2026-06-09 The Hacker News

Russia-Linked APTs Still Exploiting Patched WinRAR Flaw to Target Ukraine

Tags: APT, Vulnerability, Threat Intel

Two Russia-aligned cyber-espionage campaigns have continued weaponizing CVE-2025-8088, a path-traversal vulnerability in WinRAR patched in July 2025, to compromise Ukrainian organizations nearly a year after the fix was released. Researchers Hiroyuki Kakara and Feike Hacquebord of Trend Micro attributed the ongoing activity to Earth Dahu (also tracked as Gamaredon) and SHADOW-EARTH-066 (UAC-0226), warning that "unmanaged software keeps an exploited entry point open long after the fix ships."

The SHADOW-EARTH-066 campaign represents a notable shift in tradecraft, replacing the group's earlier Excel macro droppers with crafted RAR archives. Each archive presents a decoy PDF, but also carries three hidden payloads stored as NTFS Alternate Data Streams (ADS) whose stream names embed a path traversal; because of CVE-2025-8088, a vulnerable WinRAR writes them outside the directory the user chose for extraction. One of those payloads is a Windows shortcut (.lnk) planted in the Startup folder for persistence; at the next logon it runs cmd.exe, which launches a PowerShell loader that side-loads an updated GIFTEDCROOK stealer ("result.dll") in memory. The malware targets stored passwords and cookies from Chromium-based browsers (Chrome, Edge, Opera) and Mozilla Firefox, then harvests documents matching specific file extensions before exfiltrating the data to dedicated command-and-control servers, a pivot from its previous reliance on Telegram.

Earth Dahu, meanwhile, has incorporated CVE-2025-8088 into its arsenal since at least September 2025, layering the WinRAR exploit onto an HTA-to-VBScript infection chain that deploys espionage modules tracked as GammaPhish, GammaLoad, and GammaSteel. The group is known for sustaining long-term, industrial-scale access to compromised entities, and internal RAR timestamps indicate the chain remained operational through at least April 10, 2026. The fix shipped in WinRAR 7.13; because WinRAR does not update itself, every installation still running an earlier build stays exploitable until someone installs the new version by hand. Beyond patching, defenders should alert on files written into Startup folders (especially by an archiver process), audit browser credential stores on affected machines, and treat any passwords saved in those profiles as exposed and rotate them; checking them against a breach database is a useful secondary step. Security teams can also correlate suspicious outbound traffic with WHOIS data on the destination domains, since newly registered domains contacted by an endpoint are a common marker of freshly stood-up C2 infrastructure.
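The two host-side signals the article's description gives a defender, an archiver writing into a Startup folder and a cmd.exe-launched PowerShell loader, can be hunted for directly in endpoint telemetry. The following is an added example, not code from the article or from Trend Micro; it runs over a hand-constructed, Sysmon-style event sample (event IDs 1, 11 and 15 are real Sysmon IDs, but the hosts, paths and command lines are invented for illustration), and the loader-switch indicators it looks for are an assumption of this example rather than anything the article lists.

```python
"""Hunt for the CVE-2025-8088 post-extraction chain in endpoint telemetry.

Added example. Stage 1: an archiver (WinRAR) creates a file or a named stream
inside a Startup folder. Stage 2: cmd.exe spawns PowerShell with loader-style
switches. Events are constructed to look like Sysmon output; they are not real logs.
"""
import ntpath
import re

# Per-user and all-users Startup folders both contain this fragment.
STARTUP_RE = re.compile(
    r"\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
ARCHIVERS = {"winrar.exe", "rar.exe", "unrar.exe"}
POWERSHELL = {"powershell.exe", "pwsh.exe"}
# Loader-style switches and cmdlets (this example's assumption, not the article's list).
SUSPICIOUS_PS = re.compile(
    r"-(w|windowstyle)\s+hidden|-(ep|executionpolicy)\s+bypass|"
    r"-(e|ec|enc|encodedcommand)\s|\biex\b|invoke-expression|downloadstring|frombase64string",
    re.IGNORECASE)

# Constructed sample: ws01 shows the full chain, ws02 shows benign look-alikes.
STARTUP = r"\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
SAMPLE_EVENTS = [
    # Sysmon 11 = FileCreate. Decoy PDF lands where the user extracted to: fine.
    {"id": 11, "host": "ws01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\olena\Downloads\report\report.pdf"},
    # Same archiver writes a .lnk into Startup: the traversal payload.
    {"id": 11, "host": "ws01", "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\olena" + STARTUP + r"\update.lnk"},
    # Sysmon 1 = ProcessCreate. Shortcut runs cmd.exe at logon, which spawns PowerShell.
    {"id": 1, "host": "ws01", "pid": 4120, "image": r"C:\Windows\System32\cmd.exe",
     "parent_image": r"C:\Windows\explorer.exe", "cmdline": "cmd.exe /c start /min ..."},
    {"id": 1, "host": "ws01", "pid": 4188,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r'powershell.exe -w hidden -ep bypass -c "IEX (Get-Content $env:TEMP\l.txt)"'},
    # Benign: Explorer (not an archiver) drops a Teams shortcut into Startup.
    {"id": 11, "host": "ws02", "image": r"C:\Windows\explorer.exe",
     "target": r"C:\Users\ivan" + STARTUP + r"\Teams.lnk"},
    # Benign: an admin batch file runs an inventory script from cmd.exe.
    {"id": 1, "host": "ws02", "pid": 2201,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe",
     "cmdline": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
]


def base(path):
    """Lower-cased file name of a Windows path."""
    return ntpath.basename(path).lower()


def archiver_startup_writes(events):
    """Sysmon 11 (FileCreate) or 15 (FileCreateStreamHash) where an archiver writes
    into a Startup folder. An extraction should never reach that directory."""
    return [(ev["host"], ev["target"]) for ev in events
            if ev["id"] in (11, 15)
            and base(ev["image"]) in ARCHIVERS
            and STARTUP_RE.search(ev["target"])]


def cmd_launched_powershell(events):
    """Sysmon 1 (ProcessCreate): PowerShell whose parent is cmd.exe and whose
    command line carries loader-style switches."""
    return [(ev["host"], ev["pid"], ev["cmdline"]) for ev in events
            if ev["id"] == 1
            and base(ev["image"]) in POWERSHELL
            and base(ev["parent_image"]) == "cmd.exe"
            and SUSPICIOUS_PS.search(ev["cmdline"])]


def hunt(events):
    """Run both stage detections and report hosts where the two line up."""
    drops = archiver_startup_writes(events)
    loaders = cmd_launched_powershell(events)
    both = {h for h, _ in drops} & {h for h, _, _ in loaders}
    return {"startup_drops": drops, "powershell_loaders": loaders,
            "hosts_with_full_chain": sorted(both)}


if __name__ == "__main__":
    for key, value in hunt(SAMPLE_EVENTS).items():
        print(key, value)
```

Stage 1 alone is already high-confidence (an archive has no legitimate reason to place anything in Startup), so in practice it is worth alerting on by itself and using stage 2 only to raise severity; the benign ws02 entries show why the parent-process and command-line conditions are needed to keep the second rule quiet on ordinary administration.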

Source: The Hacker News
