WinRAR Flaw Exploited by Russia-Aligned Groups to Target Organizations in Ukraine

Two Russia-linked cyber attack campaigns have continued to use a security flaw in WinRAR to target Ukrainian organizations, nearly a year after the vulnerability was patched.
The activity, attributed by Trend Micro to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226), involves the exploitation of CVE-2025-8088, a path traversal flaw that allows an attacker to write files outside the extraction directory using NTFS Alternate Data Streams (ADS). It was patched by WinRAR in July 2025.
The findings show how “unpatched software keeps an exploitable entry point open long after fixes have shipped,” Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said in an analysis published Monday.
The WinRAR exploit chain used by SHADOW-EARTH-066 is a departure from the malicious Excel droppers the threat actor previously used to deliver a stealer named GIFTEDCROOK. The latest iteration uses crafted RAR archives containing a decoy PDF file and three hidden ADS payloads that are written outside the extraction directory to initiate the infection.
These include a Windows Shortcut (LNK) file placed in the Startup folder so that it runs automatically every time the user logs on. The shortcut, in turn, launches a PowerShell loader via “cmd.exe,” which loads a DLL in memory to ultimately run an updated version of GIFTEDCROOK (“result.dll”).
The malware targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, and Opera) and Mozilla Firefox, in addition to harvesting documents with certain file extensions from the victim’s machine. Once the data is exfiltrated to an external server, all malicious artifacts are deleted to cover the forensic trail.
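The flaw described above works because an archive entry’s ADS stream name is treated as a path, so a name like `decoy.pdf:..\..\Startup\x.lnk` lands outside the extraction directory. The following added example (not code from the page or from WinRAR) shows the guard an extraction routine should apply: a legitimate stream name is a bare identifier, so any separator or `..` inside it is rejected, and the file part is checked for absolute paths and traversal. The entry names are constructed for illustration.

```python
from pathlib import PureWindowsPath

# Constructed sample archive entry names, modelled on the technique described
# above (decoy document plus ADS payloads whose stream names carry "..\"
# traversal). These names are illustrative, not taken from the campaign.
SAMPLE_ENTRIES = [
    "Invoice.pdf",
    "Invoice.pdf:..\\..\\..\\AppData\\Roaming\\Microsoft\\Windows"
    "\\Start Menu\\Programs\\Startup\\update.lnk",
    "Invoice.pdf:..\\..\\..\\AppData\\Local\\Temp\\result.dll",
    "notes.txt:Zone.Identifier",  # benign ADS name: no separators, no '..'
    "docs\\..\\..\\escape.txt",   # plain (non-ADS) traversal for comparison
]

def split_ads(entry):
    """Split 'name:stream' into (name, stream); stream is None when absent."""
    name, sep, stream = entry.partition(":")
    return (name, stream) if sep else (name, None)

def _escapes_root(relpath):
    """True if a backslash/slash separated relative path climbs above its root."""
    depth = 0
    for part in relpath.replace("\\", "/").split("/"):
        if part in ("", "."):
            continue
        if part == "..":
            depth -= 1
            if depth < 0:
                return True
        else:
            depth += 1
    return False

def is_unsafe_entry(entry):
    """Reject entries whose file path or ADS stream would be written outside
    the extraction directory."""
    name, stream = split_ads(entry)
    p = PureWindowsPath(name)
    if p.drive or p.root or _escapes_root(name):
        return True
    if stream is not None:
        # A real stream name never contains a path separator or '..'
        if "\\" in stream or "/" in stream or _escapes_root(stream):
            return True
    return False

def audit(entries):
    """Return the entry names that must not be written to disk."""
    return [e for e in entries if is_unsafe_entry(e)]

if __name__ == "__main__":
    for e in audit(SAMPLE_ENTRIES):
        print("BLOCK:", e)
```

The check deliberately does not emulate Windows path normalization of the `name:stream` string; it refuses anything that is not a plain stream identifier, which is the conservative rule an extractor should enforce.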

Another notable change is the shift from Telegram as an exfiltration channel to dedicated command-and-control (C2) servers, a move that may coincide with Russia’s blocking of the messaging platform in the country earlier this February.
The second Russia-affiliated hacking group to exploit CVE-2025-8088 is Earth Dahu, which has been exploiting the bug since at least September 2025. The adversary is known for its “industrial effort” to maintain long-term access to victim organizations.
“Earth Dahu exploited the vulnerability through a series of HTA-to-VBScript infection chains that deliver spyware modules,” Trend Micro noted. “Based on RAR’s internal file timestamps and naming conventions, the campaign remained active until at least April 10, 2026.”
The attack chain, as documented by Sekoia last week, involves the use of GammaPhish, an HTML Application (HTA) that retrieves a VBScript loader called GammaLoad. The loader then delivers additional modules such as GammaSteel.
GammaLoad “is a collection of VBScripts designed to ensure persistent access and payload deployment over time by using Dead Drop Resolvers (DDR),” Sekoia said, adding that it is used to install a dropper that launches a VBScript loader responsible for deploying GammaSteel, a full-fledged information stealer that can be modified in real time.
“WinRAR is deeply embedded in the day-to-day operations of Ukrainian organizations, making it an attractive target for exploitation,” Trend Micro said. “The convergence of both state-backed and independently tracked groups on a single vulnerability shows the level of cyber threats Ukraine faces.”