A new investigation has unmasked a relentless spearphishing campaign by the Russian-aligned threat actor Gamaredon, exposing their active exploitation of a known WinRAR vulnerability to infiltrate Ukrainian state institutions.
The Cyber Threat Research Team at HarfangLab has released a detailed report documenting a dozen waves of spearphishing attacks that trace back to September 2025 and remain active today. The campaign targets critical infrastructure across several Ukrainian oblasts, employing compromised government email accounts to deliver persistent, auto-generated malware variants dubbed GammaDrop and GammaLoad.
Gamaredon—also tracked as Aqua Blizzard, Primitive Bear, and UAC-0010—has weaponized CVE-2025-8088, a path traversal vulnerability affecting WinRAR versions up to 7.13.
The threat actors use compromised email accounts—or spoofed addresses that bypass weak SPF and DMARC checks—to send seemingly legitimate documents, such as court summonses written in Ukrainian. Attached to these emails is a malicious RAR archive.
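The spoofed-sender path the article mentions depends on how the impersonated domain publishes its SPF and DMARC records. As an added illustration, not code from the HarfangLab report, the following check takes a domain's SPF and DMARC TXT records and lists the settings that would let a forged From: address pass a receiving gateway. The three domains and their records are constructed for the example; in practice the function would be fed the result of a real DNS lookup.

```python
import re

# Constructed DNS TXT records for three hypothetical sender domains (no live lookups are made).
SAMPLE_RECORDS = {
    "weak.example":    {"spf": "v=spf1 include:_spf.mail.example ~all",
                        "dmarc": "v=DMARC1; p=none; rua=mailto:reports@weak.example"},
    "strict.example":  {"spf": "v=spf1 ip4:203.0.113.0/24 -all",
                        "dmarc": "v=DMARC1; p=reject; sp=reject; adkim=s; aspf=s"},
    "missing.example": {"spf": None, "dmarc": None},
}

def parse_dmarc(record):
    """Turn 'v=DMARC1; p=none; ...' into a dict of lower-cased tag names."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags

def assess_sender_policy(spf, dmarc):
    """Return the weaknesses that let a forged From: domain pass a receiver's checks."""
    findings = []
    if spf is None:
        findings.append("no SPF record: receivers cannot tell which hosts may send for the domain")
    else:
        terms = spf.split()
        if not terms or terms[0].lower() != "v=spf1":
            findings.append("SPF record is malformed (does not start with v=spf1)")
        # the 'all' mechanism decides what happens to senders not listed; only '-all' is a hard fail
        all_term = next((t for t in terms if t.lstrip("+-~?").lower() == "all"), None)
        if all_term is None:
            findings.append("SPF has no 'all' mechanism: unlisted senders get a neutral result")
        elif not all_term.startswith("-"):
            findings.append(f"SPF ends with '{all_term}': unlisted senders only softfail or pass")
    if dmarc is None:
        findings.append("no DMARC record: SPF/DKIM failures are never enforced on the From: domain")
    else:
        tags = parse_dmarc(dmarc)
        policy = tags.get("p", "none").lower()
        if policy == "none":
            findings.append("DMARC p=none: failures are reported but the mail is still delivered")
        elif policy == "quarantine":
            findings.append("DMARC p=quarantine: spoofed mail is filed as spam rather than rejected")
        if policy != "none" and tags.get("sp", policy).lower() == "none":
            findings.append("DMARC sp=none: subdomains of the sender can still be spoofed")
        pct = tags.get("pct", "100")
        if pct.isdigit() and int(pct) < 100:
            findings.append(f"DMARC pct={pct}: the policy is applied to only part of the mail")
    return findings

def assess_all(records):
    """Map each domain to its list of findings; an empty list means nothing weak was found."""
    return {domain: assess_sender_policy(r["spf"], r["dmarc"]) for domain, r in records.items()}
```

Running `assess_all(SAMPLE_RECORDS)` reports the soft-fail SPF and the `p=none` DMARC policy for `weak.example`, two findings for the domain with no records at all, and nothing for the strict one.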
“Upon extraction, the PDF is written normally, while the ADS entry’s path traversal causes WinRAR to resolve the stream name as a file path, writing the VBS payload to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup, achieving persistence via the Startup folder,” the report explains.
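The archive-level check a mail gateway or sandbox can run before an attachment ever reaches WinRAR is shown below as an added example. It is not HarfangLab's tooling and it does not reproduce the exploit: it is a small RAR5 header walker that flags any file name or NTFS stream name that would land outside the extraction directory. It follows the published RAR 5.0 header layout (signature, CRC32, variable-length sizes, file and service headers, extra records) and assumes, as WinRAR's format does, that an alternate data stream is stored as a service header named `STM` whose service-data record holds the stream name. The sample archive is constructed inside the block with empty data areas, and the names in it are placeholders, not the campaign's.

```python
import re
import zlib

# RAR 5.0 header constants (from the published archive format description)
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA, FHFL_MTIME, FHFL_CRC32 = 0x01, 0x02, 0x02, 0x04  # header / file-header flags
FHEXTRA_SUBDATA, STREAM_SERVICE = 0x07, "STM"  # service-data extra record; ADS service header name

def read_vint(buf, pos):  # variable-length int: 7 data bits per byte, 0x80 = more bytes follow
    value, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        value |= (b & 0x7F) << shift
        if not b & 0x80:
            return value, pos
        shift += 7

def vint(n):  # encoder, only needed to build the constructed sample below
    out = b""
    while n > 0x7F:
        out, n = out + bytes([(n & 0x7F) | 0x80]), n >> 7
    return out + bytes([n])

def escapes_target_dir(path):  # drive letter, absolute path or any '..' component
    norm = path.replace("\\", "/")
    return bool(re.match(r"^(/|[A-Za-z]:)", norm)) or ".." in norm.split("/")

def iter_headers(data):
    """Walk the archive, yielding (type, body, offset of type-specific fields, extra area size)."""
    if not data.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIG)
    while pos < len(data):
        stored_crc = int.from_bytes(data[pos:pos + 4], "little")
        size, start = read_vint(data, pos + 4)
        if zlib.crc32(data[pos + 4:start + size]) != stored_crc:  # CRC spans size field + body
            raise ValueError("header CRC mismatch at offset %d" % pos)
        body = data[start:start + size]
        htype, q = read_vint(body, 0)
        hflags, q = read_vint(body, q)
        extra_size = data_size = 0
        if hflags & HFL_EXTRA:
            extra_size, q = read_vint(body, q)
        if hflags & HFL_DATA:
            data_size, q = read_vint(body, q)
        yield htype, body, q, extra_size
        if htype == HEAD_END:
            return
        pos = start + size + data_size  # skip the packed data that follows the header

def parse_entry(body, q, extra_size):
    """Parse the file/service header fields; return (name, service-data bytes or None)."""
    fflags, q = read_vint(body, q)
    q = read_vint(body, read_vint(body, q)[1])[1]  # skip unpacked size and attributes
    q += (4 if fflags & FHFL_MTIME else 0) + (4 if fflags & FHFL_CRC32 else 0)
    q = read_vint(body, read_vint(body, q)[1])[1]  # skip compression info and host OS
    name_len, q = read_vint(body, q)
    name = body[q:q + name_len].decode("utf-8", "replace")
    extra, e, subdata = body[q + name_len:q + name_len + extra_size], 0, None
    while e < len(extra):  # extra records: size (counted from the type field), type, data
        rec_size, e = read_vint(extra, e)
        rec_type, r = read_vint(extra, e)
        if rec_type == FHEXTRA_SUBDATA:
            subdata = extra[r:e + rec_size]
        e += rec_size
    return name, subdata

def scan_rar5(data):
    """Return (kind, value) for every entry whose file or stream name would escape the target dir."""
    findings = []
    for htype, body, q, extra_size in iter_headers(data):
        if htype not in (HEAD_FILE, HEAD_SERVICE):
            continue
        name, subdata = parse_entry(body, q, extra_size)
        if htype == HEAD_FILE and escapes_target_dir(name):
            findings.append(("file-name", name))
        elif htype == HEAD_SERVICE and name == STREAM_SERVICE and subdata is not None:
            stream = subdata.decode("utf-8", "replace")
            if re.search(r"[\\/]|\.\.", stream):  # a genuine stream name carries no path separators
                findings.append(("ads-stream-name", stream))
    return findings

# Constructed sample archive: headers only, empty data areas, placeholder names (not the real lure).
def _header(htype, fields, extra=b""):
    body = vint(htype) + vint(HFL_EXTRA if extra else 0)
    body += (vint(len(extra)) if extra else b"") + fields + extra
    size = vint(len(body))
    return zlib.crc32(size + body).to_bytes(4, "little") + size + body

def _entry(htype, name, subdata=None):
    rec = b"" if subdata is None else vint(FHEXTRA_SUBDATA) + subdata
    extra = vint(len(rec)) + rec if rec else b""
    enc = name.encode("utf-8")
    fields = vint(0) + vint(0) + vint(0x20) + vint(0) + vint(0)  # flags, size, attrs, comp, host OS
    return _header(htype, fields + vint(len(enc)) + enc, extra)

SAMPLE_ARCHIVE = RAR5_SIG + _header(HEAD_MAIN, vint(0)) + b"".join([
    _entry(HEAD_FILE, "summons.pdf"),                               # ordinary file
    _entry(HEAD_SERVICE, STREAM_SERVICE, b":Zone.Identifier"),      # ordinary stream
    _entry(HEAD_FILE, "..\\..\\escaped.txt"),                       # traversal in a file name
    _entry(HEAD_SERVICE, STREAM_SERVICE, b":..\\..\\escaped.vbs"),  # traversal in a stream name
]) + _header(HEAD_END, vint(0))

FINDINGS = scan_rar5(SAMPLE_ARCHIVE)  # -> the two traversal entries, file name and stream name
```

The scanner deliberately treats both kinds of name the same way: an ordinary path is rejected if any component is `..` or it is absolute, and a stream name is rejected as soon as it contains a path separator at all, since a real NTFS stream name never does. Encrypted headers and multi-volume sets are out of scope here; a gateway would also want to reject archives whose headers fail the CRC check rather than just raise.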
This initial VBS payload, known as GammaDrop, is a heavily obfuscated downloader. Its primary function is to reach out to a Cloudflare Workers C2 server to fetch and execute the next stage of the attack.
Once GammaDrop secures a foothold, it pulls down GammaLoad, a two-layered VBScript wrapped inside an HTML Application (HTA) file.
According to the HarfangLab analysis, GammaLoad acts as a persistent C2 beacon. It profiles the infected host by collecting the computer name, system drive, and volume serial number. This data is then formatted and embedded directly into the User-Agent header of HTTP GET requests sent to the threat actor’s infrastructure.
“Both variants function as downloaders, while GammaLoad additionally established persistence and beacons victim data to the C2 server, enabling the operator to selectively deliver a tailored payload,” the report states.
The malware utilizes a primary Cloudflare-proxied domain and a fallback .ru domain, looping every 3.5 minutes until the operator manually serves the final payload.
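The beaconing pattern described above (host profile carried in the User-Agent, a fixed-interval GET loop to one destination) is what a proxy-log detection would key on. The block below is an added example, not part of the HarfangLab report, and the User-Agent encoding in its sample log is invented because the page does not give the real format. It groups requests by client and destination, measures how regular the gaps between them are, and raises the score when the User-Agent is used for that destination only and does not look like a browser. A benign periodic updater is included in the constructed log to show why timing alone is not enough.

```python
import re
import statistics
from collections import defaultdict
from datetime import datetime

# Constructed proxy log (not from the report): time, client, destination host, method, User-Agent.
# "worker-c2.example.net" stands in for a proxied C2 host; the beacon User-Agent format is invented.
SAMPLE_LOG = """\
2025-10-01T09:00:00Z 10.0.0.5 updates.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:00:07Z 10.0.0.5 cdn.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:00:10Z 10.0.0.5 worker-c2.example.net GET WS-DESK17::C:::1A2B3C4D
2025-10-01T09:02:00Z 10.0.0.5 mail.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:03:40Z 10.0.0.5 worker-c2.example.net GET WS-DESK17::C:::1A2B3C4D
2025-10-01T09:07:10Z 10.0.0.5 worker-c2.example.net GET WS-DESK17::C:::1A2B3C4D
2025-10-01T09:10:41Z 10.0.0.5 worker-c2.example.net GET WS-DESK17::C:::1A2B3C4D
2025-10-01T09:14:10Z 10.0.0.5 worker-c2.example.net GET WS-DESK17::C:::1A2B3C4D
2025-10-01T09:00:00Z 10.0.0.7 telemetry.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:01:30Z 10.0.0.7 www.example.org GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:05:00Z 10.0.0.7 telemetry.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:10:00Z 10.0.0.7 telemetry.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
2025-10-01T09:15:00Z 10.0.0.7 telemetry.example.net GET Mozilla/5.0 (Windows NT 10.0; Win64; x64) Chrome/120
"""

BROWSER_UA = re.compile(r"^(Mozilla|Opera)/\d")  # crude "looks like a browser" test

def parse_log(text):
    """Split each line into (timestamp, client, host, method, user-agent); the UA may contain spaces."""
    rows = []
    for line in text.strip().splitlines():
        ts, client, host, method, ua = line.split(None, 4)
        rows.append((datetime.strptime(ts, "%Y-%m-%dT%H:%M:%SZ"), client, host, method, ua))
    return rows

def find_beacons(rows, min_hits=4, max_jitter=0.05):
    """Score each regularly timed (client, host) pair: +1 regular, +1 dedicated UA, +1 non-browser UA."""
    by_pair = defaultdict(list)
    ua_hosts = defaultdict(set)  # (client, ua) -> every host that UA was sent to
    for ts, client, host, _method, ua in rows:
        by_pair[(client, host)].append((ts, ua))
        ua_hosts[(client, ua)].add(host)
    findings = []
    for (client, host), hits in by_pair.items():
        if len(hits) < min_hits:
            continue
        hits.sort()
        gaps = [(b - a).total_seconds() for (a, _), (b, _) in zip(hits, hits[1:])]
        mean = statistics.mean(gaps)
        if mean <= 0:
            continue
        jitter = statistics.pstdev(gaps) / mean  # 0 = perfectly regular timer
        if jitter > max_jitter:
            continue
        uas = sorted({ua for _, ua in hits})
        dedicated_ua = all(ua_hosts[(client, ua)] == {host} for ua in uas)
        non_browser_ua = not all(BROWSER_UA.match(ua) for ua in uas)
        findings.append({
            "client": client, "host": host, "hits": len(hits),
            "period_s": round(mean), "jitter": round(jitter, 3),
            "dedicated_ua": dedicated_ua, "non_browser_ua": non_browser_ua,
            "score": 1 + int(dedicated_ua) + int(non_browser_ua),
            "user_agents": uas,
        })
    return sorted(findings, key=lambda f: -f["score"])

def beacon_suspects(text, min_score=2):
    """Parse a log and keep only the pairs that are regular and have at least one UA anomaly."""
    return [f for f in find_beacons(parse_log(text)) if f["score"] >= min_score]

if __name__ == "__main__":
    for f in beacon_suspects(SAMPLE_LOG):
        print(f"{f['client']} -> {f['host']}: every ~{f['period_s']}s, score {f['score']}, UA {f['user_agents']}")
```

On the constructed log the 10.0.0.5 loop is reported with a period of about 210 seconds (the 3.5-minute interval from the report) and the maximum score, while the 10.0.0.7 updater is just as regular but keeps score 1, because its User-Agent is a normal browser string that the same client also sends elsewhere. In a real deployment the period would be learned rather than hard-coded, and the jitter threshold tuned against the environment's own scheduled traffic.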
The report highlights Gamaredon’s rapid iteration of both tooling and infrastructure. The threat actor relies heavily on fast flux DNS, dynamic DNS providers, and compromised Ukrainian email relays. In a notable shift observed in May 2026, the group transitioned from using RAR archives to ARJ archives (disguised with .rar or .zip extensions) in an apparent attempt to bypass updated security filters.
“The supporting infrastructure combines Cloudflare Workers domains, fast flux DNS, dynamic DNS providers, and attacker-controlled email relays – all constantly evolving,” the report notes.
Gamaredon’s targeting remains laser-focused. Since their emergence in 2013, the group has almost exclusively targeted Ukraine. This latest campaign is no different, aiming squarely at regional directorates of the Security Service of Ukraine (SSU), military units, and local government offices across Odesa, Sumy, Lviv, and other key regions.
While the attack chain may lack technical novelty, it is highly effective. As the HarfangLab researchers concluded: “The group’s strength lies in its relentless operational tempo and scale.” By continuously rotating their infrastructure and mutating their VBScript tooling, Gamaredon ensures their campaigns remain a persistent and pervasive threat to Ukrainian cybersecurity.