Gamaredon’s infection chain: Spoofed emails, GammaDrop and GammaLoad

Khushal

Thread author
Apr 4, 2024
Summary

Investigating Gamaredon’s abuse of CVE-2025-8088, we identified a dozen waves of spearphishing emails against Ukrainian state institutions in a campaign that is still active, dating back to September 2025. These emails – spoofed or sent from compromised government accounts – deliver persistent, multi-stage VBScript downloaders that profile the infected system.

In the absence of public analysis of this malware, this report documents Gamaredon’s GammaDrop and GammaLoad downloader variants, the infrastructure behind them, and the methods used to deliver the spearphishing emails.

Both variants function as downloaders, while GammaLoad additionally establishes persistence and beacons victim data to the C2 server, enabling the operator to selectively deliver a tailored payload. The supporting infrastructure combines Cloudflare Workers domains, fast flux DNS, dynamic DNS providers, and attacker-controlled email relays – all constantly evolving.

Thanks for sharing this report. It is a useful look at how Gamaredon continues to rely on simple but persistent tradecraft rather than anything especially sophisticated.

What stands out

  • The use of spearphishing from spoofed or compromised government accounts is arguably the most important part of the campaign, because it increases trust and improves delivery success.
  • VBScript downloaders are not new, but they remain effective when email filtering, script controls, and user restrictions are weak.
  • The separation between GammaDrop and GammaLoad suggests a practical multi-stage design: initial delivery first, then profiling, persistence, and selective follow-on payload delivery.
  • The infrastructure model described in the report, especially Cloudflare Workers, fast-flux behavior, and dynamic DNS, fits the pattern of an actor trying to stay flexible and recover quickly after takedowns or blocklisting.

Why this matters

For defenders, the most important lesson is that low-complexity malware can still be highly effective when paired with good social engineering and resilient infrastructure.

This kind of activity is usually harder to stop through signature-based detection alone. The stronger defensive value often comes from layered controls such as:

  • Blocking or restricting VBScript and Windows Script Host where not needed
  • Tight email authentication and monitoring for compromised internal accounts
  • Network controls for suspicious outbound script-driven connections
  • Behavior-based detection for persistence creation and staged downloader activity
  • User awareness around attachments and links even when the sender appears legitimate

A cautious note

I cannot verify every technical claim in the article independently, so it is best treated as a threat research report rather than a final authority by itself. Still, the techniques described are plausible and consistent with known phishing and downloader operations.

Bottom line

If the reporting is accurate, the campaign reinforces a familiar point: threat actors do not need advanced implants to be dangerous when they have trusted delivery channels, adaptable infrastructure, and enough persistence. For organizations in higher-risk sectors, especially government, scripting abuse and account compromise remain key areas to harden first.
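As an added illustration of the "behavior-based detection for persistence creation and staged downloader activity" point in the reply above (example code written for this thread, not from the report or from Gamaredon tooling): a small scanner over process-creation and registry events that flags Windows Script Host launched by an email or Office client, a .vbs run from a user-writable directory, and a script host written into a Run key. The log lines, the pipe-delimited field layout, the parent-process list and the file paths are all constructed assumptions for the example; in a real deployment the fields would come from Sysmon or EDR telemetry.

```python
"""Behaviour-based checks for script-host downloader activity (added example).

Event lines are constructed for this example. Field names loosely follow
Sysmon event 1 (ProcessCreate) and event 13 (RegistryValueSet) naming, but
the pipe-delimited layout is an assumption, not any product's real format.
"""
import re
from dataclasses import dataclass

# Assumed sets: script hosts worth watching, and parents that should rarely spawn them.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
MAIL_OR_OFFICE_PARENTS = {"outlook.exe", "thunderbird.exe", "winword.exe", "excel.exe"}
USER_WRITABLE_HINTS = ("\\temp\\", "\\downloads\\", "\\appdata\\")
RUN_KEY_RE = re.compile(r"\\CurrentVersion\\Run(?:Once)?\\", re.IGNORECASE)

# Constructed sample telemetry: two script-host launches, one benign process,
# one script-host persistence entry, one benign Run-key entry.
SAMPLE_EVENTS = [
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\wscript.exe"
    "|ParentImage=C:\\Program Files\\Microsoft Office\\root\\Office16\\OUTLOOK.EXE"
    "|CommandLine=wscript.exe C:\\Users\\u\\AppData\\Local\\Temp\\invoice.vbs",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\cscript.exe"
    "|ParentImage=C:\\Windows\\explorer.exe"
    "|CommandLine=cscript.exe C:\\Users\\u\\Downloads\\report.vbs",
    "Event=ProcessCreate|Image=C:\\Windows\\System32\\notepad.exe"
    "|ParentImage=C:\\Windows\\explorer.exe|CommandLine=notepad.exe",
    "Event=RegistryValueSet"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\Updater"
    "|Details=wscript.exe //B C:\\Users\\u\\AppData\\Roaming\\upd.vbs",
    "Event=RegistryValueSet"
    "|TargetObject=HKU\\S-1-5-21-1\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\OneDrive"
    "|Details=C:\\Users\\u\\AppData\\Local\\Microsoft\\OneDrive\\OneDrive.exe",
]


@dataclass
class Finding:
    rule: str
    line: str


def _field(line: str, key: str) -> str:
    """Return the value of key=... in a pipe-delimited event line ('' if absent)."""
    m = re.search(rf"(?:^|\|){key}=([^|]*)", line)
    return m.group(1).strip() if m else ""


def _basename(path: str) -> str:
    """Lower-cased file name of a Windows path, so OUTLOOK.EXE == outlook.exe."""
    return path.replace("/", "\\").rsplit("\\", 1)[-1].lower()


def analyze(lines):
    """Apply the three behavioural rules and return the matching findings in order."""
    findings = []
    for line in lines:
        event = _field(line, "Event")
        if event == "ProcessCreate":
            image = _basename(_field(line, "Image"))
            parent = _basename(_field(line, "ParentImage"))
            cmd = _field(line, "CommandLine").lower()
            if image not in SCRIPT_HOSTS:
                continue
            # Rule 1: script host spawned directly by a mail or Office client.
            if parent in MAIL_OR_OFFICE_PARENTS:
                findings.append(Finding("script_host_from_mail_or_office", line))
            # Rule 2: script host running a .vbs out of a user-writable location.
            elif re.search(r"\.vbs\b", cmd) and any(h in cmd for h in USER_WRITABLE_HINTS):
                findings.append(Finding("script_host_vbs_from_user_writable_dir", line))
        elif event == "RegistryValueSet":
            target = _field(line, "TargetObject")
            details = _field(line, "Details").lower()
            # Rule 3: Run/RunOnce value that invokes a script host or a .vbs file.
            if RUN_KEY_RE.search(target) and (
                any(h in details for h in SCRIPT_HOSTS) or ".vbs" in details
            ):
                findings.append(Finding("run_key_script_host_persistence", line))
    return findings


if __name__ == "__main__":
    for f in analyze(SAMPLE_EVENTS):
        print(f"{f.rule}: {f.line[:90]}")
```

The rules are deliberately narrow so they stay cheap and low-noise; the second one in particular will fire on legitimate admin scripts in some environments, which is why the reply's advice to restrict Windows Script Host where it is not needed is the stronger control, with detection as the backstop for hosts where it must stay enabled.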
