Diverse Threat Actors Exploiting Critical WinRAR Vulnerability CVE-2025-8088 | Google Cloud Blog

Espionage and financially motivated threat actors are exploiting critical WinRAR vulnerability CVE-2025-8088.

Google Cloud Blog
Gamaredon: Now Downloading via Windows Updates Best Friend “BITS”
#Gamaredon
https://blog.synapticsystems.de/gamaredon-now-downloading-via-windows-updates-best-friend/
Gamaredon: Now Downloading via Windows Updates Best Friend "BITS" - Synaptic Security Blog

by Robin Dost There’s yet another update in Gamaredon’s GamaLoad scripts, which pushed me to write this article and to slightly revisit my previous post “Defending Against Gamaredon: Practical Controls That Actually Work”. In this article, I distinguish between GamaLoad and Pterodo. I still consider GamaLoad a transitional stage, primarily implemented as a defensive layer […]

Synaptic Security Blog
#ESETresearch analyzed the #Gamaredon VBScript payload recently flagged by @ClearskySec. It wipes registry Run keys, scheduled tasks, and kills processes – however, our assessment is that this is likely to clean researchers’ machines, not a shift to destructive ops. https://x.com/ClearskySec/status/1995061537183011084
The script is similar to Gamaredon VBScripts we analyzed before. It removes all registry values under well-known Run/RunOnce keys + several legitimate keys commonly abused by Gamaredon. It also deletes all scheduled tasks and terminates PowerShell, VBScript, and Mshta processes.
Gamaredon often stores malicious files with random names in %USERPROFILE%. Instead of pinpointing specific files, the script recursively deletes everything from the C:\Users directory – collateral damage seems acceptable to Gamaredon operators.
This behavior suggests Gamaredon wants to erase traces when uninstalling its malware – most likely due to recognizing researcher environments – not a pivot to destructive activities. Espionage remains their primary goal. https://www.virustotal.com/gui/file/9a39423ec90dc06a3058279cd744c08d83252d1c7096633b9853e435cc205755
ClearSky Cyber Security (@ClearskySec) on X

A new wiper attack has been identified by ClearSky Cyber Security affecting Ukraine. We named this wiper "GamaWiper" (VBS-based wiper). The intrusion chain begins with the exploitation of a vulnerable WinRAR version (CVE-2025-80880). We assess with moderate confidence that this

X (formerly Twitter)

📰 Geopolitical Shift: Russian and North Korean State Hackers Found Sharing Attack Infrastructure

‼️ Unprecedented cyber alliance: Russian APT Gamaredon & North Korea's Lazarus Group caught sharing C2 attack infrastructure. The collaboration signals a dangerous escalation in state-sponsored threats. #ThreatIntel #APT #Gamaredon #Lazarus #CyberWa...

🔗 https://cyber.netsecops.io/articles/unprecedented-collaboration-found-between-russian-gamaredon-and-north-korean-lazarus…

📢 Infrastructure overlap between Gamaredon (RU) and Lazarus (KP) detected by Gen
📝 According to Gen Blogs (gendigital.com), Threat Research Team, 19 November 2025, new evidence points to a possible overlap of in...
📖 cyberveille : https://cyberveille.ch/posts/2025-11-25-chevauchement-dinfrastructure-entre-gamaredon-ru-et-lazarus-kp-detecte-par-gen/
🌐 source : https://www.gendigital.com/blog/insights/research/apt-cyber-alliances-2025
#APT #Gamaredon #Cyberveille
Infrastructure overlap between Gamaredon (RU) and Lazarus (KP) detected by Gen

According to Gen Blogs (gendigital.com), Threat Research Team, 19 November 2025, new evidence indicates a possible infrastructure overlap between the Russian APT Gamaredon and the North Korean APT Lazarus, pointing to an unprecedented step in transnational cooperation in cyberspace. On 24 July 2025, Gen’s systems, which track Gamaredon’s C2 servers via known Telegram/Telegraph channels, blocked the IP 144[.]172[.]112[.]106. Four days later (28 July), the same server was hosting an obfuscated version of InvisibleFerret (attributed to Lazarus), delivered through a URL structure identical to that of the ContagiousInterview campaign (recruitment lures). Although the IP could be a proxy/VPN, the temporal proximity and the shared hosting pattern suggest infrastructure reuse and, with moderate confidence, operational collaboration. It remains undetermined whether Lazarus used a server controlled by Gamaredon or whether both shared the same client endpoint.

CyberVeille

Two of the world’s most prolific state-linked #cybercrime groups — #russia’s #Gamaredon and #NKorea’s #Lazarus collective — have been spotted sharing resources.

Experts found overlapping #tactics and shared #infrastructure between the two groups.

https://www.politico.eu/article/russia-north-korea-partner-cyber-crime-research-gamaredon-lazarus/

// Turla + Gamaredon: an unprecedented alliance between Russian APTs

⚠️ Two Kremlin-linked APT groups, Turla and Gamaredon, are collaborating for the first time in Ukraine. A worrying synergy between cyber-espionage and sabotage.

🔗 https://www.datasecuritybreach.fr/turla-et-gamaredon-la-collaboration-inedite-de-deux-apt-russes/

#APT #CyberEspionnage #Turla #Gamaredon #Ukraine #zataz @Damien_Bancal

#ESETresearch has observed #Gamaredon exploiting CVE-2025-8088 (#WinRAR path traversal) in an ongoing spearphishing campaign. This vulnerability allows arbitrary file write via crafted RAR archives.
The same CVE was recently seen exploited in the wild by other groups (e.g., RomCom), and described by ESET Research in a blogpost - https://www.welivesecurity.com/en/eset-research/update-winrar-tools-now-romcom-and-others-exploiting-zero-day-vulnerability/
Now, Gamaredon is abusing it to drop malicious payloads via spearphishing lures, targeting Ukrainian governmental entities.
CVE-2025-8088 abuses a flaw in WinRAR’s handling of file paths in RAR archives. By crafting a file with ..\..\ sequences in its ADS, attackers can write files outside the extraction directory, which allows dropping files into the Startup folder.
IoCs:
🚨 VBS/Pterodo.CFC trojan
📄 6DF9312CD3EA11D94A01C4663C07907F6DFC59CB
D23B477B0103AFA8691E9AE9CE50912A2EA50D3B
AC6F459A218532F183004798936BB1A239349C20
0CDC5544413E80F78212E418E7936308A285E8DC
67A99D1D57116CD10B7082814B8CF25EB1FB9007
C8138F1CDD65FB4A3C93A7F7514C0133781FB89B
CDB0F9C6FC4120EFB911F5BB4E801300992BD560
CA0151D9AEE5408F3080CA108FA4EEB2C6785628
4626615651A9CC8CE0FD078DF281CA275D6D28C4
3EA2987D67A16450313E5DCC80C15C956F758486
0FC8B3117692C21A1750473771BCFB5D60CE306A
🌐 documents-pdf.serveftp[.]com
document-ua.serveftp[.]com
pdf-download.serveftp[.]com
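The post above describes the bug class behind CVE-2025-8088: the extractor validated the primary entry name but not the alternate-data-stream (ADS) name appended after the colon, so a stream name containing `..\` sequences was resolved by Windows to a path outside the extraction folder. The following is an added example, not ESET’s or WinRAR’s code. It models the vulnerable pattern beside a hardened check using Python’s `ntpath` (Windows path rules, so it runs on any OS), with `ntpath.normpath` standing in for how Windows collapses `..` components when the file is created. `DEST`, the entry names and the stream names are constructed for the illustration and do not come from a real archive.

```python
"""Path-containment check for archive entries that carry an NTFS alternate data
stream (ADS). Added example modelling the CVE-2025-8088 bug class (primary name
validated, ADS name not) and its hardened counterpart. Not ESET's or WinRAR's
code. DEST and all sample entries are constructed, not taken from a real archive.
"""
import ntpath
from typing import Optional

DEST = r"C:\Users\victim\Downloads\report"        # assumed extraction folder


def _clean_name(name: str) -> str:
    """The check an extractor applies to the primary file name: normalise
    separators, drop any drive/root prefix, refuse '..' components."""
    rel = ntpath.splitdrive(name.replace("/", "\\"))[1].lstrip("\\")
    if any(part == ".." for part in rel.split("\\")):
        raise ValueError(f"traversal in file name: {name!r}")
    return rel


def unsafe_target(dest: str, name: str, stream: Optional[str] = None) -> str:
    """Vulnerable pattern: only the file name is checked; the stream name is
    appended verbatim after ':' and left for the OS to resolve at create time."""
    target = ntpath.join(dest, _clean_name(name))
    if stream is not None:
        target += ":" + stream                  # unchecked: may hold ..\..\ steps
    return ntpath.normpath(target)              # stand-in for Windows resolution


def safe_target(dest: str, name: str, stream: Optional[str] = None) -> str:
    """Hardened pattern: a genuine NTFS stream name never contains a path
    separator or ':', so refuse those outright; then require the fully resolved
    target (name plus stream) to stay inside dest as defence in depth."""
    target = ntpath.join(dest, _clean_name(name))
    if stream is not None:
        if any(c in stream for c in "\\/:") or stream in ("", ".", ".."):
            raise ValueError(f"illegal stream name: {stream!r}")
        target += ":" + stream
    root = ntpath.normpath(dest).lower()         # Windows paths are case-insensitive
    resolved = ntpath.normpath(target)
    if not resolved.lower().startswith(root + "\\"):
        raise ValueError(f"entry escapes destination: {resolved!r}")
    return resolved


def scan_entries(entries):
    """Classify (name, stream) pairs the way an archive scanner would: 'ok' when
    the hardened check accepts the entry, otherwise the rejection reason."""
    verdicts = {}
    for name, stream in entries:
        key = name if stream is None else f"{name}:{stream}"
        try:
            safe_target(DEST, name, stream)
            verdicts[key] = "ok"
        except ValueError as err:
            verdicts[key] = str(err)
    return verdicts


if __name__ == "__main__":
    # Constructed sample: a benign decoy plus a malicious ADS aimed at Startup.
    startup = r"..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"
    print("vulnerable extractor writes:", unsafe_target(DEST, "report.pdf", startup))
    for key, verdict in scan_entries([("report.pdf", None),
                                      ("report.pdf", "Zone.Identifier"),
                                      ("report.pdf", startup),
                                      (r"..\evil.exe", None)]).items():
        print(f"{verdict:<12} {key}")
```

The number of `..\` steps needed to reach a given folder depends on the extraction depth, which is why the real lures pad the stream name with many of them; the hardened check does not care, because it rejects separators in the stream name before any resolution and then verifies containment of the resolved path anyway.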
ESET uncovers Gamaredon–Turla collaboration in Ukraine cyberattacks

ESET found evidence that Russia-linked groups Gamaredon and Turla collaborated in cyberattacks on Ukraine between February and April 2025.

Security Affairs
Two of the Kremlin’s most active hack groups are collaborating, ESET says https://arstechni.ca/NMLz #advancedpersistentthreat #gamaredon #Security #Biz&IT #russia #turla #APT
Two of the Kremlin’s most active hack groups are collaborating, ESET says

Turla is getting a helping hand from Gamaredon. Both are units of Russia’s FSB.

Ars Technica