
Since September 2025, the notorious hacking group Gamaredon has launched over a dozen waves of highly targeted spearphishing attacks against Ukrainian state institutions.
This ongoing campaign shows no signs of slowing down, using heavily disguised emails to quietly infiltrate secure systems.
Known interchangeably as Aqua Blizzard by Microsoft or Shuckworm by various security researchers, the group is aggressively exploiting CVE-2025-8088.
This critical WinRAR directory traversal vulnerability was initially documented by ESET last year.
Now, Gamaredon is actively leveraging the flaw to silently compromise systems using multi-stage VBScript downloaders, specifically identifying their customized malware as GammaDrop and GammaLoad variants.
Gamaredon Deploys Malware Downloaders
The threat actors rely heavily on hijacked government email accounts to mask their malicious activity. By compromising legitimate infrastructure, they spoof emails that appear as official court summons, legal mandates, or military communications.
Because many of these targeted domains lack strict DMARC enforcement, the spoofed emails easily bypass standard security filters and reach the victim’s primary inbox.
Hidden within these deceptive emails is a weaponized RAR archive. When a victim attempts to open what appears to be a harmless PDF document, the WinRAR vulnerability is triggered immediately.
Through a complex path traversal sequence that abuses NTFS alternate data streams, the archive secretly drops the initial payload, GammaDrop.
The malicious script is planted directly in the Windows Startup folder, ensuring the malware runs automatically every time the infected machine reboots, without requiring any further user interaction.
hxxps://throbsuns2.h4puonhajw.workers[.]dev/<campaign ID>/<URI path>/<date>/<suffix><rand>.<extension>
Historically, Gamaredon has focused intensely on targeting the Security Service of Ukraine (SSU), regional courts, and law enforcement agencies.
By leveraging compromised internet service providers and hijacked domains, they create a highly believable infection chain that catches unsuspecting government employees off guard.
Once executed, the GammaDrop script immediately contacts attacker-controlled Cloudflare Workers to fetch the second-stage payload, GammaLoad.
This heavily obfuscated script profiles the infected machine, silently gathering unique system identifiers, drive serial numbers, and computer names.
hxxps://a.cnbyvilkghx2a6p.workers[.]dev/<random_string>.<random_extension>
It then establishes a persistent connection, acting as a beacon that continuously contacts primary and fallback command-and-control (C2) servers to await further instructions.
Security analysts note that GammaLoad is designed to selectively deliver tailored, destructive payloads based on the victim’s specific profile.
The malware communicates in an infinite loop, hiding its traffic within standard browser user-agent strings.
If the primary Cloudflare-hosted server fails, it seamlessly falls back to heavily fortified Russian domains to maintain control over the compromised system, HarfangLab said.
Indicators of Compromise (IOCs)
| Indicator Type | Value | Description |
|---|---|---|
| SHA-256 | ecb9609989dce48f78d4fa83abf3dae5592dd4e332d27f005e652c4f82d0b3c2 | Malicious RAR archive |
| SHA-256 | 62818ae5e305b89b9461536dac1b9daf4cebd99d24e417357e27e2ae4582a704 | GammaDrop VBS Payload |
| SHA-256 | 69cdde1ec82099a471283de89dd5e17266b1d8dda57d3c1589b7754b009fa2ed | GammaLoad HTA Payload |
Note: IP addresses and domains are intentionally defanged (e.g., [.]) to prevent accidental resolution or hyperlinking. Re-fang only within controlled threat intelligence platforms such as MISP, VirusTotal, or your SIEM.
The post Gamaredon Deploys GammaDrop and GammaLoad In Phishing Campaigns appeared first on Cyber Security News.
