
Introduction: The Invisible War Hidden Inside Windows
A new wave of cyber espionage has quietly escalated into something far more unsettling than traditional malware campaigns. Security researchers from Sekoia.io have uncovered an active operation attributed to the Russia-linked APT group Gamaredon, also known as ACTINIUM, Armageddon, and UAC-0010. What makes this campaign alarming is not just its target set (Ukrainian government, military, and critical infrastructure) but its near-total reliance on fileless execution techniques that abuse native Windows components and trusted cloud infrastructure.
This is not a simple malware drop. It is a carefully engineered, multi-stage intrusion ecosystem designed to live inside legitimate processes, blend into cloud traffic, and avoid leaving traditional forensic traces.
Summary of the Original Findings: A Silent, Layered Infection Machine
The investigation, initiated through a YARA-based hunting operation in January 2026, allowed researchers to reconstruct a large portion of Gamaredon’s evolving attack chain using more than 70 forensic artifacts extracted from compromised systems.
The attack begins with phishing-delivered XHTML files that leverage HTML Smuggling to deploy malicious archives. These archives exploit a WinRAR vulnerability (CVE-2025-8088) to silently drop hidden HTA files into Windows Startup folders. From there, Windows native tools like mshta.exe, VBScript, PowerShell, and scheduled tasks take over execution.
The campaign progresses into modular malware families such as GammaPhish, GammaLoad, GammaWorm, and GammaSteel. Each stage is designed to escalate stealth, persistence, and control while minimizing disk-based footprints.
Initial Entry: HTML Smuggling and Silent Exploitation
The infection chain begins with a weaponized XHTML file, likely delivered through spearphishing emails. Instead of directly attaching malware, attackers use HTML Smuggling to generate a malicious RAR archive inside the victim’s browser environment.
That archive exploits CVE-2025-8088, a critical WinRAR path traversal vulnerability affecting versions prior to 7.13. The exploit allows hidden HTA files to be placed directly into Windows Startup directories.
This ensures execution at the next login without requiring user interaction, turning routine system behavior into an automated infection trigger.
Living Off Windows: mshta.exe and Cloud Disguise
Once the HTA file executes, it launches mshta.exe to fetch remote payloads hosted on cloud infrastructure, particularly Supabase services.
To avoid detection, requests are masked using fake authentication patterns such as “www.bbc.com” prefixes, a tactic designed to mislead casual inspection and even automated filters.
This stage, called GammaPhish, acts as a loader that fingerprints the system and prepares it for deeper infection chains.
GammaWorm: The Fileless Beast Inside NTFS
The most advanced component in the campaign is GammaWorm, a heavily obfuscated VBScript worm exceeding 20,000 lines of code. Its defining innovation lies in abusing NTFS Alternate Data Streams (ADS), a legitimate Windows feature intended for file metadata compatibility.
Instead of writing visible files, GammaWorm hides modules inside streams like:
%USERPROFILE%:GTR
:URL
:LNK
:SERVER
These hidden components are activated through scheduled tasks disguised as legitimate Windows maintenance operations such as DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry.
The result is malware that effectively exists outside normal file visibility.
Propagation Strategy: USB, Network Lures, and Social Engineering
GammaWorm spreads aggressively across USB drives and network shares. It hides legitimate folders and replaces them with malicious shortcut files (LNKs).
These files use Ukrainian-language filenames designed to appear as military or government documents, increasing the likelihood of execution in targeted environments.
This is not just technical exploitation; it is behavioral manipulation built into the propagation layer.
Dead Drop Resolvers: Hiding Infrastructure in Plain Sight
Instead of relying on static command-and-control servers, GammaWorm uses Dead Drop Resolvers (DDRs). These are publicly accessible platforms such as Telegram posts, Telegram channels, Telegra.ph pages, Teletype.in content, and Cloudflare Workers endpoints.
These platforms store encrypted or encoded pointers to live C2 servers, which are then written into Windows registry keys under HKCU\Console.
This hybrid architecture makes traditional network-based blocking extremely difficult.
Infinite Loop Execution and Adaptive Control
GammaWorm operates in a continuous execution loop. It sends HTTP POST requests containing system fingerprint data hidden inside randomized headers rather than payload bodies.
Depending on server responses, it can:
Execute new VBScript payloads entirely in memory
Update its C2 configuration dynamically
Redirect communication channels without file modification
This creates a living malware system that evolves in real time.
GammaSteel: The Silent Data Exfiltration Engine
Researchers also identified GammaSteel, a modular PowerShell-based stealer that resides entirely in the Windows registry.
It consists of 71 encrypted modules protected by Windows DPAPI, making static analysis difficult. Its primary goal is data exfiltration, including documents from USB devices and local storage.
Stolen data is sent to S3-compatible cloud storage or fallback command servers controlled by operators.
Indicators of Compromise: What Defenders Should Hunt
Security teams should monitor for:
ADS creation in %USERPROFILE%
Suspicious registry activity under HKCU\Console
Execution of wscript.exe with colon-based paths
WinRAR exploitation artifacts
Unexpected scheduled tasks mimicking system maintenance
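One way to act on the first bullet, given a saved listing from the `dir /r` command the Deep Analysis section gives later: a parser for that output that reports every stream under the profile that is not the Zone.Identifier mark-of-the-web stream Windows writes itself. This is an added example, not code from the Sekoia report; the sample listing is constructed, and the files shown hosting the GTR and URL streams are placeholders.

```python
import re

# Streams Windows itself writes; anything else under a user profile deserves a look.
EXPECTED_STREAMS = {"Zone.Identifier"}

# `dir /r` prints each alternate data stream on its own line under the host
# entry, as "<size> <host>:<stream>:$DATA" with no date column in front.
STREAM_LINE = re.compile(r"^\s*([\d,]+)\s+(.+?):([^:\\/]+):\$DATA\s*$")

def parse_dir_r(text):
    """Return (directory, host, stream, size) tuples from `dir /r` output."""
    streams, cwd = [], None
    for line in text.splitlines():
        if line.startswith(" Directory of "):
            cwd = line[len(" Directory of "):].strip()
            continue
        m = STREAM_LINE.match(line)
        if m:
            size = int(m.group(1).replace(",", ""))
            streams.append((cwd, m.group(2), m.group(3), size))
    return streams

def unexpected_streams(text):
    """Streams whose name is not one Windows normally creates."""
    return [s for s in parse_dir_r(text) if s[2] not in EXPECTED_STREAMS]

# Constructed sample output (not a real listing); the stream hosts are
# placeholders, only the stream names GTR and URL come from the report.
SAMPLE = """\
 Directory of C:\\Users\\user

02/01/2026  10:00 AM    <DIR>          .
                                   41,208 .:GTR:$DATA
02/01/2026  10:00 AM    <DIR>          ..
02/01/2026  10:02 AM             5,120 report.docx
                                       26 report.docx:Zone.Identifier:$DATA
                                    1,984 report.docx:URL:$DATA
"""
```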
Sekoia researchers emphasize that due to rapid iteration and infrastructure volatility, full system reimaging is often the only reliable remediation.
What Undercode Say:
This campaign represents a shift from malware files to malware behavior
Windows native tools are now primary execution engines, not attackers’ tools
Fileless design drastically reduces forensic visibility
Cloud services are being weaponized as camouflage infrastructure
HTML Smuggling removes the need for traditional payload delivery
WinRAR exploitation shows continued relevance of legacy software vulnerabilities
ADS abuse demonstrates deep OS-level knowledge by attackers
Scheduled tasks are being weaponized as persistence anchors
Telegram and similar platforms are becoming infrastructure brokers
Attack chains are now modular rather than monolithic
Each stage of infection is independently replaceable
Obfuscation is no longer enough; architectural stealth is key
VBScript remains surprisingly effective in modern attacks
PowerShell continues to dominate post-exploitation frameworks
Registry-based malware reduces disk forensics effectiveness
USB propagation remains relevant in air-gapped or semi-isolated systems
Language-based social engineering improves execution rates
C2 hiding inside legitimate platforms reduces blocking accuracy
Randomized HTTP headers bypass signature detection
Malware now behaves like distributed microservices
Defense must shift toward behavioral analytics
Signature-based detection is increasingly obsolete
System maintenance tasks are high-value attack disguise targets
NTFS features are dual-use attack surfaces
Memory execution reduces endpoint artifact recovery
Multi-stage loaders increase detection complexity
Cloudflare Workers are becoming stealth relay nodes
Threat actors prefer infrastructure blending over custom hosting
Attack resilience is achieved through redundancy of channels
Live configuration updates prevent static mitigation
Cyber espionage now mirrors advanced software engineering
Living-off-the-land binaries dominate execution flow
Persistence mechanisms are becoming OS-native
Malware evolution cycles are shortening significantly
Attribution remains stable but infrastructure is highly dynamic
Defense requires cross-layer correlation of telemetry
Endpoint logs alone are insufficient for detection
Memory forensics becomes critical in analysis pipelines
Threat hunting must prioritize anomaly detection patterns
This is a blueprint for next-generation APT ecosystems
❌ The campaign attribution to Gamaredon is widely assessed as credible by multiple threat intelligence sources, but attribution always carries uncertainty in cyber operations
❌ CVE-2025-8088 details are consistent with described exploitation patterns, though real-world exploitation confirmation depends on vendor advisories and patch status
❌ Use of NTFS ADS, PowerShell, VBScript, and scheduled tasks is well-documented in real APT behavior and aligns with known Windows abuse techniques
✅ The described “fileless + cloud hybrid architecture” matches modern APT evolution trends observed in recent global threat reports
Prediction:
(+1) Cyberattacks will increasingly abandon traditional malware files in favor of fully memory-resident execution chains integrated with cloud APIs and legitimate enterprise services ☁️
(+1) Detection systems will shift toward AI-driven behavioral correlation across endpoint, network, and cloud telemetry rather than signature-based defenses 🔍
(-1) Organizations relying on legacy Windows infrastructure and unpatched third-party tools will face rapidly increasing compromise rates due to stealth exploitation growth ⚠️
Deep Analysis: System-Level Investigation Perspective
Detect NTFS Alternate Data Streams usage
dir /r C:\Users\%USERNAME%
Inspect suspicious scheduled tasks
schtasks /query /fo LIST /v
Monitor script execution anomalies
Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational
Check registry persistence under console hive
reg query HKCU\Console
Detect mshta execution paths
Get-Process mshta -IncludeUserName
Monitor network connections from scripting engines
netstat -abno | findstr ESTABLISHED
Linux-side hunting via mounted forensic image
strings -a disk.img | grep -i supabase
Extract suspicious VBScript artifacts
grep -R "CreateObject" /mnt/forensic/
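The scheduled-task check above, carried one step further as an added example (not code from the report or from Sekoia): a parser for `schtasks /query /fo LIST /v` output that flags tasks whose action runs a scripting engine from an alternate data stream, pulls remote content the way the mshta stage does, or carries one of the maintenance-task names the report lists. TaskName and Task To Run are the LIST format's own field names; the sample output and the task actions in it are constructed.

```python
import re
# Maintenance task names the report says GammaWorm's tasks imitate.
LURE_NAMES = ("diskdiagnosticdatacollector", "silentcleanup", "smartretry")
SCRIPT_ENGINES = ("wscript.exe", "cscript.exe", "mshta.exe", "powershell.exe")
def ads_paths(cmdline):
    # A colon that is neither a drive letter (C:\) nor a URL scheme (://)
    # marks an alternate data stream such as %USERPROFILE%:GTR.
    toks = [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmdline)]
    return [t for t in toks
            if ":" in re.sub(r"^[A-Za-z]:", "", t) and "://" not in t]

def parse_schtasks_list(text):
    # LIST output is blank-line separated "Key:   value" lines; values may hold ':'.
    tasks, cur = [], {}
    for line in text.splitlines() + [""]:
        m = re.match(r"^(.+?):\s{2,}(.*)$", line)
        if m:
            cur[m.group(1).strip()] = m.group(2).strip()
        elif not line.strip() and cur:
            tasks, cur = tasks + [cur], {}
    return tasks

def suspicious_tasks(text):
    # Task name -> reasons, for entries matching the report's indicators.
    findings = {}
    for t in parse_schtasks_list(text):
        name, action = t.get("TaskName", ""), t.get("Task To Run", "")
        if not any(e in action.lower() for e in SCRIPT_ENGINES):
            continue                      # only scripting-engine actions
        reasons = []
        if ads_paths(action):
            reasons.append("script engine run from ADS path")
        if re.search(r"https?://", action, re.I):
            reasons.append("script engine pulling remote content")
        if any(l in name.lower() for l in LURE_NAMES):
            reasons.append("maintenance-task name with scripting action")
        if reasons:
            findings[name] = reasons
    return findings
# Constructed sample (not real telemetry): a genuine-looking SilentCleanup entry
# and two entries shaped like the report's indicators.
SAMPLE = """TaskName:              \\Microsoft\\Windows\\DiskCleanup\\SilentCleanup
Task To Run:           %windir%\\system32\\cleanmgr.exe /autoclean

TaskName:              \\SmartRetry
Task To Run:           wscript.exe //B "%USERPROFILE%:GTR"

TaskName:              \\Updater
Task To Run:           mshta.exe https://example.invalid/p
"""
```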
References:
Reported By: cyberpress.org