Ghost in Windows: How Gamaredon’s Fileless Cyber Warfare Is Silently Infiltrating Ukrainian Systems + Video

Introduction: The Invisible War Hidden Inside Windows

A new wave of cyber espionage has quietly escalated into something far more unsettling than traditional malware campaigns. Security researchers from Sekoia.io have uncovered an active operation attributed to the Russia-linked APT group Gamaredon, also known as ACTINIUM, Armageddon, and UAC-0010. What makes this campaign alarming is not just its target set (Ukrainian government, military, and critical infrastructure) but its near-total reliance on fileless execution techniques that abuse native Windows components and trusted cloud infrastructure.

This is not a simple malware drop. It is a carefully engineered, multi-stage intrusion ecosystem designed to live inside legitimate processes, blend into cloud traffic, and avoid leaving traditional forensic traces.

Summary of the Original Findings: A Silent, Layered Infection Machine

The investigation, initiated through a YARA-based hunting operation in January 2026, allowed researchers to reconstruct a large portion of Gamaredon’s evolving attack chain using more than 70 forensic artifacts extracted from compromised systems.

The attack begins with phishing-delivered XHTML files that leverage HTML Smuggling to deploy malicious archives. These archives exploit a WinRAR vulnerability (CVE-2025-8088) to silently drop hidden HTA files into Windows Startup folders. From there, Windows native tools like mshta.exe, VBScript, PowerShell, and scheduled tasks take over execution.

The campaign progresses into modular malware families such as GammaPhish, GammaLoad, GammaWorm, and GammaSteel. Each stage is designed to escalate stealth, persistence, and control while minimizing disk-based footprints.

Initial Entry: HTML Smuggling and Silent Exploitation

The infection chain begins with a weaponized XHTML file, likely delivered through spearphishing emails. Instead of directly attaching malware, attackers use HTML Smuggling to generate a malicious RAR archive inside the victim’s browser environment.

That archive exploits CVE-2025-8088, a critical WinRAR path traversal vulnerability affecting versions prior to 7.13. The exploit allows hidden HTA files to be placed directly into Windows Startup directories.

This ensures execution at the next login without requiring user interaction, turning routine system behavior into an automated infection trigger.

Living Off Windows: mshta.exe and Cloud Disguise

Once the HTA file executes, it launches mshta.exe to fetch remote payloads hosted on cloud infrastructure, particularly Supabase services.

To avoid detection, requests are disguised with fake authentication prefixes such as “www.bbc.com” in the request URL, so that a casual glance, and even some automated filters, see a trusted domain rather than the real host.

This stage, called GammaPhish, acts as a loader that fingerprints the system and prepares it for deeper infection chains.

GammaWorm: The Fileless Beast Inside NTFS

The most advanced component in the campaign is GammaWorm, a heavily obfuscated VBScript worm exceeding 20,000 lines of code. Its defining innovation lies in abusing NTFS Alternate Data Streams (ADS), a legitimate Windows feature intended for file metadata compatibility.

Instead of writing visible files, GammaWorm hides modules inside streams like:

%USERPROFILE%:GTR

:URL

:LNK

:SERVER

These hidden components are activated through scheduled tasks disguised as legitimate Windows maintenance operations such as DiskDiagnosticDataCollector, SilentCleanup, and SmartRetry.

The result is malware that effectively exists outside normal file visibility.
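The streams named above can be enumerated from PowerShell, since the FileSystem provider exposes alternate data streams on files and directories alike. The following is an added hunting example, not code from the Sekoia report; the stream names GTR, URL, LNK and SERVER come from the article, while the HIGH/REVIEW labels and the benign-stream list are this example's own assumptions.

```powershell
# Added hunting example (not from the Sekoia report): list NTFS alternate data
# streams on the user profile folder and on each entry directly beneath it.
# GammaWorm is reported to stash modules in streams named GTR, URL, LNK and
# SERVER on %USERPROFILE%; those names are labelled HIGH, and any other stream
# except the default $DATA stream and the browser Zone.Identifier marker is
# labelled REVIEW. The labels are this example's own convention.
$profileRoot = $env:USERPROFILE
$knownBad    = @('GTR', 'URL', 'LNK', 'SERVER')     # stream names cited in the report
$benign      = @(':$DATA', 'Zone.Identifier')       # default data stream and MOTW marker

# The profile directory itself is a target (%USERPROFILE%:GTR), so include it explicitly
$targets = @(Get-Item -LiteralPath $profileRoot) +
           @(Get-ChildItem -LiteralPath $profileRoot -Force -ErrorAction SilentlyContinue)

$findings = foreach ($item in $targets) {
    # -Stream * enumerates every named stream; directories can carry streams too
    $streams = Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue
    foreach ($s in $streams) {
        if ($benign -contains $s.Stream) { continue }
        $severity = if ($knownBad -contains $s.Stream) { 'HIGH' } else { 'REVIEW' }
        [pscustomobject]@{
            Severity = $severity
            Path     = $item.FullName
            Stream   = $s.Stream
            Bytes    = $s.Length
        }
    }
}

$findings | Sort-Object Severity | Format-Table -AutoSize
```

A flagged stream can be read for triage with `Get-Content -LiteralPath <path> -Stream <name> -Raw` before the host is reimaged; `dir /r` from cmd.exe shows the same streams but without the filtering.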

Propagation Strategy: USB, Network Lures, and Social Engineering

GammaWorm spreads aggressively across USB drives and network shares. It hides legitimate folders and replaces them with malicious shortcut files (LNKs).

These files use Ukrainian-language filenames designed to appear as military or government documents, increasing the likelihood of execution in targeted environments.

This is not just technical exploitation; it is behavioral manipulation built into the propagation layer.

Dead Drop Resolvers: Hiding Infrastructure in Plain Sight

Instead of relying on static command-and-control servers, GammaWorm uses Dead Drop Resolvers (DDRs). These are publicly accessible platforms such as Telegram posts, Telegram channels, Telegra.ph pages, Teletype.in content, and Cloudflare Workers endpoints.

These platforms store encrypted or encoded pointers to live C2 servers, which are then written into Windows registry keys under HKCU\Console.

This hybrid architecture makes traditional network-based blocking extremely difficult.

Infinite Loop Execution and Adaptive Control

GammaWorm operates in a continuous execution loop. It sends HTTP POST requests containing system fingerprint data hidden inside randomized headers rather than payload bodies.

Depending on server responses, it can:

Execute new VBScript payloads entirely in memory

Update its C2 configuration dynamically

Redirect communication channels without file modification

This creates a living malware system that evolves in real time.

GammaSteel: The Silent Data Exfiltration Engine

Researchers also identified GammaSteel, a modular PowerShell-based stealer that resides entirely in the Windows registry.

It consists of 71 encrypted modules protected by Windows DPAPI, making static analysis difficult. Its primary goal is data exfiltration, including documents from USB devices and local storage.

Stolen data is sent to S3-compatible cloud storage or fallback command servers controlled by operators.

Indicators of Compromise: What Defenders Should Hunt

Security teams should monitor for:

ADS creation in %USERPROFILE%

Suspicious registry activity under HKCU\Console

Execution of wscript.exe with colon-based paths

WinRAR exploitation artifacts

Unexpected scheduled tasks mimicking system maintenance
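Two of these indicators, the maintenance-lookalike scheduled tasks and the HKCU\Console registry values, can be checked on a live host with the added example below. It is not code from the Sekoia report; the task names and the registry key come from the article, while the script-host list, the ADS-path pattern and the "long string in HKCU\Console" heuristic are this example's own assumptions and yield review candidates, not verdicts.

```powershell
# Added hunting example (not from the Sekoia report): two checks for a suspect host.
# 1) Scheduled tasks that reuse maintenance-style names but launch a script host,
#    or whose action references a colon-based ADS path.
# 2) HKCU\Console values that look like stashed C2 configuration rather than
#    console display settings. Both checks are heuristics.
$lureNames   = @('DiskDiagnosticDataCollector', 'SilentCleanup', 'SmartRetry')  # names cited in the report
$scriptHosts = '(?i)\b(wscript|cscript|mshta|powershell|pwsh)(\.exe)?\b'
# A colon after a file or folder name (not a drive letter) addresses an ADS, e.g. %USERPROFILE%:GTR
$adsPath     = '(?i)(?<![A-Za-z0-9])(?:[^\s\\:"]{2,}|\\[^\s\\:"]+):[A-Za-z0-9_.\-]+'

function Find-SuspiciousTask {
    foreach ($task in Get-ScheduledTask) {
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            $why = @()
            if (($lureNames -contains $task.TaskName) -and ($cmd -match $scriptHosts)) { $why += 'maintenance-style name runs a script host' }
            if ($cmd -match $adsPath) { $why += 'action references an ADS path' }
            if (($task.TaskPath -eq '\') -and ($cmd -match $scriptHosts)) { $why += 'script host task at the task-library root' }
            if ($why.Count -gt 0) {
                [pscustomobject]@{ Task = $task.TaskPath + $task.TaskName; Command = $cmd; Why = ($why -join '; ') }
            }
        }
    }
}

function Find-SuspiciousConsoleValue {
    # HKCU\Console and its per-window subkeys normally hold DWORD display settings
    # and a few short strings (FaceName, WordDelimiters); long strings or URLs do not belong here.
    foreach ($key in @(Get-Item 'HKCU:\Console') + @(Get-ChildItem 'HKCU:\Console' -Recurse)) {
        foreach ($name in $key.GetValueNames()) {
            $kind  = $key.GetValueKind($name)
            $value = $key.GetValue($name)
            $text  = if ($value -is [byte[]]) { [Convert]::ToBase64String($value) } else { "$value" }
            if (($kind -in 'String', 'MultiString', 'Binary') -and ($text.Length -gt 64 -or $text -match '(?i)https?://|supabase')) {
                [pscustomobject]@{ Key = $key.Name; Value = $name; Kind = $kind; Preview = $text.Substring(0, [Math]::Min(80, $text.Length)) }
            }
        }
    }
}

Find-SuspiciousTask | Format-Table -AutoSize
Find-SuspiciousConsoleValue | Format-Table -AutoSize
```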

Sekoia researchers emphasize that due to rapid iteration and infrastructure volatility, full system reimaging is often the only reliable remediation.

What Undercode Says:

This campaign represents a shift from malware files to malware behavior

Windows native tools are now primary execution engines, not attackers’ tools

Fileless design drastically reduces forensic visibility

Cloud services are being weaponized as camouflage infrastructure

HTML Smuggling removes the need for traditional payload delivery

WinRAR exploitation shows continued relevance of legacy software vulnerabilities

ADS abuse demonstrates deep OS-level knowledge by attackers

Scheduled tasks are being weaponized as persistence anchors

Telegram and similar platforms are becoming infrastructure brokers

Attack chains are now modular rather than monolithic

Each stage of infection is independently replaceable

Obfuscation is no longer enough; architectural stealth is key

VBScript remains surprisingly effective in modern attacks

PowerShell continues to dominate post-exploitation frameworks

Registry-based malware reduces disk forensics effectiveness

USB propagation remains relevant in air-gapped or semi-isolated systems

Language-based social engineering improves execution rates

C2 hiding inside legitimate platforms reduces blocking accuracy

Randomized HTTP headers bypass signature detection

Malware now behaves like distributed microservices

Defense must shift toward behavioral analytics

Signature-based detection is increasingly obsolete

System maintenance tasks are high-value attack disguise targets

NTFS features are dual-use attack surfaces

Memory execution reduces endpoint artifact recovery

Multi-stage loaders increase detection complexity

Cloudflare Workers are becoming stealth relay nodes

Threat actors prefer infrastructure blending over custom hosting

Attack resilience is achieved through redundancy of channels

Live configuration updates prevent static mitigation

Cyber espionage now mirrors advanced software engineering

Living-off-the-land binaries dominate execution flow

Persistence mechanisms are becoming OS-native

Malware evolution cycles are shortening significantly

Attribution remains stable but infrastructure is highly dynamic

Defense requires cross-layer correlation of telemetry

Endpoint logs alone are insufficient for detection

Memory forensics becomes critical in analysis pipelines

Threat hunting must prioritize anomaly detection patterns

This is a blueprint for next-generation APT ecosystems

❌ The campaign attribution to Gamaredon is widely assessed as credible by multiple threat intelligence sources, but attribution always carries uncertainty in cyber operations
❌ CVE-2025-8088 details are consistent with described exploitation patterns, though real-world exploitation confirmation depends on vendor advisories and patch status
❌ Use of NTFS ADS, PowerShell, VBScript, and scheduled tasks is well-documented in real APT behavior and aligns with known Windows abuse techniques
✅ The described “fileless + cloud hybrid architecture” matches modern APT evolution trends observed in recent global threat reports

Prediction:

(+1) Cyberattacks will increasingly abandon traditional malware files in favor of fully memory-resident execution chains integrated with cloud APIs and legitimate enterprise services ☁️
(+1) Detection systems will shift toward AI-driven behavioral correlation across endpoint, network, and cloud telemetry rather than signature-based defenses 🔍
(-1) Organizations relying on legacy Windows infrastructure and unpatched third-party tools will face rapidly increasing compromise rates due to stealth exploitation growth ⚠️

Deep Analysis: System-Level Investigation Perspective

Detect NTFS Alternate Data Streams usage

dir /r C:\Users\%USERNAME%

Inspect suspicious scheduled tasks

schtasks /query /fo LIST /v

Monitor script execution anomalies

Get-WinEvent -LogName Microsoft-Windows-PowerShell/Operational

Check registry persistence under console hive

reg query HKCU\Console /s

Detect mshta execution paths

Get-Process mshta -IncludeUserName

Monitor network connections from scripting engines

netstat -abno | findstr ESTABLISHED

Linux-side hunting via mounted forensic image

strings -a disk.img | grep -i supabase

Extract suspicious VBScript artifacts

grep -R "CreateObject" /mnt/forensic/


References:

Reported By: cyberpress.org