Two cyber campaigns linked to Russia are actively exploiting a vulnerability in WinRAR to attack Ukrainian organizations, and the attacks persist even though the fix (WinRAR 7.13) shipped nearly a year ago. The flaw, tracked as CVE-2025-8088, is a path traversal: a crafted archive carries an NTFS Alternate Data Stream whose name contains "..\" segments, and on extraction WinRAR writes that stream to a location outside the directory the user chose. The result is an arbitrary file write on the victim's disk, triggered simply by extracting the archive.
Exploitation by Notorious Groups
Trend Micro attributes the activity to two groups it tracks as Earth Dahu and SHADOW-EARTH-066. SHADOW-EARTH-066 has shifted from Excel macro droppers to crafted RAR archives that pair a decoy PDF with hidden payloads. The traversal drops a Windows shortcut (.lnk) into the user's Startup folder, so at the next logon it launches a PowerShell loader that runs an updated build of the GIFTEDCROOK information stealer.
GIFTEDCROOK harvests saved passwords and cookies from browsers such as Google Chrome and Mozilla Firefox. Once the data has been exfiltrated, the malware deletes its own artifacts to frustrate detection and forensic recovery.
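The traversal described above, as an added illustration that is not part of the original article and not WinRAR's own code: a Python model of the check an extractor makes before writing each entry. vulnerable_is_safe validates only the file name in front of the colon, the bug pattern behind CVE-2025-8088, while hardened_is_safe validates the full name that will actually be opened and refuses stream names that contain separators or "..". The destination folder, the entry names and the Startup-folder target are constructed for the example; ntpath is used so the Windows path arithmetic runs on any OS.

```python
import ntpath

# Constructed example destination: the folder the user extracted the archive into.
EXTRACT_ROOT = r"C:\Users\victim\Downloads\report"

# Constructed entry names (not taken from a real archive). The last one mimics the
# CVE-2025-8088 shape: an ordinary-looking file name, then an NTFS stream name that
# climbs out of the destination with "..\" segments and lands in the user's Startup
# folder. Ten ".." segments are an arbitrary choice, deeper than any plausible
# extraction directory, so the climb always reaches the drive root first.
STARTUP_LNK = (
    "decoy.pdf:" + "..\\" * 10
    + r"AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\update.lnk"
)
SAMPLE_ENTRIES = [
    r"docs\report.pdf",            # benign file
    "report.pdf:Zone.Identifier",  # benign stream name
    r"..\..\evil.exe",             # plain traversal, caught by the old check too
    STARTUP_LNK,                   # ADS traversal, the CVE-2025-8088 shape
]


def split_ads(entry_name):
    """Split 'file.ext:stream' into (file, stream); stream is None when no colon.
    Note: ntpath would treat a one-character base ('x:evil') as a drive letter,
    which is why the full name, not just the stream, must be checked."""
    base, sep, stream = entry_name.partition(":")
    return base, (stream if sep else None)


def resolve(root, relative):
    """Join root and entry name, then collapse '.' and '..' segments the way
    Windows path parsing does before the request ever reaches NTFS. The colon
    is not a separator at that layer, so '..' after it still walks upward."""
    return ntpath.normpath(ntpath.join(root, relative))


def is_inside(root, path):
    """True when path equals root or sits strictly beneath it (case-insensitive)."""
    root_n = ntpath.normcase(ntpath.normpath(root))
    path_n = ntpath.normcase(path)
    return path_n == root_n or path_n.startswith(root_n + "\\")


def vulnerable_is_safe(root, entry_name):
    """Bug pattern: validate only the file name and ignore the stream part,
    even though the stream part still goes through path normalisation."""
    base, _stream = split_ads(entry_name)
    return is_inside(root, resolve(root, base))


def hardened_is_safe(root, entry_name):
    """Validate the full name that will be opened, and refuse stream names that
    carry separators or '..' at all; a legitimate stream name needs neither."""
    _base, stream = split_ads(entry_name)
    if stream is not None and (
        not stream or ".." in stream or any(c in stream for c in "\\/")
    ):
        return False
    return is_inside(root, resolve(root, entry_name))


def classify(root, entries):
    """Map each entry to (old_verdict, new_verdict, resolved_path)."""
    return {
        e: (vulnerable_is_safe(root, e), hardened_is_safe(root, e), resolve(root, e))
        for e in entries
    }


if __name__ == "__main__":
    for entry, (old, new, path) in classify(EXTRACT_ROOT, SAMPLE_ENTRIES).items():
        print(f"old={old!s:5} new={new!s:5} -> {path}")
```

Run stand-alone it prints the verdict of both checks for each sample entry alongside the path that would really be written; the Startup-folder entry is the one the old check accepts and the new check refuses. The same classify function can be pointed at a listing of entry names pulled from a suspicious archive to triage it before anyone extracts it.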
Strategic Shifts in Cyber Tactics
Notably, the operators have moved from exfiltrating data over Telegram to dedicated command-and-control servers, a change that likely follows Russia's ban on Telegram earlier in the year. The second group, Earth Dahu, has abused the same WinRAR flaw since September 2025, using an HTA-to-VBScript infection chain to deploy its espionage tooling.
Earth Dahu's operations stand out for the industrial-scale effort the group puts into keeping access to compromised networks. Its GammaPhish component, an HTML Application (HTA), downloads and runs further stages such as GammaLoad and GammaSteel, which carry out long-term data theft.
Implications for Ukraine’s Cybersecurity
WinRAR is ubiquitous in Ukrainian organizations, which makes it an attractive target. The convergence of multiple state-backed actors on a single vulnerability, long after a patch shipped, underscores both the threat Ukraine faces and how much unpatched desktop software still sits on corporate endpoints.
Organizations should update WinRAR to the patched release (WinRAR does not update itself, so the new build has to be installed by hand or pushed through software management), inspect or block inbound RAR archives at the mail gateway, and watch for the concrete artifacts of these chains: new .lnk files appearing in Startup folders, PowerShell spawned from a shortcut, and HTA or VBScript execution following an archive extraction. The ongoing cyber conflict emphasizes the importance of staying vigilant against the evolving tactics of advanced persistent threats.
