Russian APTs Still Exploiting Patched WinRAR Flaw CVE-2025-8088

Pierluigi Paganini
June 10, 2026

Despite a 2025 patch, Russian-linked groups still exploit a WinRAR flaw (CVE-2025-8088) to deploy malware via phishing archives.

CVE-2025-8088 is a path traversal flaw in WinRAR that lets an attacker write files outside the extraction directory using NTFS Alternate Data Streams. WinRAR fixed it in version 7.13 in July 2025. Nearly a year later, Trend Micro researchers published an analysis showing two separate Russia-linked APT groups, Earth Dahu (aka Gamaredon) and SHADOW-EARTH-066 (UAC-0226), are still actively building new exploit samples and delivering fresh lure documents through it. The patch exists. The installations don’t have it.

The mechanics of the flaw are worth understanding precisely. Victims receive a RAR archive, typically via spear-phishing email. They open it and see a decoy PDF, something that looks like a Ukrainian court summons, a Ministry of Defense registry, or a military equipment manifest designed to create urgency.

In the background, with no warning and no additional user interaction, WinRAR silently writes hidden files to locations outside the extraction directory, including the Windows Startup folder. On the next login, those files execute automatically.

“WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation. CVE-2025-8088 is a path traversal flaw (CVSS 8.4), patched in WinRAR 7.13 in July 2025, that allows an attacker to silently write files outside the extraction directory via NTFS Alternate Data Streams.” reads the report published by Trend Micro “Once the victim opens the archive, no further interaction is needed; they see only a decoy document. All the samples we analyzed exploit this vulnerability.”

SHADOW-EARTH-066’s current campaign represents a significant technical upgrade from its 2025 operations. The group originally used Excel macro droppers with hardcoded Telegram bot tokens in plaintext, a method that was trivially detectable.

The latest build, timestamped April 9, 2026, drops three hidden files via path traversal: an LNK shortcut into the Startup folder, a heavily obfuscated PowerShell loader into C:\ProgramData\, and a SUB-encoded DLL payload into the same directory. The PowerShell loader uses direct NT system calls to load the final DLL entirely in memory, never writing the decoded payload to disk, making file-based detection ineffective.

The final payload, internally named result.dll, is a direct evolution of GIFTEDCROOK and targets Chrome, Edge, Opera, and Firefox. It decrypts browser master keys, extracts passwords and session cookies, bypasses Chrome’s App-Bound Encryption, and scans Documents, Downloads, and TEMP directories for 35 file extensions covering documents, spreadsheets, presentations, KeePass databases, and OpenVPN config files. After exfiltrating everything to dedicated C2 servers via dual-layer RC4-encrypted HTTPS, it deletes all three staging artifacts from disk. One-shot execution, no persistence left behind.

“The stealer operates as a one-shot execution. After cleanup, no startup mechanism and no staging files remain on the endpoint.“ continues the report.

The shift from Telegram to dedicated C2 servers isn’t just a technical upgrade. In February 2026, Russia moved toward blocking Telegram domestically, which made hardcoded Telegram tokens increasingly unreliable as an exfiltration channel for operators working from Russian-adjacent infrastructure. The new C2 servers, seven IPs hosted on a Malaysian VPS provider with points of presence in France, the Netherlands, and Switzerland, communicate on non-standard high ports and all use the same URI path /rcv/, indicating shared server-side tooling across the campaign’s builds.

Earth Dahu’s approach is structurally different but uses the same entry point. Rather than a multi-file compiled stealer chain, Gamaredon drops a single HTA or VBScript file into the Startup folder via the same CVE-2025-8088 path traversal. On the next login, mshta.exe executes the HTA, which loads VBScript from external resources hosted through Cloudflare Workers and Dynamic DNS, then delivers espionage modules depending on the target.

“Since at least September 2025, Earth Dahu has also incorporated CVE-2025-8088 into its operations.” continues the report. “We first reported on this adoption in a private intelligence report distributed through TrendAI Vision One™︎ in December 2025, when Earth Dahu used the vulnerability with an HTA-to-VBScript infection chain that delivered espionage modules. Based on RAR internal file timestamps and file naming conventions, the chain remained active through at least April 10, 2026.”

ClearSky has also reported a wiper component delivered through the same chain.

Earth Dahu’s spear-phishing emails show operational sophistication at the delivery layer. Many were sent from compromised accounts on Ukrainian government Exchange servers, with one cluster showing four separate accounts originating from the same internal IP, pointing to a single compromised workstation distributing email through multiple mailboxes. The C2 URLs embedded in HTA files use HTTP basic-auth @-notation to spoof legitimate domains: a URL structured as hxxps://ssu[.]gov[.]ua@malicious[.]workers[.]dev displays the Security Service of Ukraine’s domain to the left of the @ while routing traffic to the attacker’s Cloudflare Workers subdomain. Spoofed domains span Ukrainian government sites, major news outlets, the BBC, and Deutsche Welle.

The two campaigns share an entry point but nothing else. SHADOW-EARTH-066 uses compiled C++ with static libcurl, direct NT syscalls, and direct IP-based C2. Earth Dahu uses script-based tooling, HTA and VBScript, proxied through Cloudflare Workers. No shared infrastructure connects them. Both decided independently that CVE-2025-8088 was worth building around.

The reason both keep using it is structural. WinRAR doesn’t auto-update. It’s not covered by Group Policy or centralized enterprise patch management like WSUS, SCCM, or Intune. Verifying patch status across an organization requires third-party tooling or manual auditing. This is exactly the profile threat actors look for: widely installed, infrequently updated, outside standard patch channels. CVE-2018-20250, a WinRAR vulnerability disclosed in 2018, was still showing up in targeted attacks years later. The pattern repeats.

“Despite CVE-2025-8088 was patched in WinRAR 7.13 in July 2025, yet at the time of writing, multiple threat actor groups continued to build new exploit samples with fresh lure documents and use this vulnerability as a reliable initial access vector against Ukrainian organizations.” concludes the report. “The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability reflects the scale of the cyber threats that Ukraine faces.”

Follow me on Twitter: @securityaffairs and Facebook and Mastodon