Gamaredon’s Windows Worm Turns NTFS Streams Into a Cleanup Trap

Gamaredon’s Windows worm has turned NTFS Alternate Data Streams into a persistence problem for Ukrainian defenders, hiding VBScript modules where normal directory views will not show them and then using USB drives, network shares and public web services to keep access alive. Sekoia, a French cybersecurity company, says the campaign began with a WinRAR path traversal flaw and remained active when its researchers published the analysis on June 1, 2026.

The hard part is remediation. When the same infection chain can fetch fresh code, rewrite registry values and spread through shared drives, deleting a visible file may leave the operator with another route back in.

The Windows Feature Became the Hiding Place

In Sekoia’s GammaPhish and GammaWorm analysis, the worm’s quietest trick sits in an old Windows corner. It stores pieces of itself in NTFS Alternate Data Streams (ADS, a Windows file system feature that lets extra data sit alongside a file or directory without showing in normal listings).

Microsoft’s own NTFS streams documentation says these alternate streams are not normally visible and need commands such as DIR /R to display them. That matters because a responder browsing a user’s profile or a shared drive may see the folder while missing the hidden stream attached to it.

  • Over 70 artifacts from compromised hosts helped Sekoia reconstruct the chain.
  • More than 20,000 lines appeared after deobfuscation of one VBScript worm sample.
  • Two ADS slots carried early control logic, one for a clone of the worm and one for a killswitch.

The design suits Gamaredon, which has long favored volume and persistence over polished restraint. The new report shows the group making a small Windows feature do heavy operational work.

A WinRAR Bug Opened the Door

The first step was not the stream trick. Sekoia says the chain started with a weaponized xHTML file that smuggled a malicious RAR archive onto the machine. The victim still had to open the archive, but once extracted with a vulnerable Windows version of WinRAR, the path traversal flaw could drop an HTA file into the user’s Startup folder.

Google Threat Intelligence Group, Google’s threat research unit, described CVE-2025-8088 exploitation across Russian, Chinese and criminal operations, including campaigns where archives hide malicious entries behind decoy documents. RARLAB, WinRAR’s developer, fixed the flaw in WinRAR 7.13 and said in the release notes that the issue affected Windows versions of WinRAR, RAR, UnRAR and related components.

| Layer | Trusted Thing Abused | Defender Problem |
|---|---|---|
| GammaPhish lure | xHTML file and decoy document | User sees a plausible document flow |
| Archive exploit | WinRAR extraction behavior | Startup persistence can be planted during extraction |
| GammaWorm storage | NTFS data streams | Modules sit outside normal folder views |
| Command lookup | Telegram and Cloudflare hosted pages | Bad traffic blends with common web services |

That stack is why patching the archiver is necessary but not enough for machines that already ran the payload. The exploit gets the operator in. Later stages give the operator ways to stay.

The Worm’s Loop Turns Cleanup Into Rebuild

Once active, GammaWorm uses Windows scheduled tasks and registry edits to keep moving. Sekoia observed task names that resemble maintenance work, including DiskDiagnosticDataCollector, SilentCleanup and SmartRetry, with some modules firing every seven or ten minutes. It also changes Explorer settings that govern hidden files, protected operating system files and file extensions.

Command-and-control (C2, the channel an attacker uses to send instructions to malware) does not rely on one fixed server. The worm pulls live locations from public services, a pattern MITRE ATT&CK, a public adversary behavior knowledge base, calls the dead drop resolver technique. Those pages point the infected host toward fresh infrastructure, which makes blocklists age quickly.

“cleaning attempts often result in fallback mechanisms restoring the malware.”

Sekoia’s Threat Detection & Research team wrote that line in its June 1 report, and it is the most practical sentence in the whole analysis. A hidden stream can be removed. A host that keeps rebuilding its network map and running arbitrary VBScript from memory calls for a complete wipe, not a hopeful cleanup.

Ukraine Saw the Pattern Before

Gamaredon’s latest chain has new packaging, but the target set is familiar. The Security Service of Ukraine (SSU, the country’s domestic security agency) publicly tied the Armagedon group to Russia’s Federal Security Service (FSB, Russia’s main internal security service) in 2021, saying the unit was responsible for more than 5,000 cyber attacks against Ukrainian state bodies and attempted infections of more than 1,500 government computer systems.

The SSU described goals that still match the current campaign: access to critical infrastructure, theft of restricted information, psychological influence and disruption. Sekoia’s timeline adds a technical arc. Older tooling revolved around Pteranodon, then separate families such as GammaLoad, GammaSteel and GammaWorm took over.

That shift matters for defenders outside Ukraine too. A technique tested against ministries and military offices can become a general playbook once it proves cheap, repeatable and hard to clean. Google’s WinRAR report already shows the same vulnerability crossing lines between espionage crews and financially motivated malware operators.

Detection Moves From Files to Behavior

A normal file sweep is the wrong center of gravity here. The useful signals come from script hosts, scheduled tasks, stream enumeration and outbound lookups that do not fit the process that made them.

  • Inventory WinRAR first, then update vulnerable Windows installs to 7.13 or later.
  • Enumerate ADS on high-risk hosts with command-line tools instead of relying on Windows Explorer.
  • Alert when wscript.exe or mshta.exe runs content from user profile paths containing stream-style colons.
  • Review newly created scheduled tasks that borrow trusted maintenance names or fire every few minutes.
  • Correlate script-host traffic to Telegram, Teletype, Telegra.ph, Cloudflare Workers and Supabase with follow-on connections to new domains or IP addresses.
  • Limit USB use and monitor network shares where shortcut files suddenly replace real folders.

The point is not to ban every legitimate service the worm touches. That would break normal business before it found the operator. The better test is sequence: a script process reaches a public page, saves a new address, then talks to an unfamiliar endpoint.
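As an added example (constructed here, not code from Sekoia’s report or from the worm), a Python sketch of three of the behavioral checks above: a script host launched on an ADS path under a user profile, a newly created scheduled task that borrows a maintenance name or fires every few minutes, and the dead-drop-then-new-endpoint sequence. The mapping of the named services to host suffixes, the ten-minute threshold and the \Microsoft\Windows\ location of the genuine tasks are assumptions.

```python
import re

# Constructed detection sketch; not Sekoia's code. Service-to-host-suffix mapping is assumed.
SCRIPT_HOSTS = {"wscript.exe", "mshta.exe"}
BORROWED_TASK_NAMES = {"diskdiagnosticdatacollector", "silentcleanup", "smartretry"}
DEAD_DROP_SUFFIXES = ("t.me", "telegra.ph", "teletype.in", "workers.dev", "supabase.co")
# A user-profile path whose last component carries a second colon, i.e. file.ext:streamname
ADS_IN_PROFILE = re.compile(r'(?i)[a-z]:\\users\\[^\s"]*?:[^\s"\\]+')

def script_host_with_ads(image, cmdline):
    """True when wscript/mshta is launched on content stored in an ADS under a user profile."""
    return image.lower() in SCRIPT_HOSTS and ADS_IN_PROFILE.search(cmdline) is not None

def suspicious_task(task_path, interval_minutes):
    r"""Reasons a newly created task looks like GammaWorm persistence (empty list means none).
    Assumption: the genuine tasks carrying these names live under \Microsoft\Windows\."""
    reasons = []
    name = task_path.rsplit("\\", 1)[-1].lower()
    if name in BORROWED_TASK_NAMES and not task_path.lower().startswith("\\microsoft\\windows\\"):
        reasons.append("borrowed-name")
    if interval_minutes is not None and interval_minutes <= 10:  # report: 7- and 10-minute repeats
        reasons.append("short-interval")
    return reasons

def is_dead_drop(host):
    return any(host == s or host.endswith("." + s) for s in DEAD_DROP_SUFFIXES)

def dead_drop_sequence(net_events, known_hosts):
    """net_events: time-ordered (pid, image, host). Flag a script host that reaches a
    dead-drop page and then connects to a host outside the caller's known set."""
    primed, hits = set(), []
    for pid, image, host in net_events:
        if image.lower() not in SCRIPT_HOSTS:
            continue
        if is_dead_drop(host):
            primed.add(pid)
        elif pid in primed and host not in known_hosts:
            hits.append((pid, host))
    return hits

# Constructed sample telemetry (image, command line) and (pid, image, host); not from the report.
PROCESS_EVENTS = [
    ("wscript.exe", r'wscript.exe //B "C:\Users\olena\AppData\Roaming\notes.txt:update.vbs"'),
    ("wscript.exe", r'wscript.exe "C:\Users\olena\Documents\logon.vbs"'),
    ("mshta.exe", r'mshta.exe "C:\Users\olena\AppData\Local\Temp\report.htm"'),
]
NET_EVENTS = [(4120, "wscript.exe", "telegra.ph"), (4120, "wscript.exe", "203.0.113.7"),
              (5002, "chrome.exe", "telegra.ph"), (5002, "chrome.exe", "example.org")]
```

Only the wscript launch on the stream path, the task outside the Microsoft folder, and the wscript process that reads telegra.ph and then contacts a new address should fire; the browser hitting the same page does not.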

The First Door Can Close While Access Remains

For unaffected machines, the fastest win is boring: remove the vulnerable archiver build. WinRAR’s fix was released months before Sekoia’s report, and Google warned in January that slow patching was keeping the flaw useful for several threat groups. Every help desk image, shared workstation and forensic lab box running older WinRAR deserves a check.

For suspected infections, the decision is harsher. A responder has to assume the visible shortcut, the registry key and the ADS copy are only parts of the same machine. If one stage can restore another, then a partial cleanup creates a false sense of control.

There is also a policy lesson for defenders who usually treat cloud and messaging traffic as too noisy to inspect. Gamaredon did not need Telegram or Cloudflare to be malicious services. It needed them to be ordinary enough that nobody wanted to scrutinize the process making the request.

If the asset is clean, patching WinRAR closes the exposed entry point. If the worm has run, rebuild decisions need to move faster than the next login.

Logan Pierce is a writer and web publisher with over seven years of experience covering consumer technology. He has published work on independent tech blogs and freelance bylines covering Android devices, privacy-focused software, and budget gadgets. Logan founded Oton Technology to publish clear, no-nonsense tech news and reviews based on real hands-on testing. He has personally tested and reviewed dozens of mid-range and budget Android phones, written extensively about app privacy, and built and managed multiple WordPress publications over the past decade. Logan holds a bachelor's degree in English and studied digital marketing at a certificate level.
