GamaWiper
GamaWiper is a wiper malware attributed with medium confidence to the Russia-linked Gamaredon threat actor, which is officially linked by the Security Service of Ukraine to Russia’s FSB. Reporting states that ClearSky observed Gamaredon deploying GamaWiper in data-wiping attacks against Ukrainian organizations, marking a notable destructive component alongside the group’s traditional espionage activity. The malware has been associated with campaigns targeting Ukrainian military, governmental, political, administrative, and broader Ukrainian organizations. Supporting reporting states that Gamaredon extensively abused WinRAR path traversal vulnerabilities, including CVE-2025-8088 and CVE-2025-6218, in phishing-driven intrusion chains using malicious RAR archives to deliver Visual Basic Script malware and deploy GamaWiper. High-confidence context ties the malware to destructive operations conducted by Gamaredon in late 2025; however, the provided content does not include detailed technical internals, persistence mechanisms, or specific indicators of compromise unique to GamaWiper itself.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Finally, in December 2025, ClearSky Cyber Security highlighted a new malware attributed to Gamaredon with medium confidence: GamaWiper.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Alternative spelling/name for the destructive wiper later normalized in this report as GammaWipe.
GamaWiper is a destructive wiper malware deployed by Gamaredon, marking a shift from espionage to destructive operations.
GamaWiper is a destructive wiper malware deployed by Gamaredon, marking a shift from espionage to destructive operations.
Data-wiping malware deployed in attacks against Ukrainian organizations (attributed in reporting to Gamaredon APT activity).
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.