A new report reveals that the Russian state-linked Gamaredon group has developed a sophisticated worm, referred to as GammaWorm, that hides its components within Windows NTFS Alternate Data Streams, enabling it to infect Ukrainian networks almost undetected. This tool is part of an espionage campaign targeting Ukrainian government and military sectors.
The infection begins with a malicious xHTML file that exploits a WinRAR vulnerability (CVE-2025-8088), allowing the worm to operate persistently on compromised systems. Sekoia's analysis recommends that organizations affected by this worm consider a full system wipe and update WinRAR to version 7.13 or later to mitigate the risk.
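As a triage aid for the two points above (components hidden in NTFS Alternate Data Streams, and the WinRAR 7.13 minimum), the following PowerShell is an added example and is not taken from the Sekoia report. The scan root, the WinRAR install path, the function names, and the assumption that the executable's file version mirrors the release number are all illustrative choices.

```powershell
# Added example (not from the report): list unexpected NTFS alternate data
# streams under a folder and check WinRAR against the 7.13 minimum.
param(
    [string]$Root       = $env:USERPROFILE,                      # assumption: scan scope
    [string]$WinRarPath = "$env:ProgramFiles\WinRAR\WinRAR.exe"  # assumption: default install path
)

# Streams expected on a normal system: the unnamed data stream and the
# Mark-of-the-Web stream written by browsers and archive tools.
$expected = ':$DATA', 'Zone.Identifier'

function Get-UnexpectedStream {
    param([string]$Path)
    Get-ChildItem -LiteralPath $Path -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            # -Stream * enumerates every stream attached to the item.
            Get-Item -LiteralPath $_.FullName -Stream * -Force -ErrorAction SilentlyContinue
        } |
        Where-Object { $_.Stream -notin $expected } |
        Select-Object FileName, Stream, Length
}

function Test-WinRarPatched {
    param([string]$Path, [version]$Minimum = '7.13')
    if (-not (Test-Path -LiteralPath $Path)) { return $null }   # not installed at this path
    $vi = (Get-Item -LiteralPath $Path).VersionInfo
    # Assumption: the file version resource mirrors the release number (7.13 -> 7.13.x).
    $installed = [version]::new($vi.FileMajorPart, $vi.FileMinorPart)
    [pscustomobject]@{
        Installed = $installed
        Patched   = ($installed -ge $Minimum)
    }
}

# Named streams found under $Root; an empty result means none were seen.
Get-UnexpectedStream -Path $Root | Format-Table -AutoSize

# $null means WinRAR was not found at $WinRarPath.
Test-WinRarPatched -Path $WinRarPath
```

A named stream in the output is a lead for review rather than a verdict, since some legitimate software writes its own streams.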