Russian cybercriminals are actively exploiting a known vulnerability in WinRAR, designated as CVE-2025-8088, to infiltrate Ukrainian organizations and exfiltrate sensitive data. This flaw, a path traversal vulnerability with a CVSS score of 8.4, was patched in July 2025. However, its continued exploitation underscores the persistent risks associated with unpatched software.
Two distinct Russian-aligned threat groups are leveraging this vulnerability. The first, identified as SHADOW-EARTH-066 (also known as UAC-0226), has been deploying an updated version of the GIFTEDCROOK information stealer. The second, Earth Dahu (also referred to as Gamaredon), has been targeting Ukrainian entities since at least 2013. Both groups have been observed utilizing this exploit as recently as April 2026.
The attack vector involves spear-phishing emails containing malicious RAR archives. When recipients open these archives using outdated versions of WinRAR, a decoy PDF is displayed while hidden files are silently placed into the Windows Startup folder. This method ensures that no immediate warnings are triggered, and the malicious payload executes automatically upon the next system login.
SHADOW-EARTH-066 has specifically targeted Ukrainian military innovation centers, law enforcement agencies, and local government bodies near Ukraine’s eastern border. Earth Dahu employs a similar approach, delivering espionage tools through HTML Application files loaded via Cloudflare Workers. Despite differences in their toolsets, both groups exploit the same unpatched vulnerability.
Other Russian-linked actors, including Sandworm, Turla, and Void Rabisu, have also exploited this vulnerability. The persistent abuse of a flaw that has been patched for nearly a year highlights a significant security gap: WinRAR lacks support for automatic updates or integration with standard enterprise patch management systems. Without either, vulnerable installations are easy for organizations to miss in inventories, leaving them susceptible to exploitation.
The technical specifics of CVE-2025-8088 involve a path traversal flaw that allows attackers to write files outside the intended extraction directory using NTFS Alternate Data Streams. Malicious archives typically contain a visible decoy PDF alongside hidden payloads. These payloads include an LNK shortcut placed in the Startup folder, a PowerShell loader in the C:\ProgramData directory, and an encoded DLL in the same location. Upon the next system login, the LNK file triggers a nested PowerShell session that decodes and loads the final payload entirely in memory, utilizing direct NT system calls to bypass common API hooks.
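The path-traversal class described above comes down to one missing check at extraction time. The following is an added example, not WinRAR's code and not a reconstruction of the RAR format: it assumes only that an extractor builds each output path from an entry's file name plus, for an Alternate Data Stream record, a `:stream` suffix, and shows the vulnerable shape (file name checked, stream name appended untouched) next to the hardened one (every untrusted component, stream name included, confined to the output directory). The `Entry` type and all sample names are constructed for the example.

```python
"""Validating archive entry names before anything is written to disk.

Added example, not WinRAR's code: nothing here reads the RAR format. It assumes
only that an extractor builds the output path from an entry's file name and,
for an Alternate Data Stream record, a ':stream' suffix. The fix for this
class of bug is always the same: every untrusted name component, the stream
name included, must stay inside the chosen output directory.
"""
from __future__ import annotations

import posixpath
import re
from dataclasses import dataclass

_SEP_RE = re.compile(r"[\\/]+")        # archives written on Windows use either separator
_DRIVE_RE = re.compile(r"^[A-Za-z]:")  # 'C:...' is absolute even without a leading slash


@dataclass(frozen=True)
class Entry:
    """One archive record as the extractor sees it (constructed shape, not RAR's)."""
    file_name: str                  # path the entry claims, relative to the output root
    stream_name: str | None = None  # NTFS ADS name when the record is a stream, else None


def normalise(name: str) -> str:
    """Collapse backslashes and repeated separators to a single '/'."""
    return _SEP_RE.sub("/", name)


def _escapes(root: str, relative: str) -> bool:
    """True if writing `relative` under `root` could land outside `root`.

    Traversal components are rejected outright rather than cancelled out: a
    legitimate archive never needs '..', and an outright reject is easier to audit.
    """
    if relative.startswith("/") or _DRIVE_RE.match(relative):
        return True
    if any(part == ".." for part in relative.split("/")):
        return True
    resolved = posixpath.normpath(posixpath.join(root, relative))
    return resolved != root and not resolved.startswith(root.rstrip("/") + "/")


def naive_target(root: str, entry: Entry) -> str:
    """The vulnerable shape: validate the file name, then append the stream verbatim."""
    root = posixpath.normpath(normalise(root))
    file_part = normalise(entry.file_name)
    if _escapes(root, file_part):
        raise ValueError(f"refusing {entry.file_name!r}: leaves {root}")
    target = posixpath.join(root, file_part)
    if entry.stream_name is not None:
        target += ":" + entry.stream_name  # never inspected: this is the bug class
    return target


def safe_target(root: str, entry: Entry) -> str | None:
    """Hardened shape: the stream name is untrusted path input and is checked too.

    Returns the path the entry may be written to, or None when it must be skipped.
    """
    root = posixpath.normpath(normalise(root))
    file_part = normalise(entry.file_name)
    if not file_part or _escapes(root, file_part):
        return None
    target = posixpath.join(root, file_part)
    if entry.stream_name is not None:
        stream = entry.stream_name
        # A stream name is a single leaf: no separators, no drive letter, no dot entries.
        if not stream or re.search(r"[\\/:]", stream) or stream in {".", ".."}:
            return None
        target += ":" + stream
    return target
```

`safe_target` returns `None` rather than raising so an extractor can skip the entry, log it, and carry on with the rest of the archive; the `naive_target` variant is kept only to show that a stream name containing `..\` passes through it without ever being examined.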
The final payload, a DLL internally named result.dll, is an evolved form of the GIFTEDCROOK stealer. It targets web browsers such as Chrome, Edge, Opera, and Firefox to extract passwords, session cookies, and master decryption keys. Additionally, it scans for files across 35 extensions, including spreadsheets, email files, and KeePass databases. The stolen data is encrypted using dual-layer RC4 and transmitted over HTTPS to dedicated command-and-control servers. Following data exfiltration, the malware deletes itself to minimize detection.
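The chain described above leaves three observable artefacts before any data is stolen: an archiver writing a shortcut into a Startup folder, the same archiver dropping files directly under C:\ProgramData, and a PowerShell process spawning another PowerShell whose command line points at C:\ProgramData. The detection logic below is an added example and not part of the report; the event records are constructed and only loosely follow Sysmon's FileCreate (`Image`, `TargetFilename`) and ProcessCreate (`Image`, `ParentImage`, `CommandLine`, `ParentCommandLine`) fields, and the set of archiver image names is an assumption.

```python
"""Flagging the artefacts of the extraction-to-login chain described above.

Added example, not from the report: the event records are constructed and only
loosely follow Sysmon's FileCreate (Image, TargetFilename) and ProcessCreate
(Image, ParentImage, CommandLine, ParentCommandLine) fields. The rules encode
what the article states and nothing more: an archiver writing a .lnk into a
Startup folder or a file directly under C:\\ProgramData, and PowerShell
spawning PowerShell with a command line that points at C:\\ProgramData.
"""
from __future__ import annotations

import re
from dataclasses import dataclass
from typing import Callable, Iterable

# Assumption: the archive extractors whose file writes we care about.
ARCHIVER_IMAGES = {"winrar.exe", "rar.exe", "unrar.exe"}
POWERSHELL_IMAGES = {"powershell.exe", "pwsh.exe"}

STARTUP_LNK_RE = re.compile(r"\\start menu\\programs\\startup\\[^\\]+\.lnk$", re.I)
PROGRAMDATA_ROOT_RE = re.compile(r"^c:\\programdata\\[^\\]+$", re.I)  # file in the root, no subfolder
PROGRAMDATA_REF_RE = re.compile(r"c:\\programdata\\", re.I)


@dataclass(frozen=True)
class Finding:
    rule: str
    index: int    # position of the triggering event in the input sequence
    detail: str


def _leaf(path: str) -> str:
    """Lower-cased file name of a Windows path."""
    return path.rsplit("\\", 1)[-1].lower()


def archiver_writes_startup_lnk(i: int, ev: dict) -> Finding | None:
    """A shortcut extracted into a Startup folder runs at the next logon."""
    if ev.get("EventType") != "FileCreate":
        return None
    if _leaf(ev.get("Image", "")) in ARCHIVER_IMAGES and STARTUP_LNK_RE.search(ev.get("TargetFilename", "")):
        return Finding("archiver-writes-startup-lnk", i, ev["TargetFilename"])
    return None


def archiver_drops_in_programdata(i: int, ev: dict) -> Finding | None:
    """Loader or encoded payload written straight into C:\\ProgramData by the archiver."""
    if ev.get("EventType") != "FileCreate":
        return None
    if _leaf(ev.get("Image", "")) in ARCHIVER_IMAGES and PROGRAMDATA_ROOT_RE.match(ev.get("TargetFilename", "")):
        return Finding("archiver-drops-in-programdata", i, ev["TargetFilename"])
    return None


def nested_powershell_programdata(i: int, ev: dict) -> Finding | None:
    """PowerShell launching PowerShell, with either command line pointing at C:\\ProgramData."""
    if ev.get("EventType") != "ProcessCreate":
        return None
    if _leaf(ev.get("Image", "")) in POWERSHELL_IMAGES and _leaf(ev.get("ParentImage", "")) in POWERSHELL_IMAGES:
        combined = ev.get("CommandLine", "") + " " + ev.get("ParentCommandLine", "")
        if PROGRAMDATA_REF_RE.search(combined):
            return Finding("nested-powershell-programdata", i, ev.get("CommandLine", ""))
    return None


RULES: tuple[Callable[[int, dict], Finding | None], ...] = (
    archiver_writes_startup_lnk,
    archiver_drops_in_programdata,
    nested_powershell_programdata,
)


def detect(events: Iterable[dict]) -> list[Finding]:
    """Run every rule over every event; findings keep input order."""
    findings: list[Finding] = []
    for i, ev in enumerate(events):
        for rule in RULES:
            finding = rule(i, ev)
            if finding is not None:
                findings.append(finding)
    return findings


# Constructed sample telemetry: one benign extraction write, the three artefacts
# from the article, and two look-alikes that must not fire.
WINRAR = r"C:\Program Files\WinRAR\WinRAR.exe"
EXPLORER = r"C:\Windows\explorer.exe"
POWERSHELL = r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe"
STARTUP = r"C:\Users\analyst\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"

SAMPLE_EVENTS = [
    {"EventType": "FileCreate", "Image": WINRAR, "TargetFilename": r"C:\Users\analyst\Downloads\decoy.pdf"},
    {"EventType": "FileCreate", "Image": WINRAR, "TargetFilename": STARTUP + r"\update.lnk"},
    {"EventType": "FileCreate", "Image": WINRAR, "TargetFilename": r"C:\ProgramData\loader.ps1"},
    {"EventType": "FileCreate", "Image": EXPLORER, "TargetFilename": STARTUP + r"\Notepad.lnk"},  # user-made shortcut
    {"EventType": "ProcessCreate", "Image": POWERSHELL, "ParentImage": EXPLORER,
     "CommandLine": r"powershell.exe -w hidden -f C:\ProgramData\loader.ps1", "ParentCommandLine": "explorer.exe"},
    {"EventType": "ProcessCreate", "Image": POWERSHELL, "ParentImage": POWERSHELL,
     "CommandLine": "powershell.exe -nop -w hidden -enc <base64 placeholder>",
     "ParentCommandLine": r"powershell.exe -w hidden -f C:\ProgramData\loader.ps1"},
    {"EventType": "ProcessCreate", "Image": POWERSHELL, "ParentImage": POWERSHELL,
     "CommandLine": "powershell.exe -c Get-Date", "ParentCommandLine": "powershell.exe"},  # nested but benign
]

if __name__ == "__main__":
    for f in detect(SAMPLE_EVENTS):
        print(f"[{f.rule}] event {f.index}: {f.detail}")
```

Each rule is deliberately narrow: the Startup and ProgramData rules key on the writing process being an archiver, so a user pinning a shortcut or an installer populating its own ProgramData subfolder does not fire, and the nested-PowerShell rule needs the C:\ProgramData reference on either the child or the parent command line, so ordinary script-in-script automation stays quiet.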
This ongoing exploitation serves as a stark reminder of the critical importance of timely software updates. Organizations must prioritize patch management and ensure that all software, especially widely used tools like WinRAR, is kept up to date to mitigate the risk of such vulnerabilities being exploited.