
FSB Group Gamaredon Hides Worm in Windows Data Streams
Why It Matters
The campaign demonstrates a sophisticated shift to fileless, stealthy malware targeting Ukraine’s critical sectors, raising detection challenges for defenders worldwide. It underscores the urgency of patching known zero‑day flaws and revisiting endpoint hygiene practices.
Key Takeaways
- GammaWorm hides modules in NTFS Alternate Data Streams
- Exploits WinRAR CVE‑2025‑8088 path‑traversal flaw
- Targets Ukrainian government, military, and critical infrastructure
- Uses dead‑drop resolvers via Telegram and Cloudflare for C2
- Full system wipe recommended to fully eradicate the worm
Pulse Analysis
The Gamaredon group, long linked to Russia’s FSB, has refined its intrusion toolkit by moving away from traditional file‑dropping malware toward fileless techniques that exploit native Windows features. By leveraging NTFS Alternate Data Streams, GammaWorm can conceal malicious code alongside legitimate files, evading standard antivirus scans and file‑system audits. This evolution mirrors a broader trend among state‑sponsored actors to adopt stealthier delivery mechanisms that blend into everyday system artifacts, complicating threat‑intel attribution and response.
Technical analysis reveals the campaign’s initial foothold hinges on a compromised xHTML file that drops a malicious RAR archive exploiting CVE‑2025‑8088, a path‑traversal vulnerability in WinRAR. The archived payload plants a hidden HTA file in the Startup folder, which then launches a VBScript‑based worm. GammaWorm spreads laterally through USB drives and network shares, swapping genuine folders for malicious shortcuts with provocative Ukrainian‑language names, while persisting via scheduled tasks and registry tweaks that hide its presence.
For defenders, the incident highlights the critical need for rapid patch management and deeper visibility into alternate data streams and scheduled‑task artifacts. Updating WinRAR to version 7.13 or later eliminates the initial exploit vector, while endpoint detection platforms should be tuned to flag hidden ADS usage and unusual shortcut behavior. Given the worm’s reliance on dead‑drop resolvers via public services, network monitoring for anomalous DNS and TLS traffic to Telegram or Cloudflare endpoints can provide early indicators of compromise. A full system wipe remains the most reliable remediation, as partial cleaning often triggers the worm’s fallback mechanisms to reinstall itself.
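As an added defensive example (not code from the article or from the researchers it summarises), the PowerShell function below enumerates NTFS Alternate Data Streams on files under the Windows Startup folders, the autostart location the article says the campaign plants its HTA in, and reports any stream other than the primary data stream. It assumes PowerShell 5.1 or later on Windows; the Startup paths are the standard ones, and treating the Zone.Identifier mark‑of‑the‑web stream as benign is an assumption you may want to drop during an incident.

```powershell
# Hunt for non-default NTFS Alternate Data Streams under autostart folders.
# Added example; not the article's or the researchers' code.
function Find-SuspiciousAds {
    param(
        # Standard per-user and all-users Startup folders (assumed defaults).
        [string[]]$Path = @(
            "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
            "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp"
        ),
        # Assumption: Zone.Identifier is the common benign mark-of-the-web stream.
        [string[]]$IgnoreStream = @('Zone.Identifier')
    )

    foreach ($root in $Path) {
        if (-not (Test-Path -LiteralPath $root)) { continue }

        # -Force includes hidden files, which is how the article says the HTA is planted.
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
        ForEach-Object {
            $file = $_
            # -Stream * lists every stream on the file, including the primary ':$DATA'.
            Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
            Where-Object { $_.Stream -ne ':$DATA' -and $IgnoreStream -notcontains $_.Stream } |
            ForEach-Object {
                $stream = $_
                # First line of the stream, truncated, so a reviewer can see if it is script text.
                $head = Get-Content -LiteralPath $file.FullName -Stream $stream.Stream `
                            -TotalCount 1 -ErrorAction SilentlyContinue
                if ($head -and $head.Length -gt 80) { $head = $head.Substring(0, 80) + '...' }

                [PSCustomObject]@{
                    File     = $file.FullName
                    Hidden   = [bool]($file.Attributes -band [IO.FileAttributes]::Hidden)
                    Stream   = $stream.Stream
                    Bytes    = $stream.Length
                    Head     = $head
                    Modified = $file.LastWriteTimeUtc
                }
            }
        }
    }
}

# Usage: list findings; an empty result means no unexpected streams were found.
Find-SuspiciousAds | Format-Table -AutoSize
```

Extend `-Path` with other autostart locations you care about (for example the directories referenced by scheduled‑task actions) to cover the persistence mechanisms the article describes.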