Executive Summary
In 2025, the Russian-aligned APT group Gamaredon intensified its cyber operations against Ukrainian governmental and military institutions. ESET observed 35 distinct spear-phishing campaigns, primarily in the latter half of the year, utilizing archive attachments and XHTML files with HTML smuggling to deploy malicious HTA downloaders. These campaigns aimed to exfiltrate sensitive information to support Russian interests in the ongoing conflict. Gamaredon also exploited a WinRAR vulnerability (CVE-2025-8088) to achieve persistence by placing malicious files in the Windows Startup folder. Additionally, the group introduced six new PowerShell tools, including PteroDee and PteroCache, to enhance their malware arsenal. (thehackernews.com)
The group's reliance on third-party services grew significantly, employing tunnel services and serverless platforms to conceal their infrastructure. This evolution underscores the increasing sophistication of state-sponsored cyber threats and the necessity for robust cybersecurity measures to protect sensitive governmental data. (thehackernews.com)
Why This Matters Now
The escalation of Gamaredon's activities highlights the persistent and evolving cyber threats faced by nations, emphasizing the need for continuous vigilance and advanced defense mechanisms to safeguard national security interests.
Attack Path Analysis
Gamaredon initiated the attack with spear-phishing emails containing malicious attachments exploiting a WinRAR vulnerability (CVE-2025-8088) to deliver HTA downloaders. Upon execution, these downloaders installed additional payloads, such as PteroSand, establishing persistence by placing themselves in the Windows Startup folder. The attackers then utilized tools like PteroLNK and PteroPaste to infect USB and network drives, facilitating lateral movement within the network. Command and control were maintained through third-party services, including tunnel services and serverless worker platforms, to conceal their infrastructure. Sensitive data was exfiltrated using these channels, leveraging legitimate services to mask the data transfer. The impact of the attack was the unauthorized access and exfiltration of critical information from Ukrainian governmental and military institutions.
Kill Chain Progression
Initial Compromise
Description
Gamaredon initiated the attack with spear-phishing emails containing malicious attachments exploiting a WinRAR vulnerability (CVE-2025-8088) to deliver HTA downloaders.
Related CVEs
CVE-2025-8088
CVSS 8.8A path traversal vulnerability in WinRAR versions up to 7.13 allows attackers to execute arbitrary code by extracting a specially crafted archive.
Affected Products:
RARLAB WinRAR – <= 7.13
Exploit Status:
exploited in the wild
MITRE ATT&CK® Techniques
Spearphishing Attachment
Malicious File
Web Protocols
Ingress Tool Transfer
Obfuscated Files or Information
PowerShell
System Information Discovery
Exfiltration Over C2 Channel
Potential Compliance Exposure
Mapping incident impact across multiple compliance frameworks.
PCI DSS 4.0 – Malicious Software Prevention
Control ID: 6.4.3
NYDFS 23 NYCRR 500 – Cybersecurity Policy
Control ID: 500.03
DORA – ICT Risk Management Framework
Control ID: Article 5
CISA ZTMM 2.0 – Identity and Access Management
Control ID: 3.1
NIS2 Directive – Cybersecurity Risk Management Measures
Control ID: Article 21
Sector Implications
Industry-specific impact of the vulnerabilities, including operational, regulatory, and cloud security risks.
Government Administration
Primary target of Gamaredon APT spear-phishing campaigns against Ukrainian government infrastructure requires enhanced egress security and zero trust segmentation for protection.
Defense/Space
Critical military infrastructure faces ongoing Russian APT attacks requiring encrypted traffic protection, lateral movement prevention, and advanced threat detection capabilities.
Telecommunications
Communication infrastructure vulnerable to APT lateral movement and command control activities necessitates east-west traffic security and multicloud visibility controls.
Information Technology/IT
IT service providers managing Ukrainian infrastructure face exfiltration risks requiring cloud firewall protection, anomaly detection, and comprehensive security fabric implementation.
Sources
- Gamaredon Expands Ukraine Attacks with New Malware and Cloud Service Abusehttps://thehackernews.com/2026/06/gamaredon-expands-ukraine-attacks-with.htmlVerified
- ESET Research investigates Russian-aligned Gamaredon group – new toolset, alliances, and a reliance on legitimate serviceshttps://www.globenewswire.com/news-release/2026/06/25/3317651/0/en/eset-research-investigates-russian-aligned-gamaredon-group-new-toolset-alliances-and-a-reliance-on-legitimate-services.htmlVerified
- Gamaredon Exploits WinRAR Path Traversal to Unleash GammaDrop Malwarehttps://securityonline.info/gamaredon-winrar-exploit-cve-2025-8088-gammadrop-malware/Verified
Frequently Asked Questions
Cloud Native Security Fabric Mitigations and ControlsCNSF
Aviatrix Zero Trust CNSF is pertinent to this incident as it could have significantly limited the attacker's ability to move laterally and exfiltrate data by enforcing strict segmentation and identity-aware policies.
Control: Cloud Native Security Fabric (CNSF)
Mitigation: The attacker's ability to exploit the WinRAR vulnerability and deliver HTA downloaders would likely be constrained, reducing the initial compromise's effectiveness.
Control: Zero Trust Segmentation
Mitigation: The attacker's ability to escalate privileges and establish persistence would likely be constrained, limiting their control over compromised systems.
Control: East-West Traffic Security
Mitigation: The attacker's ability to move laterally within the network would likely be constrained, reducing the spread of the infection.
Control: Multicloud Visibility & Control
Mitigation: The attacker's ability to maintain command and control through concealed infrastructure would likely be constrained, disrupting their operations.
Control: Egress Security & Policy Enforcement
Mitigation: The attacker's ability to exfiltrate sensitive data using legitimate services would likely be constrained, reducing data loss.
The overall impact of unauthorized access and data exfiltration would likely be constrained, reducing the severity of the breach.
Impact at a Glance
Affected Business Functions
- Government Communications
- Military Operations
- Data Security
Estimated downtime: 14 days
Estimated loss: $5,000,000
Sensitive governmental and military information, including classified documents and strategic plans.
Recommended Actions
Key Takeaways & Next Steps
- • Implement East-West Traffic Security to monitor and control lateral movement within the network.
- • Deploy Zero Trust Segmentation to enforce least privilege access and limit the spread of malware.
- • Utilize Multicloud Visibility & Control to detect and respond to anomalous activities across cloud environments.
- • Enforce Egress Security & Policy Enforcement to prevent unauthorized data exfiltration.
- • Apply Inline IPS (Suricata) to detect and block known exploit patterns and malicious payloads.



