Russian Hackers Continue to Exploit Patched WinRAR Flaw (CVE-2025-8088) to Target Ukrainian Government and Military

Russian APTs Persistently Exploit Year-Old WinRAR Flaw in Attacks on Ukraine

HIGH
June 11, 2026
4m read
Vulnerability, Threat Actor, Cyberattack

Related Entities

Threat Actors

Gamaredon

SHADOW-EARTH-066

Organizations

Trend Micro

Products & Tech

WinRAR

Other

GIFTEDCROOK

CVE Identifiers

CVE-2025-8088 (HIGH, CVSS 8.4)

Full Report

Executive Summary

Despite a patch having been available for nearly a year, a high-severity path traversal vulnerability in the WinRAR archiver, tracked as CVE-2025-8088, remains a favored weapon for Russian-aligned Advanced Persistent Threat (APT) groups targeting Ukraine. A new report from Trend Micro finds that at least two distinct Russian state-sponsored actors, Gamaredon (also tracked as Earth Dahu or UAC-0010) and a group tracked as SHADOW-EARTH-066 (UAC-0226), are still exploiting the flaw. The attackers send specially crafted RAR archives that, when extracted with an unpatched WinRAR, silently write malware, including the GIFTEDCROOK infostealer and other espionage tools, onto the systems of Ukrainian government and military organizations. The campaign underscores how a long-patched vulnerability can remain an effective initial access vector wherever patch management is inconsistent; WinRAR, which has no built-in automatic update mechanism, is a recurring example.


Threat Overview

  • Vulnerability: CVE-2025-8088 (CVSS 8.4), a path traversal flaw in the Windows versions of WinRAR. A crafted archive abuses alternate data stream (ADS) entries to make WinRAR write files outside the chosen extraction directory. Fixed in WinRAR 7.13, released July 2025.
  • Threat Actors: Gamaredon (FSB-linked) and SHADOW-EARTH-066.
  • Targets: Government and military entities in Ukraine.
  • Attack Vector: Phishing emails carrying malicious RAR archives; the flaw triggers when the recipient extracts the archive with an unpatched WinRAR.
  • Payloads: GIFTEDCROOK information stealer and other espionage tools.

Technical Analysis

The attack leverages CVE-2025-8088, which lets a crafted archive write files to attacker-chosen locations on the victim's machine when it is extracted with a vulnerable WinRAR. Nothing beyond the victim opening and extracting the attachment is required, so execution is achieved via T1204.002 - Malicious File.

  • Exploitation: The archive shows the victim a benign-looking decoy document, while additional entries hide path traversal sequences (..\..\) in alternate data stream names. A vulnerable WinRAR honors those paths during extraction and silently drops the payload (a script, shortcut or executable) into a sensitive location such as the user's Startup folder (%APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup).
  • Execution: Anything in the Startup folder runs at the user's next logon, so a single file write gives the attackers both execution and persistence (T1547.001 - Registry Run Keys / Startup Folder).
  • Malware Campaign (SHADOW-EARTH-066): This group uses the exploit to deliver an updated version of its GIFTEDCROOK infostealer, which harvests passwords and cookies from browsers and exfiltrates documents. Notably, the group has moved its command-and-control (C2) infrastructure from Telegram to dedicated servers.
  • Malware Campaign (Gamaredon): The prolific Gamaredon group uses the same vulnerability as an initial access vector for its multi-stage infection chains, which are designed for long-term espionage.
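To make the write primitive concrete, here is an added Python example (not code from Trend Micro's report or from RARLAB) that walks the header chain of a RAR5 archive and flags any file or service entry whose stored path, or NTFS alternate-data-stream name, would resolve outside the extraction directory. The header layout follows the published RAR 5.0 format. The two test archives are constructed in memory; the suspicious one is not an exploit for CVE-2025-8088, it only carries a traversal sequence in a stream name so the check has something to fire on, and it does not reproduce how WinRAR actually encodes ADS entries.

```python
import struct
import zlib

RAR5_SIGNATURE = b"Rar!\x1a\x07\x01\x00"
HEAD_MAIN, HEAD_FILE, HEAD_SERVICE, HEAD_ENDARC = 1, 2, 3, 5   # RAR 5.0 header types
HFL_EXTRA, HFL_DATA = 0x0001, 0x0002                           # generic header flags
FHFL_UTIME, FHFL_CRC32 = 0x0002, 0x0004                        # file header flags

def encode_vint(value: int) -> bytes:
    """RAR5 variable-length integer: 7 data bits per byte, little-endian, MSB set means more bytes."""
    out = bytearray()
    while True:
        byte, value = value & 0x7F, value >> 7
        out.append((byte | 0x80) if value else byte)
        if not value:
            return bytes(out)

def decode_vint(buf: bytes, pos: int) -> tuple:
    """Return (value, position after the vint); raise on truncated or oversized input."""
    value = shift = 0
    while pos < len(buf) and shift <= 63:
        byte, pos = buf[pos], pos + 1
        value |= (byte & 0x7F) << shift
        shift += 7
        if not byte & 0x80:
            return value, pos
    raise ValueError("truncated or oversized vint")

def build_header(header_type: int, body: bytes) -> bytes:
    """Header size counts from the type field through the extra area; CRC32 covers the size field onward."""
    payload = encode_vint(header_type) + body
    sized = encode_vint(len(payload)) + payload
    return struct.pack("<I", zlib.crc32(sized)) + sized

def build_file_header(name: str, data: bytes) -> bytes:
    """Minimal 'stored' (uncompressed) file header followed by its data area."""
    raw_name = name.encode("utf-8")
    body = (encode_vint(HFL_DATA) + encode_vint(len(data))             # header flags, packed size
            + encode_vint(FHFL_CRC32) + encode_vint(len(data))         # file flags, unpacked size
            + encode_vint(0x20) + struct.pack("<I", zlib.crc32(data))  # FILE_ATTRIBUTE_ARCHIVE, data CRC32
            + encode_vint(0) + encode_vint(0)                          # compression = store, host OS = Windows
            + encode_vint(len(raw_name)) + raw_name)
    return build_header(HEAD_FILE, body) + data

def build_archive(entries: dict) -> bytes:
    out = bytearray(RAR5_SIGNATURE) + build_header(HEAD_MAIN, encode_vint(0) + encode_vint(0))  # main header, no flags
    for name, data in entries.items():
        out += build_file_header(name, data)
    return bytes(out + build_header(HEAD_ENDARC, encode_vint(0) + encode_vint(0)))           # end-of-archive header

def iter_headers(archive: bytes):
    """Yield (header type, fixed fields) per header after checking its CRC32 and bounds."""
    if not archive.startswith(RAR5_SIGNATURE):
        raise ValueError("not a RAR5 archive")
    pos = len(RAR5_SIGNATURE)
    while pos + 4 <= len(archive):
        (stored_crc,) = struct.unpack_from("<I", archive, pos)
        size, body_start = decode_vint(archive, pos + 4)
        body_end = body_start + size
        if body_end > len(archive) or zlib.crc32(archive[pos + 4:body_end]) != stored_crc:
            raise ValueError(f"truncated or corrupt header at offset {pos}")
        header_type, p = decode_vint(archive, body_start)
        header_flags, p = decode_vint(archive, p)
        extra_size, p = decode_vint(archive, p) if header_flags & HFL_EXTRA else (0, p)
        data_size, p = decode_vint(archive, p) if header_flags & HFL_DATA else (0, p)
        yield header_type, archive[p:body_end - extra_size]       # extra area (if any) sits after the fields
        pos = body_end + data_size                                 # data area follows the header, outside the CRC
        if header_type == HEAD_ENDARC:
            break

def parse_entry_name(fields: bytes) -> str:
    """File and service headers share one layout; step over the fixed fields to reach the name."""
    file_flags, p = decode_vint(fields, 0)
    for _ in range(2):                                             # unpacked size, attributes
        _, p = decode_vint(fields, p)
    p += (4 if file_flags & FHFL_UTIME else 0) + (4 if file_flags & FHFL_CRC32 else 0)
    for _ in range(2):                                             # compression info, host OS
        _, p = decode_vint(fields, p)
    name_len, p = decode_vint(fields, p)
    return fields[p:p + name_len].decode("utf-8", errors="replace")

def is_unsafe_path(name: str) -> bool:
    """True for absolute or drive-qualified names, or '..' in either the path or the ADS stream part."""
    norm = name.replace("/", "\\")
    if norm.startswith("\\") or (len(norm) > 1 and norm[0].isalpha() and norm[1] == ":"):
        return True
    base, has_stream, stream = norm.partition(":")                 # NTFS alternate data stream syntax: file:stream
    return bool(has_stream and (".." in stream or "\\" in stream)) or ".." in base.split("\\")

def scan_archive(archive: bytes) -> list:
    """Names of file or service entries that could write outside the extraction directory."""
    names = (parse_entry_name(fields) for t, fields in iter_headers(archive) if t in (HEAD_FILE, HEAD_SERVICE))
    return [name for name in names if is_unsafe_path(name)]

# Constructed in-memory test archives; the second only carries a traversal sequence in an NTFS-style stream name.
STARTUP_DIR = r"..\..\..\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup"
CLEAN_ARCHIVE = build_archive({"report.pdf": b"%PDF-1.4 decoy document"})
SUSPICIOUS_ARCHIVE = build_archive({"report.pdf": b"%PDF-1.4 decoy document",
                                    f"report.pdf:{STARTUP_DIR}\\update.cmd": b"REM placeholder, not a payload"})
```

A mail gateway or sandbox can run scan_archive over attachments before delivery. The same rule is what a safe extractor has to apply to every stored path, stream names included, before it touches the filesystem: normalize separators, reject absolute and drive-qualified paths, and reject any component equal to "..".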

Impact Assessment

The continued exploitation of a year-old vulnerability highlights a critical security gap. For Ukrainian government and military targets, a successful breach can lead to the theft of sensitive state secrets, military plans, and intelligence, directly impacting national security. The use of infostealers like GIFTEDCROOK can compromise official accounts, leading to further escalation and deeper network intrusion. The convergence of multiple Russian APTs on this single flaw indicates its perceived reliability and effectiveness against their targets.

IOCs (Directly from Articles)

No specific file hashes or C2 domains were provided in the summarized articles.

Detection & Response

  • Endpoint Detection: Configure EDR to alert on the behavior of CVE-2025-8088 exploitation rather than on payload hashes: WinRAR.exe (or UnRAR.exe) creating files in the Startup folder or in other autostart and temporary locations. In D3FEND terms this is File Analysis.
  • Signature-Based Detection: Antivirus and anti-malware tools should have signatures to detect the GIFTEDCROOK infostealer and Gamaredon's espionage tools.
  • Email Security: Use advanced email security gateways to scan for and block malicious attachments, including crafted RAR archives.
  • Threat Hunting: Hunt for scripts or binaries executing from the Startup folder, and for WinRAR.exe (or UnRAR.exe) creating files outside the user-specified extraction path. Sysmon Event ID 11 (FileCreate) filtered on the archiver's image path, joined to Event ID 1 (ProcessCreate) for anything later launched from the drop location, is a practical data source.
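As an added example of the hunting logic above (not code from the report), the following Python takes Sysmon-style records and correlates two events: an archiver process creating a file in an autostart folder (Event ID 11, FileCreate), and a later process launch whose image or command line references that file (Event ID 1, ProcessCreate). The pipe-delimited records and the autostart folder list are constructed for the example; real telemetry would be a SIEM export.

```python
import fnmatch
from pathlib import PureWindowsPath

ARCHIVERS = {"winrar.exe", "unrar.exe", "rar.exe"}
# Folders where a dropped file runs at the next logon. ASSUMPTION: illustrative list, extend it per estate.
AUTOSTART_DIRS = (
    r"c:\users\*\appdata\roaming\microsoft\windows\start menu\programs\startup",
    r"c:\programdata\microsoft\windows\start menu\programs\startup",
)

def parse_event(line: str) -> dict:
    """One constructed Sysmon-style event per line as pipe-delimited key=value pairs."""
    return dict(field.split("=", 1) for field in line.strip().split("|"))

def in_autostart(path: str) -> bool:
    """Case-insensitive test of a full path against the autostart folder patterns."""
    lowered = path.lower()
    return any(fnmatch.fnmatchcase(lowered, pattern + r"\*") for pattern in AUTOSTART_DIRS)

def is_archiver(image: str) -> bool:
    return PureWindowsPath(image).name.lower() in ARCHIVERS

def hunt(lines) -> list:
    """Return (severity, description) pairs in event order.

    high:   an archiver created a file in an autostart folder, or such a file was later launched
    medium: a process image in an autostart folder with no archiver write on record
    """
    dropped = {}                                     # lower-cased path -> original TargetFilename
    findings = []
    for line in lines:
        ev = parse_event(line)
        if ev.get("EventID") == "11":                # FileCreate
            target, image = ev["TargetFilename"], ev["Image"]
            if is_archiver(image) and in_autostart(target):
                dropped[target.lower()] = target
                findings.append(("high", f"{PureWindowsPath(image).name} wrote {target}"))
        elif ev.get("EventID") == "1":               # ProcessCreate
            launched = f"{ev['Image']} {ev.get('CommandLine', '')}".lower()
            hits = [dropped[p] for p in dropped if p in launched]
            if hits:
                findings.append(("high", f"archiver-dropped file executed: {hits[0]}"))
            elif in_autostart(ev["Image"]):
                findings.append(("medium", f"process launched from autostart folder: {ev['Image']}"))
    return findings

# Constructed records for the example, not real telemetry. Event 11 = FileCreate, Event 1 = ProcessCreate.
SAMPLE_EVENTS = [
    r'EventID=1|Image=C:\Program Files\WinRAR\WinRAR.exe|CommandLine="C:\Program Files\WinRAR\WinRAR.exe" "C:\Users\olena\Downloads\order.rar"',
    r'EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\olena\Downloads\order\invoice.pdf',
    r'EventID=11|Image=C:\Program Files\WinRAR\WinRAR.exe|TargetFilename=C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd',
    r'EventID=11|Image=C:\Windows\explorer.exe|TargetFilename=C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\notes.lnk',
    r'EventID=1|Image=C:\Windows\System32\cmd.exe|CommandLine=cmd /c "C:\Users\olena\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.cmd"',
]
```

File-create telemetry does not carry the destination the user picked in the extraction dialog, so the example keys on autostart folders rather than on "outside the extraction path"; the normal extraction of invoice.pdf into the Downloads folder produces no finding, while the explorer.exe shortcut write is ignored because only archiver writes are of interest here. Add %TEMP% and other scheduled-execution locations to AUTOSTART_DIRS to widen the net.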

Mitigation

  • M1051 - Update Software: The most critical mitigation is to ensure that every instance of WinRAR is updated to version 7.13 or later. WinRAR does not update itself, so use software inventory to find stale installs; this matters most on unmanaged devices where updates are overlooked. The Unix builds and RAR for Android were not affected by this flaw.
  • M1017 - User Training: Train users to be suspicious of unsolicited email attachments, even if they appear to be simple archives. Reinforce policies against opening attachments from unknown senders.
  • M1038 - Execution Prevention: Use application control policies to restrict the execution of unauthorized scripts or executables from common drop locations like the Startup folder or temporary directories.
  • File Association Hardening: Consider pointing the .rar file association at an archiver that is not affected by this flaw, and disable opening files directly from within archives so that users extract to an explicit folder and can see exactly what was written there.

Timeline of Events

1
July 1, 2025
WinRAR releases version 7.13, patching CVE-2025-8088.
2
April 30, 2026
Gamaredon campaigns exploiting the flaw remain active through at least this date.
3
June 11, 2026
This article was published

MITRE ATT&CK Mitigations

Ensure all instances of WinRAR are updated to a patched version (7.13 or later) to eliminate the vulnerability.

Educate users about the dangers of opening unsolicited email attachments, even from seemingly harmless file types like RAR archives.

Use application control to block the execution of unauthorized files from common persistence locations like the Startup folder.


Article Author

Jason Gomes, Cybersecurity Practitioner

Cybersecurity professional with over 10 years of specialized experience in security operations, threat intelligence, incident response, and security automation. Expertise spans SOAR/XSOAR orchestration, threat intelligence platforms, SIEM/UEBA analytics, and building cyber fusion centers. Background includes technical enablement, solution architecture for enterprise and government clients, and implementing security automation workflows across IR, TIP, and SOC use cases.

Threat Intelligence & Analysis, Security Orchestration (SOAR/XSOAR), Incident Response & Digital Forensics, Security Operations Center (SOC), SIEM & Security Analytics, Cyber Fusion & Threat Sharing, Security Automation & Integration, Managed Detection & Response (MDR)

Tags

WinRAR, CVE-2025-8088, Gamaredon, APT, Ukraine, Russia, Cyber War
