Gamaredon Hides USB Worm in NTFS Alternate Data Streams

Sekoia documents an active Gamaredon campaign using NTFS Alternate Data Streams to conceal USB worm modules targeting Ukrainian government networks.

    Sekoia has published research documenting an active Gamaredon campaign targeting Ukrainian government, military, and critical infrastructure networks. The campaign uses NTFS Alternate Data Streams to conceal worm modules alongside legitimate files, a technique chosen specifically for its resistance to both standard file system inspection and forensic investigation. Sekoia confirmed the campaign was ongoing at the time of the report’s publication.

    Initial Access Through CVE-2025-8088

    Gamaredon gains initial access through the GammaPhish spear-phishing kit. Targets receive a malicious xHTML file that delivers a RAR archive exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR. Because the traversal controls where extracted files land, the archive writes a hidden HTA file directly into the Windows Startup folder during extraction, so persistence is in place as soon as the archive is opened and the HTA runs at the next logon without any further action from the user.
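    The Startup folder is one of the first places to check for this campaign's foothold, and a hidden HTA there is easy to miss in Explorer. The following PowerShell inventories the all-users Startup folder and the per-user Startup folder of every profile on disk, including hidden items, resolves shortcut targets, and flags files that should not be auto-running from there. This is an added example for triage and is not Sekoia's tooling or anything from the report; the extension list and the process-name pattern are the author's choices, and the script assumes Windows PowerShell 5.1 or later.

```powershell
# Added example, not Sekoia's tooling: inventory Startup folders on a host,
# including hidden items, resolve LNK targets, and flag script-host content.
# Assumes Windows PowerShell 5.1 or later. The extension list and the
# process-name regex below are the author's choices, not indicators from the report.

# Machine-wide Startup plus the per-user Startup folder of every profile on disk
# (GetFolderPath('Startup') would only cover the account running the script).
$startupDirs = @([Environment]::GetFolderPath('CommonStartup'))
$startupDirs += Get-ChildItem -Path "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
    ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' }

# HTA and script-host files auto-running from Startup deserve a look on any workstation.
$scriptLike = @('.hta', '.vbs', '.vbe', '.js', '.jse', '.wsf', '.wsh', '.ps1', '.bat', '.cmd')
$hostPattern = 'mshta|wscript|cscript|powershell|cmd\.exe|rundll32|regsvr32'
$shell = New-Object -ComObject WScript.Shell

$inventory = foreach ($dir in $startupDirs) {
    if (-not (Test-Path -LiteralPath $dir)) { continue }
    # -Force surfaces hidden and system-attributed files, which Explorer hides by default.
    Get-ChildItem -LiteralPath $dir -File -Force -ErrorAction SilentlyContinue | ForEach-Object {
        $ext = $_.Extension.ToLowerInvariant()
        $target = ''
        if ($ext -eq '.lnk') {
            # Resolve the shortcut so a benign-looking LNK that launches mshta or wscript stands out.
            $lnk = $shell.CreateShortcut($_.FullName)
            $target = ($lnk.TargetPath + ' ' + $lnk.Arguments).Trim()
        }
        $flag = if (($scriptLike -contains $ext) -or ($target -match $hostPattern)) { 'REVIEW' } else { '' }
        [pscustomobject]@{
            Flag    = $flag
            Hidden  = [bool]($_.Attributes -band [IO.FileAttributes]::Hidden)
            Created = $_.CreationTime
            Path    = $_.FullName
            Target  = $target
            Sha256  = (Get-FileHash -LiteralPath $_.FullName -Algorithm SHA256).Hash
        }
    }
}

$inventory | Sort-Object Flag -Descending | Format-Table -AutoSize
```

    Run it from an elevated prompt so other users' profile folders are readable. The hash column is there to compare against published indicators; the Created timestamp, read next to the WinRAR extraction time from the user's activity, ties a Startup entry back to the archive that dropped it.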

    CVE-2025-8088 and Its Wider Exploitation

    CVE-2025-8088 is not exclusive to Gamaredon. Sekoia’s research notes that the same WinRAR path traversal vulnerability has been used by Sandworm and Turla, two other threat actors with long operational histories against European and Ukrainian targets. The convergence of several sophisticated actors on a single WinRAR flaw reflects how effective it is as an initial access mechanism against organizations that have neither updated WinRAR nor restricted archive extraction on user workstations.

    NTFS Alternate Data Streams as a Hiding Layer

    Once the HTA file has established a foothold and the worm component is active, Gamaredon stores its worm modules in NTFS Alternate Data Streams attached to legitimate files. ADS is a feature of the NTFS file system that lets a file carry additional named data streams beside its primary data stream. A file with extra streams looks completely normal in Windows Explorer and in most directory listings: its reported size covers only the primary stream, and the named streams are invisible unless a tool queries for them explicitly. Backup tools that copy NTFS metadata preserve these streams together with the primary data, so the hidden modules survive backup-and-restore operations that might otherwise clear a compromise, whereas copying the file to a non-NTFS volume such as FAT32 or exFAT silently drops them. This combination of invisibility and persistence makes ADS an effective storage layer for malware modules that need to survive casual investigation.

    Propagation and Command-and-Control

    After establishing itself on an initial host, the worm spreads to connected USB drives and accessible network shares using malicious LNK shortcut files. The LNK files carry Ukrainian-language filenames, chosen to blend into document collections on Ukrainian government and military workstations, where Ukrainian-language files are expected and draw no attention.

    Telegram and Cloudflare as Dead Drop Resolvers

    Gamaredon’s command-and-control infrastructure uses a Dead Drop Resolver architecture. Rather than connecting directly to attacker-controlled servers, which can be blocked once identified, the malware retrieves its C2 instructions and addresses from Telegram channels and Cloudflare-proxied endpoints. Both are high-volume legitimate services that many organizations allow outright. At the network layer, defenders see outbound connections to the same domains their users reach every day and cannot readily separate Gamaredon’s C2 retrievals from ordinary Telegram and Cloudflare traffic. Blocking the channel means blocking the legitimate service, a trade-off most organizations are unwilling to make.

    Forensic Resistance and Incident Response Implications

    The specific combination of techniques Gamaredon has assembled in this campaign is oriented toward surviving discovery. NTFS ADS hides the worm modules from file system browsing and from any tool that lists only a file’s primary stream. The Startup folder HTA provides persistence that survives reboots. USB propagation gives the worm a path onto air-gapped or network-isolated systems that would otherwise be unreachable. Dead Drop Resolvers make C2 traffic blend into legitimate cloud service usage.

    Incident responders investigating suspected Gamaredon infections need to query explicitly for alternate data streams on files in the directories where the worm is known to operate, a step many triage workflows omit. Built-in Windows tooling can enumerate them (dir /R in cmd.exe, Get-Item -Stream * in PowerShell, or the Sysinternals streams utility), but only if responders know to look. Sekoia has tracked the campaign since January 2026, giving defenders a documented profile of its techniques, file naming patterns, and infrastructure indicators to act on.
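    The following PowerShell shows what that explicit query looks like in practice: it walks a directory tree, lists every named stream on every file, ignores the two streams ordinary files carry (the primary ':$DATA' stream and the Zone.Identifier Mark-of-the-Web that browsers and mail clients write), and reports the rest with size, a crude content sniff and a SHA-256 for comparison against indicators. This is an added example written for this page, not Sekoia's or the campaign's code; it assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume, and the -Demo switch creates a throwaway directory of constructed sample files (the stream name 'payload' and the file names are made up) so the script can be tried on a clean machine.

```powershell
# Added example, not Sekoia's or the campaign's code: enumerate NTFS alternate
# data streams under a directory, skip the streams ordinary files carry, and
# report the rest with size, a content sniff and a SHA-256 for triage.
# Assumes Windows PowerShell 5.1 or PowerShell 7 on an NTFS volume. -Demo writes
# constructed sample files to a fresh directory; 'payload' and the file names
# are invented for the demonstration.
param(
    [string]$Root = "$env:USERPROFILE\Documents",
    [switch]$Demo
)

# Byte-mode reads are spelled differently in Windows PowerShell and PowerShell 7.
$byteMode = if ($PSVersionTable.PSVersion.Major -ge 6) { @{ AsByteStream = $true } } else { @{ Encoding = 'Byte' } }

if ($Demo) {
    $Root = Join-Path $env:TEMP ('ads-demo-' + [guid]::NewGuid().ToString('N'))
    New-Item -ItemType Directory -Path $Root | Out-Null
    Set-Content -LiteralPath "$Root\clean.txt" -Value 'nothing to see here'
    # Mark-of-the-Web as a browser download carries it: expected, so it is skipped below.
    Set-Content -LiteralPath "$Root\download.docx" -Value 'document body'
    Set-Content -LiteralPath "$Root\download.docx" -Stream Zone.Identifier -Value "[ZoneTransfer]`r`nZoneId=3"
    # A document-looking file whose second named stream holds script text (constructed sample).
    Set-Content -LiteralPath "$Root\report.pdf" -Value '%PDF-1.4 placeholder'
    Set-Content -LiteralPath "$Root\report.pdf" -Stream 'payload' -Value 'CreateObject("WScript.Shell").Run "calc.exe"'
    Write-Host "Demo files written to $Root"
}

# The primary stream and Mark-of-the-Web are normal; anything else is reported.
$expected = @(':$DATA', 'Zone.Identifier')

function Get-StreamSniff {
    param([byte[]]$Bytes)
    # Rough classification from the first bytes: PE image, printable text, or other binary.
    if (-not $Bytes -or $Bytes.Count -eq 0) { return 'empty' }
    if ($Bytes.Count -ge 2 -and $Bytes[0] -eq 0x4D -and $Bytes[1] -eq 0x5A) { return 'PE (MZ header)' }
    $head = $Bytes[0..([Math]::Min(63, $Bytes.Count - 1))]
    $printable = @($head | Where-Object { ($_ -ge 0x20 -and $_ -le 0x7E) -or (@(9, 10, 13) -contains $_) }).Count
    if ($printable -eq $head.Count) { return 'text/script' }
    return 'binary'
}

$sha = [System.Security.Cryptography.SHA256]::Create()
$findings = Get-ChildItem -LiteralPath $Root -File -Recurse -Force -ErrorAction SilentlyContinue | ForEach-Object {
    $file = $_
    # -Stream * lists every named stream on the file, including the primary ':$DATA'.
    Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
        Where-Object { $expected -notcontains $_.Stream } |
        ForEach-Object {
            # Whole stream is read into memory: fine for triage-sized streams, not for multi-GB ones.
            $bytes = [byte[]](Get-Content -LiteralPath $file.FullName -Stream $_.Stream -ReadCount 0 @byteMode -ErrorAction SilentlyContinue)
            [pscustomobject]@{
                File   = $file.FullName
                Stream = $_.Stream
                Bytes  = $_.Length
                Sniff  = Get-StreamSniff -Bytes $bytes
                Sha256 = if ($bytes) { ([BitConverter]::ToString($sha.ComputeHash($bytes))) -replace '-' } else { '' }
            }
        }
}

$findings | Format-Table -AutoSize
```

    With -Demo the output contains a single row, report.pdf with stream 'payload' classified as text/script, while clean.txt and the Zone.Identifier on download.docx are not listed. Two caveats for real use: directories can carry named streams too, so add a pass with Get-ChildItem -Directory over the same tree when the target directories are known, and collect evidence with NTFS-aware tooling, because copying a file to a FAT32 or exFAT drive drops every named stream and leaves nothing to analyze.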
