Sekoia has documented Gamaredon - a Russian state-sponsored intrusion set officially linked to the FSB - exploiting WinRAR via booby-trapped RAR archives to deliver the GammaWorm and GammaSteel malware against Ukrainian targets. The infection chain is described as resilient, massive, and highly obfuscated with a modular design whose configurations operators can update on the fly, making reuse likely. Gamaredon has a long history of targeting Ukrainian government, military, and critical-infrastructure entities through spear-phishing with malicious attachments. The disclosure coincides with related Ukraine-focused activity by UAC-0184 (PassMark BurnInTest LNK lures), UAC-0247 (HTA droppers against drone operators), and APT28's evolving PixyNetLoader delivering a COVENANT implant via CVE-2026-21509.
WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.