Gamaredon Hides a Fileless GammaWorm Inside NTFS Alternate Data Streams to Spy on Ukraine
Sekoia documented an FSB-linked Gamaredon campaign whose GammaWorm hides fileless VBScript modules inside NTFS Alternate Data Streams to spy on Ukrainian government, military, and critical-infrastructure targets while leaving almost no trace on disk.
GammaWorm is not new tradecraft — NTFS Alternate Data Streams have been a defender's footnote for two decades — and that is exactly why Gamaredon's revival of it is the story. The technique works again because most modern endpoint tooling has quietly stopped looking.
KYIV, UKRAINE — On June 1, 2026, the French threat-intelligence firm Sekoia published a technical analysis of GammaWorm, a fileless worm deployed by the FSB-linked Russian threat actor Gamaredon against targets in Ukraine. According to Sekoia's research, the worm hides its modules inside NTFS Alternate Data Streams — a long-standing Windows file-system feature that allows additional data to ride alongside a file without appearing in standard directory listings — and chains that hiding place with fileless VBScript execution to survive the routine 'scan files on disk' detection baseline that most defenders rely on.
Infosecurity Magazine reported the Sekoia disclosure on the same day. Ukraine's Security Service has formally tied Gamaredon to Russia's Federal Security Service (FSB); the group focuses almost entirely on Ukraine, targeting government, military, and critical infrastructure to steal documents and maintain long-term access.
What Happened
On June 1, 2026, Sekoia published the first installment of a three-part research series on Gamaredon, titled 'FSB's Matryoshka 1/3: Gamaredon's Gifts That Keep Unpacking — GammaPhish and GammaWorm.' Working from artifacts on compromised hosts and more than 70 samples shared by a partner, Sekoia's team reconstructed an infection chain first observed in January 2026 and still active at the time of writing. The campaign has shifted almost entirely to fileless VBScript — a clear step up in stealth from Gamaredon's earlier batch-and-EXE tooling. Infosecurity Magazine reported the disclosure the same day.
Sekoia tracks the initial-access stage as GammaPhish. The intrusion begins with a booby-trapped xHTML file that, once opened, smuggles a malicious RAR archive onto the target's machine. The archive exploits CVE-2025-8088, a path-traversal flaw in WinRAR that Google's threat analysts have separately tied to Sandworm, Turla, and other Russian operators. Abusing the bug plants a hidden HTA file in the Windows Startup folder, which runs at the next login and fetches the next-stage payload from a remote server. A decoy PDF keeps the victim unaware. The handoff stage that follows — the actual implant — is what Sekoia has named GammaWorm.
A Worm That Lives in Hidden Streams
GammaWorm is where the campaign's stealth becomes clear. Rather than drop its modules on disk, the worm hides them inside NTFS Alternate Data Streams (ADS) — a native Windows feature, dating to the original NTFS file system, that lets additional data ride alongside an existing file without appearing in standard directory listings, in Windows Explorer, or in the file size reported by `dir`. To enumerate ADS attachments at all, a defender has to ask for them explicitly with `dir /R` or PowerShell's `Get-Item -Stream *`. Most endpoint tooling does not. Once active, GammaWorm sets up persistence through scheduled tasks disguised as routine maintenance and conceals its work by changing registry settings that govern file visibility. It then propagates to USB sticks and network drives, hiding genuine folders and swapping them for malicious shortcuts that carry provocative Ukrainian-language filenames designed to lure users into opening them. The result is an implant whose every artifact — the modules, the persistence, the propagation lures — is engineered to avoid the places defenders actually look.
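As an added example, and not code from Sekoia's report or from the GammaWorm samples, the PowerShell hunt below enumerates streams the way the paragraph describes (`Get-Item -Stream *`) across user profiles, temp directories and removable media, and then checks the three persistence spots the paragraph names: HTA files in the Startup folders, scheduled tasks that launch a script host, and the Explorer file-visibility values under HKCU. The root paths, the benign-stream allow-list and the script-host list are assumptions to tune against your own fleet and baseline.

```powershell
# Added hunt script (assumption-based; not Sekoia's tooling or anything taken from the samples).
# Tune $Roots, $BenignStreams and $scriptHosts to your own environment.

function Get-AdsFindings {
    [CmdletBinding()]
    param(
        [string[]]$Roots = @("$env:SystemDrive\Users", $env:TEMP, "$env:SystemRoot\Temp"),
        # ':$DATA' is the primary stream every file has; Zone.Identifier is the
        # mark-of-the-web that browsers and mail clients attach to downloads.
        [string[]]$BenignStreams = @(':$DATA', 'Zone.Identifier')
    )
    # Add the root of every removable drive currently mounted (DriveType 2 = removable).
    $removable = Get-CimInstance Win32_LogicalDisk -Filter 'DriveType = 2' |
        ForEach-Object { "$($_.DeviceID)\" }
    $targets = @($Roots) + @($removable) |
        Where-Object { $_ -and (Test-Path -LiteralPath $_) } |
        Select-Object -Unique

    foreach ($root in $targets) {
        Get-ChildItem -LiteralPath $root -File -Recurse -Force -ErrorAction SilentlyContinue |
            ForEach-Object {
                $file = $_
                # -Stream * is what surfaces alternate streams; a plain dir or Explorer listing hides them.
                Get-Item -LiteralPath $file.FullName -Stream * -ErrorAction SilentlyContinue |
                    Where-Object { $BenignStreams -notcontains $_.Stream } |
                    ForEach-Object {
                        [pscustomobject]@{
                            File   = $file.FullName
                            Stream = $_.Stream
                            Bytes  = $_.Length
                            # First line of the stream, so script text is obvious at a glance.
                            Head   = Get-Content -LiteralPath $file.FullName -Stream $_.Stream -TotalCount 1 -ErrorAction SilentlyContinue
                        }
                    }
            }
    }
}

function Get-PersistenceFindings {
    # HTA files in the per-user and all-users Startup folders.
    foreach ($folder in 'Startup', 'CommonStartup') {
        $path = [Environment]::GetFolderPath($folder)
        if ($path) {
            Get-ChildItem -LiteralPath $path -Filter *.hta -Force -ErrorAction SilentlyContinue |
                ForEach-Object { [pscustomobject]@{ Kind = 'StartupHTA'; Item = $_.FullName; Detail = $_.LastWriteTime } }
        }
    }
    # Scheduled tasks whose action is a script host; review names that mimic maintenance jobs.
    $scriptHosts = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'cmd.exe'
    Get-ScheduledTask -ErrorAction SilentlyContinue | ForEach-Object {
        $task = $_
        foreach ($action in $task.Actions) {
            # Only exec actions carry Execute; COM-handler actions are skipped.
            $exe = if ($action.Execute) { (Split-Path -Leaf $action.Execute).ToLower() } else { '' }
            if ($scriptHosts -contains $exe) {
                [pscustomobject]@{ Kind = 'ScriptHostTask'; Item = "$($task.TaskPath)$($task.TaskName)"; Detail = "$($action.Execute) $($action.Arguments)" }
            }
        }
    }
    # Explorer visibility values; compare against your baseline, since a changed
    # value is the signal rather than any particular setting.
    $key = 'HKCU:\Software\Microsoft\Windows\CurrentVersion\Explorer\Advanced'
    foreach ($name in 'Hidden', 'ShowSuperHidden', 'HideFileExt') {
        $value = (Get-ItemProperty -Path $key -Name $name -ErrorAction SilentlyContinue).$name
        [pscustomobject]@{ Kind = 'ExplorerVisibility'; Item = "$key\$name"; Detail = $value }
    }
}

# Usage: run both, review the output, and pipe to Export-Csv when collecting fleet-wide.
Get-AdsFindings | Format-Table -AutoSize
Get-PersistenceFindings | Format-Table -AutoSize
```

Run it under the account whose profile you are sweeping, or as SYSTEM from your EDR's script runner so that every profile under `\Users` is readable; the stream head is read with `-TotalCount 1` so large streams do not slow the sweep.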
Why a 20-Year-Old Trick Works in 2026
NTFS Alternate Data Streams have been documented since the late 1990s, and a generation of incident-response handbooks treats ADS enumeration as basic forensics hygiene. The reason GammaWorm can still hide there in 2026 is that defender tooling has drifted. Most modern EDR products inventory 'what is on disk' by enumerating files in the standard way Windows Explorer does, which by design does not surface alternate streams. A campaign that lives inside ADS therefore survives the very scans that defenders trust to find malware on a host. Sekoia's research is a reminder that older tradecraft re-emerges when the defensive baseline forgets about it — a pattern The CyberSignal has watched repeatedly through 2026, including in the Verizon DBIR 2026 finding that vulnerability exploitation just overtook credential theft as the number-one initial-access method. GammaWorm is the same lesson in a different layer: when defenders stop hunting for a technique, the technique becomes operationally viable again.
Dead Drop C2: Why Cleanup Is Not Enough
For command-and-control, GammaWorm pulls live server addresses from legitimate public services — including Telegram and Cloudflare — used as dead drops, then saves the resolved details to the local registry. The worm loops indefinitely as a backdoor, ready to execute whatever code its operators send. Sekoia's explicit guidance is that the safest response to a confirmed infection is a full wipe, not selective cleanup. The reason is structural: 'The malware's reliance on Dead Drop Resolvers (DDR) allows it to constantly download fresh payloads, meaning that cleaning attempts often result in fallback mechanisms restoring the malware.' In practical terms, a defender who deletes the visible artifacts but misses a single registered C2 channel will watch the implant rebuild itself the next time the host reaches Telegram or Cloudflare. The DDR pattern also means that traditional network-level indicators — block lists of malicious IPs — are less useful here than usual, because the operator's reachable address is whatever Telegram or Cloudflare is currently serving.
Scope and Impact
Several specifics are not asserted in the public reporting that informs this article and should not be assumed. Sekoia documented the infection chain through artifacts on compromised hosts and more than 70 samples shared by a partner, but the number of distinct Ukrainian organizations compromised, the dwell time on victim networks, and the volume of documents exfiltrated are not publicly stated. Whether the January 2026 reconstructed chain represents the first deployment of GammaWorm or a snapshot of an older operation is also not detailed. The downstream targets of Gamaredon's collection — the specific Ukrainian agencies, military units, or critical-infrastructure operators hit — are not enumerated in the public account, and the threat actor's broader 2026 tasking calendar is not described. Readers who require those specifics for an operational decision should consult Sekoia's primary research and the Infosecurity Magazine reporting directly.
GammaWorm does not arrive in isolation. It lands in a week that has produced disclosed Russia-aligned activity from multiple angles — including GreyVibe, the Russia-aligned operation that weaponized ChatGPT and Gemini against Ukrainian targets, and the Russian intelligence operation using fake Western technology companies as front cover for cyber-spying. It also lands in the same calendar window as ESET's October 2025 to March 2026 APT report, which catalogued Sandworm's DynoWiper alongside Lazarus and AxiosOps activity, and the Kazuar / Secret Blizzard botnet that abused Signal Desktop on Russian operations. Read together, the picture is straightforward: Russian state-aligned cyber-espionage is running on a continuous, multi-toolkit tempo against Ukraine and Ukraine-aligned organizations, and GammaWorm is the latest disclosed piece of that workload — alongside parallel China-aligned activity such as Operation Dragon Weave's AdaptixC2 campaign against the Czech Republic and Taiwan disclosed the same day.
For CISOs at Ukrainian organizations and at Ukraine-aligned or cross-border supply-chain targets, the practical scope of GammaWorm is twofold. First, the immediate threat model: a known FSB-linked operator has fielded a fileless worm whose defining feature is engineered avoidance of the on-disk inventory most EDR products perform by default — which is reason enough to brief executive and board stakeholders that 'our EDR did not flag anything' is no longer sufficient assurance against this class of activity. Second, the technical implication: any Windows fleet that supports Ukrainian operations, hosts Ukraine-related data, or sits in a supply chain that touches Ukrainian government or military customers should add NTFS Alternate Data Stream enumeration to its standing hunt program, regardless of whether Gamaredon is in the direct threat model. The ADS-living pattern generalizes beyond Gamaredon, and a hunt built today against this brief will pay back the next time an actor — Russia-aligned or otherwise — reaches for the same shelf.
Response and Attribution
For SOC and threat-hunting teams, the immediate action is an NTFS Alternate Data Stream sweep. Pre-script an ADS-enumeration hunt across the Windows fleet — `dir /R` at the command line, `Get-Item -Stream *` in PowerShell, or the equivalent capability in your EDR if it supports it — and treat any unexpected stream attached to a file under user profiles, temp directories, or removable media as a finding to be triaged, not noise. Add detection logic for process execution from alternate data streams: `cmd.exe`, `powershell.exe`, `wscript.exe`, or `rundll32.exe` invoked against a stream rather than a plain file path is the canonical signal that something is living off the alternate-data-stream feature. Patch WinRAR to version 7.13 or later to close CVE-2025-8088, the GammaPhish initial-access vector. Hunt the Windows Startup folder for unfamiliar HTA files, scheduled tasks for entries disguised as routine maintenance, and registry settings that govern file visibility for unauthorized changes. Coordinate any confirmed Ukrainian-targeted Gamaredon activity with CERT-UA.
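The detection logic the paragraph calls for, as an added example rather than a rule from Sekoia or any vendor: the script below scans process-creation records for a script host or LOLBin whose command line points at a stream, either through the `file.ext:stream` path syntax or through a PowerShell `-Stream` parameter. The record shape and the six sample events are constructed for this example; the host-process list and the regular expressions are assumptions to tune against your own telemetry.

```powershell
# Added detection example (not a production rule from Sekoia or any vendor).
# Constructed sample events in a simple Image|CommandLine export shape; a real
# feed would be Sysmon Event ID 1 or Security Event ID 4688 command lines.
$SampleEvents = @'
Image=C:\Windows\System32\wscript.exe|CommandLine=wscript.exe "C:\Users\alice\AppData\Local\Temp\notes.txt:update.vbs"
Image=C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe|CommandLine=powershell.exe -NoProfile -Command "Get-Content C:\Users\alice\Documents\report.docx -Stream update"
Image=C:\Windows\System32\cmd.exe|CommandLine=cmd.exe /c dir /R C:\Users\alice\Documents
Image=C:\Program Files\Git\usr\bin\curl.exe|CommandLine=curl.exe https://example.com:443/index.html
Image=C:\Windows\System32\rundll32.exe|CommandLine=rundll32.exe "C:\Users\bob\Pictures\holiday.jpg:loader.dll",EntryPoint
Image=C:\Windows\explorer.exe|CommandLine=explorer.exe C:\Users\bob\Documents\budget.xlsx:Zone.Identifier
'@ -split "`r?`n"

function Find-AdsExecution {
    param([string[]]$Records)
    # Processes that can execute or read script text from a stream (assumed list; extend as needed).
    $hostImages = 'wscript.exe', 'cscript.exe', 'mshta.exe', 'powershell.exe', 'pwsh.exe', 'cmd.exe', 'rundll32.exe', 'regsvr32.exe'
    # <path>.<ext>:<stream> where the stream name contains a letter. Requiring an
    # extension before the colon skips drive letters (C:\); requiring a letter in
    # the stream name skips host:port pairs such as example.com:443.
    $adsPath  = '[^\s"'':]+\.[A-Za-z0-9]{1,5}:[^\s"'':\\/]*[A-Za-z][^\s"'':\\/]*'
    # PowerShell reading a stream through the cmdlet parameter instead of the colon syntax.
    $psStream = '\b(Get|Set|Add)-Content\b[^|;]*\s-Stream\s+\S+'

    foreach ($record in $Records) {
        if ($record -notmatch '^Image=(?<img>[^|]+)\|CommandLine=(?<cmd>.*)$') { continue }
        $image = (Split-Path -Leaf $Matches.img).ToLower()
        $cmd   = $Matches.cmd
        # Only the script hosts and LOLBins matter; explorer.exe touching Zone.Identifier is routine.
        if ($hostImages -notcontains $image) { continue }
        $reason = $null
        if ($cmd -match $adsPath) { $reason = "stream path in command line: $($Matches[0])" }
        elseif ($cmd -match $psStream) { $reason = "cmdlet -Stream read: $($Matches[0])" }
        if ($reason) {
            [pscustomobject]@{ Image = $image; Reason = $reason; CommandLine = $cmd }
        }
    }
}

# Against the constructed sample, the wscript, powershell and rundll32 records are flagged;
# the cmd, curl and explorer records are not.
Find-AdsExecution -Records $SampleEvents | Format-List
```

The path regex is deliberately a heuristic: it will miss a stream name made only of digits and can be fooled by unusual URL forms, so treat a hit as a triage lead, confirm with `Get-Item -Stream *` on the referenced file, and keep the host-process list in step with whatever your environment actually permits to launch scripts.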
For incident response, follow Sekoia's explicit guidance: a confirmed GammaWorm infection should be remediated by full host wipe, not selective cleanup. The worm's Dead Drop Resolver C2 channels — addresses pulled live from legitimate public services like Telegram and Cloudflare and stored in the registry — mean that a partial cleanup will be silently undone the next time the host reaches one of those services. Reimage from a known-clean baseline, rotate any credentials the host had access to, and audit lateral movement from the infected host to other systems on the network and to USB or network-drive assets the host could write to. Treat propagation as assumed until disproven, given GammaWorm's documented USB and network-share spreading behaviour.
For CISOs, the broader lesson of GammaWorm is one of forensics fundamentals. NTFS Alternate Data Streams are a 20-year-old technique that re-emerged as operationally viable because defender tooling drifted away from inspecting them. The same pattern is likely to repeat in 2026 with other techniques that have left the active-hunt repertoire — Windows Management Instrumentation persistence, BITS-job abuse, and registry-resident payloads among them. The defensive response is not new tools but a refreshed standing audit of what the existing tools actually look at, and a willingness to add older techniques back to the hunt program when threat-intel disclosures like Sekoia's surface them. Pair this brief with The CyberSignal's recent coverage of GreyVibe's Russia-aligned use of ChatGPT and Gemini against Ukrainian targets and the Russian intelligence operation using fake Western companies for cyber-spying for the multi-vector Russia-aligned cluster currently in motion against Ukraine.
The CyberSignal Analysis
Signal 01 — Old Tradecraft Works Again When Defenders Stop Looking
Most coverage of GammaWorm will lead with 'fileless' or 'Russia-linked,' and both labels are accurate. The detail that deserves the spotlight is that NTFS Alternate Data Streams are not a novel attacker invention — they have been documented since the late 1990s and were a standard incident-response check for the better part of two decades. The reason Gamaredon's revival of the technique is operationally effective in 2026 is that most modern EDR products inventory files the way Windows Explorer does, which by design ignores alternate streams. A campaign that lives in ADS therefore survives the very scan that defenders trust. The takeaway for security leaders is uncomfortable but clear: 'we have EDR' is not the same as 'we are looking at the places attackers actually hide.' Older techniques re-emerge in production every time the active-hunt repertoire forgets about them, and the only durable defense is a standing audit of what the existing tools cover and a willingness to add older checks back when threat-intel disclosure surfaces them.
Signal 02 — Dead Drop C2 Makes Block Lists a Weaker Defense
GammaWorm's command-and-control channel does not phone home to a fixed adversary-owned domain or IP. Instead, the worm pulls live server addresses from legitimate public services — Telegram and Cloudflare — used as Dead Drop Resolvers, then saves whatever address it resolves to into the local registry. That design has two consequences defenders cannot ignore. The first is that traditional network-block-list defenses lose much of their value: the reachable address is whatever Telegram or Cloudflare happens to be serving, and blocking those services wholesale is operationally untenable in most organizations. The second is that partial cleanup of an infected host is worse than useless. Sekoia's guidance is explicit — a confirmed infection should be remediated by full wipe, because the DDR channel will rebuild the implant from any surviving registry entry. Both points generalize beyond Gamaredon to every actor using legitimate public-cloud or messaging infrastructure for C2, a category that has expanded sharply through 2026.
Signal 03 — Ukraine Is the Continuous Workload, Not an Incident
GammaWorm is one operation in a quarter that has produced disclosed Russia-aligned activity against Ukraine on overlapping calendars. GreyVibe's weaponization of public-AI chatbots against Ukrainian targets, the Russian intelligence operation using fake Western technology companies as cover for cyber-spying, ESET's October 2025 to March 2026 APT report cataloguing Sandworm's DynoWiper, and now Gamaredon's GammaWorm — these are not isolated incidents but the continuous tempo Ukrainian defenders and their allied supply chains are actually living. The implication is organizational, not technical. A continuous workload requires a continuous response cadence: standing CERT-UA coordination, persistent hunting against the techniques Russia-aligned operators are currently fielding, refreshed executive risk framings that name FSB and GRU tasking as ongoing rather than episodic, and a willingness to treat the next named campaign as already in motion. GammaWorm is the brief at hand; the workload it belongs to will not slow down.