Ethical Hacking News

WinRAR Vulnerability Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine


WinRAR Vulnerability Exploited by Russia-Aligned Groups to Deploy Stealers in Ukraine: A Sophisticated Attack Campaign That Highlights the Ongoing Threat Landscape in the Region.

  • The threat landscape has seen a significant escalation with sophisticated cyber actors exploiting vulnerabilities in widely used software.
  • The CVE-2025-8088 vulnerability in WinRAR was exploited by Russia-aligned groups to target Ukrainian organisations.
  • The exploit chain involved crafted RAR archives that use NTFS Alternate Data Streams (ADS) to write payloads outside the extraction directory.
  • The use of WinRAR as a vector for attacks is striking, given its widespread adoption across Ukrainian organisations.
  • The attacks showcased a departure from previously used Excel macro droppers, instead using crafted RAR archives and in-memory DLL loading.
  • Malicious artifacts were deleted to cover the forensic trail, and exfiltration shifted from Telegram to dedicated command-and-control (C2) servers.



The threat landscape has witnessed a significant escalation in recent times, with sophisticated cyber actors exploiting vulnerabilities in widely used software to deploy highly invasive malware. A prime example is the exploitation of CVE-2025-8088, a path traversal flaw in WinRAR that allows an attacker to write files outside the extraction directory via NTFS Alternate Data Streams (ADS). WinRAR patched the vulnerability in July 2025, but two Russia-aligned cyber attack campaigns have continued to exploit it against Ukrainian organisations.

The activity has been attributed to Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (aka UAC-0226), both of which are known for their industrial-scale efforts to maintain long-term access to compromised organisations. The exploitation of CVE-2025-8088 by these threat actors is noteworthy because it demonstrates how unmanaged software can continue to serve as an entry point for attackers even after patches have been released.

The exploit chain used by SHADOW-EARTH-066 involves crafted RAR archives containing a decoy PDF document and three hidden ADS payloads that are written outside the extraction directory. This setup initiates the infection process, which ultimately leads to the deployment of GammaPhish, an HTML Application (HTA) that retrieves a VBScript downloader named GammaLoad. The intermediate downloader subsequently delivers additional modules such as GammaSteel, a comprehensive information stealer that can monitor changes to files in real time.
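As a defender-side illustration of the archive pattern described above (an added example, not code from the article or from the researchers it cites), the following Python helper takes the entry names from a RAR listing and flags entries that carry an ADS suffix, that put a path inside the stream name, or that would escape the extraction root. The sample listing and its paths are constructed placeholders, and parsing the names out of a `rar lt` listing is assumed to have been done already.

```python
import re
from pathlib import PureWindowsPath

# ADS entry name: base:stream with an optional ":$DATA" type suffix.
_ADS_RE = re.compile(r"^(?P<base>[^:]+):(?P<stream>[^:]+)(?::\$DATA)?$")
_DRIVE_RE = re.compile(r"^[A-Za-z]:[\\/]")  # "C:\..." is a drive, not an ADS

# Constructed sample listing modelled on the article's description (decoy PDF
# plus hidden ADS payloads); the paths are placeholders, not real indicators.
SAMPLE_ENTRIES = [
    "Invoice_2025.pdf",
    "Invoice_2025.pdf:..\\..\\..\\Temp\\stage.hta",
    "..\\..\\Public\\stage.hta",
    "docs\\readme.txt",
]

def escapes_root(path: str) -> bool:
    """True if an entry path would land outside the extraction root."""
    p = PureWindowsPath(path.replace("/", "\\"))
    if p.drive or p.root:  # absolute or drive-qualified paths never belong
        return True
    depth = 0
    for part in p.parts:
        if part == "..":
            depth -= 1
            if depth < 0:  # more ".." than directories entered: escape
                return True
        elif part not in ("", "."):
            depth += 1
    return False

def classify_entry(name: str) -> dict:
    """Split off any ADS component and return the findings for one entry."""
    base, stream = name, None
    m = _ADS_RE.match(name)
    if m and not _DRIVE_RE.match(name):
        base, stream = m.group("base"), m.group("stream")
    findings = []
    if stream is not None:
        findings.append("ads")  # legitimate archives almost never carry ADS
        if re.search(r"[\\/]", stream):
            findings.append("stream-has-path")  # a stream name is not a path
    if escapes_root(base) or (stream is not None and escapes_root(stream)):
        findings.append("traversal")
    return {"entry": name, "base": base, "stream": stream, "findings": findings}

def triage(entries) -> list:
    """Keep only the entries that warrant a closer look, with their findings."""
    return [r for r in map(classify_entry, entries) if r["findings"]]
```

Calling `triage(SAMPLE_ENTRIES)` returns the two constructed entries that combine ADS and traversal; on a real archive, feed it the names from the listing instead.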

The use of WinRAR as a vector for these attacks is particularly striking, given the software's widespread adoption across Ukrainian organisations. This makes it an attractive target for exploitation, and the convergence of both established state-backed groups and independently tracked clusters on this single vulnerability reflects the scale of the cyber threats that Ukraine faces.

In terms of tactics, techniques, and procedures (TTPs), these attacks are notable for their departure from previously used Excel macro droppers. Instead, SHADOW-EARTH-066 has opted for a more sophisticated approach that involves crafted RAR archives and in-memory DLL loading to launch an updated version of GIFTEDCROOK ("result.dll"). This malware targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, and Opera) and Mozilla Firefox, and harvests documents matching certain extensions from the victim's machine.

Once the data has been exfiltrated to an external server, all malicious artifacts are deleted to cover the forensic trail. A notable change in this regard is the shift from Telegram as an exfiltration channel to dedicated command-and-control (C2) servers, a key modification that likely aligns with Russia's blocking of the messaging platform in Ukraine earlier this February.

The second Russia-affiliated hacking group to weaponize CVE-2025-8088 is Earth Dahu, which has incorporated the flaw into its arsenal since at least September 2025. The adversary is known for its industrial-scale effort to maintain long-term access to compromised organisations and for its use of HTA-to-VBScript infection chains that delivered espionage modules.

These attacks are a stark reminder of the ongoing threat landscape in Ukraine, where sophisticated cyber actors continue to exploit vulnerabilities in widely used software to deploy highly invasive malware. Security professionals must remain vigilant and take proactive measures to prevent such attacks, including keeping software up to date, implementing robust security controls, and conducting regular vulnerability assessments.

In conclusion, the exploitation of CVE-2025-8088 by Russia-aligned groups to deploy stealers in Ukraine highlights the ongoing threat landscape in the region and underscores the importance of keeping software up to date and implementing robust security controls.



Related Information:

  • https://www.ethicalhackingnews.com/articles/WinRAR-Vulnerability-Exploited-by-Russia-Aligned-Groups-to-Deploy-Stealers-in-Ukraine-ehn.shtml
  • https://thehackernews.com/2026/06/winrar-flaw-exploited-by-russia-aligned.html

Published: Wed Jun 10 14:34:19 2026 by llama3.2 3B Q4_K_M

© Ethical Hacking News. All rights reserved.