CVE-2025-8088 — Russia-Linked APTs Are Still Pwning Unpatched WinRAR Installs in Ukraine

Original text: “Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088” by Pierluigi Paganini, Security Affairs (June 10, 2026). Trend Micro’s reporting and the two illustrations below are reproduced with attribution; the prose is original analysis.
Trend Micro’s overview of the CVE-2025-8088 exploit chain — phishing RAR → path-traversal write via NTFS ADS → Startup-folder execution. Source: original article (Trend Micro).

Executive Summary

Pierluigi Paganini’s Security Affairs writeup — built on a June 2026 Trend Micro report — documents that CVE-2025-8088, the WinRAR path-traversal-via-NTFS-Alternate-Data-Streams vulnerability patched in WinRAR 7.13 back in July 2025, is still an active initial-access vector for Russia-aligned threat actors targeting Ukrainian organisations almost a year after the fix shipped. Two distinct clusters are running campaigns built around the same primitive: Earth Dahu (a.k.a. Gamaredon) and SHADOW-EARTH-066 (a.k.a. UAC-0226). The exploit primitive is straightforward — a victim opens what looks like a Ukrainian court summons or a Ministry of Defence registry PDF inside a RAR archive, and in the background WinRAR silently writes additional files to locations outside the extraction directory, including the Windows Startup folder, where they run on the next login.

The two groups share the entry point and nothing else. SHADOW-EARTH-066 ships a compiled C++ stealer chain that drops three artefacts (LNK shortcut, obfuscated PowerShell loader, SUB-encoded DLL payload), uses direct NT system calls to load the final stage entirely in memory, and self-cleans on the way out. The final payload, internally named result.dll, is a direct evolution of GIFTEDCROOK aimed at Chrome/Edge/Opera/Firefox credential stores plus 35 file extensions including KeePass databases and OpenVPN configs — exfiltrated via dual-layer RC4-over-HTTPS to seven IPs on a Malaysian VPS with PoPs in France, the Netherlands and Switzerland, all sharing the URI path /rcv/. Gamaredon’s approach is structurally different: a single HTA or VBScript drops into Startup, executes via mshta.exe on next login, and pulls VBScript modules from Cloudflare Workers subdomains and Dynamic DNS. The two clusters share no infrastructure — both independently picked the same bug because it works.

The Bug: Path Traversal via NTFS Alternate Data Streams

CVE-2025-8088 is a CVSS 8.4 path traversal in WinRAR’s archive extraction logic. The interesting part isn’t the “path traversal” family classification — that’s well-trodden territory — it’s the mechanism. By placing maliciously-crafted NTFS Alternate Data Stream entries inside a RAR, an attacker can convince WinRAR to silently materialise additional files at attacker-chosen absolute paths during extraction. The user sees the decoy document they expected; the side files arrive in places the user never asked for, with no warning and no extra prompt.

RarLab fixed it in version 7.13, which shipped in July 2025. Trend Micro’s recap, which Security Affairs quotes, captures both the precision of the bug and why it matters:

WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation. CVE-2025-8088 is a path traversal flaw (CVSS 8.4), patched in WinRAR 7.13 in July 2025, that allows an attacker to silently write files outside the extraction directory via NTFS Alternate Data Streams.

Trend Micro

The standard exploitation pattern across both clusters is a one-shot: the archive lands in a phishing inbox under a believable Ukrainian-government pretext (court summons, Ministry of Defence registry entry, military-equipment manifest), the user double-clicks, the decoy PDF opens, the user’s instinct is to read the document — and in the same moment WinRAR has already dropped a shortcut, a script, or a loader into %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup or C:\ProgramData\. The next time the user logs on, the dropped payload runs.

Once the victim opens the archive, no further interaction is needed; they see only a decoy document. All the samples we analyzed exploit this vulnerability.

Trend Micro

SHADOW-EARTH-066 (UAC-0226): A Polished C++ Stealer Chain

SHADOW-EARTH-066’s 2026 campaign is a meaningful technical step up from what the cluster ran in 2025. The earlier operation used Excel macro droppers with hardcoded Telegram bot tokens in plaintext — an arrangement that any string-search rule would flag in seconds. The current build is professional-grade by comparison.

The latest sample carries an April 9, 2026 timestamp. The CVE-2025-8088 path traversal drops three files in one shot:

  • A LNK shortcut in the Startup folder — the persistence trigger that fires on next login.
  • A heavily-obfuscated PowerShell loader in C:\ProgramData\.
  • A SUB-encoded DLL payload in the same ProgramData directory.

The loader is the interesting piece. It uses direct NT system calls (skipping the user-mode hooked stubs that EDRs typically watch in ntdll) to load the final DLL entirely in memory. The decoded payload never touches disk — file-based detection has nothing to hash. Once the DLL is resident, the loader fires it.

The payload — internally named result.dll — is a direct evolution of the GIFTEDCROOK stealer family. It targets Chrome, Edge, Opera, and Firefox: decrypting browser master keys, pulling stored passwords and session cookies, and bypassing Chrome’s App-Bound Encryption. Beyond browser data, it walks Documents, Downloads, and TEMP, picking up 35 file extensions worth of harvest material — documents, spreadsheets, presentations, plus KeePass database files and OpenVPN configuration files. The exfiltration channel is dual-layer RC4-encrypted HTTPS to a small bank of dedicated C2 IPs.

Campaign infrastructure summary — SHADOW-EARTH-066’s direct-IP C2 vs Gamaredon’s Cloudflare-Workers-proxied delivery. Source: original article (Trend Micro).

Trend Micro attributes the C2 backbone to seven IPs hosted on a Malaysian VPS provider with points of presence in France, the Netherlands, and Switzerland. Every node uses the same URI path: /rcv/. After exfil, the loader deletes the three staging artefacts from disk. As Trend Micro puts it:

The stealer operates as a one-shot execution. After cleanup, no startup mechanism and no staging files remain on the endpoint.

Trend Micro

For incident response that’s a deliberate — and effective — tradeoff. Persistence is sacrificed for forensic invisibility. Once the run completes, there’s nothing on the box to find unless the responder has process-creation telemetry that survived the moment of execution.

Earth Dahu (Gamaredon): Script-Based, Proxy-Behind-Cloudflare

Gamaredon’s use of CVE-2025-8088 is structurally different. Where SHADOW-EARTH-066 ships compiled code with an embedded stealer, Gamaredon drops a single HTA or VBScript file into Startup via the same path-traversal primitive. On next login, mshta.exe picks up the HTA, which fetches VBScript modules from external infrastructure and runs whichever espionage module the campaign needs that week. ClearSky has additionally reported a wiper component delivered through the same chain — same entry vector, different post-exploitation goal.

Trend Micro flags the Gamaredon adoption as long-running:

Since at least September 2025, Earth Dahu has also incorporated CVE-2025-8088 into its operations. We first reported on this adoption in a private intelligence report distributed through Trend Vision One in December 2025, when Earth Dahu used the vulnerability with an HTA-to-VBScript infection chain that delivered espionage modules. Based on RAR internal file timestamps and file naming conventions, the chain remained active through at least April 10, 2026.

Trend Micro

Two craft details from the Gamaredon side are worth highlighting for defenders.

Compromised Ukrainian Exchange servers as the sending platform. Many of the spear-phishing emails originate from previously-compromised mailboxes on Ukrainian government Exchange deployments. One cluster Trend Micro mapped shows four different sending mailboxes all routing through a single internal source IP — consistent with one compromised workstation pumping email through multiple legitimate accounts. That makes content-based and sender-reputation filtering essentially useless: the email comes from a trusted government domain, signed by its own DKIM key.

HTTP basic-auth @-notation domain spoofing in the C2 URLs. The HTA files embed URLs structured like hxxps://ssu[.]gov[.]ua@malicious[.]workers[.]dev. To anyone glancing at the URL bar or a log line, the prefix “ssu.gov.ua” (the Security Service of Ukraine’s domain) is what registers; the actual destination — everything to the right of @ — is a Cloudflare Workers subdomain the attacker controls. Spoofed prefixes Trend Micro observed include Ukrainian government domains and major news organisations (BBC, Deutsche Welle). It’s an old technique, recycled because it still works against humans and against shallow log-parsing rules.

Two Campaigns, One Vulnerability — And No Shared Infrastructure

The cleanest way to characterise the convergence is that the two clusters share an entry point and nothing else. SHADOW-EARTH-066 is compiled C++ with static libcurl, direct NT syscalls, and direct-IP C2. Gamaredon is script-based tooling (HTA + VBScript) proxied through Cloudflare Workers. There is no overlap in infrastructure, code base, or implant style. Both groups independently looked at the bug landscape in 2025 and concluded that CVE-2025-8088 was a reliable, durable initial-access primitive worth building tooling around.

That convergence is the loud signal in the report. When unrelated mature operators bet on the same vulnerability simultaneously, it tells you the vulnerability has economic properties that make it worth investing in even after the patch is out.

Why the Patch Doesn’t Reach the Endpoints

The reason these campaigns keep landing on July-2025-patchable installations in mid-2026 isn’t novel; it’s structural. WinRAR has several specific properties that make enterprise patching unusually hard:

  • No auto-update. WinRAR does not silently roll users forward to current versions the way browsers and OS components do. A user who installed WinRAR in 2019 to handle one RAR will likely still be running that 2019 build today.
  • Not in standard patch-management channels. WSUS, SCCM, Intune, and Group Policy don’t cover WinRAR out of the box. Bringing it into MDM requires custom packaging.
  • Inventory visibility is poor. Confirming patch status across a fleet means either deploying third-party software-inventory tooling or running manual audits. Neither happens reliably for utility apps that aren’t in the “flagship” risk register.
  • The user installed it personally. A meaningful fraction of WinRAR installs in any large organisation are user-installed, often years ago, sometimes on personal devices that happen to handle work email.

The combination — widely deployed, infrequently updated, sitting outside enterprise patch channels — is the textbook profile of an attractive APT target. CVE-2018-20250, a previous WinRAR vulnerability disclosed seven years ago, was still being exploited in targeted attacks for years after its patch. The same pattern is now running with CVE-2025-8088, and there is no reason to expect a faster end-of-life than the 2018 case.

Although CVE-2025-8088 was patched in WinRAR 7.13 in July 2025, at the time of writing multiple threat actor groups continued to build new exploit samples with fresh lure documents and use this vulnerability as a reliable initial access vector against Ukrainian organizations. The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability reflects the scale of the cyber threats that Ukraine faces.

Trend Micro

Key Takeaways

  • CVE-2025-8088 is patched but the installations aren’t. WinRAR 7.13 fixed the bug in July 2025; eleven months later, fresh exploit samples with current lure documents are still landing against Ukrainian targets. The patch gap is a fleet-management problem, not a vendor problem.
  • The exploit primitive is silent file drop, not file-open trickery. Victims see the decoy PDF and never see the side files written via NTFS ADS into Startup or C:\ProgramData\. There is no security prompt to bypass.
  • SHADOW-EARTH-066 (UAC-0226) shipped a meaningful tooling upgrade in 2026. The plaintext-Telegram Excel-macro days are gone; the current chain uses obfuscated PowerShell, SUB-encoded DLLs, direct NT syscalls, and memory-resident loading, with a self-cleaning step on exit.
  • result.dll is a GIFTEDCROOK evolution targeting the full browser stack plus KeePass and OpenVPN configs. It bypasses Chrome App-Bound Encryption, sweeps 35 file extensions, and exfiltrates over dual-layer RC4 HTTPS to /rcv/ endpoints on a small bank of Malaysia-hosted IPs.
  • Earth Dahu (Gamaredon) goes script-based and uses live-off-the-cloud infrastructure. HTA + VBScript dropped into Startup, fetched via Cloudflare Workers proxies and Dynamic DNS; ClearSky has separately reported a wiper component on the same chain.
  • Phishing comes from compromised Ukrainian government Exchange accounts. Sender reputation and DKIM signing buy the campaign legitimacy that content-based filters can’t override. URLs use user@host-notation spoofing to mask Cloudflare Workers destinations behind ssu.gov.ua-style prefixes.
  • Two independent mature groups converging on the same bug after a patch is shipped is the loudest possible signal that the bug class is worth investing in. Expect continued exploitation.

Defensive Recommendations

  • Inventory WinRAR everywhere it exists. Run a software-inventory pass against every Windows endpoint — managed, BYOD, and contractor — and flag any version less than 7.13. Don’t restrict the scope to corporate-imaged machines; the user-installed instances are the high-risk population.
  • Push the upgrade through whatever channel you have. If WSUS/SCCM/Intune don’t carry WinRAR natively, package it. If you can’t package, force-uninstall via Group Policy and standardise on a different archive tool (the OS has handled ZIP natively for two decades, and 7-Zip auto-updates more cleanly than WinRAR).
  • Block or sandbox inbound RAR archives at the mail gateway. RAR is not a business-critical attachment format; most organisations can move to ZIP-only without operational pain. Where RAR must pass, route it through a sandbox-detonation step before delivery.
  • Monitor for file writes into Startup folders from WinRAR.exe as the process ancestor. The CVE-2025-8088 exploitation pattern always produces a Sysmon Event ID 11 on the Startup path with WinRAR as the creating process. That is high-fidelity telemetry and trivial to alert on.
  • Watch for new .hta files in Startup followed by mshta.exe child of explorer.exe at next logon. That is the Gamaredon signature. For SHADOW-EARTH-066, look for newly-created LNKs in Startup paired with PowerShell loaders in C:\ProgramData\.
  • Block outbound to Cloudflare Workers subdomains from low-trust user contexts. Workers proxying is legitimate for plenty of services, but for most user populations there is no business case for direct browser hits to *.workers.dev. Add it to the proxy block-list and route exceptions through a documented allow-list.
  • Hunt for @-notation URLs in inbound mail and in HTA / script telemetry. Any URL of the form https://<trusted-domain>@<arbitrary-host> is almost certainly malicious; the legitimate use cases are vanishingly rare.
  • Pull credentials out of the harvest path. Move secrets that today live in KeePass databases, OpenVPN config files, and browser-stored passwords into hardware-backed credential stores wherever feasible (FIDO2 tokens, OS keychains, enterprise SSO). The 35-extension sweep is hard to stop in the moment; reducing the value of what it captures is the only durable answer.
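As an added example (not code from the Security Affairs article or the Trend Micro report), the two detections from the bullets above written out in Python: the Sysmon Event ID 11 rule for WinRAR.exe writing into a Startup folder or C:\ProgramData\, and the @-notation URL check, run over constructed sample records. The user name, file names and the workers.dev host are illustrative placeholders, not observed indicators.

```python
import re
from urllib.parse import urlsplit

# Constructed Sysmon Event ID 11 (FileCreate) records, trimmed to the fields the rule needs.
EVENTS = [
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\update.lnk"},
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\ProgramData\loader.ps1"},
    # Benign: the decoy document lands inside the folder the user chose to extract to.
    {"EventID": 11, "Image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "TargetFilename": r"C:\Users\olena\Downloads\summons\summons.pdf"},
    # Benign: a Startup-folder write by a process other than WinRAR.
    {"EventID": 11, "Image": r"C:\Windows\explorer.exe",
     "TargetFilename": r"C:\Users\olena\AppData\Roaming\Microsoft\Windows"
                       r"\Start Menu\Programs\Startup\OneDrive.lnk"},
    # Not a FileCreate event at all (Event ID 1 is ProcessCreate).
    {"EventID": 1, "Image": r"C:\Program Files\WinRAR\WinRAR.exe"},
]

# Per-user and all-users Startup folders share this suffix; the all-users one
# sits under C:\ProgramData, which the second pattern also covers.
STARTUP_RE = re.compile(r"\\Start Menu\\Programs\\Startup\\", re.IGNORECASE)
PROGRAMDATA_RE = re.compile(r"^[A-Za-z]:\\ProgramData\\", re.IGNORECASE)

def is_winrar_drop(event):
    """True when WinRAR.exe created a file in a Startup folder or under ProgramData."""
    if event.get("EventID") != 11:
        return False
    if not event.get("Image", "").lower().endswith("\\winrar.exe"):
        return False
    target = event.get("TargetFilename", "")
    return bool(STARTUP_RE.search(target) or PROGRAMDATA_RE.match(target))

def flag_events(events):
    """Return the matching events in arrival order (the alert list)."""
    return [e for e in events if is_winrar_drop(e)]

def spoofed_url_target(url):
    """For https://<trusted-looking-host>@<real-host>/... return (decoy_prefix, real_host).
    Text before '@' is RFC 3986 userinfo, so a dotted hostname there is the spoofing
    pattern; a plain user:password and URLs without '@' return None."""
    parts = urlsplit(url)
    if parts.scheme not in ("http", "https") or "@" not in parts.netloc:
        return None
    userinfo = parts.netloc.rsplit("@", 1)[0]
    if "." not in userinfo:
        return None
    return userinfo, parts.hostname

if __name__ == "__main__":
    for hit in flag_events(EVENTS):
        print("ALERT WinRAR drop:", hit["TargetFilename"])
    print(spoofed_url_target("https://ssu.gov.ua@attacker-controlled.workers.dev/m.vbs"))
```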

Conclusion

The bug at the centre of this story is patched and has been for eleven months. The story is therefore not really about the bug — it’s about the gap between patch availability and patch deployment on a class of software that sits outside enterprise patch management. Two unrelated, mature, Russia-aligned threat actors looked at that gap, decided independently that it was worth building campaigns around, and have been running those campaigns continuously since mid-2025. For organisations supporting Ukrainian operations — or anyone who handles a non-trivial volume of RAR-format input from external parties — the action items are mundane: inventory WinRAR, force the upgrade, block RAR at the mail gateway where you can, and put the Sysmon rule on Startup-folder writes by WinRAR. The campaigns are sophisticated; the fix is procedural. That asymmetry is the operational reality the Trend Micro report and Security Affairs are documenting.
