What's Happening?
A Russian state-linked espionage group, Gamaredon, has been observed using a Windows file feature to hide a worm within Ukrainian networks. According to Sekoia, the worm is part of a campaign targeting Ukraine's government, military, and critical infrastructure.
The worm, known as GammaWorm, stores its modules in NTFS Alternate Data Streams, which do not show up in Explorer or in a plain directory listing, so the components stay hidden from casual inspection of infected machines. The campaign began with a booby-trapped xHTML file that exploited a WinRAR path-traversal flaw, CVE-2025-8088, to drop a hidden file into the Windows Startup folder. That file fetched further payloads from remote servers and maintained persistence through scheduled tasks and registry changes. The worm spreads via USB sticks and network drives, using provocative Ukrainian-language filenames to lure users into opening it.
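To make the concealment concrete, here is an added PowerShell example (not code from the Sekoia report or from the malware) that first plants a benign alternate data stream in a temp folder to show what an ordinary listing misses, then sweeps the persistence locations named above for non-default streams, Run keys and suspicious scheduled tasks. The stream name `payload`, the temp folder and the process-name filter are assumptions for the demo; the cmdlets are standard Windows PowerShell.

```powershell
# Added example: NTFS alternate data stream (ADS) demo and hunt. Not from the article.
# Run on Windows (NTFS only); elevate to read other users' profiles and HKLM.

# 1. Lab demo: a benign ADS on a scratch file (constructed sample, not malware).
$lab = Join-Path $env:TEMP 'ads-demo'
New-Item -ItemType Directory -Path $lab -Force | Out-Null
$doc = Join-Path $lab 'report.txt'
Set-Content -Path $doc -Value 'visible content'
Set-Content -Path $doc -Stream 'payload' -Value 'hidden content'   # 'payload' is an assumed stream name

Get-ChildItem $lab              # Length reflects only the primary stream; 'payload' is invisible here
Get-Item $doc -Stream *         # lists both :$DATA and payload
Get-Content $doc -Stream payload

# 2. Hunt: every non-default stream under the given roots.
function Find-AlternateStreams {
    param([string[]]$Paths)
    foreach ($root in $Paths | Where-Object { $_ -and (Test-Path -LiteralPath $_) }) {
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            # :$DATA is the normal file body; Zone.Identifier is the mark-of-the-web that
            # browsers add to downloads. Skip both to cut noise; anything else deserves a look.
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            Select-Object FileName, Stream, Length
        }
    }
}

$roots = @(
    [Environment]::GetFolderPath('Startup'),        # per-user Startup folder
    [Environment]::GetFolderPath('CommonStartup'),  # all-users Startup folder
    [Environment]::GetFolderPath('UserProfile')
)
Find-AlternateStreams -Paths $roots | Format-Table -AutoSize

# 3. The other persistence points the article mentions: Run keys and scheduled tasks.
Get-ItemProperty -Path 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                       'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run' -ErrorAction SilentlyContinue

# Assumed filter: script hosts and LOLBins are the usual launchers for a hidden stream.
Get-ScheduledTask |
    Where-Object { $_.Actions.Execute -match '(?i)cmd|powershell|wscript|cscript|mshta|rundll32' } |
    Select-Object TaskName, TaskPath,
        @{ n = 'Execute';   e = { $_.Actions.Execute } },
        @{ n = 'Arguments'; e = { $_.Actions.Arguments } }

# Cleanup of the demo stream (the same cmdlet removes a real one once you have a copy for analysis).
Remove-Item -Path $doc -Stream payload
```

Two caveats worth keeping in mind. `cmd /c dir /r` shows the same streams if PowerShell is unavailable, and a full-disk sweep with `Get-Item -Stream *` is slow, so scope it to autostart paths, user profiles and removable drives first. Alternate data streams exist only on NTFS: a USB stick formatted FAT32 or exFAT cannot carry them, which is one reason to inspect what a worm actually writes to removable media rather than assuming it looks the same there as on the host.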
Why It's Important?
Gamaredon's use of NTFS Alternate Data Streams is a notable step up in the group's tradecraft: administrators and tools that only inspect a file's primary data stream will not see the hidden modules, which helps the group operate undetected for longer. That matters because the campaign targets Ukraine's critical infrastructure and government entities. Its reliance on fileless techniques and dead drop resolvers for command-and-control also makes it hard to eradicate, potentially allowing continuous access and data exfiltration. The situation underscores the need for robust cybersecurity measures and international cooperation to counter state-sponsored cyber threats.
What's Next?
Organizations affected by GammaWorm are advised to perform a full system wipe rather than remove individual components, as partial cleaning may trigger fallback mechanisms that restore the worm. Updating WinRAR to version 7.13 or later closes the exploited flaw. The ongoing threat from Gamaredon may prompt increased cybersecurity collaboration between Ukraine and its allies, as well as heightened vigilance against similar tactics employed by other state-sponsored groups.
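As an added check for the update advice above (example code, not from the article or from RARLAB), this PowerShell function compares the installed WinRAR.exe's product version against 7.13, the version the article names as the fix. The install paths it probes and the regex it uses to trim the version string are assumptions; portable or per-user copies must be added to the candidate list by hand.

```powershell
# Added example: is the installed WinRAR at or above the fixed version for CVE-2025-8088?
function Test-WinRarPatched {
    param([version]$Fixed = '7.13')   # fixed version per the article

    # Assumed install locations; 64-bit and 32-bit Program Files, plus anything on PATH.
    $candidates = @(foreach ($base in $env:ProgramFiles, ${env:ProgramFiles(x86)}) {
        if ($base) { Join-Path $base 'WinRAR\WinRAR.exe' }
    })
    $candidates += @(Get-Command WinRAR.exe -ErrorAction SilentlyContinue | ForEach-Object Path)

    $found = $candidates | Where-Object { $_ -and (Test-Path -LiteralPath $_) } | Select-Object -Unique
    if (-not $found) {
        return [pscustomobject]@{ Path = $null; Version = $null; Patched = $null; Note = 'WinRAR.exe not found in checked locations' }
    }

    foreach ($exe in $found) {
        $vi = (Get-Item -LiteralPath $exe).VersionInfo
        # ProductVersion may carry a suffix after the numbers; keep only the leading digits and dots.
        $ver = [version]($vi.ProductVersion -replace '[^\d.].*$')
        $ok  = $ver -ge $Fixed
        [pscustomobject]@{
            Path    = $exe
            Version = $ver
            Patched = $ok
            Note    = $(if ($ok) { 'at or above fixed version' } else { 'below fixed version; update WinRAR' })
        }
    }
}

Test-WinRarPatched | Format-Table -AutoSize
```

Run it across a fleet with whatever remote-execution tooling you already trust; a `Patched` value of `$false` on any host is a reason to update before re-imaging, since a rebuilt machine with an old WinRAR can be re-infected by the same lure.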