Last updated: July 5, 2026 at 9:01 AM UTC
Tag: russia-apt (2 articles)

Gamaredon (FSB) exploits WinRAR to deliver GammaWorm and GammaSteel against Ukraine - resilient, highly obfuscated modular RAR chain

Sekoia has documented Gamaredon - a Russian state-sponsored intrusion set officially linked to the FSB - exploiting WinRAR via booby-trapped RAR archives to deliver the GammaWorm and GammaSteel malware against Ukrainian targets. The infection chain is described as resilient, massive, and highly obfuscated with a modular design whose configurations operators can update on the fly, making reuse likely. Gamaredon has a long history of targeting Ukrainian government, military, and critical-infrastructure entities through spear-phishing with malicious attachments. The disclosure coincides with related Ukraine-focused activity by UAC-0184 (PassMark BurnInTest LNK lures), UAC-0247 (HTA droppers against drone operators), and APT28's evolving PixyNetLoader delivering a COVENANT implant via CVE-2026-21509.

Check
Hunt for malicious RAR archives and WinRAR exploitation, GammaWorm and GammaSteel indicators, and spear-phishing with RAR attachments in Ukraine-facing operations. Apply Sekoia IoCs.
Affected
Ukrainian government, military, and critical-infrastructure entities - Gamaredon's persistent FSB-linked targets. Spear-phishing with booby-trapped RAR archives delivering modular, frequently updated payloads is the vector.
Fix
Patch WinRAR to the latest version. Block RAR attachments at the email gateway where feasible. Restrict mshta and script execution. Hunt for GammaSteel exfiltration and GammaWorm persistence.

WithSecure: Russia-linked GREYVIBE targets Ukraine with AI-assisted malware via PhantomMail, PhantomRelay RAT, and ClickFix fake-CAPTCHA chains

WithSecure has attributed persistent attacks against Ukraine and Ukraine-related entities since at least August 2025 to GREYVIBE, a previously undocumented Russian-speaking group operating in the Russian time zone and aligned with Kremlin intelligence interests. Victims span military, government, civilian, and business organizations. The group uses spear-phishing (PhantomMail, delivering JavaScript loaders from Google Drive and 4sync), a PowerShell RAT called PhantomRelay, and ClickFix-style fake-CAPTCHA pages (PhantomClick) impersonating Zoom and a fake adult-club site (PrincessClub). WithSecure describes GREYVIBE as low-to-moderately sophisticated, hampered by repeated OPSEC mistakes, but increasingly relying on generative AI and LLMs to accelerate malware development. Some members have ties to the broader Russian cybercrime ecosystem.

Check
Hunt for PhantomRelay PowerShell RAT activity and JavaScript loaders from Google Drive or 4sync links. Block known GREYVIBE ClickFix domains impersonating Zoom. Apply WithSecure IoCs.
Affected
Ukrainian military, government, civilian, and business organizations and Ukraine-related entities. Delivery via spear-phishing, fake CAPTCHA pages, and fraudulent adult-club websites since August 2025.
Fix
Block GREYVIBE C2 and loader-hosting domains per WithSecure. Restrict PowerShell for standard users. Train staff against ClickFix fake-CAPTCHA 'paste this command' prompts. Monitor Google Drive/4sync archive downloads.