Russian APT Gamaredon Uses Fileless VBScript Worm Hidden in NTFS Streams for Espionage in Ukraine

FSB-Linked Gamaredon APT Deploys Stealthy Fileless Worm Against Ukrainian Targets

HIGH
June 1, 2026
5m read
Threat Actor, Malware, Cyberattack

Related Entities

Threat Actors: Gamaredon (Shuckworm, Primitive Bear)

Organizations: FSB

Products & Tech: VBScript, NTFS

Full Report

Executive Summary

The Russian state-sponsored threat actor Gamaredon (also tracked as Shuckworm and Primitive Bear), attributed to Russia's Federal Security Service (FSB), has upgraded its toolkit. In a recent campaign targeting Ukraine, the group is using a new worm written in VBScript. The malware is described as fileless because no conventional .vbs file is written to disk: the script body is stored in an NTFS alternate data stream (ADS) attached to an innocuous file or directory, a location that standard directory listings, Windows Explorer and many file-centric scanners do not enumerate. The objective of the campaign is unchanged: cyber-espionage, focused on document exfiltration and long-term, persistent access to the networks of high-value Ukrainian targets.


Threat Overview

Gamaredon is one of the most active and persistent APT groups targeting Ukraine. This latest campaign, observed since January 2026, shows the group's continuous effort to refine its tradecraft for improved stealth and effectiveness. The primary targets are Ukrainian government, military, and critical infrastructure organizations.

The use of a worm that keeps its code out of the primary data stream is a significant advancement. The script still lives on disk, but because it sits in an ADS rather than in a normal .vbs file, the artefacts that signature-based antivirus and routine triage look for (a script file with a suspicious name in a user directory) are simply absent. This allows the worm to establish a durable foothold for long-term intelligence collection.

Technical Analysis

The attack chain leverages several techniques to achieve its goals:

  1. Initial Access: Gamaredon typically relies on spear-phishing emails with malicious attachments (T1566.001), often LNK files or documents that fetch a remote template.
  2. Execution: Once the initial payload runs, it downloads the VBScript worm.
  3. Defense Evasion & Persistence (T1564.004): This is the key innovation. The worm's VBScript code is not saved as a standard .vbs file. Instead, it is written to an NTFS Alternate Data Stream attached to a legitimate-looking file or directory, for example C:\Users\Public\Music:worm.vbs (a stream named worm.vbs on the Public Music folder). The stream does not appear in Windows Explorer or in a plain dir listing (dir /r is needed to see it), so it is easy to overlook during triage.
  4. Execution from ADS: Windows Script Host can open a stream path directly, so the malware launches the script straight from the hidden stream, typically via a scheduled task (T1053.005) or a WMI event subscription (T1546.003) that runs wscript.exe with the ADS path as its argument.
  5. Espionage: The worm's primary payload searches the host for documents matching specific keywords or file types (T1005), stages them (T1560) and exfiltrates them to an attacker-controlled C2 server (T1041).

Impact Assessment

The impact of this campaign is strategic espionage. The goal is not immediate disruption but the long-term theft of sensitive government and military intelligence from Ukraine. By maintaining persistent, stealthy access, Gamaredon can monitor communications, steal strategic plans, and gather intelligence that provides a significant advantage to the Russian Federation. For the targeted Ukrainian entities, this represents a severe and ongoing national security threat.

IOCs - Directly from Articles

No specific technical Indicators of Compromise (IOCs) were provided in the source articles.

Cyber Observables - Hunting Hints

Hunting for this threat requires looking beyond the standard file system.

Type: command_line_pattern
Value: dir /r
Description: Lists alternate data streams attached to files and directories (the PowerShell equivalent is Get-Item -Stream *). Streams named Zone.Identifier are the normal mark-of-the-web on downloaded files; any other stream on a document, image or directory in a user-writable location is a red flag.

Type: process_name
Value: wscript.exe or cscript.exe
Description: Monitor execution of the Windows Script Host binaries, especially when the parent is the Task Scheduler service (svchost.exe) or WMI (WmiPrvSE.exe), or the command line is unusual. Note that a WMI ActiveScriptEventConsumer runs VBScript inside scrcons.exe without spawning wscript.exe at all.

Type: command_line_pattern
Value: wscript.exe C:\path\file:stream.vbs
Description: A colon after the file or directory name (not the drive-letter colon) is a strong indicator of execution from an alternate data stream. Match the optional trailing :$DATA suffix as well.

Type: log_source
Value: Sysmon Event ID 15 (FileCreateStreamHash), AMSI, Windows Security 4688 / Sysmon Event ID 1
Description: Sysmon Event ID 15 records the creation of named file streams, and AMSI instruments VBScript run by Windows Script Host on Windows 10 and later, so the decoded script content is visible to AMSI-enabled security products. PowerShell Script Block Logging only helps if a stage of the chain runs through PowerShell; it does not capture VBScript executed by wscript.exe.

Detection & Response

  1. ADS Scanning: Use tools that enumerate NTFS alternate data streams (Sysinternals streams.exe, dir /r, PowerShell Get-Item -Stream *) or an EDR that scans stream content, and inspect what is inside any stream that is not Zone.Identifier. This is a form of D3FEND's System File Analysis.
  2. Stream and Script Telemetry: Forward Sysmon Event ID 15 (FileCreateStreamHash) to the SIEM to see ADS creation as it happens, and rely on AMSI-integrated endpoint protection to inspect VBScript content at execution time; PowerShell script block logging captures only PowerShell stages of the chain. Log scheduled task creation (Security Event ID 4698) and WMI subscription creation (Sysmon Event IDs 19, 20 and 21; WMI-Activity Operational Event ID 5861) to catch the persistence mechanism itself.
  3. Process Monitoring: Monitor for wscript.exe or cscript.exe launched by svchost.exe (scheduled tasks) or WmiPrvSE.exe (WMI), and for scrcons.exe activity, which is where a WMI ActiveScriptEventConsumer executes VBScript. This is covered by D3FEND's Process Analysis.

Mitigation

  1. PowerShell Constrained Language Mode: Deploy PowerShell in Constrained Language Mode where possible. This only constrains PowerShell-based stages of the chain; it has no effect on VBScript run by Windows Script Host. Where legacy scripts are not required, disable Windows Script Host entirely by setting HKLM\SOFTWARE\Microsoft\Windows Script Host\Settings\Enabled to 0.
  2. Application Control (M1038): Use AppLocker or WDAC to deny wscript.exe and cscript.exe to standard users, and use script rules so that only signed or administrator-owned scripts can run.
  3. Email Security: Implement robust email security to block the initial spear-phishing emails that are Gamaredon's primary entry vector.
  4. User Training (M1017): Train high-risk users in government and military roles to identify and report sophisticated spear-phishing attempts.

Timeline of Events

  1. January 1, 2026: The campaign using the fileless VBScript worm was first observed.
  2. June 1, 2026: This article was published.

MITRE ATT&CK Mitigations

Execution Prevention (M1038): Use application control to restrict the execution of script interpreters like wscript.exe, especially for standard users.

Audit (M1047): Enable and collect detailed logging, such as command-line process creation, Sysmon file-stream events and PowerShell script blocks, to detect the execution of fileless malware.

Email and web gateways: Block malicious attachments and downloads that serve as the initial vector for Gamaredon.

D3FEND Defensive Countermeasures

To specifically counter Gamaredon's use of NTFS alternate data streams (ADS), security teams in Ukraine must deploy tooling that inspects this part of the file system. This can be an EDR with stream inspection, or periodic sweeps with Sysinternals streams.exe (or dir /r and Get-Item -Stream *). The analysis should look for executable content (VBScript, JScript, PE files) inside the ADS of otherwise benign files (JPEGs, TXT files) and directories in common user locations such as C:\Users\Public. Alerting on any data in any ADS is too noisy, because every file downloaded through a browser carries a Zone.Identifier stream; alert instead on streams with other names on file types and directories that should not carry them, and on streams whose content is script text. This directly targets the malware's primary hiding mechanism.
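The sweep described above, as an added example that is not the article's code or Gamaredon tooling: a parser for captured dir /r output that keeps every named stream, drops the benign Zone.Identifier mark-of-the-web, and grades the rest. It assumes the English cmd.exe layout shown in the embedded sample (stream rows follow their host entry as "size host:stream:$DATA", and "." carries streams attached to the directory itself); the directory, file names and sizes in the sample are constructed for the demonstration.

```python
"""Parse captured `dir /r` output and flag suspicious NTFS alternate data streams.

Added example for this write-up; not the article's code and not Gamaredon
tooling. Assumes `dir /r /s <path>` output in the English cmd.exe format shown
in SAMPLE_DIR_R (stream rows follow their host entry as
"<size> <host>:<stream>:$DATA"; "." carries streams attached to the directory
itself). Names, sizes and paths in the sample are constructed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

# Constructed sample: a stream on the directory itself (the
# C:\Users\Public\Music:worm.vbs pattern from the report), a benign
# mark-of-the-web stream, and a script stream hidden behind an image.
SAMPLE_DIR_R = r"""
 Volume in drive C has no label.

 Directory of C:\Users\Public\Music

01/12/2026  09:14 AM    <DIR>          .
                                 3,412 .:worm.vbs:$DATA
01/12/2026  09:14 AM    <DIR>          ..
01/10/2026  10:02 AM            12,345 notes.txt
                                    26 notes.txt:Zone.Identifier:$DATA
01/11/2026  04:40 PM           204,800 holiday.jpg
                                 4,096 holiday.jpg:update.vbs:$DATA
               2 File(s)        217,145 bytes
"""

DIR_HEADER = re.compile(r"^\s*Directory of (?P<path>.+?)\s*$")
# "<size> <host>:<stream>:$DATA"; host is "." when the stream is on the directory.
STREAM_ROW = re.compile(
    r"^\s*(?P<size>[\d,]+)\s+(?P<host>.+?):(?P<stream>[^:\\/]+):\$DATA\s*$")

# Streams expected on ordinary files. Tune per estate (sync clients and some
# installers add their own).
BENIGN_STREAMS = {"zone.identifier"}
# Stream names whose extension says "code", whatever the host file type is.
SCRIPT_EXT = (".vbs", ".vbe", ".js", ".jse", ".wsf", ".hta",
              ".ps1", ".bat", ".cmd", ".exe", ".dll")


@dataclass
class Stream:
    directory: str
    host: str      # file name, or "." for the directory itself
    name: str
    size: int

    @property
    def host_path(self) -> str:
        return self.directory if self.host == "." else f"{self.directory}\\{self.host}"


def parse_dir_r(text: str) -> list[Stream]:
    """Return every named stream in a dir /r listing together with its directory."""
    found, current_dir = [], ""
    for line in text.splitlines():
        header = DIR_HEADER.match(line)
        if header:
            current_dir = header.group("path")
            continue
        row = STREAM_ROW.match(line)
        if row:
            found.append(Stream(current_dir, row.group("host"), row.group("stream"),
                                int(row.group("size").replace(",", ""))))
    return found


def classify(s: Stream) -> str:
    """'benign' for allow-listed streams; 'high' for script/PE-named streams or
    any stream on a directory; 'medium' for everything else (inspect content)."""
    name = s.name.lower()
    if name in BENIGN_STREAMS:
        return "benign"
    if s.host == "." or name.endswith(SCRIPT_EXT):
        return "high"
    return "medium"


def hunt_streams(text: str) -> list[tuple[str, str, int]]:
    """(severity, '<host path>:<stream>', size) for each non-benign stream, worst first."""
    order = {"high": 0, "medium": 1}
    hits = [(classify(s), f"{s.host_path}:{s.name}", s.size) for s in parse_dir_r(text)]
    return sorted((h for h in hits if h[0] != "benign"), key=lambda h: order[h[0]])


if __name__ == "__main__":
    for severity, target, size in hunt_streams(SAMPLE_DIR_R):
        print(f"{severity:6} {size:>8}  {target}")
```

Feed it the saved output of dir /r /s C:\Users (and any other user-writable roots) and pull the content of each hit with Get-Content -Path <file> -Stream <name> before deciding; a medium hit with script text inside is as serious as a high one.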

Implement detailed process and command-line logging on all endpoints (Sysmon Event ID 1, or Security Event ID 4688 with command-line auditing enabled). The key to detecting this worm is to spot its execution. Create detection rules that look for the Windows Script Host (wscript.exe or cscript.exe) being launched with a script argument containing a colon after the file or directory name, for example wscript.exe C:\Users\Public\file.txt:evil.vbs, optionally followed by :$DATA; the drive-letter colon alone must not trigger the rule. This syntax is a tell-tale sign of execution from an alternate data stream. Correlating it with the parent process (svchost.exe for a scheduled task, WmiPrvSE.exe for WMI) gives high-confidence alerts of a Gamaredon compromise, even though the script never exists as a conventional file. Cover the WMI ActiveScriptEventConsumer case separately: there the script runs inside scrcons.exe and no wscript.exe process is created.
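The process-telemetry rule described here and in the Detection & Response section, written out as an added example (not the article's code): it tokenises the command line, strips the drive-letter colon before testing for a file:stream path, skips WSH switches such as //B, accepts the optional :$DATA suffix, and raises confidence when the parent is svchost.exe or WmiPrvSE.exe. It assumes process-creation events (Sysmon Event ID 1 or Security 4688) have already been normalised to dicts with image, parent_image and command_line keys; the events in SAMPLE_EVENTS are constructed, not captured from an incident.

```python
"""Detect Windows Script Host launches that execute a script from an NTFS
alternate data stream, and grade each hit by its parent process.

Added example for this write-up, not the article's or Gamaredon's code.
Assumes process-creation telemetry (Sysmon Event ID 1 or Security 4688)
normalised to dicts with "image", "parent_image" and "command_line" keys.
SAMPLE_EVENTS is constructed, not real telemetry.
"""
from __future__ import annotations
import re

SCRIPT_HOSTS = {"wscript.exe", "cscript.exe"}
# Task Scheduler runs inside svchost.exe; WMI consumers are hosted by WmiPrvSE.exe.
# A WMI ActiveScriptEventConsumer runs VBScript inside scrcons.exe and never
# spawns wscript.exe, so that case needs its own rule.
PERSISTENCE_PARENTS = {"svchost.exe", "wmiprvse.exe"}

DRIVE_PREFIX = re.compile(r"^[A-Za-z]:")
# After the drive letter is removed: "<path>:<stream>" with optional ":$DATA".
# The stream part may not contain path separators, which rejects ordinary paths.
ADS_PATH = re.compile(r"^(?P<host>[^:]+):(?P<stream>[^:\\/]+?)(?::\$DATA)?$", re.IGNORECASE)


def split_command_line(cmd: str) -> list[str]:
    """Minimal Windows-style tokeniser: a double-quoted run is one token."""
    return [quoted or bare for quoted, bare in re.findall(r'"([^"]*)"|(\S+)', cmd)]


def basename(path: str) -> str:
    return re.split(r"[\\/]", path)[-1].lower()


def ads_stream(arg: str) -> str | None:
    """Return the stream name if arg is a <file-or-dir>:<stream> path, else None."""
    body = DRIVE_PREFIX.sub("", arg, count=1)   # "C:" must not count as an ADS colon
    match = ADS_PATH.match(body)
    return match.group("stream") if match else None


def inspect(event: dict) -> dict | None:
    """One process-creation event in, one finding out (or None)."""
    if basename(event["image"]) not in SCRIPT_HOSTS:
        return None
    for arg in split_command_line(event["command_line"])[1:]:
        if arg.startswith(("/", "-")):          # //B, //Nologo, /E:vbscript are WSH switches
            continue
        stream = ads_stream(arg)
        if stream:
            parent = basename(event["parent_image"])
            return {
                "stream": stream,
                "target": arg,
                "parent": parent,
                # ADS execution launched by a task or WMI matches the report's
                # persistence pattern and earns the higher confidence.
                "confidence": "high" if parent in PERSISTENCE_PARENTS else "medium",
            }
    return None


def hunt_process_events(events: list[dict]) -> list[dict]:
    return [finding for finding in (inspect(e) for e in events) if finding]


# Constructed sample telemetry (all paths and names invented for the example).
SAMPLE_EVENTS = [
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\System32\svchost.exe",
     "command_line": r'wscript.exe //B "C:\Users\Public\Music:worm.vbs"'},
    {"image": r"C:\Windows\System32\cscript.exe",
     "parent_image": r"C:\Windows\System32\wbem\WmiPrvSE.exe",
     "command_line": r"cscript.exe //Nologo C:\Users\Public\file.txt:evil.vbs:$DATA"},
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r'wscript.exe "C:\Program Files\Vendor\logon.vbs"'},  # ordinary script
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:notes.txt:x.vbs"},                    # drive-relative ADS path
    {"image": r"C:\Windows\System32\wscript.exe",
     "parent_image": r"C:\Windows\explorer.exe",
     "command_line": r"wscript.exe C:logon.vbs"},                          # drive-relative, no ADS
    {"image": r"C:\Windows\explorer.exe",
     "parent_image": r"C:\Windows\System32\userinit.exe",
     "command_line": r'explorer.exe "C:\Users\Public\Music:worm.vbs"'},   # not a script host
]

if __name__ == "__main__":
    for f in hunt_process_events(SAMPLE_EVENTS):
        print(f"{f['confidence']:6} parent={f['parent']:12} stream={f['stream']:10} {f['target']}")
```

The drive-relative case (C:notes.txt:x.vbs) is why the drive letter is stripped before the regex runs rather than handled inside it: a single pattern with an optional drive group backtracks into treating C:logon.vbs as an ADS path.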


Sources & References

FSB Group Gamaredon Hides Worm in Windows Data Streams
Infosecurity Magazine, June 1, 2026

Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Areas: Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

Gamaredon, APT, FSB, Russia, Ukraine, Fileless Malware, VBScript, NTFS, Espionage
