Gamaredon Group Employs Advanced Multi-Stage Phishing Techniques Targeting Ukrainian Government Entities
A recent report has revealed that a persistent cyber-espionage campaign attributed to the Gamaredon threat group is intensifying its efforts, specifically aiming at Ukrainian governmental institutions. Through the use of sophisticated multi-stage phishing attacks and evolving malware loaders, Gamaredon, also recognized by its aliases UAC-0010 or Shuckworm, has been exploiting a WinRAR vulnerability to execute its malicious operations.
At the forefront of Gamaredon’s tactics is the exploitation of CVE-2025-8088, a directory traversal vulnerability found in WinRAR. This flaw permits attackers to write harmful files outside of the intended extraction directory, creating a significant risk for users who may unknowingly open infected files. Although this vulnerability has been exploited broadly since mid-2025, the strategic approach taken by Gamaredon has drawn attention due to its vast scale and ongoing persistence.
The scheme typically begins when potential victims receive phishing emails that either originate from compromised accounts belonging to Ukrainian government officials or from spoofed domains that closely resemble legitimate email addresses. Frequently designed to mimic official court summons or legal notifications, these emails are crafted to pique the target’s curiosity and compel them to engage with the content.
Researchers from Harfang Lab have meticulously tracked Gamaredon’s activities and uncovered at least 12 waves of spear-phishing emails since September 2025. These communications have effectively leveraged the previously mentioned WinRAR vulnerability to introduce custom VBScript-based downloaders, which deploy malware covertly onto victim systems.
The emails often contain malicious RAR archives that are disguised as decoy PDF files. Unbeknownst to the recipient, these archives also include a hidden VBScript payload which is embedded using NTFS alternate data streams (ADS). For instance, on March 18, 2026, a phishing email was forwarded from a compromised account tied to a local government official in Odessa Oblast, exemplifying the operational reliability of this group’s strategy.
Upon extraction, the exploit forces the vulnerable WinRAR application to write the malicious VBScript file directly into the Windows Startup folder, thereby ensuring its persistence on the infected machine. The contained script, dubbed GammaDrop, operates as the first-stage downloader and is characterized by heavy obfuscation and the use of randomized variables—attributes aligning with Gamaredon’s automated malware generation techniques.
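The two archive tricks described above (an ADS-carried script hidden behind a decoy and a traversal path landing in the Startup folder) can be triaged from an archive's entry listing before anything is extracted. The following is an added example, not code from the report or from any vendor tool; the entry names are constructed to resemble the described technique and are not from a real sample, and `triage_archive` assumes you already have the entry names from a listing tool.

```python
import ntpath
from typing import Dict, List

# Constructed entry names modelled on the described lure: a decoy PDF,
# a VBScript hidden in an NTFS alternate data stream of that decoy, and
# a traversal path aimed at the per-user Startup folder. Illustrative only.
SAMPLE_ENTRIES = [
    "summons.pdf",
    "summons.pdf:payload.vbs",
    "..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.vbs",
    "docs/readme.txt",
]

STARTUP_MARKER = "start menu\\programs\\startup"
SCRIPT_EXTS = (".vbs", ".vbe", ".js", ".jse", ".hta", ".wsf", ".lnk")


def inspect_entry(name: str) -> List[str]:
    """Return findings for one archive entry name (empty list = nothing notable)."""
    findings = []
    norm = name.replace("/", "\\")          # treat both separators as Windows paths
    parts = norm.split("\\")
    # Any '..' component or an absolute/UNC path means the entry can escape
    # the extraction directory on a vulnerable extractor.
    if ".." in parts or ntpath.isabs(norm):
        findings.append("path-traversal-or-absolute")
    # A colon in the final component names an alternate data stream,
    # e.g. "decoy.pdf:payload.vbs"; inspect the stream name as the real file.
    last = parts[-1]
    if ":" in last:
        findings.append("ads-stream")
        last = last.split(":", 1)[1]
    if STARTUP_MARKER in norm.lower():
        findings.append("startup-folder")
    if last.lower().endswith(SCRIPT_EXTS):
        findings.append("script-extension")
    return findings


def triage_archive(entries: List[str]) -> Dict[str, List[str]]:
    """Map each flagged entry to its findings; an empty dict means a clean listing."""
    result = {}
    for entry in entries:
        findings = inspect_entry(entry)
        if findings:
            result[entry] = findings
    return result


if __name__ == "__main__":
    for entry, findings in triage_archive(SAMPLE_ENTRIES).items():
        print(entry, "->", ", ".join(findings))
```

Any entry that combines traversal with the Startup marker, or an ADS whose stream name carries a script extension, is worth quarantining regardless of the decoy's extension.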
Progressing further into the attack chain, GammaDrop then retrieves the subsequent payload known as GammaLoad from command-and-control (C2) servers under the control of the attackers. The retrieved payload is saved as an HTA file and executed via mshta.exe in a hidden window. Functioning as both a persistence mechanism and reconnaissance tool, GammaLoad establishes a RunOnce registry key and deploys a secondary VBScript payload that maintains continuous communication with the attackers.
As part of its operation, the malware gathers fundamental system information, including the computer name, system drive, and volume serial number. This data is embedded in outgoing communications, thereby allowing the attackers to uniquely identify compromised systems and selectively deliver follow-up payloads.
Analysis of collected emails indicates that the Security Service of Ukraine (SSU) has emerged as the most targeted institution, with the attacks extending across multiple oblasts, including Luhansk, Lviv, and Chernivtsi. Gamaredon’s strategy incorporates dynamically generated URLs and effective camouflage of its traffic using legitimate browser user-agent strings, primarily utilizing Cloudflare Workers domains for its communications.
Notably, the malware conducts requests to its C2 servers roughly every three and a half minutes, each containing encoded victim identifiers and timestamps. A significant aspect of Gamaredon’s operational approach is its ability to frequently rotate its infrastructure, using methods such as fast-flux DNS and short-lived domains to avoid detection by cybersecurity measures.
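The fixed beacon interval and the Cloudflare Workers hosting described above are exactly what a periodicity check over proxy logs can surface, even when the user-agent looks like a normal browser and the URL path changes every request. This is an added detection example, not from the report; the log lines are constructed (the `workers.dev` host, client IP and paths are placeholders), and the 210-second expected gap is the "three and a half minutes" from the text.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime
from typing import Dict, List

# Constructed proxy log lines (not real telemetry): one workstation polling a
# workers.dev host roughly every 210 s, mixed with ordinary browsing noise.
LOG_LINES = """\
2026-03-18T09:00:00Z 10.1.2.3 GET https://example-worker.workers.dev/a1b2 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-03-18T09:01:10Z 10.1.2.3 GET https://www.example.org/news ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-03-18T09:03:31Z 10.1.2.3 GET https://example-worker.workers.dev/c3d4 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-03-18T09:07:00Z 10.1.2.3 GET https://example-worker.workers.dev/e5f6 ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
2026-03-18T09:10:29Z 10.1.2.3 GET https://example-worker.workers.dev/g7h8 ua="Mozilla/5.0 (compatible; bingbot/2.0)"
2026-03-18T09:12:00Z 10.1.2.3 GET https://www.example.org/ ua="Mozilla/5.0 (Windows NT 10.0; Win64; x64)"
""".splitlines()

LINE_RE = re.compile(r'^(\S+) (\S+) \S+ https?://([^/\s]+)\S* ua="([^"]*)"$')


def parse_line(line: str):
    """Return (timestamp, client, host, user_agent) or None if the line does not match."""
    m = LINE_RE.match(line)
    if not m:
        return None
    ts = datetime.strptime(m.group(1), "%Y-%m-%dT%H:%M:%SZ")
    return ts, m.group(2), m.group(3), m.group(4)


def find_beacons(lines: List[str], expected: float = 210.0,
                 tolerance: float = 15.0, min_hits: int = 4) -> List[Dict]:
    """Flag (client, host) pairs whose request gaps cluster tightly around `expected` seconds."""
    times = defaultdict(list)
    agents = defaultdict(set)
    for line in lines:
        parsed = parse_line(line)
        if parsed:
            ts, client, host, ua = parsed
            times[(client, host)].append(ts)
            agents[(client, host)].add(ua)
    hits = []
    for key, stamps in times.items():
        if len(stamps) < min_hits:
            continue
        stamps.sort()
        gaps = [(b - a).total_seconds() for a, b in zip(stamps, stamps[1:])]
        median = statistics.median(gaps)
        jitter = max(abs(g - median) for g in gaps)   # spread around the median gap
        if abs(median - expected) <= tolerance and jitter <= tolerance:
            hits.append({"client": key[0], "host": key[1], "requests": len(stamps),
                         "median_gap": median,
                         # a crawler UA from an internal workstation is itself anomalous
                         "bot_ua": any("bot" in ua.lower() for ua in agents[key])})
    return hits
```

In practice the same pair key should also be checked against a list of recently registered or rotated hostnames, since the text notes the group churns infrastructure quickly.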
Recent waves of attacks observed in May 2026 reveal a strategic shift—while early campaigns predominantly utilized RAR archives, there is now a growing inclination towards ARJ archives that are camouflaged as ZIP or RAR files. These updated samples continue to deliver both GammaDrop and GammaLoad, albeit with slight modifications in the communication patterns, which now occasionally feature bot-like user-agent strings mimicking services such as Bingbot.
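A cheap mail-gateway check for the archive masquerading described above is to compare an attachment's declared extension with its actual magic bytes, since an ARJ file carries a distinct header regardless of what it is named. This is an added example, not the report's or any product's code; the sample attachments are constructed byte strings with placeholder names, and the magic values used are the standard ARJ, RAR and ZIP signatures.

```python
import os
from typing import Dict, List, Optional

# Standard archive signatures. RAR4 continues with \x00 and RAR5 with \x01\x00,
# so matching the shared "Rar!\x1a\x07" prefix covers both.
MAGIC = [
    ("arj", b"\x60\xea"),
    ("rar", b"Rar!\x1a\x07"),
    ("zip", b"PK\x03\x04"),
    ("zip", b"PK\x05\x06"),   # empty ZIP
]
EXT_TO_TYPE = {".zip": "zip", ".rar": "rar", ".arj": "arj"}

# Constructed attachments (placeholder names, padded header bytes), not real samples.
SAMPLES = {
    "summons.zip": b"\x60\xea" + b"\x00" * 30,            # ARJ bytes behind a .zip name
    "notice.rar": b"Rar!\x1a\x07\x01\x00" + b"\x00" * 30,  # genuine RAR5 header
    "report.zip": b"PK\x03\x04" + b"\x00" * 30,            # genuine ZIP header
    "decoy.pdf": b"%PDF-1.7\n" + b"\x00" * 30,             # not an archive at all
}


def sniff(data: bytes) -> Optional[str]:
    """Identify the archive type from leading bytes, or None if no signature matches."""
    for kind, sig in MAGIC:
        if data.startswith(sig):
            return kind
    return None


def check_attachment(filename: str, data: bytes) -> Dict[str, object]:
    """Compare the type implied by the extension with the type found in the bytes."""
    declared = EXT_TO_TYPE.get(os.path.splitext(filename)[1].lower())
    actual = sniff(data)
    return {
        "file": filename,
        "declared": declared,
        "actual": actual,
        # Only a mismatch between two archive types counts; a non-archive name
        # with non-archive bytes (e.g. a real PDF) is not flagged here.
        "mismatch": declared is not None and actual != declared,
        "rare_format": actual == "arj",   # ARJ is unusual in business mail on its own
    }


def triage(samples: Dict[str, bytes]) -> List[str]:
    """Return the names of attachments that are disguised or in a rare archive format."""
    return [name for name, data in samples.items()
            if (r := check_attachment(name, data))["mismatch"] or r["rare_format"]]
```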
Some newer variants of the malware exhibit a streamlined approach, circumventing the GammaDrop stage entirely and deploying GammaLoad directly onto targeted machines. A critical component contributing to the campaign’s effectiveness is the insufficient email authentication implemented across various targeted domains. Many Ukrainian institutions have yet to enforce robust SPF, DKIM, and DMARC policies, facilitating the attackers’ efforts to impersonate trusted sources or exploit compromised accounts.
Gamaredon consistently employs infrastructure within the 194.58.66.0/24 subnet to propagate phishing emails. Often, the group authenticates its activities using stolen credentials or takes advantage of weak domain security practices.
In summary, the Gamaredon group continues to target Ukrainian government entities with a tailored focus on military and law enforcement organizations. Despite the malware’s relative lack of complexity, the group’s strength lies in its adaptability, high operational tempo, and innovative use of social engineering techniques. Cybersecurity experts assert that enforcing strict DMARC policies, blocking known malicious IP addresses, and patching vulnerable software like WinRAR are critical steps in mitigating the risks posed by these ongoing attacks.