Gamaredon GammaWorm, SideCopy XenoRAT, and BTMOB MaaS Campaigns: OTX Pulse Analysis & Enterprise Detection Pack

Threat Summary

Recent OTX Pulse data reveals a convergence of state-sponsored cyberespionage and crimeware-as-a-service operations. We are observing three distinct, high-velocity campaigns:

Gamaredon (FSB): Continuing aggressive operations against Ukrainian entities via a complex infection chain involving HTML smuggling, weaponized RAR archives exploiting CVE-2025-8088, and HTA persistence.
SideCopy (APT36): Targeting the Afghan Ministry of Finance using spear-phishing with LNK files that leverage compromised .edu.af infrastructure to deliver XenoRAT.
BTMOB (SpySolr Evolution): A mobile-focused threat targeting Argentina and Brazil. This Malware-as-a-Service (MaaS) platform abuses Android accessibility services to steal data and maintain persistence, distributed via fake streaming and government apps.

Collectively, these threats emphasize the abuse of legitimate protocols (HTML/HTA), supply chain compromises (education domains), and mobile platform weaknesses to achieve espionage and financial theft.

Threat Actor / Malware Profile

Gamaredon Group (Russia/FSB)

Objective: Long-term cyberespionage against Ukrainian government, defense, and critical infrastructure.
Malware: GammaPhish, GammaLoad, GammaWorm, GammaSteal, Pteranodon.
Distribution: Phishing emails containing weaponized xHTML files.
TTPs:
- Initial Access: HTML smuggling to download RAR archives.
- Exploitation: Exploits CVE-2025-8088 (WinRAR) to extract HTA files recursively.
- Persistence: HTA files are dropped into Windows Startup directories.
- C2: Uses Cloudflare tunnels (trycloudflare.com) and compromised infrastructure to evade detection.

SideCopy / Transparent Tribe (Pakistan)

Objective: Espionage against Afghan government financial bodies.
Malware: XenoRAT (a commercially available but potent RAT).
Distribution: Spear-phishing with Pashto-language lure documents.
TTPs:
- Initial Access: Malicious LNK files disguised as staff directories.
- Execution: LNK triggers mshta.exe to fetch remote HTA payloads.
- Infrastructure: Utilizes compromised Afghan educational domains (abimj.edu.af) for payload hosting.

BTMOB (Unknown / MaaS)

Objective: Mobile surveillance and credential harvesting in Latin America.
Malware: BTMOB (evolution of SpySolr).
Distribution: Fake app stores impersonating streaming services, crypto platforms, and government agencies.
TTPs:
- Abuse: Heavy reliance on Android Accessibility Services to grant itself permissions silently.
- Capabilities: Keylogging, screen recording, and overlay attacks.

IOC Analysis

The current pulse data provides critical indicators across multiple vectors:

Exploits: Identification of CVE-2025-8088 is critical. This indicates a high-risk vulnerability in WinRAR that allows arbitrary code execution during archive extraction.
Network Infrastructure:
- IPs such as 104.194.140.6 (Gamaredon) and 103.132.98.224 (SideCopy) serve as C2 nodes.
- The use of trycloudflare.com subdomains by Gamaredon suggests an attempt to blend in with legitimate traffic and bypass static IP filtering.
- BTMOB utilizes a specific /24 range (191.96.x.x) for C2 operations.
Domain Compromise: abimj.edu.af (SideCopy) indicates a supply chain attack where legitimate educational infrastructure is hijacked for payload delivery.
File Hashes: A mix of MD5, SHA1, and SHA256 hashes are available for the HTA payloads, APK files, and loaders.

Operational Guidance: SOC teams should immediately block the listed IPs and domains at the perimeter. The presence of an HTA file with the associated MD5 hashes in the Startup folder is a definitive sign of compromise.

Detection Engineering

Sigma Rules

YAML

---
title: Potential Gamaredon HTML Smuggling and RAR Exploitation
id: 9a3c4d1e-5f6b-4a7c-8e9d-1f2a3b4c5d6e
description: Detects suspicious execution patterns associated with Gamaredon campaigns, specifically RAR extraction leading to HTA execution and use of WinRAR exploits.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66555a4e1c2e3e4b5c6d7e8f
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        ParentImage|endswith: '\winrar.exe'
        Image|endswith: '\cmd.exe'
        CommandLine|contains: 'script.hta' # Generic heuristic for HTA execution from archive
    condition: selection
falsepositives:
    - Legitimate administrators extracting and running scripts
level: high
tags:
    - attack.initial_access
    - attack.execution
    - gamaredon
    - cve-2025-8088
---
title: SideCopy XenoRAT LNK Execution via mshta.exe
id: b4c5d6e7-6g7h-5i8j-9f0a-2b3c4d5e6f7g
description: Detects the execution of mshta.exe initiated by a .lnk file, a common TTP for SideCopy campaigns delivering XenoRAT.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66555a4e1c2e3e4b5c6d7e90
logsource:
    category: process_creation
    product: windows
detection:
    selection:
        Image|endswith: '\mshta.exe'
        ParentImage|endswith: '\explorer.exe'
        CommandLine|contains: '.hta'
    filter_legit:
        CommandLine|contains: 'C:\Windows\System32'
    condition: selection and not filter_legit
falsepositives:
    - Administrative troubleshooting
level: high
tags:
    - attack.initial_access
    - attack.execution
    - apt36
    - sidecopy
    - xenorat
---
title: Cloudflare Tunnel C2 Activity (Gamaredon)
id: c5d6e7f8-7h8i-6j9k-0a1b-3c4d5e6f7g8h
description: Detects processes establishing connections to suspicious Cloudflare tunnel domains often used by Gamaredon for C2.
status: experimental
date: 2026/06/03
author: Security Arsenal
references:
    - https://otx.alienvault.com/pulse/66555a4e1c2e3e4b5c6d7e8f
logsource:
    category: network_connection
    product: windows
detection:
    selection:
        DestinationHostname|contains: '.trycloudflare.com'
        Initiated: 'true'
    condition: selection
falsepositives:
    - Legitimate developer use of Cloudflare tunnels
level: medium
tags:
    - attack.command_and_control
    - gamaredon
    - defense_evasion

KQL (Microsoft Sentinel)

KQL — Microsoft Sentinel / Defender

// Hunt for SideCopy and Gamaredon Network IOCs
let IOCs = dynamic([
    "104.194.140.6", "103.132.98.224", "191.96.225.241", "191.96.79.41", 
    "200.9.155.153", "195.160.221.203", "iiwdsxwamylbwwsoyrmj.supabase.co", 
    "quitethepastry.ru", "abimj.edu.af", "trycloudflare.com"
]);
DeviceNetworkEvents
| where RemoteIP in (IOCs) or RemoteUrl has_any (IOCs)
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteIP, RemoteUrl, RemotePort
| summarize count() by DeviceName, RemoteUrl
| order by count_ desc


kql
// Hunt for HTA persistence in Startup folders (Gamaredon)
DeviceFileEvents
| whereFolderPath contains "Start Menu\\Programs\\Startup"
| where FileName endswith ".hta"
| project Timestamp, DeviceName, FileName,FolderPath, SHA256, InitiatingProcessAccountName
| order by Timestamp desc

PowerShell Hunt Script

PowerShell

# Security Arsenal Threat Hunt: Gamaredon & SideCopy Persistence Check
# Checks for HTA files in Startup and Suspicious Scheduled Tasks

Write-Host "[+] Checking for suspicious HTA files in Startup directories..." -ForegroundColor Cyan

$StartUpPaths = @(
    "$env:APPDATA\Microsoft\Windows\Start Menu\Programs\Startup",
    "$env:ProgramData\Microsoft\Windows\Start Menu\Programs\Startup"
)

foreach ($Path in $StartUpPaths) {
    if (Test-Path $Path) {
        Get-ChildItem -Path $Path -Filter "*.hta" -ErrorAction SilentlyContinue | ForEach-Object {
            Write-Host "[!] Suspicious HTA found: $($_.FullName)" -ForegroundColor Red
            $Hash = Get-FileHash -Path $_.FullName -Algorithm MD5 -ErrorAction SilentlyContinue
            Write-Host "    MD5: $($Hash.Hash)"
        }
    }
}

Write-Host "[+] Checking for recent modifications to Run registry keys..." -ForegroundColor Cyan

$RunKeys = @(
    "HKCU:\Software\Microsoft\Windows\CurrentVersion\Run",
    "HKLM:\Software\Microsoft\Windows\CurrentVersion\Run"
)

foreach ($Key in $RunKeys) {
    if (Test-Path $Key) {
        Get-Item -Path $Key | ForEach-Object {
            $_.GetValueNames() | ForEach-Object {
                $Value = $_.GetValue($_)
                if ($Value -match "mshta" -or $Value -match ".hta" -or $Value -match "trycloudflare") {
                    Write-Host "[!] Suspicious persistence in $Key" -ForegroundColor Yellow
                    Write-Host "    Name: $_ | Value: $Value"
                }
            }
        }
    }
}

Write-Host "[+] Hunt complete." -ForegroundColor Green

Response Priorities

Immediate (0-4 hours)

Block IOCs: Immediately block all listed IPs (191.96.x.x, 104.194.140.6, etc.) and domains (abimj.edu.af, trycloudflare.com subdomains) on perimeter firewalls and proxies.
Endpoint Isolation: Isolate any endpoints with alerts related to mshta.exe spawned by LNK files or winrar.exe dropping files to Startup.

24 Hours

Vulnerability Scan: Identify systems running unpatched versions of WinRAR vulnerable to CVE-2025-8088.
Mobile Audit: If MDM is in place, query for the installation of apps matching the BTMOB hashes or requesting excessive Accessibility Services.
Supply Chain Check: Investigate logs for any interactions with abimj.edu.af or other unexpected educational domains.

1 Week

Architecture Hardening: Implement application control (AppLocker) to block mshta.exe execution from Office documents and LNK files for general user populations.
User Awareness: Distribute specific briefings regarding the spear-phishing lures used by SideCopy (Pashto language) and Gamaredon (archival exploits).

Related Resources

Security Arsenal Incident Response Managed SOC & MDR Services AlertMonitor Threat Detection From The Dark Side Intel Hub