In January 2026, Sekoia’s Threat Detection & Research team uncovered an active campaign by the Russian-aligned Gamaredon group (also known as Primitive Bear or ACTINIUM) targeting Ukrainian entities. This campaign distinguishes itself through the exploitation of a WinRAR vulnerability to deploy a modular, nearly fileless spyware payload.
Defenders must act immediately. The actor leverages Alternate Data Streams (ADS) to hide malicious code within benign-looking files, effectively bypassing standard file-scanning mechanisms. Furthermore, the use of Telegram for Command and Control (C2) resolution allows the threat actor to blend in with legitimate traffic and complicate network blocking efforts. This post outlines the technical breakdown of this threat and provides actionable detection and remediation strategies.
Technical Analysis
Threat Actor: Gamaredon (APT28) Target: Ukrainian entities (Government, Military, Critical Infrastructure) Vector: Malicious WinRAR Archive
Attack Chain
- Initial Access: The campaign begins with a spear-phishing email delivering a RAR archive. Gamaredon exploits a specific vulnerability in WinRAR (identified as active in late 2025) to trigger code execution upon extraction or preview.
- Payload Delivery (Stealth): Instead of dropping a standalone executable, the malware writes a malicious payload into an Alternate Data Stream (ADS) attached to a legitimate file (e.g.,
readme.txt:payload.exe). This technique is "nearly fileless" because standard Windows Explorer and many antivirus engines do not scan streams by default. - Execution: The attacker utilizes native Windows utilities (such as
wmicorpowershell) to invoke the executable stored within the stream. - C2 Communication: The malware resolves its C2 infrastructure using Telegram. By leveraging Telegram's API and IP space, the actor obfuscates the true destination of the traffic, making it difficult to block via standard IP reputation lists without disrupting legitimate business communications.
Affected Components
- WinRAR: Versions containing the unpatched flaw exploited in late 2025.
- Windows NTFS: The file system structure allowing ADS.
- Network Layer: Outbound connections to Telegram domains/IPs initiated by non-standard processes.
Detection & Response
SIGMA Rules
YAML
---
title: Gamaredon WinRAR ADS Payload Execution
id: 8a2b1c3d-4e5f-6789-0123-456789abcdef
status: experimental
description: Detects execution of binaries hidden in Alternate Data Streams, a technique used by Gamaredon to hide payloads delivered via WinRAR exploits.
references:
- https://securityaffairs.com/193112/intelligence/gamaredon-uses-winrar-vulnerability-to-launch-modular-spy-campaign-on-ukrainian-targets.html
author: Security Arsenal
date: 2026/01/15
tags:
- attack.defense_evasion
- attack.t1564.004
logsource:
category: process_creation
product: windows
detection:
selection:
CommandLine|contains:
- ':\'
- ':$'
filter_legit_drivers:
Image|endswith:
- '\svchost.exe'
- '\services.exe'
filter_standard_streams:
CommandLine|contains:
- ':$DATA'
condition: selection and not 1 of filter*
falsepositives:
- Legacy software accessing file streams
- Administrative tools
level: high
---
title: Gamaredon Telegram C2 Resolution
id: 9b3c2d4e-5f6a-7890-1234-567890abcdef
status: experimental
description: Detects non-browser processes resolving or connecting to Telegram domains, indicative of Gamaredon C2 activity using Telegram for infrastructure.
references:
- https://securityaffairs.com/193112/intelligence/gamaredon-uses-winrar-vulnerability-to-launch-modular-spy-campaign-on-ukrainian-targets.html
author: Security Arsenal
date: 2026/01/15
tags:
- attack.command_and_control
- attack.t1102.002
logsource:
category: network_connection
product: windows
detection:
selection:
DestinationHostname|contains:
- 'telegram.org'
- 't.me'
Image|endswith:
- '\chrome.exe'
- '\firefox.exe'
- '\edge.exe'
- '\msedge.exe'
- '\opera.exe'
- '\telegram.exe'
filter: selection
condition: not filter
falsepositives:
- Legitimate messaging apps not whitelisted
level: medium
KQL (Microsoft Sentinel / Defender)
KQL — Microsoft Sentinel / Defender
// Hunt for Alternate Data Stream usage via PowerShell or CMD
DeviceProcessEvents
| where Timestamp > ago(30d)
| where ProcessCommandLine has ":"
| where ProcessCommandLine has ".exe" or ProcessCommandLine has ".dll"
| where ProcessCommandLine !contains ":$DATA"
| where ProcessCommandLine !contains ":\\Windows\\"
| project Timestamp, DeviceName, InitiatingProcessAccountName, ProcessCommandLine, InitiatingProcessFileName, FolderPath
| order by Timestamp desc
// Hunt for suspicious processes connecting to Telegram infrastructure
DeviceNetworkEvents
| where Timestamp > ago(7d)
| where RemoteUrl has "telegram.org" or RemoteUrl has "t.me"
| where InitiatingProcessFileName !in ("chrome.exe", "firefox.exe", "msedge.exe", "opera.exe", "telegram.exe")
| project Timestamp, DeviceName, InitiatingProcessFileName, RemoteUrl, RemoteIP, RemotePort
| order by Timestamp desc
Velociraptor VQL
VQL — Velociraptor
-- Hunt for processes spawning from suspicious ADS locations
SELECT Pid, Name, CommandLine, Exe, Username
FROM pslist()
WHERE Exe =~ ":\\" AND Name NOT IN ("svchost.exe", "explorer.exe")
Remediation Script (PowerShell)
PowerShell
# Remediation Script: Scan for Executable Payloads in ADS
# Run as Administrator
Write-Host "[+] Scanning C: drive for executables hidden in Alternate Data Streams..." -ForegroundColor Cyan
$Drives = @("C:\")
$SuspiciousExtensions = @(".exe", ".dll", ".bat", ".ps1", ".scr")
foreach ($Drive in $Drives) {
try {
# Find files with streams
$Files = Get-ChildItem -Path $Drive -Recurse -ErrorAction SilentlyContinue |
ForEach-Object {
Get-Item -Path $_.FullName -Stream * -ErrorAction SilentlyContinue
} |
Where-Object { $_.Stream -ne ':$DATA' }
foreach ($File in $Files) {
# Heuristic: Check if stream name resembles an executable or if the base file is a common decoy
if ($SuspiciousExtensions -contains [System.IO.Path]::GetExtension($File.Stream)) {
Write-Host "[!] Suspicious Stream Found: $($File.FileName) :: Stream: $($File.Stream)" -ForegroundColor Red
# Optional: Remove the stream (Uncomment to remediate)
# Remove-Item -Path "$($File.FileName)" -Stream $File.Stream -Force
}
}
}
catch {
Write-Host "[-] Error scanning $Drive : $_" -ForegroundColor Yellow
}
}
Write-Host "[+] Scan complete." -ForegroundColor Green
Remediation
Immediate Actions:
- Patch WinRAR: Ensure all endpoints are updated to the latest version of WinRAR released in late 2025 or early 2026. Verify that the build number addresses the specific vulnerability cited in Sekoia’s December 2025 intelligence.
- Isolate Affected Hosts: If the detection rules trigger, isolate the machine from the network immediately to prevent further C2 communication via Telegram.
- Block Telegram C2: If your organization does not use Telegram for business communications, block access to
telegram.organd known Telegram IP ranges at the firewall/proxy level. If Telegram is business-critical, restrict it to specific whitelisted binaries (e.g., the official client only).
Long-Term Hardening:
- ADS Auditing: Enable Advanced Audit Policy configuration for "Audit File System" and "Audit Kernel Object" to monitor the creation of Alternate Data Streams.
- Application Control: Implement Application Whitelisting (e.g., AppLocker) to prevent the execution of binaries from unconventional paths or streams.
- Email Filtering: Update secure email gateways to block RAR archives or sandbox them dynamically, specifically checking for archive exploits.
Related Resources
Security Arsenal Penetration Testing Services AlertMonitor Platform Book a SOC Assessment vulnerability-management Intel Hub
sigma-rulekql-detectionthreat-huntingdetection-engineeringsiem-detectiongamaredonwinraralternate-data-streams
Is your security operations ready?
Get a free SOC assessment or see how AlertMonitor cuts through alert noise with automated triage.