Weaponizing CVE-2025-8088: Inside Gamaredon’s WinRAR Exploit Chain and GammaLoad C2
A sophisticated and highly persistent cyber-espionage campaign, attributed to the Gamaredon threat group (also identified as UAC-0010 or Shuckworm), is currently conducting large-scale operations against Ukrainian government infrastructure. This campaign is characterized by its use of multi-stage malware loaders and a relentless exploitation of software vulnerabilities to bypass traditional perimeter defenses.
At the core of this campaign is the continued exploitation of CVE-2025-8088, a critical directory traversal vulnerability found in WinRAR. This flaw allows an attacker to manipulate the extraction process, writing arbitrary files outside the intended destination directory. While the vulnerability has been a known issue since mid-2025, Gamaredon has demonstrated remarkable proficiency in weaponizing it to ensure high-impact delivery.
The attack vector begins with highly targeted spearphishing. Attackers utilize a dual-pronged approach: either hijacking legitimate government email accounts—such as a recent incident involving a local official in the Odessa Oblast—or employing sophisticated domain spoofing. These emails are engineered with high social engineering value, often masquerading as urgent legal notices or official court summons to manipulate users into interacting with malicious attachments.
According to detailed forensic analysis by Harfang Lab, researchers have identified at least 12 distinct waves of these phishing campaigns since September 2025. The technical payload typically consists of a malicious RAR archive containing a decoy PDF and a hidden VBScript payload, which is cleverly tucked away using NTFS Alternate Data Streams (ADS) to evade simple file-system scans.

When the user extracts the archive, the WinRAR directory traversal exploit triggers, silently writing a VBScript file directly into the %AppData%\Microsoft\Windows\Start Menu\Programs\Startup directory. This ensures that the malware achieves immediate persistence upon system reboot.
The Execution Chain: From GammaDrop to GammaLoad
The first stage of the infection is a component dubbed GammaDrop. This is a heavily obfuscated VBScript downloader that utilizes randomized variable naming and significant “junk code” insertion. These techniques are indicative of Gamaredon’s use of automated malware generation engines designed to frustrate signature-based detection systems.
Once executed, GammaDrop performs its primary function: retrieving the second-stage payload, GammaLoad. To blend in with legitimate web traffic, the attackers host this payload on Cloudflare Workers infrastructure. GammaLoad is delivered as an HTA (HTML Application) file and is subsequently executed via mshta.exe within a hidden window to minimize user visibility.
GammaLoad functions as a dual-purpose tool for both persistence and reconnaissance:
- Persistence: It establishes a
RunOnceregistry key to ensure continued execution. - Reconnaissance: It gathers granular system telemetry, including the computer name, system drive, and volume serial number. This data is then encoded and embedded into beaconing traffic, allowing the operators to fingerprint the infected host and tailor subsequent exploitation stages.
The intelligence gathered suggests that the Security Service of Ukraine (SSU) is the primary target, with significant activity concentrated across the Luhansk, Lviv, and Chernivtsi oblasts.

To maintain command and control (C2), GammaLoad utilizes dynamically generated URLs and disguises its communication by mimicking legitimate browser user-agent strings. While Cloudflare Workers serves as the primary transit, the group maintains fallback C2 infrastructure hosted on Russian domains. The malware operates on a consistent heartbeat, beaconing to the C2 servers approximately every 210 seconds (3.5 minutes).
Adaptive Tactics and Infrastructure Evasion
Gamaredon is not a static threat; they exhibit high operational adaptability. Recent observations from May 2026 indicate a shift in packaging: attackers are now utilizing ARJ archives disguised as standard .ZIP or .RAR files to bypass simple extension-based filters. Furthermore, some newer variants have been observed “streamlining” the infection chain by bypassing the GammaDrop stage entirely and deploying GammaLoad directly.
Their network evasion tactics are equally robust, employing a combination of fast-flux DNS, dynamic DNS providers, and short-lived domains. We have also noted an increase in the use of bot-like user-agent strings (such as Bingbot) to mask malicious traffic as legitimate search engine crawling.
A critical vulnerability exploited by the group is the lack of robust email authentication protocols across many targeted institutions. The absence of strictly enforced SPF, DKIM, and DMARC policies allows Gamaredon to spoof trusted domains with ease. Much of their phishing relay infrastructure appears to originate from the 194.58.66.0/24 subnet.
Mitigation Strategies
While the technical sophistication of the malware itself may seem moderate, the group’s ability to maintain a high operational tempo and pivot their delivery methods makes them a Tier-1 threat. To defend against these evolving campaigns, organizations should prioritize the following:
- Patch Management: Immediate patching of WinRAR and all file archiving utilities to mitigate directory traversal exploits.
- Email Security: Implementation and strict enforcement of DMARC (Reject policy), SPF, and DKIM to prevent domain spoofing.
- Endpoint Defense: Monitoring for suspicious executions of
mshta.exeand unauthorized writes to the Windows Startup directory. - Network Intelligence: Blocking known malicious subnets and monitoring for unusual beaconing patterns to Cloudflare Workers or unrecognized Russian domains.