VYPR
researchPublished Jun 1, 2026· Updated Jun 9, 2026· 3 sources

Gamaredon Deploys Fileless Worm Hidden in NTFS Alternate Data Streams to Spy on Ukrainian Targets

Russian state-linked APT group Gamaredon is using a fileless worm that hides components in NTFS alternate data streams, allowing it to spread across Ukrainian networks with minimal forensic traces.

A Russian state-linked worm has been observed hiding its components inside a little-used Windows file feature, allowing it to spread across Ukrainian networks while leaving almost no trace on infected machines.

According to new analysis from Sekoia, the worm is the latest tool of Gamaredon, a long-running espionage group that Ukraine's security service has formally tied to Russia's Federal Security Service (FSB). The group focuses almost entirely on Ukraine, targeting government, military and critical infrastructure to steal documents and keep long-term access.

Working from artifacts on compromised hosts and more than 70 samples from a partner, the team reconstructed an infection chain seen in January 2026 and still active at the time of writing. The campaign has moved almost entirely to fileless VBScript, a clear step up in stealth from Gamaredon's earlier tooling.

The intrusion began with a booby-trapped xHTML file that, once opened, smuggled a malicious RAR archive onto the target's machine. Sekoia tracks this initial-access stage as GammaPhish. The archive exploited CVE-2025-8088, a path traversal flaw in WinRAR that Google's threat analysts have separately tied to Sandworm, Turla and other Russian operators. Abusing the bug planted a hidden HTA file in the Windows Startup folder, which ran at the next login and fetched the next payload from a remote server. A decoy PDF kept the victim unaware.

GammaWorm is where the campaign's stealth becomes clear, Sekoia explained. Rather than dropping files on disk, the worm hid its modules in NTFS Alternate Data Streams, a native Windows feature that lets data ride alongside an existing file without appearing in standard directory listings. Once active, it set up persistence through scheduled tasks disguised as routine maintenance and concealed its work by changing registry settings that govern file visibility. It then propagated to USB sticks and network drives, hiding genuine folders and swapping them for malicious shortcuts that carried provocative Ukrainian-language filenames meant to lure users into opening them.

For command-and-control (C2), GammaWorm pulled live server addresses from legitimate public services, including Telegram and Cloudflare, using them as dead drops before saving the details to the registry. The worm then looped indefinitely as a backdoor, ready to execute whatever code its operators sent.

Sekoia warned that the safest response to infection is a full wipe: 'The malware's reliance on Dead Drop Resolvers (DDR) allows it to constantly download fresh payloads, meaning that cleaning attempts often result in fallback mechanisms restoring the malware.' Organizations were also urged to update WinRAR to version 7.13 or later, which closes the flaw exploited during the initial compromise.

This latest campaign reflects a broader trend: Russian APT groups continue to refine stealth techniques, moving away from file-based binaries to memory-resident and stream-hiding malware. For Ukrainian defenders, the combination of a fileless worm, dead-drop resolvers, and aggressive propagation makes GammaWorm particularly challenging to eradicate without complete system reimaging.

This new report from Trend Micro details how two distinct threat actor campaigns, SHADOW-EARTH-066 (UAC-0226) and Earth Dahu (Gamaredon), are continuing to exploit the WinRAR path traversal vulnerability CVE-2025-8088 against Ukrainian organizations. SHADOW-EARTH-066 has updated its GIFTEDCROOK information stealer and shifted its initial access vector from macro-enabled documents to exploit chains leveraging this WinRAR flaw, demonstrating a rapid evolution in their tactics.

The new reporting details how two distinct Russia-aligned groups, Earth Dahu and SHADOW-EARTH-066, are actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR, to target Ukrainian organizations. SHADOW-EARTH-066 has shifted from macro droppers to crafted RAR archives containing hidden payloads that deploy the GIFTEDCROOK stealer, now exfiltrating data via dedicated C2 servers instead of Telegram. Earth Dahu, meanwhile, has integrated the flaw into its espionage toolchain since at least September 2025, using an HTA-to-VBScript chain to deploy GammaPhish and related modules.

Synthesized by Vypr AI