In a worrying development, Russian hackers are exploiting a vulnerability in WinRAR to infiltrate Ukrainian organizations and steal sensitive data such as passwords and session cookies. This flaw, identified as CVE-2025-8088, was supposedly fixed in July 2025, yet remains a target for cyber attackers.
Persistent Exploitation of a Patched Vulnerability
Despite the availability of a patch, the vulnerability continues to be exploited by numerous Russian-aligned groups. Two prominent groups, SHADOW-EARTH-066 and Earth Dahu, are actively leveraging this flaw. SHADOW-EARTH-066, also known as UAC-0226, has been particularly focused on deploying an enhanced version of the GIFTEDCROOK malware.
Earth Dahu, recognized for its long-standing operations against Ukraine since 2013, has also been using this exploit. Both groups have been observed creating new exploit samples as recently as April 2026, indicating ongoing malicious activity.
Methods of Attack and Impact
According to a Trend Micro report shared with Cyber Security News, both groups utilize spear-phishing emails to deliver malicious RAR files exploiting CVE-2025-8088. Victims who open these files with outdated WinRAR versions unknowingly execute a payload that activates upon the next system login, dropping files into the Windows Startup folder without any alerts.
The SHADOW-EARTH-066 group has targeted Ukrainian military and government institutions, whereas Earth Dahu has used Cloudflare Workers to deploy espionage tools. Despite different approaches, both groups exploit the same vulnerability.
Challenges in Mitigating the Threat
Other Russian-linked actors, such as Sandworm and Turla, have also been exploiting this flaw. This ongoing threat highlights a significant security gap: WinRAR’s lack of automatic updates and standard enterprise patch channels, which allows outdated versions to remain operational unnoticed.
The vulnerability, rated CVSS 8.4, involves a path traversal flaw that permits attackers to write files outside the extraction directory using NTFS Alternate Data Streams. This process includes dropping an LNK shortcut, a PowerShell loader, and an encoded DLL into critical system locations.
SHADOW-EARTH-066’s attack chain leads to the theft of data, including passwords and session cookies, which are encrypted and sent to command-and-control servers. The malware cleans up afterward to minimize detection.
Recommendations for Organizations
Security experts advise immediate verification of WinRAR versions across all systems, recommending the upgrade to version 7.13 or later. It’s crucial to search for unusual LNK or HTA files in the Startup folder and monitor C:\ProgramData for suspicious files. Organizations should also block known command-and-control IP addresses to prevent data exfiltration.
In cases of confirmed compromise, rotating saved credentials and enabling multi-factor authentication on critical accounts are essential steps to mitigate the impact. Security teams must remain vigilant to these evolving threats to enhance their cybersecurity defenses.
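The version check and Startup/ProgramData sweep recommended above, written out as a PowerShell triage script. This is an added example, not code from the report or from any vendor; it assumes WinRAR registers under the standard Uninstall keys or lives in "$env:ProgramFiles\WinRAR", and the 14-day window and file-type filters are our own choices.

```powershell
# Added triage script (not from the article). Flags WinRAR builds older than 7.13
# and lists the autostart and staging artefacts the report describes.
# Assumption: standard Uninstall keys and/or the default install path are in use.
$MinimumSafe = [version]'7.13'

function Get-WinRarVersions {
    $keys = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
            'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
    $fromRegistry = Get-ItemProperty -Path $keys -ErrorAction SilentlyContinue |
        Where-Object { $_.DisplayName -like 'WinRAR*' } |
        ForEach-Object { [pscustomobject]@{ Source = 'Registry'; Version = $_.DisplayVersion } }
    # Fall back to the binary's own version resource if no uninstall entry exists.
    $exe = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
    $fromFile = if (Test-Path $exe) {
        [pscustomobject]@{ Source = $exe; Version = (Get-Item $exe).VersionInfo.ProductVersion }
    }
    @($fromRegistry) + @($fromFile) | Where-Object { $_ }
}

function Test-WinRarOutdated {
    foreach ($entry in Get-WinRarVersions) {
        $v = $null
        # Installers report forms like '7.01' or '7.13.0'; [version] parses both.
        if ([version]::TryParse([string]$entry.Version, [ref]$v)) {
            $status = if ($v -lt $MinimumSafe) { 'OUTDATED - exposed to CVE-2025-8088' } else { 'patched' }
            [pscustomobject]@{ Source = $entry.Source; Version = $v; Status = $status }
        }
    }
}

function Get-StartupArtifacts {
    # Per-user and all-users Startup folders; the report names LNK and HTA drops there.
    $dirs = [Environment]::GetFolderPath('Startup'), [Environment]::GetFolderPath('CommonStartup')
    Get-ChildItem -Path $dirs -File -ErrorAction SilentlyContinue |
        Where-Object { $_.Extension -in '.lnk', '.hta' } |
        Select-Object FullName, CreationTime, LastWriteTime
}

function Get-RecentProgramDataFiles([int]$Days = 14) {
    # Recently written script/DLL/shortcut files near the ProgramData root (assumed staging area).
    Get-ChildItem -Path $env:ProgramData -File -Recurse -Depth 1 -Include *.ps1, *.dll, *.lnk, *.hta -ErrorAction SilentlyContinue |
        Where-Object { $_.LastWriteTime -gt (Get-Date).AddDays(-$Days) } |
        Select-Object FullName, LastWriteTime
}

Test-WinRarOutdated        | Format-Table -AutoSize
Get-StartupArtifacts       | Format-Table -AutoSize
Get-RecentProgramDataFiles | Format-Table -AutoSize
```

Run it elevated so the HKLM keys and the all-users Startup folder are readable; anything listed in the last two tables needs manual review rather than automatic deletion.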
