
Russian FSB-Linked Worm Uses Hidden Windows Feature to Infiltrate Ukrainian Networks

FSB-linked GammaWorm targets Ukrainian systems using hard-to-detect methods; experts advise urgent WinRAR updates to thwart attacks.
Content Team

A Russian state-linked worm tied to the FSB's Gamaredon group is targeting Ukrainian government, military, and critical infrastructure — and it's remarkably hard to detect. Security firm Sekoia reconstructed an active infection chain first spotted in January 2026 that starts with a booby-trapped xHTML file, exploits a WinRAR path traversal flaw (CVE-2025-8088), and drops a hidden HTA file that runs on next login.

The worm, dubbed GammaWorm, hides its modules in NTFS Alternate Data Streams — a native Windows feature that leaves no visible trace in directory listings. It spreads via USB drives and network shares, pulls C2 addresses from Telegram and Cloudflare, and loops indefinitely as a backdoor. Sekoia recommends a full system wipe for infected machines and updating WinRAR to version 7.13 or later.
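Because Alternate Data Streams do not appear in ordinary directory listings, a defender has to ask for them explicitly. The PowerShell below is an added example, not code from Sekoia or from the article; the function name, the default scan root and the list of streams treated as benign are assumptions chosen for illustration.

```powershell
# Added example: list non-default NTFS Alternate Data Streams under a directory tree.
# Assumptions: Windows PowerShell 3.0 or later on an NTFS volume; the default
# scan root and the ignore list are illustrative choices, not IoCs from the report.
function Find-AlternateDataStream {
    [CmdletBinding()]
    param(
        [string]$Root = $env:USERPROFILE,
        # Streams that are normally present: the unnamed data stream and the
        # Mark-of-the-Web stream that browsers attach to downloaded files.
        [string[]]$IgnoreStream = @(':$DATA', 'Zone.Identifier')
    )

    Get-ChildItem -LiteralPath $Root -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $item = $_
            # Get-Item -Stream * returns one object per stream on the item.
            # Streams attached to directories are only returned by PowerShell 7.2+;
            # on older versions the error is suppressed and the directory is skipped.
            Get-Item -LiteralPath $item.FullName -Stream * -Force -ErrorAction SilentlyContinue |
                Where-Object { $IgnoreStream -notcontains $_.Stream } |
                ForEach-Object {
                    [pscustomobject]@{
                        Path      = $item.FullName
                        Stream    = $_.Stream
                        Length    = $_.Length
                        LastWrite = $item.LastWriteTime
                    }
                }
        }
}

# Largest streams first: a named stream holding a sizeable payload on an
# otherwise ordinary file is the pattern worth reviewing.
Find-AlternateDataStream -Root $env:USERPROFILE |
    Sort-Object Length -Descending |
    Format-Table -AutoSize
```

A hit is a lead for triage, not proof of infection, since legitimate software also writes named streams; `Get-Content -LiteralPath <file> -Stream <name>` reads a reported stream for inspection.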

Source: Infosecurity Magazine
