Gamaredon APT Abuses Windows Features to Hide Malware
Russian state-backed espionage group Gamaredon is deploying a new VBScript worm in an ongoing campaign against Ukrainian targets, leveraging native Windows features for concealment and exploiting popular cloud services for covert command-and-control (C2) channels.
The operation showcases a modular toolset built for stealth, resilience and long-term access.
In this campaign, Gamaredon has reorganized its arsenal into a “Gamma” ecosystem, with dedicated components for phishing (GammaPhish), staging (GammaLoad), worm-like propagation (GammaWorm) and data theft (GammaSteel).
The intrusion starts with weaponized xHTML lures that drop a malicious RAR archive exploiting CVE-2025-8088 in WinRAR, allowing code execution from Windows Startup folders without attracting user attention.
Once triggered, the VBScript-based chain avoids traditional executables. Instead, it layers multiple script stages, each of which can independently fetch and execute new payloads from remote infrastructure.
Gamaredon Malware in Windows and Cloud C2
This architecture turns the entire infection sequence into a stack of backdoors. Every stage can profile the victim host, update its configuration, and deploy fresh malware on demand.
Even if defenders remove part of the chain, surviving components retain enough capability to restore access, making partial cleanups largely ineffective.
The core of the new toolset is GammaWorm, a massive VBScript script that hides almost entirely inside NTFS Alternate Data Streams (ADS), an obscure Windows file system feature.
Rather than dropping visible files, GammaWorm stores its modules in ADS attached to existing user profile paths, leaving directory listings and file sizes looking normal.
To maintain persistence, the worm creates RunOnce registry entries and scheduled tasks that execute code directly from these hidden streams, while also modifying Explorer settings to hide extensions and protected system files, further reducing the chance of discovery.
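As an added defensive check, not code from the article or from SEKOIA's report, the following Python flags Run/RunOnce and scheduled-task command lines that launch a script host (wscript.exe, mshta.exe) from an NTFS alternate data stream, and Explorer settings that hide extensions and protected system files. The autorun entries and registry values are constructed samples; the Explorer\Advanced value names are standard Windows settings assumed here, not taken from the article.

```python
import re

# Script hosts the article names (cscript.exe added as wscript's console sibling).
SCRIPT_HOSTS = ("wscript.exe", "cscript.exe", "mshta.exe")

# A Windows path whose last component carries a ":stream" suffix (an NTFS ADS).
# File and stream names exclude whitespace so "sync.vbs https://..." cannot match.
ADS_PATH = re.compile(
    r'(?:[A-Za-z]:|%[A-Za-z_]+%)\\(?:[^\\:"\r\n]+\\)*[^\\:\s"]+:[^\\:\s"/]+',
    re.IGNORECASE,
)

def classify_command(cmd):
    """Return findings for one Run/RunOnce or scheduled-task command line."""
    findings = []
    if ADS_PATH.search(cmd):
        findings.append("ads_path")
    if any(host in cmd.lower() for host in SCRIPT_HOSTS):
        findings.append("script_host")
    if len(findings) == 2:
        findings.append("script_from_ads")  # script host fed a hidden stream
    return findings

def scan_autoruns(entries):
    """entries: list of (source, command). Keep only ADS-referencing ones."""
    hits = [(src, cmd, classify_command(cmd)) for src, cmd in entries]
    return [h for h in hits if "ads_path" in h[2]]

# Standard Explorer\Advanced values (assumed, not from the article); these
# settings hide extensions, hidden files and protected OS files respectively.
EXPLORER_HIDING = {"HideFileExt": 1, "Hidden": 2, "ShowSuperHidden": 0}

def explorer_hiding_flags(values):
    """values: name -> DWORD read from HKCU\\...\\Explorer\\Advanced."""
    return sorted(k for k, v in EXPLORER_HIDING.items() if values.get(k) == v)

# Constructed sample entries, not real telemetry.
SAMPLE_ENTRIES = [
    ("HKCU RunOnce\\upd",
     'wscript.exe //B "C:\\Users\\victim\\Documents\\notes.txt:update.vbs"'),
    ("Task \\Microsoft\\Sync",
     'mshta.exe "%USERPROFILE%\\AppData\\Roaming\\settings.ini:run.hta"'),
    ("HKLM Run\\Updater", '"C:\\Program Files\\Vendor\\Updater.exe" /silent'),
    ("Task \\Sync", "wscript.exe C:\\Scripts\\sync.vbs https://intranet.example/"),
]

if __name__ == "__main__":
    for src, cmd, why in scan_autoruns(SAMPLE_ENTRIES):
        print(f"{src}: {why}\n    {cmd}")
    print(explorer_hiding_flags({"HideFileExt": 1, "ShowSuperHidden": 0}))
```

On a live host the same functions can be fed values read with `winreg` and task actions exported by `schtasks /query /xml`.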

After installation, GammaWorm spreads across USB and network drives by copying itself to each target and hiding real folders, replacing them with malicious LNK shortcuts that both open the expected directory and silently execute the worm via mshta.exe and wscript.exe.
It also generates decoy shortcuts using provocative Ukrainian-language filenames to lure users into clicking, amplifying the spread across shared media.
In parallel, GammaWorm runs a continuous loop that acts as a stealth backdoor, regularly contacting its C2 to exfiltrate system fingerprints and retrieve new VBScript payloads for in-memory execution, encoding host data into randomized HTTP headers to mimic normal web traffic.
Gamaredon reinforces these fileless techniques by abusing legitimate cloud and messaging platforms for C2 management.
GammaWorm resolves live servers through Dead Drop Resolvers hosted on services like Telegraph/Teletype via graph.org, Cloudflare Workers subdomains and S3-compatible storage, storing each discovered URL in dedicated registry keys and walking them later to obtain current C2 endpoints.
The group also leverages public Telegram channels as dead drops, pulling HTML with curl.exe and parsing embedded IP addresses that act as active C2 nodes.
This hybrid design enables rapid domain rotation, concealment of staging servers behind Cloudflare tunnels, and seamless fallback to direct IPs if cloud services are disrupted.
SEKOIA said in a report shared with Cyber Security News that the campaign remains focused on Ukrainian government, military, and critical infrastructure networks, reinforcing links between Gamaredon and Russia’s Federal Security Service.
By combining fileless VBScript chains, ADS-based concealment, USB-borne propagation, and cloud-backed C2, the group has significantly boosted the stealth and durability of its espionage operations compared to earlier frameworks.