Stealthy Cyber Threat: Russian Worm Disguises Itself Within Windows File Features
A recently identified cyber threat, linked to the Russian state, has raised alarms due to its cunning ability to conceal its components within an obscure and seldom-used feature of Windows files. This method enables the malicious entity to infiltrate Ukrainian networks while leaving minimal footprints on the compromised machines.
According to a detailed analysis from Sekoia, this worm is an update in the arsenal of Gamaredon, a long-standing espionage group that has been formally associated with Russia’s Federal Security Service (FSB) by Ukraine’s security agencies. The primary focus of Gamaredon appears to be on Ukraine, where it targets government institutions, military organizations, and critical infrastructure with the intention of stealing sensitive documents and maintaining long-term access to these networks.
The cyber response team at Sekoia utilized artifacts found on infected hosts and analyzed over 70 different samples from a partner organization. Through this investigation, they were able to reconstruct an infection chain that was first observed in January 2026 and was still active at the time of their report. They noted that the campaign has shifted predominantly to a fileless VBScript approach, indicating a significant enhancement in stealth compared to the group’s previous tactics.
An Intrusive Beginning: Exploiting WinRAR
The initial phase of this cyber intrusion began with a deceptive xHTML file that, when opened, delivered a malicious RAR archive to the target’s system. Sekoia tags this stage of the attack as GammaPhish. The malicious archive took advantage of the CVE-2025-8088 vulnerability, a path traversal flaw in the WinRAR software. This specific exploit has been linked by Google’s threat analysts to other infamous Russian cyber actors, including Sandworm and Turla.
The exploitation of this vulnerability facilitated the placement of a concealed HTA file in the Windows Startup folder. This file would execute the next time the user logged into their computer, subsequently fetching additional malicious payloads from a remote server. To keep the victim oblivious to the ongoing cyber activities, the worm also utilized a spoof PDF document.
The Stealth of GammaWorm
The intricacies of the GammaWorm illustrate a remarkable level of sophistication in stealth tactics, according to Sekoia’s evaluation. Instead of simply placing files onto the infected systems, the worm cleverly embeds its components within NTFS Alternate Data Streams, a Windows native feature that allows data to be stored alongside an existing file without showing up in regular directory listings. This method keeps the worm’s presence shrouded, complicating detection efforts.
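Because alternate data streams do not appear in ordinary directory listings, defenders have to enumerate them explicitly. The following PowerShell function is an added example for that purpose (it is not code from Sekoia or from the report); it walks a directory tree, lists every non-default stream, skips the benign Zone.Identifier stream by default, and shows a short printable preview of each stream so script content stands out from binary data. The function name, parameters and output fields are this example's own choices.

```powershell
# Added example: inventory non-default NTFS alternate data streams for triage.
# Zone.Identifier (Mark of the Web) is common and benign, so it is skipped by default.
function Find-AlternateDataStreams {
    param(
        [Parameter(Mandatory)] [string]   $Path,
        [string[]] $IgnoreStreams = @('Zone.Identifier'),
        [int]      $PreviewBytes  = 64
    )

    # PowerShell 7 reads raw bytes with -AsByteStream; Windows PowerShell 5.1 uses -Encoding Byte.
    $byteArgs = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

    Get-ChildItem -LiteralPath $Path -Recurse -File -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * lists all streams of the file; ':$DATA' is the file's own main content.
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStreams -notcontains $_.Stream }
        } |
        ForEach-Object {
            # Peek at the first bytes of the hidden stream; printable ASCII is kept, the rest shown as '.'.
            $bytes = Get-Content -LiteralPath $_.FileName -Stream $_.Stream -TotalCount $PreviewBytes `
                         -ErrorAction SilentlyContinue @byteArgs
            $preview = if ($bytes) {
                -join ($bytes | ForEach-Object { if ($_ -ge 32 -and $_ -le 126) { [char]$_ } else { '.' } })
            } else { '' }

            [pscustomobject]@{
                File    = $_.FileName
                Stream  = $_.Stream
                Bytes   = $_.Length
                Preview = $preview
            }
        }
}

# Usage: list hidden streams under the user profile and export them for review.
# Find-AlternateDataStreams -Path $env:USERPROFILE | Export-Csv ads_inventory.csv -NoTypeInformation
```

Run it from an elevated shell to cover protected locations such as the Startup folders of other users; the native `dir /R` command shows the same stream names but without the content preview.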
Once operational, GammaWorm set itself to endure within the infected system by establishing persistence via scheduled tasks, which were camouflaged as routine maintenance tasks. By manipulating registry settings that dictate file visibility, the worm also obscured its activities, effectively cloaking its malicious operations.
The worm was also observed to propagate through USB drives and across network shares, where it would obscure genuine folders and replace them with harmful shortcuts. These shortcuts were designed to carry misleading Ukrainian-language file names, attempting to bait users into launching them.
For its command-and-control functions, GammaWorm retrieved its current server addresses from legitimate services such as Telegram and Cloudflare, a dead drop resolver technique, and used those servers to deliver malicious payloads. The details were stored within the system’s registry, establishing an open backdoor that enabled the continual execution of commands from its operators.
Recommendations and Countermeasures
In light of the malware’s persistent nature, Sekoia cautioned that the most effective approach for organizations faced with this infection is to perform a complete wipe of the affected systems. The malware’s reliance on Dead Drop Resolvers (DDR) complicates cleaning efforts significantly; attempts to remove it often trigger fallback mechanisms that restore the malware.
Organizations are also advised to ensure they are using the latest version of WinRAR—version 7.13 or later—to close the vulnerability that the worm exploits. Keeping software updated is a critical line of defense in safeguarding against such sophisticated cyber threats.
As the cyber landscape continues to evolve, the significance of understanding advanced persistent threats like Gamaredon becomes ever clearer, especially for nations experiencing heightened levels of cyber warfare.