Russia-Aligned Hackers Keep Exploiting WinRAR Flaw to Target Ukraine

Two Russia-aligned hacking campaigns have kept exploiting a WinRAR flaw against Ukrainian organizations, with Trend Micro saying the activity involves CVE-2025-8088, a path traversal bug patched in the file archiver in July 2025 and still being exploited almost a year later.

KEY FACTS

  • Targets: Ukrainian organizations
  • Groups: Earth Dahu and SHADOW-EARTH-066
  • Flaw: CVE-2025-8088 in WinRAR
  • Method: Crafted RAR files and hidden ADS payloads

The technical analysis by Trend Micro said the flaw lets an attacker write files outside the extraction directory by using NTFS Alternate Data Streams. The researchers said the finding shows how unmanaged software can leave an entry point open long after a fix is released.

SHADOW-EARTH-066 used crafted RAR archives that included a decoy PDF and three hidden payloads. One payload placed a Windows shortcut (.lnk) file in the Startup folder, which triggered a PowerShell loader through cmd.exe and then loaded an updated version of GIFTEDCROOK in memory.
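The chain above leaves three observable traces a defender can look for: an archiver writing a named NTFS stream, an archiver writing into a user's Startup folder, and a cmd.exe-to-powershell.exe launch on the same host shortly afterwards. The following is an added example (not code from Trend Micro, Sekoia or the WinRAR project) of correlating those traces over Sysmon-style telemetry. The events are constructed for the demonstration, and the simplified field names (`image`, `target`, `parent_image`), the Sysmon event IDs 1, 11 and 15 used as a convention, and the 24-hour correlation window are assumptions of this example.

```python
"""Detection heuristics for the extraction-to-Startup persistence chain.

Constructed, Sysmon-style events (not real telemetry) use these IDs:
  1  ProcessCreate, 11 FileCreate, 15 FileCreateStreamHash (an NTFS ADS was written).
Field names ("image", "target", "parent_image") are simplified assumptions.
"""
from datetime import datetime, timedelta

# Archiver images whose file writes we scrutinise (assumption: WinRAR only, as in the report).
ARCHIVERS = {"winrar.exe"}
STARTUP_MARKER = "\\start menu\\programs\\startup\\"

# Constructed sample telemetry: a benign extraction, then the suspicious chain on WS01,
# plus a lone cmd.exe -> powershell.exe on WS02 that must NOT fire the correlation rule.
SAMPLE_EVENTS = [
    {"ts": "2026-04-10T09:00:00", "host": "WS01", "event_id": 11,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\invoice.pdf"},
    {"ts": "2026-04-10T09:00:05", "host": "WS01", "event_id": 15,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\Downloads\invoice.pdf:hidden"},   # placeholder ADS name
    {"ts": "2026-04-10T09:00:06", "host": "WS01", "event_id": 11,
     "image": r"C:\Program Files\WinRAR\WinRAR.exe",
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Update.lnk"},
    {"ts": "2026-04-10T09:30:00", "host": "WS01", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-10T09:31:00", "host": "WS02", "event_id": 1,
     "image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "parent_image": r"C:\Windows\System32\cmd.exe"},
    {"ts": "2026-04-10T10:00:00", "host": "WS01", "event_id": 11,
     "image": r"C:\Windows\explorer.exe",   # a user-created shortcut: not an archiver, no alert
     "target": r"C:\Users\alice\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Notes.lnk"},
]


def _basename(path: str) -> str:
    """Lower-cased final path component; splits on either separator so it works off-Windows."""
    return path.replace("\\", "/").rsplit("/", 1)[-1].lower()


def detect(events, window: timedelta = timedelta(hours=24)):
    """Return a list of alerts; events are processed in timestamp order so that
    an archiver's write into Startup can be correlated with a later PowerShell launch."""
    alerts = []
    startup_writes = {}  # host -> timestamps at which an archiver wrote into Startup

    for ev in sorted(events, key=lambda e: e["ts"]):
        ts = datetime.fromisoformat(ev["ts"])
        image = _basename(ev.get("image", ""))
        eid = ev["event_id"]

        # Rule 1: an archiver created a named stream (ADS) during extraction.
        if eid == 15 and image in ARCHIVERS:
            alerts.append({"rule": "archiver_created_ads", "host": ev["host"],
                           "ts": ev["ts"], "detail": ev["target"]})

        # Rule 2: an archiver wrote a file into a Startup folder (persistence via .lnk).
        elif eid == 11 and image in ARCHIVERS and STARTUP_MARKER in ev["target"].lower():
            alerts.append({"rule": "archiver_wrote_startup", "host": ev["host"],
                           "ts": ev["ts"], "detail": ev["target"]})
            startup_writes.setdefault(ev["host"], []).append(ts)

        # Rule 3: cmd.exe -> powershell.exe on a host where rule 2 fired within the window.
        elif (eid == 1 and image == "powershell.exe"
              and _basename(ev.get("parent_image", "")) == "cmd.exe"):
            recent = [t for t in startup_writes.get(ev["host"], [])
                      if timedelta(0) <= ts - t <= window]
            if recent:
                alerts.append({"rule": "startup_then_cmd_powershell", "host": ev["host"],
                               "ts": ev["ts"], "detail": f"{len(recent)} prior Startup write(s)"})
    return alerts


if __name__ == "__main__":
    for alert in detect(SAMPLE_EVENTS):
        print(alert["ts"], alert["host"], alert["rule"], alert["detail"])
```

Rule 3 deliberately stays silent on WS02: a cmd.exe-to-PowerShell launch is common enough that it is only worth raising when the same host has just had an archiver drop something into Startup. Narrowing the window (for example to a few minutes) trades missed detections for fewer false positives, which the `window` parameter lets an analyst tune.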

The malware was built to steal passwords and cookies from Chromium-based browsers and Mozilla Firefox, along with documents that matched certain file extensions. After exfiltration to an external server, the campaign deleted malicious artifacts to reduce traces on infected systems.

The report said this group shifted away from Telegram for data theft and moved to dedicated command and control servers. The change likely coincides with Russia’s blocking of the messaging platform in February.

Earth Dahu had used the same flaw since at least September 2025 and kept the chain active through at least April 10, 2026, according to internal file timestamps and naming patterns. Sekoia’s disclosure said the campaign deployed GammaPhish, then GammaLoad, which in turn delivered additional modules such as GammaSteel.

WHY IT MATTERS

WinRAR is widely used in Ukrainian organizations, which makes it a practical target for attackers seeking initial access and data theft. The overlap of multiple groups using the same flaw also shows how long a patched vulnerability can remain a threat when software updates are not fully adopted.