Gamaredon APT Leverages Windows Features and Cloud Platforms for Stealthy Espionage Against Ukraine
The Russian state-sponsored Gamaredon APT group has launched a new campaign against Ukraine, employing a VBScript worm that hides within Windows features and utilizes cloud services for command-and-control.

The Russian state-backed espionage group Gamaredon, also known as Primitive Bear, has intensified its operations targeting Ukraine with a sophisticated new VBScript worm. This malware is designed for stealth and resilience, leveraging obscure Windows features and popular cloud platforms for command-and-control (C2) infrastructure. The campaign showcases a modular toolset reorganized into a "Gamma" ecosystem, comprising GammaPhish for initial lures, GammaLoad for staging, GammaWorm for propagation, and GammaSteel for data exfiltration.
The intrusion begins with weaponized xHTML files that deliver a malicious RAR archive. The archive abuses CVE-2025-8088, a path-traversal vulnerability in WinRAR (fixed in version 7.13) that lets a crafted archive write files outside the chosen extraction directory, including into the Windows Startup folder, so the planted script runs at the next logon with no user interaction beyond extracting the archive. The malware chain is built entirely on VBScript, avoiding traditional executables and employing multiple script stages. Each stage can independently fetch and execute new payloads, effectively creating a stack of backdoors that can restore access even if parts of the chain are removed, making partial cleanups ineffective.
The core of this new arsenal is GammaWorm, a VBScript that conceals its modules within NTFS Alternate Data Streams (ADS). NTFS lets a file carry named data streams in addition to its main, unnamed content; Explorer and a plain dir listing show only the main stream, so the hidden modules do not appear in standard file system listings (dir /R and PowerShell's Get-Item -Stream * do enumerate them). To ensure persistence, GammaWorm creates RunOnce registry entries and scheduled tasks that execute code directly from these hidden streams. It also modifies Windows Explorer settings to hide file extensions and protected system files, further reducing the chances of detection.
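The following hunt script is an added example, not code from the SEKOIA report or from Gamaredon's tooling. It checks a Windows host for the three persistence traits described above: non-default NTFS streams under user profile paths, Run/RunOnce values and scheduled-task actions that point at a stream or a script host, and the Explorer hiding settings. The profile paths searched and the allowlist of benign stream names are assumptions to tune for your fleet; run it from an elevated PowerShell session.

```powershell
# Added example (not code from the SEKOIA report or from Gamaredon's tooling):
# hunt for ADS-backed persistence on a live Windows host.
# Assumptions: the roots searched and the benign-stream allowlist below.

# A command line that executes from a stream carries a second colon after the
# drive letter, e.g.  wscript.exe C:\Users\u\AppData\Roaming\note.txt:mod.vbs
$AdsPattern  = '[A-Za-z]:\\[^:"]+:[^\\/:"\s]+'
$ScriptHosts = 'wscript\.exe|cscript\.exe|mshta\.exe'

# Streams Windows itself attaches to files; anything else deserves a look.
$BenignStreams = @(':$DATA', 'Zone.Identifier', 'SmartScreen')

function Find-SuspiciousStreams {
    param([string[]]$Roots = @($env:APPDATA, $env:LOCALAPPDATA, "$env:USERPROFILE\Documents"))
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
            Where-Object { $BenignStreams -notcontains $_.Stream } |
            Select-Object FileName, Stream, Length
    }
}

function Find-StreamRunEntries {
    # RunOnce values delete themselves after they fire, so check before the next logon.
    $keys = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
            'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run'
    $meta = 'PSPath', 'PSParentPath', 'PSChildName', 'PSDrive', 'PSProvider'
    foreach ($key in $keys) {
        $props = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
        if (-not $props) { continue }
        foreach ($p in $props.PSObject.Properties) {
            if ($meta -contains $p.Name) { continue }
            $cmd = [string]$p.Value
            if ($cmd -match $AdsPattern -or $cmd -match $ScriptHosts) {
                [pscustomobject]@{ Key = $key; Name = $p.Name; Command = $cmd }
            }
        }
    }
}

function Find-StreamScheduledTasks {
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $cmd = ("$($a.Execute) $($a.Arguments)").Trim()
            if ($cmd -match $AdsPattern -or $cmd -match $ScriptHosts) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmd }
            }
        }
    }
}

function Get-ExplorerHidingSettings {
    # All three values below are Windows defaults, so a single snapshot proves little.
    # The signal is a host where an admin had changed them and finds them reset, or a
    # Sysmon registry event (ID 13) showing a script host writing them.
    $adv = Get-ItemProperty 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced' -ErrorAction SilentlyContinue
    [pscustomobject]@{
        HideFileExt     = $adv.HideFileExt      # 1 = known extensions hidden
        ShowSuperHidden = $adv.ShowSuperHidden  # 0 = protected OS files hidden
        Hidden          = $adv.Hidden           # 2 = hidden items not shown, 1 = shown
    }
}

Find-SuspiciousStreams    | Format-Table -AutoSize
Find-StreamRunEntries     | Format-List
Find-StreamScheduledTasks | Format-List
Get-ExplorerHidingSettings
```

Get-Item -Stream * reads stream names through the NTFS API without opening the payload, so the hunt is safe to run on a suspect host; triage any non-allowlisted stream with Get-Content -Stream before deleting it so you keep a copy of the module for analysis.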
GammaWorm's propagation capabilities are equally concerning. It spreads across USB drives and network shares by copying itself to target systems. Instead of dropping visible files, it replaces real folders with malicious LNK shortcuts. When a user clicks these shortcuts, they appear to open the intended directory but also silently execute the worm using legitimate Windows utilities like mshta.exe and wscript.exe. The worm also generates decoy shortcuts with provocative Ukrainian-language filenames to entice users, thereby amplifying its spread.
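The following scan is an added example, not code from the SEKOIA report; it looks on mounted removable and network drives for the folder-impersonating shortcuts described above. It assumes the WScript.Shell COM object is available (standard on Windows), that a surviving real folder sits beside the shortcut with the same base name, and, as a heuristic, that a shortcut borrowing the folder icon uses index 3 of shell32.dll. Reading a .lnk through CreateShortcut parses it without executing its target.

```powershell
# Added example (not code from the SEKOIA report): find LNK files that pose as
# folders and launch a script host, on removable and network drives.
# Assumptions: same-name hidden sibling folder; shell32.dll,3 as the folder icon.

$ScriptHosts = 'mshta\.exe|wscript\.exe|cscript\.exe|cmd\.exe|powershell\.exe'
$AdsPattern  = '[A-Za-z]:\\[^:"]+:[^\\/:"\s]+'

function Get-ShortcutInfo {
    param([Parameter(Mandatory)][string]$Path)
    $lnk = (New-Object -ComObject WScript.Shell).CreateShortcut($Path)   # parses only, does not run
    [pscustomobject]@{
        Path      = $Path
        Target    = $lnk.TargetPath
        Arguments = $lnk.Arguments
        Icon      = $lnk.IconLocation
    }
}

function Find-FolderImpersonatingLnk {
    param([string[]]$Roots)
    if (-not $Roots) {
        # Win32_LogicalDisk DriveType 2 = removable, 4 = network share
        $Roots = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=4' |
                 ForEach-Object { $_.DeviceID + '\' }
    }
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -Filter *.lnk -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $info    = Get-ShortcutInfo -Path $_.FullName
            $cmdline = "$($info.Target) $($info.Arguments)"
            $base    = [IO.Path]::GetFileNameWithoutExtension($_.Name)
            $sibling = Join-Path $_.DirectoryName $base
            $reasons = @()
            if ($cmdline -match $ScriptHosts) { $reasons += 'launches a script host' }
            if ($cmdline -match $AdsPattern)  { $reasons += 'runs from an NTFS stream' }
            if ($info.Icon -match 'shell32\.dll,\s*3$') { $reasons += 'borrows the folder icon' }
            if ((Test-Path -LiteralPath $sibling -PathType Container) -and
                ((Get-Item -LiteralPath $sibling -Force).Attributes -match 'Hidden')) {
                $reasons += "hidden folder '$base' beside it"
            }
            if ($reasons.Count) {
                [pscustomobject]@{
                    Lnk       = $info.Path
                    Target    = $info.Target
                    Arguments = $info.Arguments
                    Reasons   = $reasons -join '; '
                }
            }
        }
    }
}

# Scan every removable and network drive currently mounted, or pass -Roots 'E:\' for one drive.
Find-FolderImpersonatingLnk | Format-List
```

A shortcut that matches more than one reason (script-host target plus a hidden same-name folder) is the pattern the article describes; a single match, such as a legitimate admin shortcut to cmd.exe, needs a look at its arguments before you act on it.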
Beyond its fileless and stealthy execution, GammaWorm functions as a persistent backdoor. It continuously contacts its C2 servers to exfiltrate system information and download new VBScript payloads for in-memory execution. To evade network detection, it encodes host data into randomized HTTP headers, mimicking legitimate web traffic.
Gamaredon's reliance on cloud platforms for C2 is a key aspect of this campaign's resilience. The group uses Dead Drop Resolvers hosted on services like Telegraph/Teletype, Cloudflare Workers subdomains, and S3-compatible storage to dynamically locate live C2 servers. The discovered URLs are stored in registry values and used to establish connections. Additionally, public Telegram channels are employed as dead drops, with the malware fetching the channel's HTML via curl.exe and parsing out the embedded IP addresses of active C2 nodes.
This hybrid C2 infrastructure allows for rapid domain rotation, conceals staging servers behind Cloudflare tunnels, and provides fallback mechanisms to direct IP addresses if cloud services become unavailable. Security researchers at SEKOIA, who shared their findings with Cyber Security News, noted that the campaign remains focused on Ukrainian government entities, military networks, and critical infrastructure, reinforcing the group's ties to Russia's Federal Security Service (FSB).
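The following detection is an added example, not code from the SEKOIA report; it applies the dead-drop behaviour from the two paragraphs above to process-creation telemetry, flagging curl.exe when it is launched by a script host, contacts one of the named dead-drop platforms, or goes to a raw IP address (the fallback path). The sample events are constructed for this example, and the host list is an assumption drawn from the platforms the article names (Telegram, Telegraph/Teletype, Cloudflare Workers and tunnels); t.me and *.workers.dev also carry legitimate traffic, so the parent process is the stronger signal.

```powershell
# Added example (not code from the SEKOIA report): flag dead-drop resolver lookups
# in process-creation telemetry. Sample events are constructed; the host list is
# an assumption and should be tuned for your environment.

$DeadDropHosts = '(^|\.)(t\.me|telegra\.ph|teletype\.in|workers\.dev|trycloudflare\.com)$'
$ScriptHosts   = 'wscript\.exe|cscript\.exe|mshta\.exe'

function Test-DeadDropLookup {
    # $Event needs ProcessId, Image, ParentImage and CommandLine (Sysmon Event ID 1 field names)
    param([Parameter(Mandatory)]$Event)
    if ($Event.Image -notmatch '\\curl\.exe$') { return }
    $url      = if ($Event.CommandLine -match 'https?://[^\s"'']+') { $Matches[0] } else { '' }
    $hostName = if ($url -match '^https?://([^/:?#]+)') { $Matches[1] } else { '' }
    $reasons  = @()
    if ($hostName -match $DeadDropHosts)           { $reasons += "dead-drop host $hostName" }
    if ($hostName -match '^\d{1,3}(\.\d{1,3}){3}$') { $reasons += "raw IP $hostName (fallback C2 path)" }
    if ($Event.ParentImage -match $ScriptHosts)    { $reasons += 'spawned by a script host' }
    if ($reasons.Count) {
        [pscustomobject]@{
            Pid     = $Event.ProcessId
            Url     = $url
            Parent  = $Event.ParentImage
            Reasons = $reasons -join '; '
        }
    }
}

function ConvertFrom-SysmonEvent {
    # Flatten a Sysmon EventData record into an object with Image, CommandLine, ParentImage, ...
    param([Parameter(Mandatory, ValueFromPipeline)]$WinEvent)
    process {
        $xml    = [xml]$WinEvent.ToXml()
        $fields = @{}
        foreach ($d in $xml.Event.EventData.Data) { $fields[$d.Name] = $d.'#text' }
        [pscustomobject]$fields
    }
}

# Constructed sample telemetry, shaped like Sysmon Event ID 1 records.
$SampleEvents = @(
    [pscustomobject]@{ ProcessId = 4120; Image = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'curl.exe -s -L https://t.me/s/examplechannel' }
    [pscustomobject]@{ ProcessId = 4188; Image = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Windows\System32\wscript.exe'
                       CommandLine = 'curl.exe -s http://203.0.113.10/index.php' }   # TEST-NET-3 address, constructed
    [pscustomobject]@{ ProcessId = 5011; Image = 'C:\Windows\System32\curl.exe'
                       ParentImage = 'C:\Windows\System32\cmd.exe'
                       CommandLine = 'curl.exe -O https://example.com/tool.zip' }    # benign: produces no finding
)

$SampleEvents | ForEach-Object { Test-DeadDropLookup -Event $_ } | Format-List

# Live host: the same logic over the Sysmon operational log
# Get-WinEvent -FilterHashtable @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 1 } |
#     ConvertFrom-SysmonEvent | ForEach-Object { Test-DeadDropLookup -Event $_ }
```

The first two sample events produce findings (dead-drop host plus script-host parent; raw IP plus script-host parent) and the third produces none. Because the article notes the C2 URL is cached in the registry after resolution, pairing this with a Sysmon Event ID 13 rule on registry writes by wscript.exe or mshta.exe catches the step that follows the lookup.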
The combination of fileless VBScript chains, ADS concealment, USB propagation, and cloud-backed C2 infrastructure represents a significant advancement in Gamaredon's espionage capabilities, enhancing both the stealth and durability of their operations against Ukrainian targets.