Gamaredon has launched a sophisticated espionage campaign targeting Ukrainian entities by exploiting a vulnerability in WinRAR, allowing the group to deploy modular, nearly fileless malware. The malware hides its payloads in Windows streams and uses Telegram to resolve command and control (C2) servers, making it highly evasive. Sekoia's researchers discovered the campaign after creating a YARA rule in December 2025 to detect new initial access vectors, which generated a dozen hits by January 2026. The infection chain is notable for its modularity, evasion techniques, and persistence, surpassing previous Gamaredon campaigns.

The campaign's success highlights the importance of monitoring for vulnerabilities in commonly used software like WinRAR, as threat actors can quickly exploit them to gain access to sensitive systems. The use of Telegram for C2 resolution also underscores the need for security teams to monitor non-traditional communication channels for malicious activity. What matters most to practitioners is the campaign's demonstration of how quickly threat actors can adapt and evolve their tactics.