GammaWipe
GammaWipe is a destructive malware family in Sekoia’s unified “Gamma” taxonomy for the Russia-linked Gamaredon threat actor, also referred to as GamaWiper. The reporting ties it to Gamaredon’s modular intrusion ecosystem alongside GammaPhish, GammaLoad, GammaWorm, and GammaSteel, and indicates it may be deployed depending on operator objectives and target profile. Sekoia reported that Gamaredon’s infection chains targeting Ukrainian victims used weaponized XHTML spearphishing attachments and booby-trapped RAR archives exploiting the WinRAR path traversal vulnerability CVE-2025-8088 to establish initial access, after which GammaLoad could fetch additional payloads such as GammaWipe. The broader campaign was attributed to the Russian state-sponsored group Gamaredon, officially linked to Russia’s FSB, which has a longstanding focus on Ukrainian government, military, and critical infrastructure entities. ClearSky Cyber Security later highlighted GamaWiper in December 2025 with medium-confidence attribution to Gamaredon, describing it as malware intended to completely wipe a device and noting that it appeared to be used exclusively against security researchers during sandbox analysis. No specific technical indicators or detailed implementation characteristics for GammaWipe beyond its destructive wiping purpose and aliasing as GamaWiper are directly provided in the source content.
Hunt this family in your stack
Mallory pivots from this family to the IOCs, detections, and named campaigns that touch your stack, and pages you when something new lands.
Vulnerabilities exploited
1 CVE Mallory has correlated with this family across public research and vendor advisories. Each row links to the full Mallory page for that vulnerability.
According to Sekoia, the attack consists of exploiting the bug CVE-2025-8088, a path traversal bug in WinRAR, to run an HTML App payload called GammaPhish, which is later used to get a VBScript payload from the C2 server.
Groups observed using it
1 distinct threat actor attributed by public researchers. Open in Mallory to see the full evidence chain and overlapping campaigns.
Sekoia has now aligned the naming under a single taxonomy using the “Gamma” prefix: GammaPhish for initial access, GammaLoad for staging, GammaWorm for propagation, GammaSteel for data theft, and GammaWipe for destruction.
Recent activity
4 sources tracked across advisories, community write-ups, and news. New activity surfaces here as Mallory finds it.
Destructive component in Gamaredon’s modular malware taxonomy, intended for destruction.
A wiper malware strain that may be deployed through the same Gamaredon infection chain depending on the intended target.
A wiper malware family that may be distributed through the same Gamaredon infection sequence depending on operational objectives.
A destructive wiper attributed to Gamaredon with medium confidence, intended to completely wipe a device. The report says it appears to be used against security researchers during sandbox analysis and was not observed on final victims.
The version that knows your environment.
Match every observed IP, domain, and hash against your live telemetry.
Named campaigns wielding this family, with evidence pinned to each claim.
CVEs this family uses for access and lateral movement.
YARA, Sigma, Snort, and vendor rules, auto-deployed to your SIEM.
Every documented technique, ranked by evidence weight.
Reddit, Mastodon, and CTI community discussion around this family.