
Gamaredon Deploys GammaDrop, GammaLoad in Phishing Campaigns
Why It Matters
The campaign demonstrates how low‑complexity malware, combined with social engineering and unpatched software, can sustain large‑scale intrusion into critical government infrastructure. It underscores the urgent need for patch management and robust email‑security controls across public sector networks.
Key Takeaways
- Gamaredon exploits WinRAR CVE-2025-8088 in phishing against Ukrainian targets.
- GammaDrop plants a malicious VBScript in the Windows Startup folder.
- GammaLoad, an HTA run by mshta.exe, persists via a RunOnce entry and beacons to Cloudflare Workers-hosted C2.
- Weak SPF/DKIM/DMARC configurations let the attackers spoof government email domains.
- Fast-flux DNS and short-lived domains keep the infrastructure ahead of blocklists.
Pulse Analysis
The resurgence of Gamaredon's activity highlights a classic but effective cyber-espionage playbook: weaponize a widely deployed third-party application and pair it with tailored social engineering. CVE-2025-8088 is a path traversal flaw in WinRAR's extraction routine (fixed in WinRAR 7.13): a crafted archive can place a file outside the folder the user chose, so simply extracting the lure is enough to plant a VBScript payload in an autostart location, without the victim knowingly running anything. The lure trades on the trust users place in familiar file types, and because WinRAR has no automatic update mechanism, installations that are not patched by hand stay vulnerable indefinitely. The shift from RAR to ARJ archives reflects a further adaptation aimed at signature-based detection.
Technical analysis reveals a two-stage loader chain designed for stealth and persistence. GammaDrop, the first stage, drops a VBScript into the Startup folder, so it runs at every user logon. It then retrieves GammaLoad, an HTA file executed via mshta.exe, which writes a RunOnce registry entry and begins periodic beaconing to C2 infrastructure hosted on Cloudflare Workers. Because Windows deletes a RunOnce value once its command has run, the HTA must re-register itself on each execution, which leaves defenders a recurring registry write to alert on. Legitimate-looking User-Agent strings and fast-flux DNS complicate network-based detection, while encoded victim identifiers in the beacons let the operators select follow-up payloads per victim. This modularity lets the group swap payloads without altering the delivery mechanism.
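The chain above gives defenders five discrete host events to look for: an archiver writing into a Startup folder, a script host running a Startup script, mshta.exe launched with a URL or by a script host, a script host writing RunOnce, and a script host connecting to a workers.dev name. The following is an added example written for this article, not code from the page or from any vendor; it assumes simplified Sysmon-style event dicts with made-up field names (type, image, parent_image, command_line, target, dest_host), an assumed archiver list, and constructed sample records rather than real logs.

```python
"""Hunt for the GammaDrop/GammaLoad execution chain in endpoint telemetry.

Added example for this article, not code from the page or from any vendor.
Events are simplified Sysmon-style dicts with assumed field names; the
sample records below are constructed to exercise each rule, not real logs.
"""
import re

# Archive extractors whose writes into an autostart folder indicate a
# path-traversal drop rather than a user-chosen destination (assumed list).
ARCHIVERS = {"winrar.exe", "unrar.exe"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}

STARTUP_RE = re.compile(r"\\start menu\\programs\\startup\\", re.I)
USER_WRITABLE_RE = re.compile(r"\\(appdata|temp|downloads|public)\\", re.I)
URL_RE = re.compile(r"https?://", re.I)
RUNONCE_RE = re.compile(r"\\currentversion\\runonce\\", re.I)
# Default hostname suffix for Cloudflare Workers. A worker behind a custom
# domain evades this rule, so treat it as one signal among several.
WORKERS_RE = re.compile(r"\.workers\.dev$", re.I)


def basename(path):
    return path.rsplit("\\", 1)[-1].lower()


def evaluate(event):
    """Return the name of the first rule the event matches, or None."""
    kind = event["type"]
    image = basename(event.get("image", ""))
    parent = basename(event.get("parent_image", ""))
    cmd = event.get("command_line", "")
    target = event.get("target", "")

    # Stage 1: an archiver writing into Startup is the path-traversal drop.
    if kind == "file_create" and image in ARCHIVERS and STARTUP_RE.search(target):
        return "archiver_wrote_startup_folder"
    # The dropped script executing from Startup after logon.
    if (kind == "process_create" and image in {"wscript.exe", "cscript.exe"}
            and STARTUP_RE.search(cmd)):
        return "script_host_ran_startup_script"
    # Stage 2: mshta.exe pulling an HTA from a URL or user-writable path,
    # or spawned by the stage-1 script host.
    if kind == "process_create" and image == "mshta.exe" and (
            URL_RE.search(cmd) or USER_WRITABLE_RE.search(cmd)
            or parent in SCRIPT_HOSTS):
        return "suspicious_mshta_launch"
    # RunOnce is cleared after it fires, so the HTA must re-register itself
    # on every run: a recurring registry write by a script host.
    if kind == "registry_set" and image in SCRIPT_HOSTS and RUNONCE_RE.search(target):
        return "script_host_set_runonce"
    # Beaconing from a script host to a workers.dev endpoint.
    if (kind == "network_connect" and image in SCRIPT_HOSTS
            and WORKERS_RE.search(event.get("dest_host", ""))):
        return "script_host_to_workers_dev"
    return None


def hunt(events):
    """Return [(event_index, rule_name)] for every event that matches a rule."""
    hits = []
    for i, event in enumerate(events):
        rule = evaluate(event)
        if rule:
            hits.append((i, rule))
    return hits


def chain_confidence(events):
    """Number of distinct chain stages seen; three or more on one host is a
    strong signal even where any single rule would be noisy on its own."""
    return len({rule for _, rule in hunt(events)})


# Constructed sample telemetry (simplified, not real logs).
SAMPLE_EVENTS = [
    {"type": "file_create", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"},
    {"type": "process_create", "image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Users\user\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.vbs"'},
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\System32\wscript.exe",
     "command_line": "mshta.exe https://loader.example-worker.workers.dev/index.hta"},
    {"type": "registry_set", "image": r"C:\Windows\System32\mshta.exe",
     "target": r"HKCU\Software\Microsoft\Windows\CurrentVersion\RunOnce\Update"},
    {"type": "network_connect", "image": r"C:\Windows\System32\mshta.exe",
     "dest_host": "loader.example-worker.workers.dev"},
    # Benign noise: a vendor help file and an ordinary download.
    {"type": "process_create", "image": r"C:\Windows\System32\mshta.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'mshta.exe "C:\Program Files\Vendor\help.hta"'},
    {"type": "file_create", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\user\Downloads\report.pdf"},
]

if __name__ == "__main__":
    for index, rule in hunt(SAMPLE_EVENTS):
        print(f"event {index}: {rule}")
    print("stages observed:", chain_confidence(SAMPLE_EVENTS))
```

The first rule is the one most worth tuning carefully: a legitimate archiver almost never writes into a Startup folder, so it is low-noise on its own, whereas the mshta.exe rule needs the URL, user-writable-path or script-host-parent qualifier to avoid flagging vendor HTAs launched from Program Files.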
For organizations, especially government entities, the campaign is a reminder that cyber-risk is often a function of basic hygiene. Updating WinRAR to 7.13 or later removes the primary infection vector, but because WinRAR does not update itself, that means inventorying installs and pushing the new build through software-deployment tooling rather than waiting on users. Publishing SPF with a -all terminator, signing outbound mail with DKIM, and moving DMARC to p=reject stops attackers from spoofing an organization's own domains; it does nothing against lookalike domains, which still need user awareness and mail filtering. Network segmentation and alerting on anomalous HTA execution (mshta.exe launched by a script host or with a URL argument, archive tools writing into a Startup folder, RunOnce writes by script hosts) further reduce exposure. As Gamaredon rotates IP ranges and domains, indicator-based blocklists go stale quickly, so threat-intel sharing should be paired with behavioural detections rather than relied on alone.
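The email-authentication point above is easy to get half right: a domain can publish all three records and still be spoofable if DMARC is p=none, pct is below 100, or SPF ends in +all. The following grader is an added example written for this article, not code from the page or from any vendor; the records it checks are constructed for a fictional domain (gov.example), and in practice the inputs would come from `dig TXT _dmarc.<domain>`, `dig TXT <domain>` and `dig TXT <selector>._domainkey.<domain>`.

```python
"""Grade a domain's SPF, DKIM and DMARC records for spoofability.

Added example for this article, not from the page or any vendor. The records
below are constructed for a fictional domain; fetch real ones via DNS TXT.
"""
import re

# SPF terms that each cost one DNS lookup; RFC 7208 caps the total at 10,
# beyond which receivers return permerror and DMARC sees no SPF result.
LOOKUP_TERMS = re.compile(r"^[+\-~?]?(include:|a(:|/|$)|mx(:|/|$)|ptr|exists:|redirect=)", re.I)


def parse_tags(record):
    """Parse a 'tag=value; tag=value' TXT record (DMARC and DKIM use this form)."""
    tags = {}
    for part in record.split(";"):
        if "=" in part:
            key, value = part.split("=", 1)
            tags[key.strip().lower()] = value.strip()
    return tags


def assess_spf(record):
    """Return (findings, qualifier): what an unlisted sender receives,
    one of 'fail', 'softfail', 'neutral', 'pass' or 'none'."""
    findings = []
    if not record or not record.lower().startswith("v=spf1"):
        return ["no SPF record: forged MAIL FROM cannot be rejected"], "none"
    qualifier, lookups = "neutral", 0
    for term in record.split()[1:]:
        t = term.lower()
        if LOOKUP_TERMS.match(t):
            lookups += 1
        if t in ("all", "+all"):
            qualifier = "pass"
        elif t == "-all":
            qualifier = "fail"
        elif t == "~all":
            qualifier = "softfail"
        elif t == "?all":
            qualifier = "neutral"
    if lookups > 10:
        findings.append(f"SPF needs {lookups} DNS lookups (>10): permerror, SPF is ignored")
    if qualifier == "pass":
        findings.append("SPF '+all' authorizes every IP on the internet")
    elif qualifier == "neutral":
        findings.append("SPF has no -all/~all: unknown senders are neutral, not failed")
    elif qualifier == "softfail":
        findings.append("SPF '~all' is only a soft fail; protection depends on DMARC enforcement")
    return findings, qualifier


def assess_dmarc(record):
    """Return (findings, enforced); enforced means p=quarantine/reject at pct=100."""
    findings = []
    tags = parse_tags(record or "")
    if tags.get("v", "").upper() != "DMARC1":
        return ["no DMARC record: receivers apply no policy to a forged From header"], False
    policy = tags.get("p", "none").lower()
    sub_policy = tags.get("sp", policy).lower()
    pct = int(tags.get("pct", "100"))
    if policy == "none":
        findings.append("DMARC p=none: failures are reported but still delivered")
    elif sub_policy == "none":
        findings.append("DMARC sp=none: subdomains remain spoofable")
    if pct < 100:
        findings.append(f"DMARC pct={pct}: policy applied to only {pct}% of failing mail")
    if "rua" not in tags:
        findings.append("no rua= address: no aggregate reports, spoofing goes unseen")
    return findings, policy in ("quarantine", "reject") and pct == 100


def assess_dkim(record):
    """Check the key record published at <selector>._domainkey.<domain>."""
    tags = parse_tags(record or "")
    if not record:
        return ["no DKIM key at this selector: signatures cannot be verified"]
    if tags.get("p", "") == "":
        return ["DKIM p= is empty: key revoked, signatures fail"]
    if "y" in tags.get("t", ""):
        return ["DKIM t=y: testing mode, receivers may ignore failures"]
    return []


def assess_domain(spf, dmarc, dkim):
    spf_findings, qualifier = assess_spf(spf)
    dmarc_findings, enforced = assess_dmarc(dmarc)
    # A forged From header is delivered when DMARC is not enforced, and even
    # an enforced policy is defeated by '+all', which lets any IP pass SPF
    # with an aligned MAIL FROM domain.
    spoofable = (not enforced) or qualifier == "pass"
    return {"spoofable": spoofable,
            "findings": spf_findings + dmarc_findings + assess_dkim(dkim)}


# Constructed records for a fictional domain (not real DNS data).
WEAK = {
    "spf": "v=spf1 include:_spf.example.net ~all",
    "dmarc": "v=DMARC1; p=none; rua=mailto:dmarc@gov.example",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}
STRICT = {
    "spf": "v=spf1 include:_spf.example.net -all",
    "dmarc": "v=DMARC1; p=reject; sp=reject; pct=100; rua=mailto:dmarc@gov.example",
    "dkim": "v=DKIM1; k=rsa; p=MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8A",
}

if __name__ == "__main__":
    for name, records in (("weak", WEAK), ("strict", STRICT)):
        result = assess_domain(**records)
        print(name, "SPOOFABLE" if result["spoofable"] else "protected")
        for finding in result["findings"]:
            print("  -", finding)
```

The grader deliberately treats "~all" plus p=none as spoofable: soft fail by itself only asks receivers to be suspicious, and with no DMARC policy the forged message is still delivered to the inbox. Moving to p=reject is the change that actually blocks delivery, and the rua= address is what tells you afterwards whether anyone is still trying.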