The article discusses a multi-faceted cyber espionage campaign executed by the Russia-linked APT group Gamaredon, targeting Ukraine. The group has exploited a vulnerability in WinRAR (CVE-2025-8088) to deploy modular, fileless malware, which is delivered through techniques such as HTML smuggling and uses NTFS Alternate Data Streams (ADS) to conceal its presence on infected machines.
The campaign features innovative elements such as C2 resolution via Telegram and extensive use of VBScript, complicating detection and remediation efforts. The new malware architecture is characterized by a high level of obfuscation and persistence, indicating a significant evolution in Gamaredon's tactics while retaining some of their longstanding methods.