Two Russia-aligned cyber espionage groups are continuing to exploit a critical WinRAR vulnerability to target Ukrainian organizations, nearly a year after the software vendor released a security patch.
According to new research from Trend Micro, the campaigns are attributed to the threat groups Earth Dahu (Gamaredon) and SHADOW-EARTH-066 (UAC-0226). Both actors are actively exploiting CVE-2025-8088, a path traversal vulnerability in WinRAR: a crafted archive stores an NTFS Alternate Data Stream (ADS) whose name carries a relative path, and on extraction the file is written outside the directory the user selected, to a location of the attacker's choosing.
The flaw was fixed in WinRAR 7.13, released in July 2025, yet researchers warn that many organizations remain vulnerable because WinRAR does not update itself and installations are often outdated or unmanaged.
Unpatched Systems Remain an Easy Target
Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord noted that the continued exploitation of CVE-2025-8088 highlights a common cybersecurity challenge.
“Unmanaged software keeps an exploited entry point open long after the fix ships.”
The vulnerability is proving particularly attractive to threat actors targeting Ukrainian organizations, where WinRAR remains widely used in everyday operations.
SHADOW-EARTH-066 Adopts New Malware Delivery Technique
Trend Micro observed a significant shift in the attack methods used by SHADOW-EARTH-066.
Previously, the group relied on malicious Excel macros to distribute its information-stealing malware known as GIFTEDCROOK. The latest campaign instead uses specially crafted RAR archives containing:
- A decoy PDF document
- Three hidden ADS payloads
- A malicious Windows Shortcut (LNK) file
Because the traversal lets the attacker choose the destination, extracting the archive drops the LNK file straight into the Windows Startup folder, so it runs automatically every time the victim logs in.
The shortcut launches a PowerShell-based loader through cmd.exe, which then performs in-memory DLL loading to deploy an updated version of the GIFTEDCROOK malware.
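The traversal described for CVE-2025-8088 above, and the Startup-folder drop it enables in this campaign, can be reproduced without WinRAR. The following Python is an added example, not code from Trend Micro or from the WinRAR project. It assumes, as the vulnerability description implies, that an unpatched extractor appends the archive-supplied ADS name to the extracted file's path verbatim and hands the result to Windows path normalization, which collapses the `..` components; the entry names, the victim path and the Startup-folder target are constructed for illustration, not indicators from the report. `naive_target` shows where such an extractor would write each entry, and `is_safe_entry` is the check a hardened extractor should apply before writing.

```python
import ntpath

# Constructed sample archive listing, modelled on the campaign described above
# (decoy PDF plus ADS entries whose stream names carry "..\" traversal).
# These names are illustrative only, not indicators from the Trend Micro report.
SAMPLE_ENTRIES = [
    r"report.pdf",
    r"report.pdf:..\..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk",
    r"report.pdf:..\..\..\..\AppData\Local\Temp\loader.ps1",
    r"report.pdf:notes",        # a benign ADS: bare stream name, no separators
    r"..\..\evil.exe",          # classic traversal without ADS, for comparison
]

# Constructed extraction directory chosen by the user.
DEST = r"C:\Users\victim\Downloads\extract"


def split_ads(entry):
    """Split 'name:stream' into (name, stream); stream is None for a plain entry.
    The first colon is the ADS separator (archive entries should never carry a drive)."""
    base, sep, stream = entry.partition(":")
    return base, (stream if sep else None)


def naive_target(dest, entry):
    """Where an unpatched extractor would write this entry, assuming (our model of the
    bug) it builds dest\\name, appends ':' + stream verbatim, and lets the OS normalise
    the path. ntpath.normpath collapses '..' the way Windows does, so this runs anywhere."""
    base, stream = split_ads(entry)
    path = ntpath.join(dest, base)
    if stream is not None:
        path += ":" + stream
    return ntpath.normpath(path)


def _inside(root, path):
    """True if path is root itself or lies below it (same drive, no escape)."""
    try:
        return ntpath.commonpath([root, path]) == root
    except ValueError:       # different drive, or absolute mixed with relative
        return False


def is_safe_entry(dest, entry):
    """Hardened check: the data file must resolve under dest, and an ADS name
    must be a bare stream name with no path separators or '..' components."""
    base, stream = split_ads(entry)
    root = ntpath.normpath(dest)
    if ntpath.splitdrive(base)[0] or base.startswith(("\\", "/")):
        return False
    if not _inside(root, ntpath.normpath(ntpath.join(root, base))):
        return False
    if stream is not None:
        if not stream or "\\" in stream or "/" in stream or stream in (".", ".."):
            return False
    return True


def audit(dest, entries):
    """Map each entry to (naive write target, escapes dest?, passes hardened check?)."""
    root = ntpath.normpath(dest)
    result = {}
    for entry in entries:
        target = naive_target(dest, entry)
        result[entry] = (target, not _inside(root, target), is_safe_entry(dest, entry))
    return result


if __name__ == "__main__":
    for entry, (target, escapes, safe) in audit(DEST, SAMPLE_ENTRIES).items():
        flag = "ESCAPES" if escapes else "ok     "
        print(f"{flag} safe={str(safe):5} {entry!r} -> {target}")
```

Running the audit shows the two traversal streams resolving to the victim's Startup folder and Temp directory while the plain file and the benign stream stay under the extraction directory; the hardened check rejects exactly the entries that escape, which is the condition a patched extractor must enforce before creating the stream.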
GIFTEDCROOK Targets Browser Data and Sensitive Documents
The updated malware is designed to steal:
- Saved passwords
- Browser cookies
- Sensitive files and documents
Targeted browsers include:
- Google Chrome
- Microsoft Edge
- Opera
- Mozilla Firefox
After collecting data, the malware exfiltrates it to attacker-controlled infrastructure before deleting malicious artifacts from the compromised device, making forensic investigations more difficult.
Shift Away From Telegram
Researchers also identified a notable operational change.
Earlier versions of the malware used Telegram as a communication and data exfiltration channel. However, newer attacks now rely on dedicated command-and-control (C2) servers.
The transition may be linked to Russia’s decision to block Telegram earlier this year, forcing threat actors to adopt alternative infrastructure.
Earth Dahu Expands Use of CVE-2025-8088
The second threat actor exploiting the WinRAR flaw is Earth Dahu, also known as Gamaredon.
Trend Micro says the group has been weaponizing CVE-2025-8088 since at least September 2025. Earth Dahu is well known for conducting large-scale espionage operations and maintaining long-term access within compromised networks.
Researchers discovered that the group uses the vulnerability as part of an HTA-to-VBScript infection chain designed to deploy espionage-focused malware modules.
Evidence from internal file timestamps suggests the campaign remained active through at least April 10, 2026.
GammaPhish and GammaLoad Deliver Persistent Access
The attack chain closely resembles activity recently documented by cybersecurity firm Sekoia.
In these campaigns, the WinRAR exploit ultimately deploys GammaPhish, a malicious HTML Application (HTA). GammaPhish then retrieves a VBScript downloader called GammaLoad, which serves as a platform for delivering additional malware components.
GammaLoad is designed to:
- Maintain persistent access to infected systems
- Deploy payloads over extended periods
- Use Dead Drop Resolvers (DDR), looking up the current C2 address in content hosted on legitimate public services, so infrastructure can be rotated without changing the implant
One of the primary payloads delivered through this framework is GammaSteel, a sophisticated information-stealing tool capable of continuously monitoring file activity and collecting sensitive data from infected machines.
Ukraine Remains a Prime Cyber Espionage Target
Security researchers warn that the convergence of multiple Russia-linked threat groups around a single vulnerability demonstrates the intensity of cyber operations targeting Ukraine.
Because WinRAR is deeply integrated into daily workflows across many Ukrainian organizations, attackers continue to see value in exploiting systems that have not been updated.
The ongoing abuse of CVE-2025-8088 is another reminder that applying security patches promptly remains one of the most effective defenses against cyber espionage and malware campaigns. For this flaw the check is simple: confirm that every WinRAR installation is version 7.13 or later, and do not rely on the software to update itself, because it does not.
