Executive Summary
A critical vulnerability in WinRAR (CVE-2025-8088) has been weaponized by Russia-aligned threat groups to deploy advanced stealer malware in Ukraine, targeting government, military, and law enforcement entities. This flaw, present in all WinRAR versions up to 7.12 and patched in 7.13 (July 2025), enables attackers to craft malicious RAR archives that, when opened, silently drop and execute payloads outside the intended extraction directory—most notably in the Windows Startup folder. The exploitation of this vulnerability has resulted in widespread credential theft, document exfiltration, and persistent access for espionage operations. The campaigns demonstrate a high degree of technical sophistication, leveraging in-memory execution, anti-analysis techniques, and multi-stage payload delivery. Immediate patching and proactive threat hunting are strongly advised.
Threat Actor Profile
The primary actors exploiting WinRAR CVE-2025-8088 are Russia-aligned advanced persistent threat (APT) groups, notably SHADOW-EARTH-066 (CERT-UA: UAC-0226) and Earth Dahu (also known as Gamaredon, Primitive Bear, UAC-0010). These groups have a long history of targeting Ukrainian critical infrastructure and government sectors with espionage and destructive malware. Their operations are characterized by rapid adoption of zero-day exploits, use of compromised government email accounts for spear-phishing, and deployment of custom malware families such as GIFTEDCROOK and GammaSteel. Infrastructure is frequently rotated, leveraging European hosting providers and dynamic DNS, and command-and-control (C2) communications are encrypted and obfuscated to evade detection. Attribution is supported by overlaps in TTPs, infrastructure, and malware code with previously documented Russian cyber campaigns.
Technical Analysis of Malware/TTPs
The exploitation chain begins with a spear-phishing email containing a malicious RAR5 archive. The archive leverages the CVE-2025-8088 path traversal flaw via NTFS Alternate Data Streams (ADS), embedding directory traversal sequences (e.g., ..\..\) in file paths. When extracted with a vulnerable WinRAR version, payloads such as LNK, HTA, VBS, or DLL files are written directly to sensitive locations like %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ or C:\ProgramData\, bypassing user prompts and security warnings.
Upon the next user login, these files are automatically executed. For example, a LNK file in the Startup folder may invoke PowerShell with -ExecutionPolicy Bypass and -WindowStyle Hidden, which in turn loads a stealer DLL (result.dll) directly into memory using low-level NT system calls (NtAllocateVirtualMemory, NtProtectVirtualMemory, NtCreateThreadEx). This in-memory execution avoids writing the DLL to disk, complicating forensic analysis.
The GIFTEDCROOK stealer is engineered to extract credentials from browsers (Chrome, Edge, Opera, Firefox), session cookies, and a wide array of document types (over 35 extensions, including KeePass and OpenVPN configs). It bypasses Chrome App-Bound Encryption (ABE) to access protected data. Exfiltration occurs over HTTPS POST requests to dedicated C2 servers, often using the libcurl/8.14.0-DEV user agent and RC4 encryption for payloads and strings. After execution, the malware self-deletes and removes all artifacts to hinder detection.
Earth Dahu campaigns use similar delivery but favor HTA or VBS payloads, which launch espionage modules or destructive wipers. These actors employ Cloudflare Workers and dynamic DNS for resilient C2, and use HTTP basic-auth URL spoofing to mimic trusted Ukrainian domains. Decoy documents often reference court summons, property seizures, or military manifests to increase the likelihood of user interaction.
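As an added illustration of the ADS path-traversal pattern described above (example detection code written for this page, not tooling from Rescana or any of the cited vendors), the following Python walks a RAR5 archive's header chain and flags any stored file name, or NTFS stream name carried by an STM service header, that contains a parent-directory component. It assumes the public RAR5 header layout (7-bit vints, header type 2 for files and 3 for service headers, extra record type 0x07 holding the stream name); header CRCs are read but not verified, and the sample archive is constructed inline.

```python
import re, zlib

RAR5_SIG = b"Rar!\x1a\x07\x01\x00"
TRAVERSAL = re.compile(r"(^|[\\/:])\.\.([\\/]|$)")  # a ".." path component; stream names start with ":"

def read_vint(buf, pos):  # RAR5 vint: 7 bits per byte, low byte first, high bit = more bytes follow
    val, shift = 0, 0
    while buf[pos] & 0x80:
        val |= (buf[pos] & 0x7F) << shift
        shift, pos = shift + 7, pos + 1
    return val | (buf[pos] << shift), pos + 1

def scan_rar5(data):  # -> [(header_type, name)] for every file or STM stream name containing ".."
    assert data.startswith(RAR5_SIG), "not a RAR5 archive"
    pos, hits, htype = len(RAR5_SIG), [], 0
    while htype != 5 and pos + 4 < len(data):       # type 5 = end-of-archive header
        hsize, pos = read_vint(data, pos + 4)       # skip header CRC32 (not verified here)
        hstart = pos                                # hsize counts from the type field onward
        htype, pos = read_vint(data, pos)
        hflags, pos = read_vint(data, pos)
        extra, pos = read_vint(data, pos) if hflags & 0x01 else (0, pos)
        dsize, pos = read_vint(data, pos) if hflags & 0x02 else (0, pos)
        if htype in (2, 3):                         # 2 = file header, 3 = service header
            fflags, pos = read_vint(data, pos)
            for field in range(4):                  # unpacked size, attributes, compression, host OS
                if field == 2:                      # optional mtime / data CRC32 precede the last two
                    pos += (4 if fflags & 0x02 else 0) + (4 if fflags & 0x04 else 0)
                _, pos = read_vint(data, pos)
            nlen, pos = read_vint(data, pos)
            name = data[pos:pos + nlen].decode("utf-8", "replace")
            pos, names, end = pos + nlen, [name], pos + nlen + extra
            while pos < end:                        # extra records: size vint, type vint, payload
                rsize, pos = read_vint(data, pos)
                rtype, rpos = read_vint(data, pos)
                if htype == 3 and name == "STM" and rtype == 0x07:  # service data = stream name
                    names.append(data[rpos:pos + rsize].decode("utf-8", "replace"))
                pos += rsize
            hits += [(htype, n) for n in names if TRAVERSAL.search(n)]
        pos = hstart + hsize + dsize                # next header, past any data area
    return hits

def frame(h):  # CRC32 + size vint + header; every size in the sample fits a one-byte vint
    return zlib.crc32(bytes([len(h)]) + h).to_bytes(4, "little") + bytes([len(h)]) + h
# Constructed sample, not a real capture: main header, benign file, STM header with traversal, end.
STREAM = b":..\\..\\constructed.txt"
SAMPLE = (RAR5_SIG + frame(b"\x01\x00\x00")                              # signature, main header
          + frame(b"\x02\x00" + b"\x00" * 5 + b"\x0b" + b"report.docx")  # benign file header
          + frame(b"\x03\x01" + bytes([len(STREAM) + 2]) + b"\x00" * 5 + b"\x03STM"
                  + bytes([len(STREAM) + 1]) + b"\x07" + STREAM)         # STM service header + extra
          + frame(b"\x05\x00\x00"))                                      # end-of-archive header
```

Running scan_rar5(SAMPLE) reports only the STM stream name; the benign file entry is not flagged, and the same walk flags a plain file header whose name starts with a traversal component.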
Exploitation in the Wild
The vulnerability has been exploited since at least July 2025, initially as a zero-day. Campaigns have been observed continuously through April 2026, with a focus on Ukrainian government, military, and law enforcement agencies. Attackers frequently use compromised Ukrainian government email accounts to distribute spear-phishing emails, increasing the credibility of malicious attachments. The impact includes large-scale credential theft, exfiltration of sensitive documents, and establishment of persistent access for espionage and potential destructive operations. The exploit has also been adopted by other state and financially motivated actors for global campaigns, including in Indonesia, Latin America, and Brazil.
Victimology and Targeting
The primary targets are Ukrainian government ministries, military units, law enforcement agencies, and adjacent organizations involved in national defense and critical infrastructure. Secondary targeting includes technology, hospitality, travel, and financial services sectors, both within Ukraine and internationally. The use of decoy documents tailored to Ukrainian legal and military themes, combined with the compromise of legitimate government email accounts, has enabled high success rates for initial access. There is evidence of spillover into commercial sectors and other countries, as the exploit has been commoditized and sold in underground forums.
Mitigation and Countermeasures
Immediate action is required to mitigate the risk posed by CVE-2025-8088. All endpoints must be updated to WinRAR version 7.13 or later, as this release contains the necessary patch to prevent path traversal via ADS. Security teams should conduct proactive threat hunting for indicators of compromise, focusing on the presence of unauthorized LNK, HTA, or DLL files in %APPDATA%\Microsoft\Windows\Start Menu\Programs\Startup\ and C:\ProgramData\. Network defenses should be configured to block known C2 IP addresses associated with these campaigns, including 166.0.132.237:7044, 136.0.141.41:9580, 136.0.141.138:8406, 38.225.209.229:9623, 136.0.141.112:9200, 38.225.209.122:8009, and 23.26.237.80:8941. Monitoring for suspicious PowerShell and mshta.exe activity, especially with bypassed execution policies and hidden windows, is essential. Compromised credentials must be rotated immediately, and users should be educated to recognize spear-phishing attempts and avoid opening unexpected RAR attachments. Forensic analysis should include searching for the file hashes and behavioral patterns listed in the IOCs section.
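The following triage rules, an added example rather than Rescana's tooling, turn the hunting guidance above into code: they flag PowerShell launched with a bypassed execution policy and a hidden window (including the abbreviated switch forms PowerShell accepts), script hosts running .lnk/.hta/.vbs/.dll payloads from the Startup or C:\ProgramData drop locations, and connections to the C2 endpoints listed in this section. Field names follow Sysmon-style process and network events, and the sample events are constructed.

```python
import re

# C2 endpoints (ip, port) as listed in the Mitigation section above.
C2_ENDPOINTS = {("166.0.132.237", 7044), ("136.0.141.41", 9580), ("136.0.141.138", 8406),
                ("38.225.209.229", 9623), ("136.0.141.112", 9200), ("38.225.209.122", 8009),
                ("23.26.237.80", 8941)}
# Drop locations abused by the CVE-2025-8088 traversal, and the payload types written there.
DROP_DIR = re.compile(r"\\Start Menu\\Programs\\Startup\\|\bC:\\ProgramData\\", re.I)
PAYLOAD = re.compile(r"\.(lnk|hta|vbs|dll)\b", re.I)
# PowerShell accepts abbreviated switches: match -e/-ep/-exec/-ExecutionPolicy and -w/-win/-WindowStyle.
PS_BYPASS = re.compile(r"-e[xp]?[a-z]*\s+bypass", re.I)
PS_HIDDEN = re.compile(r"-w[a-z]*\s+hidden", re.I)
LOLBINS = ("powershell.exe", "mshta.exe", "wscript.exe", "cscript.exe", "rundll32.exe")

def triage_process(ev):
    """Return the rule names a process-creation event trips (empty list = nothing suspicious)."""
    image, cmd, hits = ev["Image"].lower(), ev["CommandLine"], []
    if image.endswith("powershell.exe") and PS_BYPASS.search(cmd) and PS_HIDDEN.search(cmd):
        hits.append("powershell_bypass_hidden")
    if image.endswith(LOLBINS) and DROP_DIR.search(cmd) and PAYLOAD.search(cmd):
        hits.append("payload_from_drop_dir")
    return hits

def triage_network(ev):
    """Return ["known_c2"] if a network event's destination is one of the listed C2 endpoints."""
    return ["known_c2"] if (ev["DestinationIp"], ev["DestinationPort"]) in C2_ENDPOINTS else []

def triage(events):
    """Map event id -> rules tripped, over a mixed list of process and network events."""
    out = {}
    for ev in events:
        rules = triage_network(ev) if "DestinationIp" in ev else triage_process(ev)
        if rules:
            out[ev["Id"]] = rules
    return out

# Constructed sample telemetry with Sysmon-style field names (not a real capture).
SAMPLE_EVENTS = [
    {"Id": 1, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": 'powershell.exe -ep bypass -w hidden -c "Get-Date"'},
    {"Id": 2, "Image": r"C:\Windows\System32\mshta.exe",
     "CommandLine": r"mshta.exe C:\ProgramData\update.hta"},
    {"Id": 3, "Image": r"C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe",
     "CommandLine": r"powershell.exe -NoProfile -File C:\Scripts\inventory.ps1"},
    {"Id": 4, "Image": r"C:\Windows\explorer.exe",
     "DestinationIp": "136.0.141.41", "DestinationPort": 9580},
    {"Id": 5, "Image": r"C:\Program Files\Mozilla Firefox\firefox.exe",
     "DestinationIp": "203.0.113.10", "DestinationPort": 443},
]
```

triage(SAMPLE_EVENTS) returns hits for events 1, 2 and 4 only; the benign PowerShell invocation and the browser connection to an unrelated address are left alone.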
References
- Trend Micro: Old WinRAR Flaw Fuels Attacks on Ukraine
- CERT-UA Advisory #14303
- ClearSky: Gamaredon Activity
- Arctic Wolf: GIFTEDCROOK Evolution
- Google Threat Intelligence: Exploiting Critical WinRAR Vulnerability
- ESET: RomCom Exploiting WinRAR
- HackRead: UAC-0099 Hackers Using Old WinRAR Flaw
- Reddit: WinRAR Exploit Discussion
- NVD: CVE-2025-8088
- RARLAB WinRAR Security Advisory
- GitHub POC
About Rescana
Rescana delivers advanced third-party risk management (TPRM) solutions, empowering organizations to continuously monitor, assess, and mitigate cyber risks across their extended supply chain. Our platform leverages real-time intelligence, automated workflows, and deep analytics to provide actionable insights and strengthen your organization’s security posture. For any questions or to request further information, please contact us at ops@rescana.com.