FSB's matryoshka #1/3 – Gamaredon's gifts that keep unpacking – GammaPhish and GammaWorm

Gamaredon, a cyberespionage group operated by Russia's FSB, conducts long-term intrusion operations targeting Ukrainian government, military, and critical infrastructure. This analysis documents their 2026 infection chain, which uses HTML smuggling with weaponized xHTML files delivering RAR archives that exploit CVE-2025-8088 to extract HTA files into Windows Startup directories. The chain deploys GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation via USB and network drives, and GammaSteal for exfiltration. The architecture is nearly fileless, leveraging NTFS Alternate Data Streams to conceal modules and using Dead Drop Resolvers on legitimate platforms like Telegram and Cloudflare for C2 infrastructure. Every stage functions as an independent backdoor capable of executing arbitrary VBScript, representing a shift from their historical Pteranodon framework to a modular ecosystem designed for persistent espionage.

Pulse ID: 6a1dde0927ce7587f79534ee
Pulse Link: https://otx.alienvault.com/pulse/6a1dde0927ce7587f79534ee
Pulse Author: AlienVault
Created: 2026-06-01 19:31:21

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#BackDoor #Cloud #CyberSecurity #Cyberespionage #Espionage #Gamaredon #Government #HTML #InfoSec #Military #OTX #OpenThreatExchange #RAT #Russia #Telegram #UK #USB #Ukr #Ukrainian #VBS #Windows #Worm #bot #AlienVault

LevelBlue - Open Threat Exchange

Learn about the latest cyber threats. Research, collaborate, and share threat intelligence in real time. Protect yourself and the community against today's emerging threats.

LevelBlue Open Threat Exchange
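An added example (mine, not code from the pulse or from the report it summarises) for the delivery stage described above: a Python triage script that pulls quoted base64 blobs out of a smuggling page, identifies the archive by its magic bytes, walks the RAR5 headers to list entry names, and flags names containing directory traversal, an absolute path or an NTFS stream separator, which a safe extractor must never honour. The lure page and the archive are constructed inside the script. The traversal-named entry illustrates the idea behind path-traversal bugs such as CVE-2025-8088 and is an assumption about naming, not the layout of the real malicious archives.

```python
"""Triage an HTML-smuggling page: pull quoted base64 blobs out of the markup,
identify archive magic, walk RAR5 headers to list entry names and flag names a
safe extractor must never honour. Added example with constructed samples."""
import base64
import re
import zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
MAGIC = {RAR5_SIG: "rar5", b"Rar!\x1a\x07\x00": "rar4", b"PK\x03\x04": "zip"}
B64_IN_QUOTES = re.compile(r"""['"]([A-Za-z0-9+/]{32,}={0,2})['"]""")  # payload-sized only
BAD_NAME = re.compile(r"(^|[\\/])\.\.([\\/]|$)|^[\\/]|:")  # traversal, absolute, NTFS stream

def vint(n: int) -> bytes:
    """RAR5 variable-length integer: 7 data bits per byte, high bit = continue."""
    out = bytearray()
    while n > 0x7F:
        out.append(n & 0x7F | 0x80)
        n >>= 7
    return bytes(out) + bytes([n])

def read_vint(buf: bytes, pos: int):
    n = shift = 0
    while True:
        b, pos = buf[pos], pos + 1
        n |= (b & 0x7F) << shift
        if not b & 0x80:
            return n, pos
        shift += 7

def rar5_block(body: bytes) -> bytes:
    """Header CRC32 + header size + body; the CRC covers the size field and body."""
    sized = vint(len(body)) + body
    return zlib.crc32(sized).to_bytes(4, "little") + sized

def build_rar5(entries) -> bytes:
    """Constructed stored (uncompressed) RAR5: main header, file headers, end header."""
    out = bytearray(RAR5_SIG) + rar5_block(vint(1) + vint(0) + vint(0))
    for name, data in entries:
        nm = name.encode("utf-8")
        body = (vint(2) + vint(0x02) + vint(len(data))       # type 2, data present, data size
                + vint(0) + vint(len(data)) + vint(0x20)     # file flags, unpacked size, attrs
                + vint(0) + vint(0) + vint(len(nm)) + nm)    # store, host OS Windows, name
        out += rar5_block(body) + data
    return bytes(out + rar5_block(vint(5) + vint(0) + vint(0)))

def rar5_names(blob: bytes):
    """Walk RAR5 headers and return file entry names; rejects bad header CRCs."""
    if not blob.startswith(RAR5_SIG):
        raise ValueError("not a RAR5 archive")
    pos, names = len(RAR5_SIG), []
    while pos < len(blob):
        crc = int.from_bytes(blob[pos:pos + 4], "little")
        size, p = read_vint(blob, pos + 4)
        end = p + size
        if zlib.crc32(blob[pos + 4:end]) != crc:
            raise ValueError(f"header CRC mismatch at offset {pos}")
        htype, p = read_vint(blob, p)
        hflags, p = read_vint(blob, p)
        if hflags & 0x01:
            _, p = read_vint(blob, p)                        # extra area size, unused here
        data_size, p = read_vint(blob, p) if hflags & 0x02 else (0, p)
        if htype == 2:                                       # file header
            fflags, p = read_vint(blob, p)
            for _ in range(2):                               # unpacked size, attributes
                _, p = read_vint(blob, p)
            p += (4 if fflags & 0x02 else 0) + (4 if fflags & 0x04 else 0)  # mtime, data CRC32
            for _ in range(2):                               # compression info, host OS
                _, p = read_vint(blob, p)
            nlen, p = read_vint(blob, p)
            names.append(blob[p:p + nlen].decode("utf-8", "replace"))
        if htype == 5:                                       # end of archive
            break
        pos = end + data_size
    return names

def suspicious_names(names):
    return [n for n in names if BAD_NAME.search(n)]

def triage_html(html: str):
    """Decode every quoted base64 blob in the page and classify it."""
    findings = []
    for m in B64_IN_QUOTES.finditer(html):
        try:
            data = base64.b64decode(m.group(1), validate=True)
        except ValueError:
            continue
        kind = next((k for sig, k in MAGIC.items() if data.startswith(sig)), "unknown")
        names = rar5_names(data) if kind == "rar5" else []
        findings.append({"kind": kind, "size": len(data), "names": names,
                         "suspicious": suspicious_names(names)})
    return findings

# Constructed sample: a decoy plus an entry whose name climbs into the per-user
# Startup folder (the traversal idea, not the layout of the real archives).
SAMPLE_RAR = build_rar5([
    ("Report.pdf", b"%PDF-1.4 decoy"),
    ("..\\..\\AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.hta",
     b"<script language=vbscript>MsgBox 1</script>"),
])
SAMPLE_HTML = ("<html><body><script>var b='" + base64.b64encode(SAMPLE_RAR).decode()
               + "';var blob=new Blob([Uint8Array.from(atob(b),c=>c.charCodeAt(0))]);"
               "</script></body></html>")

if __name__ == "__main__":
    print(triage_html(SAMPLE_HTML))
```

Run it on a saved lure page by passing the file's text to `triage_html`; a `rar5` finding with a non-empty `suspicious` list is the signal to pull the sample rather than open it in an archiver.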
Aviation weather for Brescia airport in Montichiari area (Italy) is "METAR LIPO 010920Z AUTO 11004KT 050V170 9999 FEW130/// 24/17 Q1014": See what it means on https://www.bigorre.org/aero/meteo/lipo/en #bresciaairport #airport #montichiari #italy #lipo #vbs #metar #aviation #aviationweather #avgeek
Brescia airport in Montichiari (Italy) aviation weather and information LIPO VBS

Aviation weather with TAF and METAR, Maps, hotels and aeronautical information for Brescia airport in Montichiari (Italy)

Bigorre.org

Reloaded in a modern Remcos RAT Infection

Analysts discovered a new Remcos RAT infection chain starting with a batch file executing encoded commands that creates hidden directories and retrieves encrypted payloads. Unlike earlier campaigns relying on PowerShell-hosted .NET loaders, this variant incorporates DonutLoader shellcode and AutoIt-based staging for in-memory payload delivery. The infection begins with a phishing email containing a malicious batch file named Bestellung.CMD. The chain abuses legitimate Windows utilities including cscript.exe and SyncAppvPublishingServer.vbs to execute Base64-encoded payloads. Additional components are downloaded from cloud storage, including 7Zip tools and password-protected archives containing obfuscated JScript. The final payload consists of DonutLoader shellcode that injects Remcos RAT version 7.2.1 Pro into colorcpl.exe, enabling remote control, credential harvesting, keystroke logging, and additional payload deployment.

Pulse ID: 6a1a2dd905d9f8c4474cb45e
Pulse Link: https://otx.alienvault.com/pulse/6a1a2dd905d9f8c4474cb45e
Pulse Author: AlienVault
Created: 2026-05-30 00:22:49

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#7Zip #Autoit #Cloud #CredentialHarvesting #CyberSecurity #Email #InfoSec #NET #OTX #OpenThreatExchange #Password #Phishing #PowerShell #RAT #Remcos #RemcosRAT #ShellCode #VBS #Windows #Word #ZIP #bot #AlienVault

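An added example (mine, not code from the pulse) of detection logic for the chain above: Python rules run over constructed process-creation events with Sysmon Event ID 1 style field names, catching cscript.exe invoking SyncAppvPublishingServer.vbs, long base64 tokens in command lines (decoded so the analyst sees what they hide), a .CMD batch file spawning a script host, and colorcpl.exe started by something other than the shell. The events, the batch file path and the stage-one command are made up to exercise the rules; they are not telemetry from the campaign.

```python
"""Detection rules for a living-off-the-land chain, run over constructed
process-creation events with Sysmon Event ID 1 style field names. Added
example: the events are made up to exercise the rules and are not telemetry
from the reported campaign."""
import base64
import re
from pathlib import PureWindowsPath

SCRIPT_HOSTS = {"cscript.exe", "wscript.exe", "cmd.exe", "powershell.exe",
                "pwsh.exe", "mshta.exe"}
USER_WRITABLE = ("\\users\\", "\\programdata\\", "\\temp\\", "\\appdata\\")
B64_RUN = re.compile(r"[A-Za-z0-9+/]{64,}={0,2}")

def _exe(path: str) -> str:
    return PureWindowsPath(path).name.lower()

def decoded_base64_fragments(cmdline: str):
    """Decode long base64 runs in a command line. UTF-16LE is tried first
    (PowerShell -EncodedCommand), then UTF-8; only ASCII text is reported."""
    out = []
    for m in B64_RUN.finditer(cmdline):
        try:
            raw = base64.b64decode(m.group(0), validate=True)
        except ValueError:
            continue
        for enc in ("utf-16-le", "utf-8"):
            try:
                text = raw.decode(enc)
            except UnicodeDecodeError:
                continue
            if text.isascii() and text.isprintable():
                out.append(text)
                break
    return out

def evaluate(event: dict):
    """Return the names of the rules an event matches, in rule order."""
    img, parent = _exe(event["Image"]), _exe(event["ParentImage"])
    cmd = event["CommandLine"]
    lcmd = cmd.lower()
    hits = []
    # 1. SyncAppvPublishingServer.vbs hands everything after ';' to PowerShell
    if img in {"cscript.exe", "wscript.exe"} and "syncappvpublishingserver.vbs" in lcmd:
        hits.append("lolbin_syncappv_powershell_proxy")
    # 2. a long base64 token that decodes to readable text is a hidden command
    if decoded_base64_fragments(cmd):
        hits.append("base64_in_command_line")
    # 3. a .cmd/.bat run by cmd.exe that spawns a script host
    pcmd = event.get("ParentCommandLine", "").lower()
    if img in {"cscript.exe", "wscript.exe"} and parent == "cmd.exe" \
            and re.search(r"\.(cmd|bat)\b", pcmd):
        hits.append("batch_spawns_script_host")
    # 4. colorcpl.exe is normally started by explorer/control panel, not by a
    #    script host or by a binary living under a user-writable directory
    if img == "colorcpl.exe" and (parent in SCRIPT_HOSTS or
                                  any(s in event["ParentImage"].lower() for s in USER_WRITABLE)):
        hits.append("colorcpl_unexpected_parent")
    return hits

# Constructed stage-one command: create a hidden working directory.
STAGE1_PS = "New-Item -ItemType Directory -Force 'C:\\ProgramData\\Cache'; attrib +h 'C:\\ProgramData\\Cache'"
STAGE1_B64 = base64.b64encode(STAGE1_PS.encode("utf-16-le")).decode()

EVENTS = [
    {   # constructed: batch file -> cscript -> SyncAppvPublishingServer.vbs -> powershell -enc
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "ParentImage": "C:\\Windows\\System32\\cmd.exe",
        "ParentCommandLine": 'cmd.exe /c "C:\\Users\\victim\\Downloads\\Bestellung.CMD"',
        "CommandLine": 'cscript.exe //nologo C:\\Windows\\System32\\SyncAppvPublishingServer.vbs '
                       f'"n; powershell -enc {STAGE1_B64}"',
    },
    {   # constructed: injection target started by an interpreter dropped in %TEMP%
        "Image": "C:\\Windows\\System32\\colorcpl.exe",
        "ParentImage": "C:\\Users\\victim\\AppData\\Local\\Temp\\autoit3.exe",
        "CommandLine": "C:\\Windows\\System32\\colorcpl.exe",
    },
    {   # benign: colour management opened from the shell
        "Image": "C:\\Windows\\System32\\colorcpl.exe",
        "ParentImage": "C:\\Windows\\explorer.exe",
        "CommandLine": "C:\\Windows\\System32\\colorcpl.exe",
    },
    {   # benign: a logon script
        "Image": "C:\\Windows\\System32\\cscript.exe",
        "ParentImage": "C:\\Windows\\System32\\userinit.exe",
        "CommandLine": "cscript.exe //nologo \\\\fileserver\\netlogon\\inventory.vbs",
    },
]

if __name__ == "__main__":
    for ev in EVENTS:
        print(_exe(ev["Image"]), "->", evaluate(ev) or "clean")
```

Rule 4 is deliberately parent-based rather than signature-based: the injected process is a signed Windows binary, so the only cheap tell at process creation is who started it.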

Operation Dragon Whistle: UNG002 Targets Chinese Academia via Weaponized Institutional Lure

A sophisticated spear-phishing campaign designated Operation Dragon Whistle has been identified targeting Changzhou University in China. The threat actor UNG002 leveraged highly contextual social engineering by impersonating official university communications regarding mandatory 2026 National Student Physical Fitness and Health Standards testing, which directly impacts graduation eligibility. The attack chain begins with a weaponized ZIP file containing a malicious LNK file disguised as a PDF document. Upon execution, it triggers a VBScript that simultaneously displays a legitimate-looking decoy document while deploying a multi-stage infection chain involving DLL sideloading via Bandizip.exe, anti-debugging techniques, and ultimately delivering a Cobalt Strike Beacon payload entirely in memory. The campaign demonstrates advanced evasion capabilities and utilizes Chinese cloud infrastructure hosted on Alibaba Cloud for command and control operations.

Pulse ID: 6a0db1f45208b8cf1b2b1571
Pulse Link: https://otx.alienvault.com/pulse/6a0db1f45208b8cf1b2b1571
Pulse Author: AlienVault
Created: 2026-05-20 13:07:00

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#China #Chinese #Cloud #CobaltStrike #CyberSecurity #InfoSec #LNK #OTX #OpenThreatExchange #PDF #Phishing #RAT #SideLoading #SocialEngineering #SpearPhishing #VBS #ZIP #bot #AlienVault

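An added example (mine, not the campaign's sample) for the LNK-disguised-as-PDF stage described above: a Python parser for the Windows shortcut binary format (MS-SHLLINK) that reads the ShowCommand and StringData fields, plus triage rules for a document-disguised launcher: double document extension, script-host target, script or encoded arguments, minimised window, document-viewer icon on a script launcher. The shortcuts are built in the script from assumed values (file name, wscript.exe target, arguments, Acrobat icon path); nothing here is taken from the real lure.

```python
"""Parse a Windows shortcut (.lnk, MS-SHLLINK binary format) and flag the traits
of a document-disguised launcher. Added example: the shortcuts are constructed
here from assumed values, they are not the campaign's sample."""
import struct
from pathlib import PureWindowsPath

LNK_CLSID = bytes.fromhex("0114020000000000c000000000000046")
HAS_IDLIST, HAS_LINKINFO, HAS_NAME, HAS_RELPATH = 0x01, 0x02, 0x04, 0x08
HAS_WORKDIR, HAS_ARGS, HAS_ICON, IS_UNICODE = 0x10, 0x20, 0x40, 0x80
SW_SHOWMINNOACTIVE = 7                      # window minimised, focus stays elsewhere
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "cmd.exe", "powershell.exe",
                "mshta.exe", "conhost.exe", "rundll32.exe"}
DOC_EXTS = {"pdf", "doc", "docx", "xls", "xlsx", "ppt", "pptx"}
STRING_FIELDS = ((HAS_NAME, "name"), (HAS_RELPATH, "relative_path"),
                 (HAS_WORKDIR, "working_dir"), (HAS_ARGS, "arguments"), (HAS_ICON, "icon"))

def build_lnk(name, relpath, args, icon, show=SW_SHOWMINNOACTIVE) -> bytes:
    """Minimal shortcut: 76-byte header plus StringData, no IDList or LinkInfo."""
    flags = HAS_NAME | HAS_RELPATH | HAS_ARGS | HAS_ICON | IS_UNICODE
    header = struct.pack("<I16sIIQQQIIIHHII", 0x4C, LNK_CLSID, flags, 0x20,
                         0, 0, 0, 0, 0, show, 0, 0, 0, 0)

    def s(text):                            # CountCharacters + UTF-16LE characters
        return struct.pack("<H", len(text)) + text.encode("utf-16-le")
    return header + s(name) + s(relpath) + s(args) + s(icon)

def parse_lnk(blob: bytes) -> dict:
    """Return ShowCommand and the StringData fields of a shell link."""
    if len(blob) < 0x4C or struct.unpack_from("<I", blob)[0] != 0x4C or blob[4:20] != LNK_CLSID:
        raise ValueError("not a shell link")
    flags = struct.unpack_from("<I", blob, 0x14)[0]
    info = {"show_command": struct.unpack_from("<I", blob, 0x3C)[0]}
    pos = 0x4C
    if flags & HAS_IDLIST:                  # IDListSize (2 bytes) + ItemIDList
        pos += 2 + struct.unpack_from("<H", blob, pos)[0]
    if flags & HAS_LINKINFO:                # LinkInfoSize counts itself
        pos += struct.unpack_from("<I", blob, pos)[0]
    for bit, key in STRING_FIELDS:
        if not flags & bit:
            continue
        n = struct.unpack_from("<H", blob, pos)[0]
        pos += 2
        if flags & IS_UNICODE:
            info[key], pos = blob[pos:pos + 2 * n].decode("utf-16-le"), pos + 2 * n
        else:
            info[key], pos = blob[pos:pos + n].decode("cp1252", "replace"), pos + n
    return info

def triage_lnk(filename: str, info: dict):
    """Name the lure traits present; an empty list means nothing stood out."""
    reasons = []
    target = PureWindowsPath(info.get("relative_path", "")).name.lower()
    args = info.get("arguments", "").lower()
    icon = info.get("icon", "").lower()
    low = filename.lower()
    if low.endswith(".lnk") and low[:-4].rsplit(".", 1)[-1] in DOC_EXTS:
        reasons.append("double_extension_document_lure")
    if target in SCRIPT_HOSTS:
        reasons.append("target_is_script_host:" + target)
    if any(t in args for t in ("vbscript", ".vbs", ".js", ".hta", "-enc", "iex", "/c ")):
        reasons.append("script_or_encoded_arguments")
    if info.get("show_command") == SW_SHOWMINNOACTIVE:
        reasons.append("window_minimised")
    if target in SCRIPT_HOSTS and any(k in icon for k in ("acrobat", "acrord", "winword", ".pdf", ".ico")):
        reasons.append("document_icon_on_script_launcher")
    return reasons

# Constructed lure: looks like a PDF, runs wscript minimised with a VBScript.
LURE_NAME = "Fitness_Test_Notice_2026.pdf.lnk"
LURE_LNK = build_lnk(
    name="Fitness test notice",
    relpath="..\\..\\..\\Windows\\System32\\wscript.exe",
    args='//B //E:VBScript "%TEMP%\\notice.txt"',
    icon="%ProgramFiles%\\Adobe\\Acrobat DC\\Acrobat\\Acrobat.exe",
)
# Constructed benign shortcut for comparison.
BENIGN_LNK = build_lnk("Notepad", "..\\..\\..\\Windows\\notepad.exe", "", "", show=1)

if __name__ == "__main__":
    print(parse_lnk(LURE_LNK))
    print(triage_lnk(LURE_NAME, parse_lnk(LURE_LNK)))
    print(triage_lnk("Notepad.lnk", parse_lnk(BENIGN_LNK)))
```

Real lures usually carry the target in the IDList rather than RelativePath; the parser skips that structure, so on such files `relative_path` is absent and only the argument, window and icon rules fire. Extending it to decode the IDList is the natural next step.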

Analyzing TAX#TRIDENT: Fake Indian Tax Lures Pivot Across ZIP, VBS, Stego and PHP-Wrapped VBS Delivery

Pulse ID: 6a0f1990ade1c88361439eb5
Pulse Link: https://otx.alienvault.com/pulse/6a0f1990ade1c88361439eb5
Pulse Author: CyberHunter_NL
Created: 2026-05-21 14:41:20

Be advised, this data is unverified and should be considered preliminary. Always do further verification.

#CyberSecurity #India #InfoSec #OTX #OpenThreatExchange #PHP #VBS #ZIP #bot #CyberHunter_NL

You can now create custom CPU types in #Proxmox (9.1.16)!

This hopefully finally solves the issues we recently had with #Windows 2025 guests and #VBS: custom CPU type presets let you quickly adapt, allowing all the flags to be customized. #PVE

What with Paul McCartney on SNL this weekend, I asked our son if he could name the 4 Beatles. He could only name one. Then I asked our twenty something waiter if he knew them and he could only name 2 of them.

I told my son that this summer he's going to VBS (Vacation Beatles School). Which Beatles doc should I make him watch with me?

#TheBeatles #Music #JohnPaulGeorgeRingo #Rock #VBS

The Compleat Beatles
50%
The Beatles Anthology
50%
Forensics analyst Nha-Khanh Nguyen illustrating the investigation of an attack via #VBS and #RAT https://www.youtube.com/watch?v=osJofTk4um8
Hack The Box Sherlock - Takedown - Wake up la justice !

YouTube
Swiss Army buys pistol – despite poor test score

The army wants to procure a pistol from the US company SIG Sauer, even though it performs very poorly in tests.

Schweizer Radio und Fernsehen (SRF)