventory and to Telegram web domains, consistent with the C2 and exfiltration techniques documented by Sekoia.
- Inspect scheduled tasks and NTFS Alternate Data Streams on systems where suspicious LNK files have been reported on network shares or removable USB drives.
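The path-traversal check behind the second bullet, and the CWE-35 mechanism described under "Anatomy of the Chain", can both be expressed as a single rule: resolve the path an entry would be written to and reject it if it is not under the destination directory. The block below is an added example, not Sekoia's or WinRAR's code; it reads ZIP rather than RAR because Python's standard library has no RAR reader, but the path logic is format-independent. The archive it scans, the destination `C:/extract`, and every entry name in it are constructed placeholders.

```python
"""Detect archive entries whose extraction path would land outside the
destination directory, the path-traversal class (CWE-35 per the NVD record
for CVE-2025-8088) the article describes.  Added example, not Sekoia's or
WinRAR's code.  ZIP is used because Python's standard library has no RAR
reader; the path check itself does not depend on the archive format."""
import io
import ntpath
import posixpath
import zipfile


def resolve_target(entry_name: str, dest_dir: str):
    """Return the normalised path the entry would be written to, or None if
    that path is outside dest_dir.  Absolute paths, drive letters, UNC paths
    and '..' escapes all count as outside."""
    name = entry_name.replace("\\", "/")          # WinRAR runs on Windows
    if name.startswith("/") or ntpath.splitdrive(name)[0]:
        return None
    dest = posixpath.normpath(dest_dir.replace("\\", "/"))
    target = posixpath.normpath(posixpath.join(dest, name))
    if target == dest or target.startswith(dest + "/"):
        return target
    return None


def naive_strip(entry_name: str) -> str:
    """The broken sanitiser that CWE-35 ('.../...//') is about: deleting
    '../' once turns '....//' into '../'.  Included only to show why
    stripping is not a substitute for resolving the final path."""
    return entry_name.replace("../", "")


def scan_archive(data: bytes, dest_dir: str = "C:/extract"):
    """Return the names of ZIP entries that would escape dest_dir.  An
    extractor that rewrites names (e.g. with naive_strip) must run this
    check on the rewritten name, not the original one."""
    flagged = []
    with zipfile.ZipFile(io.BytesIO(data)) as zf:
        for info in zf.infolist():
            if resolve_target(info.filename, dest_dir) is None:
                flagged.append(info.filename)
    return flagged


def build_sample_archive() -> bytes:
    """Constructed archive: one benign entry plus three traversal entries.
    All names are placeholders, not paths from the campaign."""
    buf = io.BytesIO()
    with zipfile.ZipFile(buf, "w") as zf:
        zf.writestr("report/summary.pdf", b"benign")
        zf.writestr("..\\..\\outside.hta", b"placeholder")      # parent escape
        zf.writestr("C:\\outside\\abs.hta", b"placeholder")     # drive-absolute
        zf.writestr("\\\\srv\\share\\unc.hta", b"placeholder")  # UNC path
    return buf.getvalue()


if __name__ == "__main__":
    print("flagged:", scan_archive(build_sample_archive()))
    tricky = "....//....//evil.hta"            # constructed CWE-35 pattern
    print("raw entry resolves to:", resolve_target(tricky, "C:/extract"))
    print("after naive strip:", naive_strip(tricky),
          "->", resolve_target(naive_strip(tricky), "C:/extract"))
```

The last three lines of the main block make the CWE-35 point concrete: the raw entry `....//....//evil.hta` resolves to a harmless path inside the destination, but an extractor that first strips `../` turns it into `../../evil.hta`, which the resolve-based check then rejects. The same check works as a log-review rule, with the logged destination and entry name in place of the archive.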
Exploitation Persistence and Intelligence Gaps
The gap between the January 2026 observation and the June 2026 publication is significant. Sekoia does not specify when the campaign actually began, nor whether the observed activity represents a peak or a continuation of previous operations. The source does not define the initial distribution vector for the weaponized WinRAR archive; whether it involves phishing emails, drive-by downloads, or other methods remains undocumented.
The deployment of GammaWorm remains ambiguous. Sekoia notes that "the exact deployment vector for GammaWorm remains ambiguous; it could be dropped concurrently by GammaLoad, or introduced independently via a user executing a weaponized USB drive." This uncertainty limits the ability to reconstruct the complete chain in every instance.
The presence or absence of GammaWipe (also known as GamaWiper) in this specific campaign is not confirmed; Sekoia only indicates that it "could be used" without documenting actual deployment.
Methodological Note: This analysis is based on a single primary report from Sekoia via The Hacker News; details not independently confirmed are noted as such. Information is derived from the cited source and is current as of Sekoia's publication date.
Information has been verified against the cited sources and updated at the time of publication.