
Gamaredon's GammaWorm Hides in Windows Itself. Your File Scanner Will Miss It.

  • Writer: Patrick Duggan
  • 4 min read

Russia's FSB-linked Gamaredon group has been running a campaign against Ukraine since at least January 2026 that most endpoint detection tools are structurally blind to. The mechanism is NTFS Alternate Data Streams, and understanding why it works is more useful than a list of indicators.


Here is the technique, explained without jargon.


Every file on a Windows NTFS filesystem has a primary data stream — the content you see when you open the file. What most people do not know is that NTFS also supports additional, hidden data streams attached to the same file. You can store arbitrary data in these alternate streams and it is invisible in Windows Explorer, invisible to most antivirus file scanners, and invisible in directory listings. The streams exist. The file size shown to the user does not include them. Only specific tools that explicitly ask for ADS content will show them.


Gamaredon's GammaWorm stores its core modules in five alternate data streams on the user's own profile directory:

  • GTR holds a clone of the worm itself.
  • save holds a killswitch.
  • URL holds the Dead Drop Resolver module that fetches live C2 addresses.
  • LNK holds the propagation module that spreads the worm by replacing legitimate directories with malicious shortcut files.
  • SERVER holds a configuration clone.


The worm's actual executable is a file called tilde-dot-gif — a name chosen to look like a temporary file. It is twenty thousand lines of obfuscated VBScript. When security tools scan the filesystem looking for malware, they look at files. This malware is not in files in any way that most scanners understand. It is in the metadata layer of a directory.




The full infection chain starts with a WinRAR archive.


CVE-2025-8088 is a path traversal vulnerability in WinRAR versions before 7.13. When a victim opens a malicious RAR file, the path traversal allows the attacker to write files outside the intended extraction directory. Gamaredon uses this to drop a GammaPhish HTML Application payload — a file with an HTA extension disguised with a Ukrainian document filename. The lures include names that translate to subpoena forms, accounting records, classified documents, and photographs of prisoners of war.


GammaPhish runs through mshta.exe and downloads GammaLoad, a VBScript downloader. GammaLoad then retrieves either GammaWorm or GammaSteel depending on the target.


GammaSteel is the information stealer. It identifies files by extension, captures them, and exfiltrates them to an AWS S3 bucket or an attacker-controlled fallback server. GammaWorm is the persistence and propagation engine. It creates scheduled tasks at seven- and ten-minute intervals to maintain execution, hides in NTFS ADS as described above, and replaces legitimate directories with LNK shortcut files that execute the worm when opened by anyone who navigates the filesystem.
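The scheduled-task side of that persistence can be reviewed from exported task definitions. The following is an added example, not code from the original post or from Sekoia's research: it parses Task Scheduler XML (as produced by `schtasks /query /tn <name> /xml`) and flags tasks whose repetition interval is a few minutes and whose action is a script host. The two task documents are constructed samples, the task name `\Updater` is hypothetical, and the 15-minute threshold is simply chosen to cover the seven- and ten-minute intervals the post describes.

```python
"""Review exported Task Scheduler XML for short-interval tasks that launch a
script host: the persistence pattern the post describes (scheduled tasks at
seven- and ten-minute intervals keeping the VBScript worm running).

Added example, not code from the original post.  Task definitions can be
exported with `schtasks /query /tn <name> /xml`; the documents below are
constructed samples and the task name \\Updater is hypothetical.
"""
import re
import xml.etree.ElementTree as ET
from pathlib import PureWindowsPath
from typing import Optional

NS = {"t": "http://schemas.microsoft.com/windows/2004/02/mit/task"}
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe", "mshta.exe"}
SHORT_INTERVAL_MINUTES = 15  # chosen to cover the 7- and 10-minute intervals in the post

# ISO 8601 durations as Task Scheduler writes them: PT10M, PT1H30M, P1DT2H ...
_DURATION_RE = re.compile(
    r"^P(?:(?P<d>\d+)D)?(?:T(?:(?P<h>\d+)H)?(?:(?P<m>\d+)M)?(?:(?P<s>\d+)S)?)?$"
)


def duration_to_minutes(value: str) -> Optional[float]:
    """Convert a Task Scheduler duration string to minutes; None if unparseable."""
    m = _DURATION_RE.match(value.strip())
    if not m or not any(m.groupdict().values()):
        return None
    d, h, mi, s = (int(m.group(g) or 0) for g in ("d", "h", "m", "s"))
    return d * 1440 + h * 60 + mi + s / 60


def analyze_task_xml(xml_text: str) -> dict:
    """Extract repetition intervals and Exec actions from one task definition."""
    # schtasks exports UTF-16 with a matching declaration; once the file has been
    # decoded to str, expat rejects that declaration, so drop it before parsing.
    xml_text = re.sub(r"^\s*<\?xml[^>]*\?>", "", xml_text)
    root = ET.fromstring(xml_text)
    name = root.findtext("t:RegistrationInfo/t:URI", default="(unnamed)", namespaces=NS)
    intervals = [duration_to_minutes(el.text or "")
                 for el in root.iterfind(".//t:Repetition/t:Interval", NS)]
    intervals = [i for i in intervals if i is not None]
    actions = []
    for ex in root.iterfind("t:Actions/t:Exec", NS):
        cmd = ex.findtext("t:Command", default="", namespaces=NS).strip().strip('"')
        args = ex.findtext("t:Arguments", default="", namespaces=NS).strip()
        actions.append((cmd, args))
    script_host = any(PureWindowsPath(c).name.lower() in SCRIPT_HOSTS for c, _ in actions)
    shortest = min(intervals) if intervals else None
    return {
        "task": name,
        "shortest_interval_minutes": shortest,
        "actions": actions,
        "script_host": script_host,
        # the pairing worth a closer look: a script host re-run every few minutes
        "suspicious": script_host and shortest is not None and shortest <= SHORT_INTERVAL_MINUTES,
    }


def find_suspicious_tasks(xml_docs):
    """Return the analysis records for every task document that is flagged."""
    return [r for r in (analyze_task_xml(x) for x in xml_docs) if r["suspicious"]]


SAMPLE_TASKS = [
    # constructed: script host re-launched every ten minutes, argument is an ADS path
    """<?xml version="1.0" encoding="UTF-16"?>
<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Updater</URI></RegistrationInfo>
  <Triggers>
    <TimeTrigger>
      <Repetition><Interval>PT10M</Interval><StopAtDurationEnd>false</StopAtDurationEnd></Repetition>
      <StartBoundary>2026-01-15T09:00:00</StartBoundary>
      <Enabled>true</Enabled>
    </TimeTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>wscript.exe</Command><Arguments>//B "C:\\Users\\victim:GTR"</Arguments></Exec>
  </Actions>
</Task>""",
    # constructed: ordinary nightly job, no repetition, not a script host
    """<Task version="1.2" xmlns="http://schemas.microsoft.com/windows/2004/02/mit/task">
  <RegistrationInfo><URI>\\Vendor\\NightlyBackup</URI></RegistrationInfo>
  <Triggers>
    <CalendarTrigger>
      <StartBoundary>2026-01-10T03:00:00</StartBoundary>
      <ScheduleByDay><DaysInterval>1</DaysInterval></ScheduleByDay>
    </CalendarTrigger>
  </Triggers>
  <Actions Context="Author">
    <Exec><Command>"C:\\Program Files\\Vendor\\backup.exe"</Command><Arguments>/full</Arguments></Exec>
  </Actions>
</Task>""",
]

if __name__ == "__main__":
    for hit in find_suspicious_tasks(SAMPLE_TASKS):
        print(hit["task"], hit["shortest_interval_minutes"], hit["actions"])
```

Run it over a directory of exported task files and the interval threshold alone will surface the legitimate short-repeat tasks as well; pairing it with the script-host check is what narrows the list to the pattern described here.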




The C2 architecture is specifically designed to be resilient to infrastructure takedowns.


Rather than hardcoding a C2 server address, GammaWorm uses Dead Drop Resolvers — publicly accessible pages on platforms that are difficult to block. The attacker posts the current C2 address to Telegram channels, Telegra.ph pages, Teletype.in posts, and Cloudflare Workers endpoints. GammaWorm reads these pages, extracts the C2 address, and stores it in Windows registry keys under the Console path — keys that look like legitimate Windows configuration entries.


When the attacker needs to change their C2 infrastructure, they update the Telegram post. Every infected machine checks in, reads the new address, updates its registry, and continues operating. There is no hardcoded address to block. The C2 infrastructure rotates freely. The registry keys look like normal Windows Console settings.
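Because the resolved address ends up as a registry value, an export of the Console key is a cheap place to look. The script below is an added example, not code from the original post or from Sekoia's research: it parses `reg export HKCU\Console` output (.reg format) and reports string values under `HKEY_CURRENT_USER\Console` and its per-application subkeys that look like an IP address, a URL, or a host name. The post does not name the value names GammaWorm uses, so the .reg text is constructed: the value name `Settings` and the address `203.0.113.7` (a TEST-NET range) are placeholders, not indicators.

```python
"""Triage a `reg export HKCU\\Console` dump for string values that carry a
network address, the place the post says GammaWorm parks the C2 address it
resolved through a dead drop.

Added example, not code from the original post or from Sekoia's research.
The .reg text below is constructed; the value name "Settings" and the
address 203.0.113.7 are placeholders, not indicators.
"""
import re

_KEY_RE = re.compile(r"^\[(?P<key>[^\]]+)\]$")
_VALUE_RE = re.compile(r'^(?P<name>"(?:[^"\\]|\\.)*"|@)=(?P<data>.*)$')
# An IPv4 address, a URL scheme, or a dotted host name ending in a letter-only TLD
_NETWORK_RE = re.compile(
    r"(?:\b\d{1,3}(?:\.\d{1,3}){3}\b|\b[a-z][a-z0-9+.-]*://|\b(?:[a-z0-9-]+\.)+[a-z]{2,}\b)",
    re.IGNORECASE,
)


def _unescape(s: str) -> str:
    """Undo the two escapes .reg files use inside quoted strings."""
    return s.replace('\\"', '"').replace("\\\\", "\\")


def parse_reg_export(text: str):
    """Yield (key_path, value_name, kind, data) from .reg file text.

    Only REG_SZ and REG_DWORD are decoded; hex:, hex(2): and hex(7): values
    (and their backslash-continued lines) are passed through raw.
    """
    key = None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith(";") or line.startswith("Windows Registry Editor"):
            continue
        km = _KEY_RE.match(line)
        if km:
            key = km.group("key")
            continue
        vm = _VALUE_RE.match(line)
        if not vm or key is None:
            continue
        name = "(Default)" if vm.group("name") == "@" else _unescape(vm.group("name")[1:-1])
        data = vm.group("data")
        if data.startswith('"') and data.endswith('"'):
            yield key, name, "REG_SZ", _unescape(data[1:-1])
        elif data.startswith("dword:"):
            yield key, name, "REG_DWORD", int(data[6:], 16)
        else:
            yield key, name, "other", data


def find_network_strings_under_console(text: str):
    """Return REG_SZ values under HKCU\\Console (any depth) that look like addresses."""
    hits = []
    for key, name, kind, data in parse_reg_export(text):
        if kind != "REG_SZ" or not key.upper().startswith("HKEY_CURRENT_USER\\CONSOLE"):
            continue
        m = _NETWORK_RE.search(data)
        if m:
            hits.append({"key": key, "name": name, "data": data, "matched": m.group(0)})
    return hits


# Constructed export: genuine-looking console settings plus one planted address.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_CURRENT_USER\Console]
"FaceName"="Consolas"
"FontSize"=dword:00100000
"ScreenBufferSize"=dword:0bb80078
"ColorTable00"=dword:000c0c0c

[HKEY_CURRENT_USER\Console\%SystemRoot%_system32_cmd.exe]
"WindowSize"=dword:00190078
"Settings"="http://203.0.113.7/api/v1"
'''

if __name__ == "__main__":
    for hit in find_network_strings_under_console(SAMPLE_REG):
        print(f'{hit["key"]} -> {hit["name"]} = {hit["data"]!r}')
```

Legitimate Console values are almost all DWORDs (colours, sizes, flags) with a handful of font-name strings, which is why a string value that parses as a host, IP or URL stands out; anything the heuristic reports still needs a human to confirm it is not, say, a console title a user set themselves.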




The confirmed indicators we have indexed as of this morning include the two malware MD5 hashes from Sekoia's research, the C2 IP at 104.194.140.6, the C2 and DDR domain quitethepastry.ru, a Cloudflare tunnel DDR, a Telegra.ph DDR, a Teletype.in DDR, the Telegram channel at t.me/s/teotori, and a Supabase-hosted GammaPhish lure. All are in our STIX feed.


The detection gap to close: searching for wscript.exe executions where the script path argument contains a colon character beyond the drive letter. ADS are accessed with the syntax filename:streamname, and a wscript.exe call with a colon in the path is GammaWorm or nothing. That is the behavioral detection that catches what file scanning misses.
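Putting that rule into code needs one more step than "contains a colon", because every absolute Windows path carries one after the drive letter and Windows Script Host's own switches (`//E:vbscript`) carry another. The block below is an added example, not code from the original post or from Sekoia's research. It covers the filename:streamname syntax explained earlier and the wscript.exe hunt described here: it tokenises a process-creation command line, recognises an ADS reference (drive or UNC prefix, file part, stream name, optional `:$DATA` type suffix) while ignoring drive-letter colons, host switches and URLs, and runs over constructed events shaped like Sysmon Event ID 1 / Security 4688 fields. cscript.exe is included alongside wscript.exe as the console-mode host; that is an addition beyond the post.

```python
"""Hunt process-creation telemetry for Windows Script Host launches whose
script argument uses NTFS Alternate Data Stream syntax (file:stream), the
behavioural check the post recommends.

Added example, not code from the original post or from Sekoia's research.
The events below are constructed in the shape of Sysmon Event ID 1 /
Security 4688 fields (Image, CommandLine); they are not captured telemetry.
"""
import re
from pathlib import PureWindowsPath
from typing import Optional, Tuple

# The post names wscript.exe; cscript.exe is its console-mode twin and will run
# a VBScript from a stream just the same, so it is included here.
SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}

# An ADS reference: optional drive letter or UNC prefix, a file part with no
# colon, ':' plus a stream name that contains no path separator, and an
# optional ':$DATA' type suffix.  Keeping separators out of the stream name
# rejects URLs (http://...), and consuming the drive prefix first means the
# C: colon on every absolute path does not count.
_ADS_RE = re.compile(
    r"^(?P<prefix>[A-Za-z]:|\\\\[^\\]+\\[^\\]+)?"
    r"(?P<file>[^:]*):(?P<stream>[^:\\/]+)(?::\$DATA)?$",
    re.IGNORECASE,
)


def split_command_line(cmd: str) -> list:
    """Split on whitespace while keeping double-quoted spans as one token."""
    return [tok.strip('"') for tok in re.findall(r'"[^"]*"|\S+', cmd)]


def parse_ads_path(token: str) -> Optional[Tuple[str, str]]:
    """Return (file_path, stream_name) if token is an ADS reference, else None."""
    if token.startswith("/"):       # host switch such as //B, //nologo or //E:vbscript
        return None
    m = _ADS_RE.match(token)
    if not m or not m.group("file"):
        return None
    prefix, file_part, stream = m.group("prefix"), m.group("file"), m.group("stream")
    # 'C:GTR' with no separator is a drive-relative file named GTR, not a stream
    if prefix is None and re.fullmatch(r"[A-Za-z]", file_part):
        return None
    return (prefix or "") + file_part, stream


def find_ads_script_launches(events):
    """One finding per event where a script host is handed an ADS path."""
    findings = []
    for ev in events:
        image = PureWindowsPath(ev.get("Image", "")).name.lower()
        if image not in SCRIPT_HOSTS:
            continue
        for tok in split_command_line(ev.get("CommandLine", ""))[1:]:  # [0] is the host itself
            ads = parse_ads_path(tok)
            if ads:
                findings.append({"image": image, "file": ads[0], "stream": ads[1],
                                 "command_line": ev["CommandLine"]})
                break
    return findings


# Constructed sample events (not real telemetry); paths and user name are placeholders.
SAMPLE_EVENTS = [
    # stream on the user's profile directory, with host switches that also contain ':'
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" //B //E:vbscript "C:\Users\victim:GTR"'},
    # benign: ordinary .vbs on disk, the only colon is the drive letter's
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r'"C:\Windows\System32\wscript.exe" "C:\Users\victim\Documents\logon.vbs"'},
    # stream on a temp-looking file, relative path, explicit $DATA type suffix
    {"Image": r"C:\Windows\System32\cscript.exe",
     "CommandLine": r"cscript.exe //nologo ~.gif:URL:$DATA"},
    # not a script host at all
    {"Image": r"C:\Windows\System32\cmd.exe",
     "CommandLine": r"cmd.exe /c dir /r C:\Users\victim"},
    # script host given a URL-looking argument: has a colon, is not an ADS
    {"Image": r"C:\Windows\System32\wscript.exe",
     "CommandLine": r"wscript.exe C:\tools\fetch.vbs https://example.invalid/x"},
]

if __name__ == "__main__":
    for f in find_ads_script_launches(SAMPLE_EVENTS):
        print(f'{f["image"]}: stream {f["stream"]!r} on {f["file"]!r}')
```

The same parse applies to the Arguments field of a scheduled task or to Sysmon's ParentCommandLine; the point of separating `parse_ads_path` from the event loop is that the token test, not the colon count, is what makes the rule precise.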




Gamaredon has been active since at least 2013. They are not sophisticated in the way that state-level actors are sometimes imagined — no zero-day operating system exploits, no custom implants burning millions in research. Their sophistication is operational. They pick techniques that are structurally hard to detect, abuse legitimate platforms for C2, and maintain persistent access through methods that most defenders are not specifically looking for.


The NTFS ADS technique is not new. Security researchers have known about it for decades. Gamaredon is using it against Ukraine in 2026 because most EDR deployments in most organizations are not configured to hunt for it. That gap is not technical. It is a detection priority question.


Update WinRAR to 7.13 or later. Hunt for wscript.exe with colon-containing path arguments. Add the IOC set to your blocklist. The rest of the technique — the Telegram DDRs, the ADS hiding, the fake temp-file name — all depends on getting GammaPhish onto the machine in the first place.





