- Two Russian-aligned hacking groups continue to exploit a patched WinRAR vulnerability to target Ukrainian organizations.
- The flaw, CVE-2025-8088, allows attackers to write malicious payloads outside the intended extraction directory.
- The campaigns deliver information-stealing malware like GIFTEDCROOK and GammaSteel, stealing passwords, cookies, and documents.
- The threat actors have adapted their methods, shifting away from Telegram for data exfiltration after Russia blocked the platform.
- Analysts say the widespread use of WinRAR in Ukraine makes it a highly attractive target for ongoing cyber espionage.
Two Russia-aligned threat groups, Earth Dahu and SHADOW-EARTH-066, are actively exploiting a known WinRAR flaw to compromise Ukrainian organizations, nearly a year after a patch was released. According to researchers, the activity demonstrates how unmanaged software leaves an entry point open long after a fix ships.
The vulnerability, CVE-2025-8088, is a path traversal flaw that allows attackers to write files outside the extraction directory, which gives them a stealthy way to drop malicious payloads onto a victim's machine. Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord detailed the continued exploitation in an analysis published Monday.
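To make the path-traversal mechanism concrete from the defender's side, here is an added Python example (not code from the article or from Trend Micro) that audits archive entry names before extraction and flags any that would resolve outside the destination directory. The function names, the destination path and the entry names are constructed for this illustration; the check is generic and applies to any archive format whose entry names are chosen by whoever built the archive.

```python
import os
from typing import List

# Constructed sample entry names, as an archive tool would report them
# before extraction. The trailing comments mark which ones escape the
# destination and which stay inside it.
SAMPLE_ENTRIES = [
    "report.pdf",                   # inside
    "docs/notes.txt",               # inside
    "../../escaped.bin",            # parent-directory traversal
    "/etc/escaped.conf",            # absolute path
    "subdir/../../escaped2.dll",    # traversal after a legitimate prefix
    "subdir/../ok.txt",             # normalises to dest/ok.txt, still inside
    "C:/Windows/escaped.exe",       # Windows drive-letter path
]


def entry_escapes(dest_dir: str, entry_name: str) -> bool:
    """Return True if extracting entry_name would write outside dest_dir.

    Hypothetical helper written for this example. It normalises the
    entry name (either slash style), rejects absolute and drive-letter
    paths outright, then resolves the remaining relative path against
    the destination and checks that it is still a descendant of it.
    """
    name = entry_name.replace("\\", "/")
    # Absolute paths and drive letters never belong in a data archive.
    if name.startswith("/") or (len(name) > 1 and name[1] == ":"):
        return True
    dest = os.path.realpath(dest_dir)
    # realpath collapses ".." and "." components, so "a/../../b" resolves
    # to the parent of dest, which the commonpath test then catches.
    target = os.path.realpath(os.path.join(dest, *name.split("/")))
    return os.path.commonpath([dest, target]) != dest


def audit_entries(dest_dir: str, entries: List[str]) -> List[str]:
    """Return the entry names that would land outside dest_dir."""
    return [e for e in entries if entry_escapes(dest_dir, e)]


if __name__ == "__main__":
    for bad in audit_entries("/tmp/extract", SAMPLE_ENTRIES):
        print(f"would escape destination: {bad!r}")
```

This is a triage check of the kind a mail gateway or sandbox can run over an archive's listing before anything is extracted; it covers name-based traversal only, so it complements, rather than replaces, keeping WinRAR patched.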
In one campaign, SHADOW-EARTH-066 now uses crafted RAR archives containing hidden payloads instead of Excel macro droppers. This new infection chain ultimately deploys an updated version of the GIFTEDCROOK information stealer. The malware targets browser passwords and cookies, then exfiltrates stolen documents before deleting all traces.
A notable shift is that the malware's communication channel has moved away from Telegram. This change likely follows Russia's blocking of the messaging platform earlier this year. Meanwhile, the second group, Earth Dahu, has incorporated this WinRAR flaw into its arsenal since at least September 2025.
Earth Dahu's attack chain leads to the deployment of GammaPhish and GammaLoad scripts. As recently documented by Sekoia, these are used to deploy GammaSteel, a comprehensive information stealer capable of monitoring file changes in real time. The group is known for its industrial-scale effort to maintain long-term access.
The convergence of multiple state-backed groups on this single vulnerability highlights the scale of cyber threats facing Ukraine. Trend Micro noted that WinRAR’s deep integration into daily operations makes it a particularly attractive target for such espionage campaigns.
