Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088
#CVE_2025_8088 #RomComGroup #APT44 #TEMP.Armageddon #Gamaredon #Turla #zeroplayer
https://cloud.google.com/blog/topics/threat-intelligence/exploiting-critical-winrar-vulnerability
#Gamaredon
Gamaredon: Now Downloading via Windows Updates Best Friend “BITS”
#Gamaredon
https://blog.synapticsystems.de/gamaredon-now-downloading-via-windows-updates-best-friend/
#ESETresearch analyzed the #Gamaredon VBScript payload recently flagged by @ClearskySec. It wipes registry Run keys, scheduled tasks, and kills processes – however, our assessment is that this is likely to clean researchers’ machines, not a shift to destructive ops. https://x.com/ClearskySec/status/1995061537183011084
The script is similar to Gamaredon VBScripts we analyzed before. It removes all registry values under well-known Run/RunOnce keys + several legitimate keys commonly abused by Gamaredon. It also deletes all scheduled tasks and terminates PowerShell, VBScript, and Mshta processes.
Gamaredon often stores malicious files with random names in %USERPROFILE%. Instead of pinpointing specific files, the script recursively deletes everything from the C:\Users directory – collateral damage seems acceptable to Gamaredon operators.
This behavior suggests Gamaredon wants to erase traces when uninstalling its malware – most likely due to recognizing researcher environments – not a pivot to destructive activities. Espionage remains their primary goal. https://www.virustotal.com/gui/file/9a39423ec90dc06a3058279cd744c08d83252d1c7096633b9853e435cc205755
📰 Geopolitical Shift: Russian and North Korean State Hackers Found Sharing Attack Infrastructure
‼️ Unprecedented cyber alliance: Russian APT Gamaredon & North Korea's Lazarus Group caught sharing C2 attack infrastructure. The collaboration signals a dangerous escalation in state-sponsored threats. #ThreatIntel #APT #Gamaredon #Lazarus #CyberWa...
📢 Chevauchement d’infrastructure entre Gamaredon (RU) et Lazarus (KP) détecté par Gen
📝 Selon Gen Blogs (gendigital.com), Threat Research Team, le 19 novembre 2025, de nouveaux éléments indiquent un possible chevauchement d’in...
📖 cyberveille : https://cyberveille.ch/posts/2025-11-25-chevauchement-dinfrastructure-entre-gamaredon-ru-et-lazarus-kp-detecte-par-gen/
🌐 source : https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025
#APT #Gamaredon #Cyberveille
Two of the world’s most prolific state-linked #cybercrime groups — #russia’s #Gamaredon and #NKorea’s #Lazarus collective — have been spotted sharing resources.
Experts found overlapping #tactics and shared #infrastructure between the two groups.
https://www.politico.eu/article/russia-north-korea-partner-cyber-crime-research-gamaredon-lazarus/
// Turla + Gamaredon : alliance inédite entre APT russes
⚠️ Deux groupes APT liés au Kremlin, Turla et Gamaredon, collaborent pour la première fois en Ukraine. Une synergie inquiétante entre cyber-espionnage et sabotage.
🔗 https://www.datasecuritybreach.fr/turla-et-gamaredon-la-collaboration-inedite-de-deux-apt-russes/
#APT #CyberEspionnage #Turla #Gamaredon #Ukraine #zataz @Damien_Bancal
#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives.
The same CVE was recently seen exploited in the wild by other groups (e.g., RomCom), and described by ESET Research in a blogpost - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
Now, Gamaredon is abusing it to drop malicious payloads via spearphishing lures, targeting Ukrainian governmental entities.
CVE-2025-8088 abuses a flaw in WinRAR’s handling of file paths in RAR archives. By crafting a file with ..\..\ sequences in its ADS, attackers can write files outside the extraction directory, which allows dropping files into the Startup folder.
IoCs:
🚨 VBS/Pterodo.CFC trojan
📄 6DF9312CD3EA11D94A01C4663C07907F6DFC59CB
D23B477B0103AFA8691E9AE9CE50912A2EA50D3B
AC6F459A218532F183004798936BB1A239349C20
0CDC5544413E80F78212E418E7936308A285E8DC
67A99D1D57116CD10B7082814B8CF25EB1FB9007
C8138F1CDD65FB4A3C93A7F7514C0133781FB89B
CDB0F9C6FC4120EFB911F5BB4E801300992BD560
CA0151D9AEE5408F3080CA108FA4EEB2C6785628
4626615651A9CC8CE0FD078DF281CA275D6D28C4
3EA2987D67A16450313E5DCC80C15C956F758486
0FC8B3117692C21A1750473771BCFB5D60CE306A
🌐documents-pdf.serveftp[.]com
document-ua.serveftp[.]com
pdf-download.serveftp[.]com
#ESET uncovers #Gamaredon–#Turla collaboration in #Ukraine cyberattacks
https://securityaffairs.com/182404/apt/eset-uncovers-gamaredon-turla-collaboration-in-ukraine-cyberattacks.html
#securityaffairs #hacking
Two of the Kremlin’s most active hack groups are collaborating, ESET says https://arstechni.ca/NMLz #advancedpersistentthreat #gamaredon #Security #Biz&IT #russia #turla #APT
📢 Analyse des cyberattaques de Gamaredon contre l'Ukraine en 2024
📝 ESET Research a publié une analyse détaillée des opérations de cyberespionnage menées par le groupe **Gamaredon** en 2024,...
📖 cyberveille : https://cyberveille.ch/posts/2025-07-05-analyse-des-cyberattaques-de-gamaredon-contre-l-ukraine-en-2024/
🌐 source : https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
#Gamaredon #IOC #Cyberveille
Gamaredon Unleashes Six New Malware Tools for Stealth, Persistence, and Lateral Movement
https://gbhackers.com/gamaredon-unleashes-six-new-malware-tools/
#Infosec #Security #Cybersecurity #CeptBiro #Gamaredon #MalwareTools #Stealth #Persistence #LateralMovement
Russian APT 'Gamaredon' Hits Ukraine With Fierce Phishing
https://www.darkreading.com/cyberattacks-data-breaches/russian-apt-gamaredon-ukraine-phishing
#Infosec #Security #Cybersecurity #CeptBiro #Russian #APT #Gamaredon #Ukraine #FiercePhishing
#ESETresearch has conducted a comprehensive technical analysis of new malicious tools and significant updates observed in 2024 in the arsenal of the Russia-aligned #Gamaredon #APTgroup targeting Ukraine🇺🇦. https://www.welivesecurity.com/en/eset-research/gamaredon-2024-cranking-out-spearphishing-campaigns-ukraine-evolved-toolset/
In 2024, #Gamaredon returned to exclusively targeting Ukrainian governmental institutions, significantly increasing the size and frequency of its #spearphishing campaigns compared to previous years, as shown in the chart.
Besides spearphishing, #Gamaredon continues to use custom malware for lateral movement, weaponizing USB and now also network drives via updated versions of PteroLNK. Additionally, the new tool PteroTickle weaponizes Python apps converted to executables.
The VBScript version of PteroLNK has become the group’s most frequently updated tool. It now weaponizes network drives, hides targeted folders, and creates malicious LNK files using JavaScript executed by mshta.exe.
Gamaredon added stealthier methods to known tools. For example, PteroPSDoor now uses WMI event subscriptions and FileSystemWatcher to quietly monitor files, reducing noisy operations that could alert defenders.
The new tool PteroGraphin implements uncommon persistence via Excel add-ins, creating a hidden channel for payload delivery through Telegraph. Later, Gamaredon simplified its persistence, relying instead on scheduled tasks alone.
Another notable addition is PteroBox, a new PowerShell-based file stealer that exfiltrates files to Dropbox. It prioritizes sensitive documents, tracks exfiltrated files via MD5 hashes, and monitors USB insertions through WMI events
In 2024, Gamaredon went to great lengths to bypass network-based blocking. It increasingly hid its C&C servers behind Cloudflare tunnels and leveraged third-party DNS services, Codeberg repositories, and Telegraph posts to evade detection.
Our detailed technical analysis of the latest Gamaredon tools and techniques is available in the white paper: https://web-assets.esetstatic.com/wls/en/papers/white-papers/gamaredon-in-2024.pdf
IoCs are provided in the white paper and at https://github.com/eset/
Die jüngsten Enthüllungen zur Hackergruppe Gamaredon zeigen: es ist oft geopolitisches Kalkül. Seit Jahren wird vermutet, dass Russland Gruppen wie Gamaredon unterstützt oder gar direkt steuert.
#Gamaredon #CyberWar #Russland #Cyberangriff #KritischeInfrastrukturen
https://www.it-daily.net/it-sicherheit/cybercrime/hackergruppe-gamaredon
#Gamaredon : The Turncoat #Spies Relentlessly #Hacking #Ukraine
For the past decade, this group of #FSB #hackers—including “traitor” #Ukrainian intelligence officers—has used a grinding barrage of #intrusion campaigns to make life hell for their former countrymen and #cybersecurity defenders.
#security #privacy
https://www.wired.com/story/gamaredon-turncoat-spies-hacking-ukraine/
Russian hackers are upping their game—switching to stealthy PowerShell tactics and malicious drives to target military networks. How safe is our digital world when threats evolve so fast?
https://thedefendopsdiaries.com/gamaredons-evolving-cyber-threats-a-closer-look/
State-Sponsored Tactics: How Gamaredon and ShadowPad Operate and Rotate Their Infrastructure
#Gamaredon #RedFoxtrot #ShadowPad
https://hunt.io/blog/state-sponsored-activity-gamaredon-shadowpad
The russia-backed #Gamaredon group targets Ukraine once again in the ongoing campaign that employs DLL sideloading and exploits LNK files to spread #Remcos backdoor. Detect related #APT attacks with #Sigma rules from SOC Prime Platform.
https://socprime.com/blog/gamaredon-campaign-detection/?utm_source=x&utm_medium=social&utm_campaign=latest-threats&utm_content=blog-post
Client Info
Server: https://mastodon.social
Version: 2025.07
Repository: https://github.com/cyevgeniy/lmst