Last updated: July 5, 2026 at 9:01 AM UTC
Tag: fsb (2 articles)

Gamaredon (FSB) exploits WinRAR to deliver GammaWorm and GammaSteel against Ukraine - resilient, highly obfuscated modular RAR chain

Sekoia has documented Gamaredon - a Russian state-sponsored intrusion set that Ukraine's SBU has publicly attributed to the FSB - exploiting WinRAR via booby-trapped RAR archives to deliver the GammaWorm and GammaSteel malware against Ukrainian targets. Sekoia describes the infection chain as resilient, massive and highly obfuscated, with a modular design whose configuration operators can update on the fly, so the same chain is likely to be reused across campaigns. Gamaredon has a long history of targeting Ukrainian government, military and critical-infrastructure entities through spear-phishing with malicious attachments. The disclosure coincides with related Ukraine-focused activity by UAC-0184 (PassMark BurnInTest LNK lures), UAC-0247 (HTA droppers aimed at drone operators) and APT28's evolving PixyNetLoader delivering a COVENANT implant via CVE-2026-21509.

Check
Hunt for RAR attachments in inbound mail (identified by magic bytes, not just extension), for WinRAR spawning script interpreters or other unexpected child processes, and for GammaWorm and GammaSteel indicators across Ukraine-facing operations. Apply Sekoia's published IoCs.
Affected
Ukrainian government, military, and critical-infrastructure entities - Gamaredon's persistent FSB-linked targets. Spear-phishing with booby-trapped RAR archives delivering modular, frequently-updated payloads is the vector.
Fix
Update WinRAR to the current release on every endpoint; WinRAR has no auto-update mechanism, so inventory installed versions rather than assuming they are current. Block or quarantine RAR attachments at the email gateway where feasible, including RAR content inside renamed or self-extracting files. Restrict mshta and script interpreters (wscript, cscript, powershell) to approved use. Hunt for GammaSteel exfiltration and GammaWorm persistence.
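The safe way to triage a suspect RAR attachment is to read its file list without extracting anything. The following is an added example, not Sekoia's code or part of the original page: it walks RAR5 headers (varint-encoded fields, CRC32 over the header body, per the RAR5 format notes) and flags entry names that merit attention, such as executable or script extensions behind a document-looking name, paths that escape the extraction directory, or paths aimed at the Startup folder. The page does not name the specific WinRAR flaw, so the checks are generic archive-triage checks, not a signature for it. The sample archive and its entry names are constructed in memory by the minimal builder included here; the suspicious-extension list is an assumption.

```python
"""Added example (not Sekoia's code or the page's): list a RAR5 archive's entry names
without extracting, then flag the ones an analyst would examine before any extraction."""
import re
import struct
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
SUSPICIOUS_EXT = (".exe", ".scr", ".lnk", ".hta", ".vbs", ".js", ".wsf", ".ps1", ".bat", ".cmd", ".dll")


def vint_encode(n):  # little-endian base-128 varint used for most RAR5 header fields
    out = bytearray()
    while True:
        b, n = n & 0x7F, n >> 7
        out.append(b | 0x80 if n else b)
        if not n:
            return bytes(out)


def vint_decode(buf, pos):  # returns (value, position after the varint)
    val, shift = 0, 0
    while True:
        b, pos = buf[pos], pos + 1
        val |= (b & 0x7F) << shift
        shift += 7
        if not b & 0x80:
            return val, pos


def _header(htype, body, data=b""):
    """CRC32 + header size + (type, flags, [data size], body) + optional data area."""
    flags = 0x0002 if data else 0                 # 0x0002: a data area follows the header
    fields = vint_encode(htype) + vint_encode(flags)
    fields += (vint_encode(len(data)) if data else b"") + body
    sized = vint_encode(len(fields)) + fields     # CRC covers size field through header end
    return struct.pack("<I", zlib.crc32(sized)) + sized + data


def build_rar5(entries):
    """Minimal RAR5 archive of stored (uncompressed) files from [(name, bytes), ...]."""
    out = RAR5_SIG + _header(1, vint_encode(0))   # main header, no archive flags
    for name, data in entries:
        nm = name.encode("utf-8")
        body = (vint_encode(0) + vint_encode(len(data))        # file flags (none), unpacked size
                + vint_encode(0x20) + vint_encode(0)           # attrs ARCHIVE, method 0 = stored
                + vint_encode(0) + vint_encode(len(nm)) + nm)  # host OS Windows, name
        out += _header(2, body, data)
    return out + _header(5, vint_encode(0))        # end-of-archive header


def list_rar5(buf):
    """Walk the headers and return entry names; data areas are skipped, never parsed."""
    if not buf.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive (RAR4 uses a different header layout)")
    pos, names = len(RAR5_SIG), []
    while pos < len(buf):
        crc = struct.unpack_from("<I", buf, pos)[0]
        size, p = vint_decode(buf, pos + 4)
        end = p + size
        if zlib.crc32(buf[pos + 4:end]) != crc:
            raise ValueError("header CRC mismatch at offset %d" % pos)
        htype, p = vint_decode(buf, p)
        hflags, p = vint_decode(buf, p)
        if hflags & 0x0001:                        # extra area size (the area lies inside `size`)
            _extra, p = vint_decode(buf, p)
        data_size, p = vint_decode(buf, p) if hflags & 0x0002 else (0, p)
        if htype == 2:                             # file header
            fflags, p = vint_decode(buf, p)
            _unpacked, p = vint_decode(buf, p)
            _attrs, p = vint_decode(buf, p)
            p += (4 if fflags & 0x0002 else 0) + (4 if fflags & 0x0004 else 0)  # mtime, data CRC
            _comp, p = vint_decode(buf, p)
            _os, p = vint_decode(buf, p)
            nlen, p = vint_decode(buf, p)
            names.append(buf[p:p + nlen].decode("utf-8", "replace"))
        elif htype == 5:                           # end of archive
            break
        pos = end + data_size
    return names


def triage_names(names):
    """Return (name, reasons) for entries that warrant a closer look."""
    findings = []
    for n in names:
        low = n.lower().replace("\\", "/")
        parts, reasons = low.split("/"), []
        base = parts[-1]
        if ".." in parts or low.startswith("/") or re.match(r"^[a-z]:", low):
            reasons.append("path escapes the extraction directory")
        if base.endswith(SUSPICIOUS_EXT):
            reasons.append("executable or script extension")
            if base.count(".") >= 2:
                reasons.append("double extension (document lure)")
        if "start menu/programs/startup" in low:
            reasons.append("targets the Startup folder")
        if reasons:
            findings.append((n, "; ".join(reasons)))
    return findings


# Constructed sample: one benign-looking document plus two entries worth flagging.
SAMPLE = build_rar5([
    ("Report.pdf", b"%PDF-1.4 placeholder"),
    ("Invoice.pdf.lnk", b"L\x00\x00\x00"),
    ("..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta", b"<html>"),
])
```

Run `triage_names(list_rar5(SAMPLE))` to see the two flagged entries. The parser validates each header CRC and only follows size fields, so a malformed archive fails loudly rather than being extracted; real-world use should also check the file's magic bytes first, since phishing attachments routinely carry a RAR body under a document extension.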

Russian FSB actor Turla rebuilds Kazuar backdoor as a modular peer-to-peer botnet

Microsoft Threat Intelligence has detailed how Turla, the Russian state actor that CISA attributes to the FSB's Center 16, has rebuilt its .NET Kazuar backdoor from a monolithic implant into a modular peer-to-peer botnet. The new architecture splits responsibilities across three component types - Kernel, Bridge and Worker - and uses a leader-election mechanism so that only one infected host in a cluster talks to the external C2 server, which sharply reduces the network noise a defender can observe. Turla (also tracked as Secret Blizzard, Snake, Venomous Bear, Uroburos, WRAITH) targets government, diplomatic and defense organizations across Europe, Central Asia and Ukraine; Kazuar itself has been in use since at least 2017, and recent operations have piggybacked on Gamaredon's initial access before deploying Kazuar v3.

Check
Hunt for .NET assemblies sideloaded as COM objects with small loader stubs, for Kazuar Worker behaviours (enumeration of Outlook data, USB device metadata and network shares), and for low-volume, persistent east-west connections between internal hosts on ports that have no business reason to peer.
Affected
Government, diplomatic, defense, and defense-adjacent organizations in Europe, Central Asia, and Ukraine. Historic FSB target patterns include foreign ministries, embassies, and defense contractors; Gamaredon initial-access activity widens the candidate set across Eastern European industry.
Fix
Block known Kazuar v3 hashes and infrastructure from Microsoft's report and deploy detections for the Kernel-Bridge-Worker P2P pattern (a single external talker per cluster). Because only the elected leader contacts the C2 server, proxy and firewall logs will show one host while several are infected; scope the incident from east-west telemetry before remediating, or the surviving peers will elect a new leader. Restrict access to Outlook PST/OST files and USB device history with EDR rules.
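The "single external talker per cluster" pattern described above can be hunted directly in flow data: group internal hosts that peer with each other at low volume on an unusual port, then count how many of them also reach the Internet. The following is an added example, not code from Microsoft's report or the original page. The flow records, internal address range, peer port (8443) and byte threshold are constructed assumptions for illustration; the real Kazuar v3 ports, protocols and volumes are not given on this page, so tune those parameters from the report's indicators and your own baseline.

```python
"""Added example (not Microsoft's code or the page's): flag clusters of internal hosts
that peer with each other at low volume while exactly one member talks to the outside."""
import ipaddress
from collections import defaultdict

INTERNAL = [ipaddress.ip_network("10.0.0.0/8")]   # assumed internal address space
PEER_PORT = 8443          # assumed: an uncommon port seen host-to-host, not a business service
LOW_VOLUME_BYTES = 65536  # assumed: beacon-sized exchanges, not file transfers
MIN_CLUSTER = 3           # two hosts sharing a port is too common to be interesting

# Constructed flow records: (src_ip, dst_ip, dst_port, bytes)
FLOWS = [
    ("10.0.1.10", "10.0.1.11", 8443, 1200),      # cluster A: four hosts peering quietly
    ("10.0.1.11", "10.0.1.12", 8443, 900),
    ("10.0.1.12", "10.0.1.10", 8443, 1500),
    ("10.0.1.13", "10.0.1.10", 8443, 700),
    ("10.0.1.10", "203.0.113.7", 443, 4200),     # only one member of A reaches out
    ("10.0.2.20", "10.0.2.21", 445, 5_000_000),  # ordinary SMB: wrong port, far too large
    ("10.0.2.20", "198.51.100.9", 443, 3000),
    ("10.0.2.21", "198.51.100.9", 443, 3100),
    ("10.0.3.30", "10.0.3.31", 8443, 800),       # pair B: both egress, too small to flag
    ("10.0.3.30", "203.0.113.8", 443, 2000),
    ("10.0.3.31", "203.0.113.8", 443, 2000),
]


def is_internal(ip):
    addr = ipaddress.ip_address(ip)
    return any(addr in net for net in INTERNAL)


class DisjointSet:
    """Union-find over host addresses, used to group peering hosts into clusters."""
    def __init__(self):
        self.parent = {}

    def find(self, x):
        self.parent.setdefault(x, x)
        while self.parent[x] != x:
            self.parent[x] = self.parent[self.parent[x]]   # path halving
            x = self.parent[x]
        return x

    def union(self, a, b):
        self.parent[self.find(a)] = self.find(b)


def find_single_talker_clusters(flows, peer_port=PEER_PORT,
                                max_bytes=LOW_VOLUME_BYTES, min_size=MIN_CLUSTER):
    """Return one finding per cluster whose members peer internally while exactly
    one of them has any external egress: the shape of a leader-elected P2P implant."""
    dsu, peers, egress = DisjointSet(), set(), defaultdict(set)
    for src, dst, port, nbytes in flows:
        src_in, dst_in = is_internal(src), is_internal(dst)
        if src_in and dst_in and port == peer_port and nbytes <= max_bytes:
            dsu.union(src, dst)
            peers.update((src, dst))
        elif src_in and not dst_in:
            egress[src].add(dst)
    clusters = defaultdict(set)
    for host in peers:
        clusters[dsu.find(host)].add(host)
    findings = []
    for members in clusters.values():
        talkers = sorted(h for h in members if egress.get(h))
        if len(members) >= min_size and len(talkers) == 1:
            findings.append({"leader": talkers[0], "members": sorted(members),
                             "external": sorted(egress[talkers[0]])})
    return findings
```

On the constructed data this returns one finding: the four hosts in 10.0.1.0/24 with 10.0.1.10 as the only external talker. The SMB pair is excluded by port and size, and the 10.0.3.x pair is excluded because both hosts egress and the group is below the size threshold. In production, the same grouping should be run over a window of hours to days, since the point of the leader election is that any single short capture may show only the leader.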