Ethical Hacking News

Russian APTs Continue to Exploit Patched WinRAR Flaw CVE-2025-8088 Despite Patches and Updates


Russian APTs continue to exploit a patched WinRAR flaw despite the fix having been available for months. Researchers have identified two groups actively using CVE-2025-8088 to deploy malware.

  • A patched vulnerability in WinRAR (CVE-2025-8088) continues to be exploited by Russian APT groups.
  • The vulnerability allows attackers to deploy malicious payloads silently without user interaction.
  • Russian APT groups, including Earth Dahu and SHADOW-EARTH-066, are using the vulnerability to deliver malware despite patches and updates.
  • SHADOW-EARTH-066's latest campaign represents a significant technical upgrade from its previous operations.
  • The group is targeting Chrome, Edge, Opera, and Firefox with a new payload that decrypts browser master keys and extracts passwords and session cookies.
  • The persistence of the patched vulnerability highlights the ongoing challenge in cybersecurity where threat actors exploit vulnerabilities that are supposed to be fixed.



The cybersecurity landscape has witnessed a peculiar development: a patched vulnerability in the widely used file archiver WinRAR continues to be exploited by Russian Advanced Persistent Threat (APT) groups. The vulnerability, tracked as CVE-2025-8088, was patched by WinRAR in July 2025, but Russian APTs have kept using it as a malware delivery vector despite the patches and updates.

    The vulnerability in question is a path traversal flaw in WinRAR that lets an attacker write files outside the extraction directory by abusing NTFS Alternate Data Streams. This allows malicious payloads to be dropped silently, without any user interaction beyond opening the archive. Researchers at Trend Micro have been tracking the flaw and have identified two separate Russia-linked APT groups, Earth Dahu (also known as Gamaredon) and SHADOW-EARTH-066 (UAC-0226), that are still actively building new exploit samples and delivering fresh lure documents through CVE-2025-8088.

    SHADOW-EARTH-066’s current campaign represents a significant technical upgrade from its 2025 operations. The group originally used Excel macro droppers with hardcoded Telegram bot tokens in plaintext, a method that was trivially detectable. The latest build, timestamped April 9, 2026, instead drops three hidden files via path traversal: an LNK shortcut into the Startup folder, a heavily obfuscated PowerShell loader into C:\ProgramData\, and a SUB-encoded DLL payload into the same directory. The PowerShell loader uses direct NT system calls to load the final DLL entirely in memory, making file-based detection ineffective.

    The final payload, internally named result.dll, is a direct evolution of GIFTEDCROOK and targets Chrome, Edge, Opera, and Firefox. It decrypts browser master keys, extracts passwords and session cookies, bypasses Chrome’s App-Bound Encryption, and scans Documents, Downloads, and TEMP directories for 35 file extensions covering documents, spreadsheets, presentations, KeePass databases, and OpenVPN config files. After exfiltrating everything to dedicated C2 servers via dual-layer RC4-encrypted HTTPS, it deletes all three staging artifacts from disk.

    The reason both groups keep using this vulnerability is structural. WinRAR doesn’t auto-update. It’s not covered by Group Policy or by centralized enterprise patch management such as WSUS, SCCM, or Intune. Verifying patch status across an organization requires third-party tooling or manual auditing. This is exactly the profile threat actors look for: widely installed, infrequently updated, outside standard patch channels.
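    As an added example (not code from the article or from Trend Micro), the following PowerShell script performs the kind of manual patch-status audit the paragraph above describes, reporting the installed WinRAR version on each host. It assumes the default install path and the standard Uninstall registry keys, and because the article does not state the fixed version number, $MinimumPatchedVersion is a placeholder the operator must set from the vendor's CVE-2025-8088 advisory.

```powershell
# Added example: audit WinRAR patch status across hosts (defensive inventory).
# Assumptions: default install path or a standard Uninstall registry entry;
# the patched version is NOT given in the article, so it is a placeholder here.
param(
    [string[]] $ComputerName = @($env:COMPUTERNAME),
    [version]  $MinimumPatchedVersion = [version]'0.0'   # placeholder: set from vendor advisory
)

$probe = {
    param([version] $MinVer)
    $r = [ordered]@{ Host = $env:COMPUTERNAME; Installed = $false; Version = $null; Status = 'not-installed' }

    # 1. Prefer the binary's own version at the default install location.
    $exe = Join-Path $env:ProgramFiles 'WinRAR\WinRAR.exe'
    if (Test-Path $exe) {
        $r.Installed = $true
        $r.Version   = (Get-Item $exe).VersionInfo.ProductVersion
    }

    # 2. Fall back to the Uninstall registry entries (covers non-default paths).
    if (-not $r.Installed) {
        $keys  = 'HKLM:\SOFTWARE\Microsoft\Windows\CurrentVersion\Uninstall\*',
                 'HKLM:\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Uninstall\*'
        $entry = Get-ItemProperty $keys -ErrorAction SilentlyContinue |
                 Where-Object { $_.DisplayName -like 'WinRAR*' } | Select-Object -First 1
        if ($entry) { $r.Installed = $true; $r.Version = $entry.DisplayVersion }
    }

    # 3. Compare against the minimum patched version; unparsable strings are flagged, not ignored.
    if ($r.Installed) {
        $parsed = $null
        if ([version]::TryParse(($r.Version -replace '[^\d.]', ''), [ref]$parsed)) {
            $r.Status = if ($parsed -ge $MinVer) { 'patched' } else { 'VULNERABLE' }
        } else {
            $r.Status = 'unknown-version'
        }
    }
    [pscustomobject]$r
}

# Run locally without WinRM; use remoting for every other host.
$results = foreach ($c in $ComputerName) {
    if ($c -ieq $env:COMPUTERNAME) { & $probe $MinimumPatchedVersion }
    else { Invoke-Command -ComputerName $c -ScriptBlock $probe -ArgumentList $MinimumPatchedVersion }
}
$results | Format-Table Host, Installed, Version, Status -AutoSize
```

Hosts reported as VULNERABLE or unknown-version are the ones to prioritise, since neither WSUS nor Intune will surface them on its own.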

    This persistence of a patched vulnerability highlights an ongoing challenge in cybersecurity: threat actors continue to exploit vulnerabilities that are supposed to be fixed. It also underscores the need for better awareness and education on software updates among organizations and users, and it serves as a reminder that a released patch protects nothing until it is actually installed.



    Related Information:
  • https://www.ethicalhackingnews.com/articles/Russian-APTs-Continue-to-Exploit-Patched-WinRAR-Flaw-CVE-2025-8088-Despite-Patches-and-Updates-ehn.shtml

  • https://securityaffairs.com/193476/apt/russian-apts-still-exploiting-patched-winrar-flaw-cve-2025-8088.html


  • Published: Wed Jun 10 17:34:06 2026 by llama3.2 3B Q4_K_M
    © Ethical Hacking News . All rights reserved.