The Russian-linked Gamaredon threat group has been leveraging an unpatched WinRAR vulnerability to deliver a modular, nearly fileless malware framework against Ukrainian targets, according to reporting by Security Affairs. The campaign showcases a notable evolution in the group's tradecraft, combining a widely used archive utility as an initial access vector with stealthy payload staging techniques designed to evade conventional endpoint detection.
How the Attack Works
Rather than writing malicious executables to disk in the traditional manner, Gamaredon operators stash payloads inside NTFS Alternate Data Streams (ADS) — a legitimate Windows filesystem feature that allows data to be attached to files without appearing in standard directory listings. By hiding malicious components in these hidden streams, the campaign dramatically reduces the forensic footprint left on compromised machines.
The malware further obscures its command-and-control infrastructure by resolving C2 addresses through the Telegram messaging platform's API. This tactic blends malicious network traffic with the enormous volume of legitimate Telegram usage, making network-level detection considerably more difficult.
The specific WinRAR vulnerability being exploited has not yet been publicly identified. Sekoia's Threat Detection & Research team, which has been tracking the campaign, is expected to release a comprehensive technical analysis that should clarify the underlying CVE and provide patch-specific guidance.
Community-Driven Detection Pays Off
In late December 2025, Sekoia published a YARA detection rule designed to hunt for the group's initial access techniques. The proactive release bore fruit quickly — by January 2026, the rule had already produced approximately a dozen confirmed detections, demonstrating that intelligence-led, community-driven threat hunting can keep pace with even sophisticated fileless campaigns.
The speed of these results underscores a valuable lesson for defenders: while nearly fileless malware significantly raises the detection bar, it is not invisible. Targeted hunting rules informed by adversary intelligence can close the gap, provided security teams are actively monitoring for indicators of compromise rather than relying solely on signature-based tools.
A Reusable Playbook
Although the campaign is directed at Ukrainian entities, the technical combination of a common software exploit, NTFS ADS abuse for payload staging, and a major messaging platform for C2 resolution constitutes a transferable playbook. Other advanced persistent threat groups are likely to observe and adapt these techniques for operations against different targets and geographies.
For IT security teams globally, the practical takeaways are clear. Organisations should ensure that WinRAR installations are promptly updated once a patch becomes available. Security operations centres should also consider hunting for suspicious ADS usage — a technique that remains undermonitored in many environments. Network monitoring strategies should further account for the possibility that legitimate third-party services such as Telegram can be co-opted as covert infrastructure by threat actors.
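The ADS hunting recommended above can start from endpoint telemetry rather than a disk sweep. The following is an added example, not code from Security Affairs, Sekoia or the campaign report: it triages records shaped like Sysmon Event ID 15 (FileCreateStreamHash), which Sysmon emits when a process writes an NTFS alternate data stream. The field names Image, TargetFilename and Contents follow Sysmon's EventData layout; the sample records, file names and stream names are constructed for this example, and the benign-stream allowlist and the script-host list are assumptions a SOC would tune to its own environment.

```python
"""Triage Sysmon Event ID 15 (FileCreateStreamHash) records for suspicious
NTFS Alternate Data Stream (ADS) writes.

Added example. The records below are constructed; they are not indicators
from the Gamaredon campaign described in the article.
"""
import re
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed records shaped like Sysmon Event ID 15 EventData fields.
SAMPLE_EVENTS = [
    {"Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.rar:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\alice\Downloads\invoice.pdf:Zone.Identifier",
     "Contents": "[ZoneTransfer]\r\nZoneId=3\r\n"},
    {"Image": r"C:\Windows\System32\cmd.exe",
     "TargetFilename": r"C:\Users\alice\AppData\Local\Temp\readme.txt:stage",
     "Contents": "(binary, not logged)"},
    {"Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "TargetFilename": r"C:\Users\alice\Documents\notes.docx:payload.dll",
     "Contents": "(binary, not logged)"},
    {"Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\alice\Documents\plain.txt",   # no ADS at all
     "Contents": ""},
]

# Assumption: streams Windows writes routinely (Mark-of-the-Web) are low priority.
KNOWN_BENIGN_STREAMS = {"Zone.Identifier"}

# Assumption: interpreters and shells writing an ADS deserve a closer look.
SCRIPT_HOSTS = {"cmd.exe", "powershell.exe", "pwsh.exe", "wscript.exe",
                "cscript.exe", "mshta.exe", "rundll32.exe"}


@dataclass
class Finding:
    severity: str      # "low" or "high"
    path: str          # host file the stream is attached to
    stream: str        # ADS name
    writer: str        # basename of the writing process
    reason: str


def split_ads(target: str) -> Tuple[str, Optional[str]]:
    """Split 'C:\\dir\\file.ext:stream' into (path, stream).

    Returns (target, None) when the name carries no alternate stream.
    A trailing ':$DATA' type suffix is dropped before matching.
    """
    if target.endswith(":$DATA"):
        target = target[:-6]
    # Drive-letter colon is consumed by the first group; the stream follows
    # the last colon and may not itself contain a path separator.
    m = re.match(r"^([A-Za-z]:\\[^:]*):([^:\\]+)$", target)
    if not m:
        return target, None
    return m.group(1), m.group(2)


def triage(events) -> List[Finding]:
    """Return one Finding per event that actually wrote an alternate stream."""
    findings: List[Finding] = []
    for ev in events:
        path, stream = split_ads(ev["TargetFilename"])
        if stream is None:
            continue                       # ordinary file write, not an ADS
        writer = ev["Image"].rsplit("\\", 1)[-1].lower()
        if stream in KNOWN_BENIGN_STREAMS:
            sev, reason = "low", f"routine Mark-of-the-Web stream written by {writer}"
        else:
            sev = "high"
            reason = f"non-standard stream '{stream}' written by {writer}"
            if writer in SCRIPT_HOSTS:
                reason += " (script host or shell as writer)"
        findings.append(Finding(sev, path, stream, writer, reason))
    return findings


def high_severity(findings: List[Finding]) -> List[Finding]:
    """Subset an analyst would review first."""
    return [f for f in findings if f.severity == "high"]


if __name__ == "__main__":
    for f in triage(SAMPLE_EVENTS):
        print(f"[{f.severity:4}] {f.path}:{f.stream}  <- {f.reason}")
```

On a live estate the same logic sits behind a SIEM query over Event ID 15; the example keeps the parsing and scoring in one place so the allowlists can be reviewed and tuned, and the no-ADS record shows that a plain drive-letter colon is not mistaken for a stream separator.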
What Comes Next
Sekoia has indicated that a full technical breakdown of the attack chain — from initial archive delivery through ADS-based staging to Telegram-mediated C2 communication — is forthcoming. That report is expected to provide defenders with more granular indicators and mitigation advice.
In the meantime, the campaign serves as a reminder that state-sponsored groups continue to innovate at every stage of the kill chain, and that collaborative, open threat intelligence sharing remains one of the most effective countermeasures available to the security community.
