SOC Prime Bias: Critical

02 Jun 2026 19:40 UTC

Gamaredon’s Unfolding Toolkit: GammaPhish and GammaWorm

SOC Prime Team

Detection stack

  • AIDR
  • Alert
  • ETL
  • Query

Summary

Gamaredon, a Russian state-backed APT group, continues to run long-term espionage operations against Ukrainian government institutions, military bodies, and critical infrastructure. Its modular infection chain begins with a spearphishing attachment, abuses a WinRAR path traversal flaw (CVE-2025-8088) to drop a file into the user's Startup folder, and then relies on VBScript, NTFS alternate data streams, and dead-drop resolvers to spread, persist, and retrieve additional payloads. The campaign also uses legitimate services such as Telegram, Cloudflare, and Supabase for command-and-control. Detection is hard because the attackers lean heavily on built-in Windows functionality and fileless execution.

Investigation

Sekoia TDR reconstructed the January 2026 intrusion chain by examining more than 70 artifacts collected from compromised systems. Their analysis identified the initial phishing component, GammaPhish, followed by the VBScript loader GammaLoad, the self-propagating worm GammaWorm, and the PowerShell stealer GammaSteel, which stores modules in the registry. Researchers also documented GammaWorm’s use of alternate data streams and scheduled tasks for persistence, along with repeated network requests to multiple dead-drop resolver domains. The investigation mapped how each component supported the broader infection chain and long-term foothold.

Mitigation

Because the malware can keep fetching new payloads through dead-drop resolvers, the safest remediation is usually a full system rebuild. Detection should focus on creation of named alternate data streams on user profiles, RunOnce registry modifications, scheduled tasks whose actions launch mshta or a script host (two of the reported task names, SilentCleanup and DiskDiagnosticDataCollector, mimic built-in Windows tasks, so match on the action rather than the name), and outbound connections from non-browser processes to known resolver domains. Blocking identified command-and-control infrastructure and scanning email attachments strictly also reduce the chance of initial compromise.
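A host-side hunt for the three persistence points named above, written for this page as an added example (it is not SOC Prime's or Sekoia's code). It assumes PowerShell 5.1 or later on a Windows host and takes the stream names (GTR, save) and task names from the report; because SilentCleanup and DiskDiagnosticDataCollector collide with built-in Windows task names, the task check keys on what the action executes, not on the name, and only adds the name as a secondary flag.

```powershell
# Hunt for GammaWorm-style persistence: named ADS on user profiles, RunOnce values,
# and scheduled tasks whose action launches a script host or references an ADS path.
# Added example for this page; the stream and task names are the ones reported above.

$StreamNames   = @('GTR', 'save')                                   # reported ADS names
$ReportedTasks = @('DiskDiagnosticDataCollector', 'SilentCleanup', 'SmartRetry')
$ScriptHosts   = 'mshta\.exe|wscript\.exe|cscript\.exe|powershell\.exe|pwsh\.exe'
# "<drive>:\<path>:<stream>" where the stream is not the default $DATA, e.g. C:\Users\x:GTR
$AdsPattern    = '[a-z]:\\[^:\s"]+:(?!\$DATA)[^\\:\s"]+'

function Find-SuspiciousAds {
    # Named streams on each profile directory itself (as GammaWorm uses) and its top-level files.
    # Zone.Identifier is the normal Mark-of-the-Web stream and is ignored.
    foreach ($profile in Get-ChildItem 'C:\Users' -Directory -ErrorAction SilentlyContinue) {
        $targets = @($profile) + @(Get-ChildItem $profile.FullName -File -Force -ErrorAction SilentlyContinue)
        foreach ($item in $targets) {
            Get-Item -LiteralPath $item.FullName -Stream * -ErrorAction SilentlyContinue |
                Where-Object { $_.Stream -notin ':$DATA', 'Zone.Identifier' } |
                ForEach-Object {
                    $note = if ($_.Stream -in $StreamNames) { ' (reported GammaWorm stream name)' } else { '' }
                    [pscustomobject]@{
                        Kind     = 'ADS'
                        Location = "$($item.FullName):$($_.Stream)"
                        Detail   = "$($_.Length) bytes$note"
                    }
                }
        }
    }
}

function Find-RunOnceEntries {
    # A RunOnce value executes once at the next logon and is then deleted, so any live entry is worth a look.
    foreach ($key in 'HKCU:\Software\Microsoft\Windows\CurrentVersion\RunOnce',
                     'HKLM:\Software\Microsoft\Windows\CurrentVersion\RunOnce') {
        $reg = Get-Item -Path $key -ErrorAction SilentlyContinue
        if (-not $reg) { continue }
        foreach ($name in $reg.GetValueNames()) {
            $cmd  = [string]$reg.GetValue($name)
            $note = if ($cmd -match $ScriptHosts -or $cmd -match $AdsPattern) { ' [script host or ADS path]' } else { '' }
            [pscustomobject]@{ Kind = 'RunOnce'; Location = "$key\$name"; Detail = "$cmd$note" }
        }
    }
}

function Find-SuspiciousTasks {
    # Key on the action, not the name: two of the reported names mimic built-in Windows tasks.
    foreach ($task in Get-ScheduledTask -ErrorAction SilentlyContinue) {
        foreach ($action in $task.Actions) {
            $cmd   = "$($action.Execute) $($action.Arguments)".Trim()
            $flags = @()
            if ($cmd -match $ScriptHosts)          { $flags += 'script host' }
            if ($cmd -match $AdsPattern)           { $flags += 'ADS path' }
            if ($task.TaskName -in $ReportedTasks) { $flags += 'reported name' }
            if ($flags.Count -gt 0) {
                [pscustomobject]@{
                    Kind     = 'Task'
                    Location = "$($task.TaskPath)$($task.TaskName)"
                    Detail   = "$cmd [$($flags -join ', ')]"
                }
            }
        }
    }
}

# Run all three checks and print one table; pipe to Export-Csv instead to preserve evidence.
@(Find-SuspiciousAds) + @(Find-RunOnceEntries) + @(Find-SuspiciousTasks) | Format-Table -AutoSize -Wrap
```

A built-in task that matches only on "reported name" is expected on every Windows host; the ones to pull are those whose action also matches a script host or an ADS path, since a legitimate SilentCleanup runs cleanmgr.exe, not mshta.exe against a stream.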

Response

If this activity is detected, isolate the affected host immediately, collect volatile evidence, and perform full forensic acquisition. Remove files hidden in alternate data streams, delete the malicious RunOnce registry entry, and disable any related scheduled tasks. Known resolver domains and IP addresses should be blocked at the network edge, and endpoint detections should be updated to identify the observed command lines and fileless execution patterns.

Attack Flow

Malware: GammaWorm (worm). Capabilities: propagation via removable media, ADS storage, web-based C2.

1. T1566.001 Phishing: Spearphishing Attachment. Victims receive spear-phishing emails containing an embedded xHTML file that initiates download of a malicious RAR archive.
2. T1203 Exploitation for Client Execution. The RAR archive exploits CVE-2025-8088 (WinRAR path traversal) to write a malicious HTA file into the user's Startup folder.
3. T1218.005 System Binary Proxy Execution: Mshta. The HTA file launches mshta.exe with a remote payload URL, providing code execution.
4. T1547.001 Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder. The malicious HTA resides in %AppData%\Microsoft\Windows\Start Menu\Programs\Startup and runs at each user logon.
5. T1547.009 Boot or Logon Autostart Execution: Shortcut Modification. GammaWorm creates LNK shortcuts that appear as folders; opening them triggers mshta.exe to run the ~.gif worm.
6. T1564.004 Hide Artifacts: NTFS File Attributes. Core modules are written to alternate data streams such as %USERPROFILE%:GTR and %USERPROFILE%:save to evade normal listings.
7. T1027.012 Obfuscated Files or Information: LNK Icon Smuggling. Malicious LNK shortcuts use forged icons to disguise their true purpose.
8. T1053 Scheduled Task/Job. Creates tasks (DiskDiagnosticDataCollector, SilentCleanup, SmartRetry) that launch ADS modules on a recurring schedule.
9. T1102.001 Web Service: Dead Drop Resolver. Retrieves C2 configuration from public services (supabase.co, graph.org, workers.dev, teletype.in, telegra.ph, Telegram).
10. T1102.002 Web Service: Bidirectional Communication. Posts HTTP requests with fingerprint data hidden in the User-Agent header.
11. T1102.003 Web Service: One-Way Communication. Fetches configuration updates, using HTTP 200/404 response codes as the signal, without sending data back to the server.
12. T1001.003 Data Obfuscation: Protocol or Service Impersonation. Uses legitimate HTTP/HTTPS traffic patterns and randomised headers to blend with normal network activity.
13. T1091 Replication Through Removable Media. Executes WMI queries to enumerate logical disks and locate USB drives or network shares for propagation.
14. T1080 Taint Shared Content. Places malicious LNK shortcuts in shared folders so they execute when another user opens them.
15. T1567.002 Exfiltration Over Web Service: Exfiltration to Cloud Storage. Harvested documents are uploaded to an S3-compatible bucket.
16. T1537 Transfer Data to Cloud Account. Fallback mechanism that sends stolen data to a cloud account when primary storage is unavailable.

Flow: phishing leads to exploitation, which delivers the mshta stage; that establishes Startup-folder persistence, to which the LNK shortcuts are added; the worm's modules are stored in ADS, the shortcuts are disguised with forged icons, and scheduled tasks keep the ADS modules running; the tasks drive the dead-drop resolver lookups, which provide C2 for the bidirectional and one-way channels, both hidden behind protocol impersonation; removable-media discovery enables spread via tainted shared content, and harvested data goes to cloud storage with a cloud-account transfer as the fallback.

Detections

Possible Persistence Points [ASEPs – Software/NTUSER Hive] (via registry_event)

SOC Prime Team
02 Jun 2026

LOLBAS WScript / CScript (via process_creation)

SOC Prime Team
02 Jun 2026

Suspicious LOLBAS MSHTA Defense Evasion Behavior by Detection of Associated Commands (via process_creation)

SOC Prime Team
02 Jun 2026

Suspicious CURL Usage (via cmdline)

SOC Prime Team
02 Jun 2026

Suspicious Binary / Scripts in Autostart Location (via file_event)

SOC Prime Team
02 Jun 2026

Possible Telegram Abuse As Command And Control Channel (via dns_query)

SOC Prime Team
02 Jun 2026

Possible Data Infiltration / Exfiltration / C2 via Third Party Services / Tools (via dns_query)

SOC Prime Team
02 Jun 2026

Possible CVE-2025-8088 / CVE-2025-6218 (WinRAR Vulnerability) Exploitation Attempt (via file_event)

SOC Prime Team
02 Jun 2026

Suspicious Trycloudflare Domain Communication (via dns)

SOC Prime Team
02 Jun 2026

Possible Cloudflare Development Domain Abuse (via dns)

SOC Prime Team
02 Jun 2026

IOCs (HashMd5) to detect: FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

SOC Prime AI Rules
02 Jun 2026

IOCs (SourceIP) to detect: FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

SOC Prime AI Rules
02 Jun 2026

IOCs (DestinationIP) to detect: FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

SOC Prime AI Rules
02 Jun 2026

Detection of GammaWorm NTFS ADS Usage for Persistence and Propagation [Windows File Event]

SOC Prime AI Rules
02 Jun 2026

Simulation Execution

Prerequisite: The Telemetry & Baseline Pre‑flight Check must have passed.

Rationale: This section details the precise execution of the adversary technique (T1564.004, Hide Artifacts: NTFS File Attributes) designed to trigger the detection rule. The commands and narrative directly produce the telemetry expected by the detection logic.

  • Attack Narrative & Commands:
    An operator has obtained the GammaWorm payload (a compiled PE) and wants persistence while staying out of ordinary directory listings. The payload is written into an NTFS alternate data stream named GTR attached to a file in the user's profile directory (%USERPROFILE%\gamma.exe:GTR); the real worm attaches its streams to the profile directory itself (%USERPROFILE%:GTR, %USERPROFILE%:save). The stream is invisible to dir and Explorer and does not change the host file's reported size, but its creation is recorded by file-event telemetry. Because the stream name matches the rule's hard-coded list, any file-creation event whose target path contains ":GTR" under %USERPROFILE% fires the detection.

    # Step 1 – Prepare a placeholder "malicious" binary: the first 16 bytes of a PE (MZ) header,
    # base64-encoded. Use the real sample in a lab; for file telemetry this stub is enough.
    $malicious = [System.Convert]::FromBase64String("TVqQAAMAAAAEAAAA//8AAA==")
    $payloadPath = "$env:USERPROFILE\gamma.exe"
    
    # Step 2 – Create the host file. An ADS must be attached to an existing file or directory
    # (the file may be zero-length; a directory works too, which is what GammaWorm does with %USERPROFILE%).
    [IO.File]::WriteAllBytes($payloadPath, $malicious)
    
    # Step 3 – Write the same binary (or a different payload) into the ADS named GTR.
    # Address the stream with -Stream rather than a "file:GTR" path: inside a double-quoted string
    # "$payloadPath:GTR" is parsed as a drive-qualified variable, and on Windows PowerShell 5.1 the
    # .NET Framework path checks reject the colon. -Encoding Byte exists only in Windows PowerShell;
    # PowerShell 6+ uses -AsByteStream instead.
    if ($PSVersionTable.PSVersion.Major -ge 6) {
        Set-Content -Path $payloadPath -Stream GTR -Value $malicious -AsByteStream
    } else {
        Set-Content -Path $payloadPath -Stream GTR -Value $malicious -Encoding Byte
    }
  • Regression Test Script: (self‑contained; can be run on any Windows host with PowerShell 5+)

    # GammaWorm ADS Persistence Simulation – triggers detection rule
    try {
        # Create a placeholder host file (minimal MZ header); an ADS needs an existing host file or directory
        $hostFile = "$env:USERPROFILE\gamma.exe"
        $dummyBytes = [byte[]] (0x4D,0x5A,0x90,0x00)
        [IO.File]::WriteAllBytes($hostFile, $dummyBytes)
    
        # Write the payload into the ADS named "GTR" via -Stream (PowerShell 3+).
        # -Encoding Byte exists only in Windows PowerShell, -AsByteStream only in PowerShell 6+.
        if ($PSVersionTable.PSVersion.Major -ge 6) {
            Set-Content -Path $hostFile -Stream GTR -Value $dummyBytes -AsByteStream
        } else {
            Set-Content -Path $hostFile -Stream GTR -Value $dummyBytes -Encoding Byte
        }
    
        # Confirm the stream exists: Test-Path cannot address a stream, Get-Item -Stream can
        $stream = Get-Item -Path $hostFile -Stream GTR -ErrorAction Stop
        Write-Host "ADS 'GTR' created successfully at ${hostFile}:GTR ($($stream.Length) bytes)"
    } catch {
        Write-Error "Simulation failed: $_"
    }
  • Cleanup Commands:

    # Remove the ADS and the placeholder host file
    $hostFile = "$env:USERPROFILE\gamma.exe"
    
    # Delete the ADS by name (Remove-Item -Stream, PowerShell 3+; Test-Path cannot see a stream,
    # so check with Get-Item -Stream first)
    if (Get-Item -Path $hostFile -Stream GTR -ErrorAction SilentlyContinue) {
        Remove-Item -Path $hostFile -Stream GTR -Force
        Write-Host "Removed ADS GTR."
    }
    
    # Delete the main file (this also removes any remaining streams attached to it)
    if (Test-Path $hostFile) {
        Remove-Item -Path $hostFile -Force
        Write-Host "Removed host file gamma.exe."
    }
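To confirm that the simulation produced the telemetry the file-event rule consumes, the following added example (not part of the page's simulation script) reads Sysmon Event ID 15, FileCreateStreamHash, which Sysmon emits when a named stream is created, and flags the stream names reported for GammaWorm. It assumes Sysmon is installed with FileCreateStreamHash logging enabled for the user-profile paths; a constructed sample event is embedded so the parser can be exercised on a host without Sysmon.

```powershell
# Verify that ADS creation produced Sysmon Event ID 15 (FileCreateStreamHash) telemetry
# and flag the stream names reported for GammaWorm. Added example; assumes Sysmon with
# FileCreateStreamHash logging enabled for the paths of interest.

$WatchedStreams = ':(GTR|save)$'   # reported GammaWorm stream names, at the end of the target path

function ConvertFrom-SysmonStreamEvent {
    # Turn one Sysmon event (as XML text, e.g. from EventLogRecord.ToXml()) into a flat object.
    # Returns $null for anything other than Event ID 15.
    param([Parameter(Mandatory)][string]$EventXml)
    $x  = [xml]$EventXml
    $ns = New-Object System.Xml.XmlNamespaceManager($x.NameTable)
    $ns.AddNamespace('e', 'http://schemas.microsoft.com/win/2004/08/events/event')
    if ($x.SelectSingleNode('/e:Event/e:System/e:EventID', $ns).InnerText -ne '15') { return $null }
    $data = @{}
    foreach ($d in $x.SelectNodes('/e:Event/e:EventData/e:Data', $ns)) {
        $data[$d.GetAttribute('Name')] = $d.InnerText
    }
    [pscustomobject]@{
        UtcTime        = $data['UtcTime']
        Image          = $data['Image']            # process that created the stream
        TargetFilename = $data['TargetFilename']   # "<host file or directory>:<stream>"
        Hash           = $data['Hash']             # hash of the stream contents, if Sysmon recorded one
        Watched        = [bool]($data['TargetFilename'] -match $WatchedStreams)
    }
}

function Get-WatchedStreamEvents {
    # Live query: EID 15 from the last N hours, keeping only watched stream names under user profiles.
    param([int]$Hours = 24)
    $filter = @{ LogName = 'Microsoft-Windows-Sysmon/Operational'; Id = 15; StartTime = (Get-Date).AddHours(-$Hours) }
    Get-WinEvent -FilterHashtable $filter -ErrorAction SilentlyContinue |
        ForEach-Object { ConvertFrom-SysmonStreamEvent -EventXml $_.ToXml() } |
        Where-Object { $_ -and $_.Watched -and $_.TargetFilename -like 'C:\Users\*' }
}

# Constructed sample event (not captured from a real host) with the fields the rule keys on.
$SampleEvent = @'
<Event xmlns="http://schemas.microsoft.com/win/2004/08/events/event">
  <System><Provider Name="Microsoft-Windows-Sysmon"/><EventID>15</EventID><Computer>WS01</Computer></System>
  <EventData>
    <Data Name="UtcTime">2026-06-02 19:40:00.000</Data>
    <Data Name="Image">C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe</Data>
    <Data Name="TargetFilename">C:\Users\analyst\gamma.exe:GTR</Data>
  </EventData>
</Event>
'@

# Offline check of the parser on the constructed event, then the live log (empty if Sysmon is absent).
ConvertFrom-SysmonStreamEvent -EventXml $SampleEvent | Format-List
Get-WatchedStreamEvents -Hours 1 | Format-Table -AutoSize
```

If the live query returns nothing after the simulation, check the Sysmon configuration before touching the rule: FileCreateStreamHash is off by default in many configurations, and a path-scoped include rule that omits the user profile will drop exactly the event this detection needs.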