A Russian state-linked worm attributed to the FSB's Gamaredon group is targeting Ukrainian government, military, and critical infrastructure, and it is remarkably hard to detect. Security firm Sekoia reconstructed an active infection chain first spotted in January 2026 that starts with a booby-trapped xHTML file, exploits a WinRAR path traversal flaw (CVE-2025-8088), and drops a hidden HTA file that runs at the victim's next login.
The worm, dubbed GammaWorm, hides its modules in NTFS Alternate Data Streams, a native Windows feature that keeps the extra data invisible to Explorer and to a plain `dir` listing, so the host file looks unchanged. It spreads via USB drives and network shares, resolves its C2 addresses through Telegram and Cloudflare, and runs in an endless loop as a backdoor. Sekoia recommends a full system wipe for infected machines and updating WinRAR to version 7.13 or later.
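The three detection points the report raises (alternate data streams that never show up in directory listings, an HTA launched at login, and an unpatched WinRAR) can be checked from PowerShell. The script below is an added example written for this page, not code from Sekoia or from the Infosecurity article; the scan roots, the Startup-folder and Run-key checks, the stream-size threshold and the WinRAR install path are generic hunting assumptions, not published GammaWorm indicators.

```powershell
# Added triage example (not from the Sekoia report). Assumed, not indicator-derived:
# the roots scanned, the 1 KiB minimum stream size, the Startup/Run persistence
# locations and the default WinRAR path.
param(
    [string[]]$Roots = @($env:USERPROFILE, $env:ProgramData, $env:TEMP),
    [int]$MinBytes = 1024
)

# 1. Enumerate non-default NTFS streams. Explorer and a plain "dir" hide them;
#    "dir /r" or Get-Item -Stream * reveal them. The unnamed stream is ':$DATA',
#    and Zone.Identifier is the benign mark-of-the-web, so both are skipped.
function Find-AlternateDataStreams {
    param([string[]]$Paths, [int]$MinimumLength)
    foreach ($root in $Paths) {
        if (-not (Test-Path -LiteralPath $root)) { continue }
        Get-ChildItem -LiteralPath $root -Recurse -File -Force -ErrorAction SilentlyContinue |
            ForEach-Object { Get-Item -LiteralPath $_.FullName -Stream * -ErrorAction SilentlyContinue } |
            Where-Object {
                $_.Stream -ne ':$DATA' -and
                $_.Stream -ne 'Zone.Identifier' -and
                $_.Length -ge $MinimumLength
            } |
            Select-Object FileName, Stream, Length
    }
}

# 2. Login-time HTA persistence: hidden or .hta items in either Startup folder,
#    and Run-key values that invoke mshta or an .hta file (assumed locations).
function Find-LoginHtaPersistence {
    foreach ($dir in @([Environment]::GetFolderPath('Startup'),
                       [Environment]::GetFolderPath('CommonStartup'))) {
        Get-ChildItem -LiteralPath $dir -Force -ErrorAction SilentlyContinue |
            Where-Object { $_.Extension -ieq '.hta' -or ($_.Attributes -band [IO.FileAttributes]::Hidden) } |
            ForEach-Object { [pscustomobject]@{ Where = 'StartupFolder'; Item = $_.FullName } }
    }
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Run',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\Run') {
        if (-not (Test-Path -Path $key)) { continue }
        (Get-ItemProperty -Path $key).PSObject.Properties |
            Where-Object { $_.Name -notlike 'PS*' -and "$($_.Value)" -match 'mshta|\.hta\b' } |
            ForEach-Object { [pscustomobject]@{ Where = $key; Item = "$($_.Name) = $($_.Value)" } }
    }
}

# 3. Is WinRAR at or above the 7.13 fix level named in the report?
function Test-WinRarPatched {
    $exe = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'   # assumed default install path
    if (-not (Test-Path -LiteralPath $exe)) { return $null }
    try {
        $v = [version](Get-Item -LiteralPath $exe).VersionInfo.ProductVersion
        [pscustomobject]@{ Path = $exe; Version = $v; Patched = ($v -ge [version]'7.13') }
    } catch {
        [pscustomobject]@{ Path = $exe; Version = $null; Patched = $false }
    }
}

Write-Host "== Alternate data streams >= $MinBytes bytes =="
Find-AlternateDataStreams -Paths $Roots -MinimumLength $MinBytes | Format-Table -AutoSize
Write-Host "== Login-time HTA persistence =="
Find-LoginHtaPersistence | Format-Table -AutoSize
Write-Host "== WinRAR =="
Test-WinRarPatched | Format-List
```

Run it from an elevated prompt so the HKLM Run key and other users' profiles are readable; any hit is a lead for manual review, not proof of infection, since legitimate software also writes streams. For a suspicious stream, `Get-Content -LiteralPath 'C:\path\host.txt' -Stream 'name' -Raw` dumps the payload for analysis before the machine is wiped, which is the remediation the report recommends.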
Source: Infosecurity Magazine