What Happened
The continued exploitation of a WinRAR vulnerability to deliver multiple malware families aimed at data theft and propagation has been attributed to the Russian hacking group known as Gamaredon. Per Sekoia, the activity involves the weaponization of CVE-2025-8088, a path traversal flaw in WinRAR, to launch an HTML Application payload dubbed GammaPhish, which is then used to retrieve an
Why It Matters
The article reports on Gamaredon, a Russian state‑linked APT, exploiting WinRAR CVE-2025-8088 in spearphishing campaigns against Ukraine to deliver a multi‑stage malware chain including GammaPhish, GammaLoad, GammaWorm, and the GammaSteel stealer.[2] These tools use advanced evasion techniques such as HTML smuggling, NTFS Alternate Data Streams, registry‑only payload staging, and cloud services for C2, enabling stealthy persistence, worm-like propagation, and large‑scale data theft.[2] From a CyberSE.AI perspective, such campaigns illustrate how sophisticated, rapidly iterating threat actors might target AI-enabled organizations and agent infrastructures as just another high‑value workload in the environment, especially where AI agents can access sensitive documents, file shares, or cloud storage. Security teams should integrate continuous red teaming focused on malware‑like lateral movement and exfiltration paths around AI systems, and use AI CISO advisory support to align incident response, backup/recovery, and hardening (e.g., patch management, script execution constraints, ADS and registry monitoring) so AI workloads do not become blind spots in broader cyber defense.
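The following is an added example, not code from the source article or from Sekoia: one way to pre-screen archive entry names for the path traversal and NTFS Alternate Data Stream markers mentioned above before anything is extracted. The function names and the sample listing are constructed for illustration, and reading the entry names out of the archive is assumed to happen elsewhere.

```python
import re

# Added example: helper names are hypothetical, sample entry names are constructed.
_DRIVE = re.compile(r"^[A-Za-z]:")

def audit_entry(name):
    """Return the reasons an archive entry name is unsafe to extract on Windows."""
    reasons = []
    norm = name.replace("/", "\\")
    if norm.startswith("\\\\"):
        reasons.append("unc-path")
    elif norm.startswith("\\") or _DRIVE.match(norm):
        reasons.append("absolute-path")
    rest = _DRIVE.sub("", norm, count=1)
    if ":" in rest:
        # A colon after the drive prefix selects an NTFS alternate data stream.
        reasons.append("alternate-data-stream")
    # Treat ':' as a separator too, so '..' placed after a stream delimiter is seen.
    depth, dotdot, escapes = 0, False, False
    for part in re.split(r"[\\:]", rest):
        part = part.strip()
        if part in ("", "."):
            continue
        if part == "..":
            dotdot = True
            depth -= 1
            escapes = escapes or depth < 0
        else:
            depth += 1
    if dotdot:
        reasons.append("dotdot-component")
    if escapes:
        reasons.append("escapes-destination")
    return reasons

def audit_listing(names):
    """Map each flagged entry name to its reasons; clean entries are omitted."""
    return {n: r for n in names if (r := audit_entry(n))}

SAMPLE_LISTING = [  # constructed entry names, not indicators from the report
    "docs/report.pdf",
    "docs/../report.pdf",
    "..\\..\\outside.txt",
    "C:\\Temp\\drop.txt",
    "report.pdf:hidden",
    "report.pdf:..\\..\\outside.hta",
]
```

Any entry that returns a non-empty list is a reason to quarantine the whole archive rather than extract the remaining members.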
CyberSE Analysis
This signal maps to malicious AI use. Organizations using AI agents, LLM APIs, SaaS integrations, or sensitive data workflows should review whether this class of issue could create unauthorized tool execution, data leakage, weak approval gates, or unmanaged supply-chain exposure.
Recommended Actions
- Restrict AI agent tool permissions and production write paths.
- Review sensitive data access across prompts, logs, embeddings, memory, and SaaS integrations.
- Add human approval workflows for high-impact or state-changing actions.
- Run prompt injection and indirect prompt injection tests against affected workflows.
- Document the owner, control gap, and remediation deadline for this risk class.
Source
https://thehackernews.com/2026/06/gamaredon-exploits-winrar-to-deliver.html