Threat Intelligence

Russian hackers exploit WinRAR vulnerability for data theft

June 2, 2026
By SC Staff

As reported by The Hacker News, the Russian hacking group Gamaredon is actively exploiting a WinRAR vulnerability, CVE-2025-8088, to deploy several malware families for data theft and network propagation.

According to Sekoia, the exploitation chain begins with a weaponized HTML Application payload called GammaPhish, which retrieves intermediate Visual Basic Script (VBScript) downloaders known as GammaLoad. These scripts fingerprint the host, update their network configuration, and fetch arbitrary VBScript payloads from command-and-control (C2) servers.

One such payload is GammaWorm, a VBScript worm that establishes persistence through scheduled tasks and replaces legitimate directories with malicious LNK files, so that opening the apparent folder executes attacker-controlled code. To evade detection, GammaWorm uses legitimate platforms such as Telegram for C2 communication and hides its modules in NTFS Alternate Data Streams.

Another family, GammaSteel, is a modular information stealer that collects files with specific extensions and exfiltrates them to an AWS S3 bucket, falling back to a secondary server if that fails. Sekoia noted that the infection sequences are modular and adaptable, and could be used to deploy other malware such as GammaWipe.

Gamaredon, linked to Russia's FSB, has a long history of targeting Ukraine, particularly government and critical infrastructure entities, using spear-phishing emails with malicious RAR archives. The resilient, heavily obfuscated design of this infection chain suggests it will be reused in future operations.
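The three GammaWorm behaviours described above (scheduled-task persistence, LNK files standing in for directories, and modules tucked into NTFS Alternate Data Streams) are all visible from a standard Windows host, which makes them reasonable triage targets. The script below is an added example written for this page; it is not Gamaredon or Sekoia code and contains no real indicators from the campaign. The scan roots, the script-host regexes, the folder-icon heuristic and the allow-list of benign stream names are assumptions chosen for illustration, so expect tuning on real estates.

```powershell
# Added example: host triage for the tradecraft described in the article
# (scheduled tasks running a script host, LNK files posing as folders,
# unexpected NTFS alternate data streams). Not Gamaredon or Sekoia code and
# carries no real indicators; paths, regexes and the stream allow-list are
# assumptions for illustration. Run from an elevated PowerShell 5.1+ session.

param(
    [string[]]$ScanRoots = @("$env:USERPROFILE", "$env:PUBLIC"),
    # Streams every NTFS file may legitimately carry; anything else is reported.
    [string[]]$BenignStreams = @(':$DATA', 'Zone.Identifier', 'SmartScreen')
)

# 1. Scheduled tasks whose action launches a script host (the worm is VBScript,
#    so wscript/cscript; mshta is included because the chain starts with an HTA).
function Get-SuspiciousScriptTasks {
    Get-ScheduledTask | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            $cmd = "$($action.Execute) $($action.Arguments)"
            if ($cmd -match '\b(wscript|cscript|mshta)(\.exe)?\b') {
                [pscustomobject]@{
                    Finding  = 'ScriptHostTask'
                    TaskPath = $task.TaskPath
                    TaskName = $task.TaskName
                    Command  = $cmd
                }
            }
        }
    }
}

# 2. LNK files that present a folder icon (assumed heuristic: shell32.dll icon
#    index 3 or 4, or explorer.exe) or whose target is a script host. A shortcut
#    sitting where a directory used to be is exactly what the article describes.
function Get-DirectoryMasqueradingLinks {
    param([string[]]$Roots)
    $shell = New-Object -ComObject WScript.Shell
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Filter *.lnk -Recurse -File -ErrorAction SilentlyContinue |
          ForEach-Object {
            $lnk    = $shell.CreateShortcut($_.FullName)
            $target = "$($lnk.TargetPath) $($lnk.Arguments)"
            $looksLikeFolder = $lnk.IconLocation -match 'shell32\.dll,\s*[34]$|explorer\.exe'
            $scriptHost      = $target -match '\b(wscript|cscript|mshta|powershell|cmd)(\.exe)?\b'
            if ($looksLikeFolder -or $scriptHost) {
                [pscustomobject]@{
                    Finding = 'MasqueradingLnk'
                    Path    = $_.FullName
                    Target  = $target
                    Icon    = $lnk.IconLocation
                }
            }
          }
    }
}

# 3. Files carrying alternate data streams beyond the usual benign ones.
#    Get-Item -Stream * returns one record per stream (FileName, Stream, Length).
function Get-UnexpectedAlternateStreams {
    param([string[]]$Roots, [string[]]$Allow)
    foreach ($root in $Roots) {
        Get-ChildItem -Path $root -Recurse -File -ErrorAction SilentlyContinue |
          ForEach-Object {
            Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue |
              Where-Object { $Allow -notcontains $_.Stream } |
              ForEach-Object {
                [pscustomobject]@{
                    Finding = 'AlternateDataStream'
                    Path    = $_.FileName
                    Stream  = $_.Stream
                    Length  = $_.Length
                }
              }
          }
    }
}

$findings = @(Get-SuspiciousScriptTasks) +
            @(Get-DirectoryMasqueradingLinks -Roots $ScanRoots) +
            @(Get-UnexpectedAlternateStreams -Roots $ScanRoots -Allow $BenignStreams)

$findings | Format-Table -AutoSize
```

Each finding is a hypothesis, not a verdict: many software installers register script-host tasks, and vendors occasionally use custom streams. The useful signal is the combination, for example a scheduled task that runs wscript.exe against a file whose payload lives in a stream of an otherwise innocuous document, next to a folder-iconed LNK named after a directory that no longer exists. Read a suspicious stream with Get-Content -Path <file> -Stream <name> before deciding anything.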
Source: The Hacker News