Russian Hackers Gamaredon Weaponize WinRAR Flaw for First Destructive Strike


A Russian state-aligned hacking group spent 2025 quietly crossing a line it had avoided for more than a decade, according to new research from ESET, the Slovak cybersecurity firm. The group, tracked as Gamaredon and attributed by Ukraine’s Security Service (SBU) to the 18th Center of Information Security within Russia’s Federal Security Service (FSB), has spent more than a decade stealing data from Ukrainian government and military networks. In November 2025, it used a newly weaponized WinRAR vulnerability to deploy wiper malware against a Ukrainian target — the group’s first confirmed destructive operation, rather than espionage alone.

ESET’s report covers Gamaredon’s full 2025 calendar year and was published June 25, 2026, with The Hacker News’ syndicated coverage of the findings landing June 29, 2026. The firm recorded 35 distinct spear-phishing campaigns against fresh targets, the bulk of them concentrated in the second half of the year, alongside six brand-new PowerShell-based tools and the revival of a VBScript weaponizer last seen active in 2021.

WinRAR Flaw Becomes Weapon Against Ukraine

The technical centerpiece of Gamaredon’s 2025 escalation is CVE-2025-8088, a high-severity path-traversal vulnerability in WinRAR that ESET researchers themselves discovered during active exploitation in July 2025. The flaw abuses NTFS Alternate Data Streams to trick WinRAR into writing a hidden payload — commonly a malicious shortcut file — outside the folder a user actually chose to extract to, most often straight into the Windows Startup folder. The victim sees only an innocuous decoy file, such as a fake PDF, while a second hidden payload silently plants itself to run automatically the next time the machine reboots. WinRAR’s maker patched the bug in version 7.13 on July 30, 2025, but Gamaredon began exploiting it anyway from late September, using it to drop HTA downloaders directly into victims’ Startup folders.
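The traversal described above can be screened for before extraction. The following is an added example, not ESET's or WinRAR's code: it assumes the malicious archive entry carries the escape in its NTFS Alternate Data Stream name (the part after the colon), joins that stream name to the user's chosen extraction folder, and flags any entry that would resolve outside it. The entry names, extraction directory and username are constructed for the example.

```python
import ntpath

# Extraction folder the user chose (constructed for this example).
EXTRACT_DIR = r"C:\Users\victim\Downloads\report"
# Path fragment that identifies the per-user Startup folder.
STARTUP_MARKER = r"\Microsoft\Windows\Start Menu\Programs\Startup"

# Constructed archive listing: a decoy PDF, the same decoy with an ADS whose
# stream name is a relative path into Startup, and a benign ADS entry.
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "Invoice_2025.pdf:..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "readme.txt:Zone.Identifier",
]


def resolves_outside(extract_dir, relative_target):
    """True if relative_target, joined to extract_dir, escapes extract_dir."""
    root = ntpath.normpath(extract_dir)
    target = ntpath.normpath(ntpath.join(root, relative_target))
    common = ntpath.commonpath([root, target])
    return ntpath.normcase(common) != ntpath.normcase(root)


def flag_ads_traversal(entries, extract_dir=EXTRACT_DIR):
    """Return (entry_name, reason) for ADS entries that would land outside extract_dir."""
    findings = []
    for name in entries:
        base, sep, stream = name.partition(":")
        if not sep:
            continue  # plain file name, no alternate data stream
        if not resolves_outside(extract_dir, stream):
            continue  # stream stays under the chosen folder (e.g. Zone.Identifier)
        reason = "ADS stream name escapes the extraction directory"
        landing = ntpath.normpath(ntpath.join(extract_dir, stream))
        if STARTUP_MARKER.lower() in landing.lower():
            reason += " and lands in the Startup folder"
        findings.append((name, reason))
    return findings


if __name__ == "__main__":
    for entry, reason in flag_ads_traversal(SAMPLE_ENTRIES):
        print(f"SUSPICIOUS: {entry}\n  {reason}")
```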

The stakes go beyond persistence. Security firm ClearSky has separately reported that Gamaredon used CVE-2025-8088 in November 2025 to deploy wiper malware dubbed GamaWiper. For a group whose decade-long playbook has been built almost entirely around quiet data theft, a confirmed data-destroying operation marks a real shift in what a Gamaredon intrusion can now cost a victim — not just stolen documents, but wiped systems.

How Does Gamaredon Get Into Ukrainian Networks?

Most of Gamaredon’s 2025 campaigns still followed a tested formula: malicious archive attachments or XHTML files exploiting HTML smuggling, a technique that hides malicious code inside an otherwise innocent-looking web page or file to slip past email security filters. Once opened, these files deliver HTA downloaders that quietly install further payloads, including a tool called PteroSand, designed to siphon sensitive data from infected machines.

What changed is the depth of the group’s toolkit. ESET identified six new PowerShell-based tools introduced over the year: PteroDee and PteroCache, which fetch and run PowerShell payloads in memory; PteroDum, which does the same for VBScript payloads; PteroOdd, a minimal downloader that pulls a single PowerShell payload via the Telegra.ph API and appears tied to Gamaredon’s collaboration with a second FSB-linked group; PteroEffigy, which uses the GoFile cloud storage service to fetch command-and-control details; and PteroPaste, the most complex addition, which combines a downloader, a USB-infection mechanism, and a persistence component that repeatedly checks compromised machines for removable drives so it can spread further.

Older tools got new life, too. PteroLNK and PteroPaste enable lateral movement by planting malicious shortcut files on USB and network drives that execute when an unsuspecting user opens them. ESET also spotted a resurgence of PteroSetup, a VBScript-based tool first seen in 2021 and long believed retired, which scans removable and mapped drives for legitimate installer files and swaps them for self-extracting archives carrying a hidden downloader.

Hiding Behind Apps Millions of People Use Every Day

The more consequential shift, according to ESET, lies less in the malware itself than in how Gamaredon now hides its infrastructure. The group leaned increasingly on tunneling services, serverless worker platforms, dynamic DNS, and mainstream cloud storage to mask its command-and-control servers, making the operation harder for defenders to map and disrupt.

Legitimate platforms including Telegram, Telegraph, Dropbox, GoFile, Mastodon, and Cloudflare tunnels and workers have all been pressed into service as so-called dead-drop resolvers — places where compromised machines can quietly check in for instructions without ever contacting infrastructure that looks obviously malicious. The technique borrows directly from Cold War-era espionage tradecraft: rather than two operatives meeting directly, one leaves information in a public or hidden location for the other to retrieve later. For exfiltrating stolen data, ESET says upgraded file-stealing tools shifted their cloud storage destinations multiple times throughout the year, moving between S3-compatible providers before settling on a service called Intercolo by December.

This creates a genuine dilemma for defenders that a bare list of the underlying tactics doesn’t fully convey on its own: when an espionage operation routes its persistence and data theft through Dropbox, Telegram, or Cloudflare, simply blocking those services isn’t a realistic option for most organizations, since billions of legitimate users rely on the same platforms every day. Network defenders are increasingly forced to monitor and selectively scrutinize traffic to services they cannot afford to block outright — a structural problem that grows more acute the more APT groups adopt the same tactic.

ESET researcher Zoltán Rusnák said the group’s update schedule offers a clue to who is behind the keyboard. Many tool updates clustered around major Russian and Crimean holidays, with development pausing during the holidays themselves — a pattern Rusnák said is consistent with operators who work as government employees rather than independent criminal actors.

Gamaredon’s Decade of Attacks on Ukraine in Numbers

Gamaredon’s 2025 activity sits on top of a long, independently documented record. Ukraine’s SBU has attributed more than 5,000 cyberattacks on Ukrainian critical infrastructure and state institutions to the FSB officers behind the group, including intrusions targeting the Ministry of Foreign Affairs and the Ministry of Economic Development, with the explicit goal of accessing classified government documents and servers. Ukraine’s CERT-UA recorded 277 separate incidents attributed to Gamaredon in 2023 alone. Two FSB-linked operators connected to the group were sentenced in absentia to 15 years in prison by a Ukrainian court, while the European Council separately sanctioned individuals linked to Gamaredon for attacks with what it called “significant impact” on EU member-state and Ukrainian governments.

The group, which has also operated under the names Primitive Bear, Armageddon, Shuckworm, Actinium, and Aqua Blizzard depending on the security vendor doing the tracking, has been active since at least 2013 and is believed to operate out of Russian-occupied Crimea. Since Russia’s full-scale 2022 invasion, its targeting has expanded beyond Ukraine to include attempted intrusions against NATO members Bulgaria, Latvia, Lithuania, and Poland.

Pattern of Cooperation Among Russia-Aligned Groups

ESET’s research also points to growing coordination among Russia-aligned threat groups. The firm found that Gamaredon collaborated with Turla, another FSB-linked APT, on at least three occasions in 2025 — in February, April, and June — using Gamaredon tools including PteroGraphin and PteroPaste to deploy and restart Turla’s Kazuar backdoor on infected Ukrainian machines. ESET researchers Matthieu Faou and Zoltán Rusnák said they now believe with high confidence that the two FSB-affiliated groups are cooperating, with Gamaredon providing initial access that Turla then exploits.

Separately, ESET observed a different Russia-aligned actor, UAC-0099, conducting initial intrusions before handing validated targets off to the destructive group Sandworm for follow-up operations. The division of labor mirrors a structure familiar from conventional intelligence work: one team specializes in breaking in, another in what happens after.

What Organizations Can Do Right Now

ESET’s Jean-Ian Boutin, the firm’s director of threat research, recommended that organizations limit PowerShell access for non-administrative users and restrict scripting tools such as Windows Management Instrumentation where business needs allow, given Gamaredon’s heavy reliance on PowerShell-based malware. Defenders are also being urged to tighten controls around USB devices — scanning or sanitizing removable media, or banning unvetted drives outright — given the group’s long-standing use of infected USB drives as an infection vector. Updating WinRAR to version 7.13 or later closes the specific path used for the group’s Startup-folder persistence trick.

With the war in Ukraine showing no sign of ending, ESET expects Gamaredon to keep evolving its tactics and intensifying its operations against Ukrainian institutions. The group’s pivot toward destructive capability, its growing reliance on infrastructure that ordinary internet users depend on every day, and its deepening cooperation with other FSB-aligned operators together suggest an adversary settling in for a much longer fight than a single patched vulnerability can resolve.


Frequently Asked Questions

Is the Gamaredon hacking group really linked to Russia’s government?

Yes. Ukraine’s Security Service (SBU) has publicly attributed Gamaredon’s leadership to officers of the 18th Center of Information Security within Russia’s FSB, based in Russian-occupied Crimea. Multiple independent cybersecurity firms, including ESET, Microsoft, and Palo Alto Networks’ Unit 42, have separately corroborated the FSB connection.

What is CVE-2025-8088, and is my WinRAR installation affected?

CVE-2025-8088 is a path-traversal vulnerability in WinRAR for Windows, patched in version 7.13 on July 30, 2025. If you or your organization run an older version, updating immediately closes the flaw that Gamaredon and several other Russia-aligned groups have used to plant malware in the Windows Startup folder.

Why can’t security teams just block the cloud services Gamaredon is abusing?

Because the same services — Telegram, Dropbox, Cloudflare, Mastodon — are used by billions of legitimate users and businesses every day. Outright blocking them is often impractical, which is precisely why APT groups like Gamaredon have shifted toward hiding inside ordinary internet traffic rather than building easily blockable infrastructure of their own.

Has Gamaredon attacked targets outside Ukraine?

Yes. While Ukrainian government and military institutions remain its primary focus, Gamaredon has attempted intrusions against organizations in NATO member states including Bulgaria, Latvia, Lithuania, and Poland since Russia’s 2022 invasion of Ukraine, and two individuals linked to the group have been sanctioned by the European Council for attacks affecting EU governments.
