Two Russia-aligned cyber attack campaigns are continuing to exploit a critical WinRAR vulnerability, CVE-2025-8088, to target Ukrainian organizations, even nearly a year after security patches were made available. This ongoing exploitation highlights the persistent threat posed by unmanaged software and the challenges in patching legacy systems, leaving critical infrastructure vulnerable to cyber espionage.
The persistent exploitation of the WinRAR vulnerability is attributed by cybersecurity firm Trend Micro to two distinct Russian-linked threat actor groups: Earth Dahu (also known as Gamaredon) and SHADOW-EARTH-066 (also known as UAC-0226). The vulnerability, a path traversal flaw that allows attackers to write files outside designated extraction directories using NTFS Alternate Data Streams (ADS), was patched by WinRAR in July 2025. However, its continued use demonstrates a significant cybersecurity gap.
Persistent Exploitation of WinRAR Vulnerability by Russian Actors
The ongoing attacks underscore a broader trend in sophisticated cyber espionage, where threat actors leverage known, but unpatched, software vulnerabilities to gain initial access and maintain persistence. According to Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord, the continued exploitation of CVE-2025-8088 demonstrates “how unmanaged software keeps an exploited entry point open long after the fix ships.” This highlights a critical challenge for organizations in maintaining up-to-date software inventories and patch management processes, especially in environments heavily reliant on older or legacy applications.
SHADOW-EARTH-066’s Evolving Tactics
SHADOW-EARTH-066 has significantly altered its attack methodology to incorporate the WinRAR exploit. Previously, this threat actor relied on Excel macro droppers to deploy an information stealer named GIFTEDCROOK. The latest iteration of their campaign involves meticulously crafted RAR archives. These archives contain a decoy PDF document, alongside three concealed ADS payloads strategically placed outside the intended extraction directory to initiate the infection chain.
Once the archive is extracted, a Windows Shortcut (LNK) file is placed in the Startup folder. This ensures automatic execution every time a user logs into their system. Subsequently, this LNK file triggers a PowerShell loader through “cmd.exe.” This loader then employs in-memory DLL loading techniques to ultimately execute an updated version of GIFTEDCROOK, disguised as “result.dll.”
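Added here as a defender-side illustration, not code from Trend Micro's report or from WinRAR itself: the per-entry check an extractor or archive-scanning gateway should apply, which treats an NTFS stream spec as a path that may not leave the extraction directory. The listing it scans is constructed to mirror the pattern described above (decoy document, stream specs aimed at the Startup folder), not taken from a real sample.

```python
# Added defender-side example (not from the Trend Micro report or WinRAR):
# classify archive entry names the way a safe extractor should, treating the
# NTFS "file:stream" (ADS) form abused by CVE-2025-8088 as a path that must
# stay inside the extraction directory.
import ntpath

SEPARATORS = "/\\"

def split_ads(entry: str):
    """Split 'name:stream' into (name, stream); (entry, None) when no stream."""
    name, sep, stream = entry.partition(":")
    return (name, stream) if sep else (entry, None)

def _parts(path: str):
    # Archives may carry either separator; drop empty and '.' components.
    return [p for p in path.replace("\\", "/").split("/") if p not in ("", ".")]

def classify_entry(entry: str) -> str:
    """Return 'ok', 'absolute', 'traversal' or 'ads-traversal' for one entry."""
    # Absolute, UNC and drive-relative names never belong in an archive listing.
    if entry.startswith(tuple(SEPARATORS)) or ntpath.splitdrive(entry)[0]:
        return "absolute"
    name, stream = split_ads(entry)  # after the drive check, so 'C:' is not ADS
    depth = 0
    for part in _parts(name):
        depth = depth - 1 if part == ".." else depth + 1
        if depth < 0:  # a '..' climbed above the extraction root
            return "traversal"
    if stream is not None:
        # A legitimate NTFS stream name never contains a path separator or '..';
        # a stream spec that does is the write-anywhere pattern described above.
        if any(c in stream for c in SEPARATORS) or ".." in _parts(stream):
            return "ads-traversal"
    return "ok"

def audit_listing(entries):
    """Return [(entry, verdict)] for every entry that is not safe to extract."""
    return [(e, v) for e in entries if (v := classify_entry(e)) != "ok"]

# Constructed listing shaped like the campaign described above: a decoy
# document plus stream specs whose traversal escapes toward the Startup folder.
SAMPLE_LISTING = [
    "Dokument.pdf",
    "Dokument.pdf:Zone.Identifier",
    "Dokument.pdf:..\\..\\..\\Microsoft\\Windows\\Start Menu\\Programs\\Startup\\run.lnk",
    "Dokument.pdf:..\\..\\AppData\\Local\\Temp\\result.dll",
    "..\\..\\loader.ps1",
]
```

Running audit_listing over the sample flags the two stream specs and the bare traversal entry while leaving the decoy and its Zone.Identifier stream alone.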
The GIFTEDCROOK malware is designed to harvest sensitive information from infected systems. It specifically targets passwords and cookies from popular web browsers, including Chromium-based browsers like Google Chrome, Microsoft Edge, and Opera, as well as Mozilla Firefox. Additionally, it scours the victim’s machine for documents matching predefined extensions. Following successful data exfiltration to external servers, all malicious artifacts are systematically deleted to erase any forensic evidence of the intrusion.
A notable shift in SHADOW-EARTH-066’s operations is the transition from using Telegram as an exfiltration channel to employing dedicated command-and-control (C2) servers. This modification is believed to be a direct response to Russia’s blocking of the Telegram messaging platform within the country earlier in February. This adaptation showcases the evolving nature of cyber threat operations and their responsiveness to geopolitical changes.
Earth Dahu’s Persistent Espionage Efforts
The second Russia-affiliated hacking group, Earth Dahu, has also weaponized CVE-2025-8088. This threat actor has integrated the WinRAR vulnerability into its operational repertoire since at least September 2025. Earth Dahu is recognized for its “industrial-scale effort” aimed at securing and maintaining long-term access to compromised organizations, indicating a strategic focus on persistent surveillance and intelligence gathering.
“Earth Dahu used the vulnerability with an HTA-to-VBScript infection chain that delivered espionage modules,” Trend Micro detailed in its analysis. Evidence suggests that this infection chain remained active through at least April 10, 2026, based on RAR internal file timestamps and naming conventions.
These attacks, which have also been recently documented by Sekoia, result in the deployment of GammaPhish, an HTML Application (HTA). This HTA then retrieves a VBScript downloader known as GammaLoad. The GammaLoad downloader, in turn, facilitates the delivery of additional espionage modules, such as GammaSteel. GammaLoad is described by Sekoia as “a collection of VBScripts designed to ensure continuous access and deploy payloads over time by leveraging Dead Drop Resolvers (DDR).” Its purpose is to deploy a dropper that initiates a VBScript loader, which is responsible for executing GammaSteel. GammaSteel is a comprehensive information stealer capable of monitoring file changes in real-time.
Implications for Ukrainian Cybersecurity Landscape
“WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation,” Trend Micro observed. The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability underscores the severe and multifaceted cyber threats that Ukraine continues to face. The continued reliance on unpatched software, particularly widely used applications like WinRAR, creates a persistent attack surface that sophisticated state-sponsored actors can and do exploit.
The ongoing exploitation of this WinRAR vulnerability suggests that Ukrainian organizations must prioritize robust patch management and software inventory solutions. The next expected step for organizations will be to ensure all systems are updated with the latest security patches for WinRAR and related software. However, the persistence of these campaigns indicates that the threat actor groups involved are well-resourced and adaptable, suggesting that vigilance and enhanced detection capabilities will remain crucial for defending against ongoing cyber espionage efforts.