Gamaredon Deploys Fileless Worm Hidden in NTFS Alternate Data Streams to Spy on Ukrainian Targets
Russian state-linked APT group Gamaredon is using a fileless worm that hides components in NTFS alternate data streams, allowing it to spread across Ukrainian networks with minimal forensic traces.

A Russian state-linked worm has been observed hiding its components inside a little-used Windows file feature, allowing it to spread across Ukrainian networks while leaving almost no trace on infected machines.
According to new analysis from Sekoia, the worm is the latest tool of Gamaredon, a long-running espionage group that Ukraine's security service has formally tied to Russia's Federal Security Service (FSB). The group focuses almost entirely on Ukraine, targeting government, military and critical infrastructure to steal documents and keep long-term access.
Working from artifacts on compromised hosts and more than 70 samples from a partner, the team reconstructed an infection chain seen in January 2026 and still active at the time of writing. The campaign has moved almost entirely to fileless VBScript, a clear step up in stealth from Gamaredon's earlier tooling.
The intrusion began with a booby-trapped xHTML file that, once opened, smuggled a malicious RAR archive onto the target's machine. Sekoia tracks this initial-access stage as GammaPhish. The archive exploited CVE-2025-8088, a path traversal flaw in WinRAR that Google's threat analysts have separately tied to Sandworm, Turla and other Russian operators. Abusing the bug planted a hidden HTA file in the Windows Startup folder, which ran at the next login and fetched the next payload from a remote server. A decoy PDF kept the victim unaware.
The second stage, tracked as GammaWorm, is where the campaign's stealth becomes clear, Sekoia explained. Rather than dropping files on disk, the worm hid its modules in NTFS Alternate Data Streams (ADS), a native Windows feature that lets data ride alongside an existing file without appearing in standard directory listings. Once active, it set up persistence through scheduled tasks disguised as routine maintenance and concealed its work by changing the registry settings that govern file visibility. It then propagated to USB sticks and network drives, hiding genuine folders and swapping them for malicious shortcuts that carried provocative Ukrainian-language filenames meant to lure users into opening them.
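To turn that description into something a defender can run, here is an added example (it is not Sekoia's tooling and nothing in it comes from the report) that hunts for the traits described above on a Windows host: non-standard alternate data streams under user-writable paths, the Explorer registry values that control hidden-file display, scheduled tasks whose action is a script host, and shortcuts on removable or network drives that sit beside a hidden folder of the same name. Assumptions: PowerShell 5.1 or later in an elevated session, the scan roots chosen at the bottom of the script, and the script-host list and stream-reference regex, which are generic hunting heuristics of mine rather than indicators from the article.

```powershell
# Added hunting script (not Sekoia's code). Assumes PowerShell 5.1+, elevated session.
# The executable list and regex below are generic heuristics, not published indicators.

function Find-SuspiciousAds {
    # Report every named stream except the main :$DATA stream and the browser
    # Zone.Identifier marker; anything else under user-writable paths merits a look.
    param([string[]]$Roots)
    foreach ($root in $Roots) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
            ForEach-Object {
                [pscustomobject]@{
                    Indicator = 'AlternateDataStream'
                    Path      = "$($_.FileName):$($_.Stream)"
                    Bytes     = $_.Length
                }
            }
        }
    }
}

function Get-ExplorerVisibility {
    # Hidden=2, ShowSuperHidden=0 and HideFileExt=1 are the Windows defaults that let a
    # .lnk pose as a folder. The tell is these values reverting after a user enabled
    # "show hidden files", so record them for comparison against the user's own setting.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    $p = Get-ItemProperty -Path $key -ErrorAction SilentlyContinue
    [pscustomobject]@{
        Indicator       = 'ExplorerVisibility'
        Hidden          = $p.Hidden
        ShowSuperHidden = $p.ShowSuperHidden
        HideFileExt     = $p.HideFileExt
    }
}

function Find-ScriptHostTasks {
    # Scheduled tasks that launch a script host, or whose arguments look like a
    # file:stream reference (heuristic regex), are candidates for "maintenance" lures.
    $hosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($a in $task.Actions) {
            $exe  = [IO.Path]::GetFileName([string]$a.Execute).ToLower()
            $args = [string]$a.Arguments
            if (($exe -in $hosts) -or ($args -match '[\w.-]+:[\w.-]+(\s|"|$)')) {
                [pscustomobject]@{
                    Indicator = 'ScriptHostTask'
                    Path      = "$($task.TaskPath)$($task.TaskName)"
                    Execute   = $a.Execute
                    Arguments = $args
                }
            }
        }
    }
}

function Find-MasqueradingShortcuts {
    # Classic USB-worm layout: the real folder is set Hidden and a .lnk with the same
    # name sits beside it, pointing at a script host that runs the hidden payload.
    param([string[]]$Roots)
    $shell = New-Object -ComObject WScript.Shell
    $hosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'cmd.exe', 'powershell.exe', 'rundll32.exe'
    foreach ($root in $Roots) {
        $hiddenDirs = Get-ChildItem -LiteralPath $root -Directory -Force -ErrorAction SilentlyContinue |
                      Where-Object { $_.Attributes -band [IO.FileAttributes]::Hidden }
        foreach ($lnk in Get-ChildItem -LiteralPath $root -Filter *.lnk -File -Force -ErrorAction SilentlyContinue) {
            $sc   = $shell.CreateShortcut($lnk.FullName)
            $exe  = [IO.Path]::GetFileName([string]$sc.TargetPath).ToLower()
            $twin = $hiddenDirs | Where-Object { $_.Name -eq $lnk.BaseName }
            if ($twin -or ($exe -in $hosts)) {
                [pscustomobject]@{
                    Indicator  = 'FolderMasqueradeShortcut'
                    Path       = $lnk.FullName
                    Target     = $sc.TargetPath
                    Arguments  = $sc.Arguments
                    HiddenTwin = [bool]$twin
                }
            }
        }
    }
}

# DriveType 2 = removable, 4 = network: the volumes the worm is described as spreading to.
$external = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType=2 OR DriveType=4' |
            ForEach-Object { "$($_.DeviceID)\" }

$report  = @()
$report += Find-SuspiciousAds -Roots @($env:USERPROFILE, $env:ProgramData)
$report += Get-ExplorerVisibility
$report += Find-ScriptHostTasks
$report += Find-MasqueradingShortcuts -Roots $external

$report | Format-List
$report | ConvertTo-Json -Depth 3 | Out-File -FilePath "$env:TEMP\ads-worm-hunt.json"
```

Run it once on a known-clean build to learn the baseline (some installers and backup agents legitimately use named streams), then diff the JSON output against suspect hosts. A hit on any single indicator is only a lead; a hidden folder with a same-named shortcut that launches wscript.exe with a file:stream argument is the combination worth escalating.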
For command-and-control (C2), GammaWorm pulled live server addresses from legitimate public services, including Telegram and Cloudflare, using them as dead drops before saving the details to the registry. The worm then looped indefinitely as a backdoor, ready to execute whatever code its operators sent.
Sekoia warned that the safest response to infection is a full wipe: 'The malware's reliance on Dead Drop Resolvers (DDR) allows it to constantly download fresh payloads, meaning that cleaning attempts often result in fallback mechanisms restoring the malware.' Organizations were also urged to update WinRAR to version 7.13 or later, which closes the flaw exploited during the initial compromise.
This latest campaign reflects a broader trend: Russian APT groups continue to refine stealth techniques, moving away from file-based binaries to memory-resident and stream-hiding malware. For Ukrainian defenders, the combination of a fileless worm, dead-drop resolvers, and aggressive propagation makes GammaWorm particularly challenging to eradicate without complete system reimaging.