CyberIntel ⬡ News
★ Saved ◆ Cyber Reads
← Back ◇ Industry News & Leadership Jun 09, 2026

Russian Attackers Weaponize WinRAR Flaw Against Ukrainian Orgs

Dark Reading Archived Jun 09, 2026 ✓ Full text saved

Two separate campaigns target CVE-2025-8088, fixed last July, to conduct data theft and cyberespionage against military and government targets in Ukraine.

Full text archived locally
✦ AI Summary · Claude Sonnet


    VULNERABILITIES & THREATS THREAT INTELLIGENCE ENDPOINT SECURITY CYBER RISK NEWS Russian Attackers Weaponize WinRAR Flaw Against Ukrainian Orgs Two separate campaigns target CVE-2025-8088, fixed last July, to conduct data theft and cyberespionage against military and government targets in Ukraine. Elizabeth Montalbano,Contributing Writer June 9, 2026 5 Min Read SOURCE: SANKAI VIA GETTY IMAGES At least two Russia-aligned threat clusters have exploited a high-severity WinRAR flaw that has been patched for nearly a year in email-based attacks against military and government organizations in Ukraine. The findings by Trend Micro are further evidence that the vulnerability, tracked as CVE-2025-8088, continues to be a target for threat actors. Russia-backed threat groups tracked as Shadow-Earth-066 and Earth Dahu, aka Gamaredon, are currently targeting the flaw via separate attacks that both begin with weaponized emails but then veered off into different attack chains, according to a blog post published on Monday by Trend Micro. In one campaign, Shadow-Earth-066 — tracked as UAC-0226 by Ukraine's Computer Emergency Response Team (CERT-UA) — used the vulnerability to deploy an updated version of the GiftedCrook information stealer, which collects credentials and documents and then deletes itself from the compromised system.  Related:Check Point VPN Flaw Exploited Since Early May A separate campaign by Earth Dahu — a long-time Russia-aligned threat actor also tracked as Primitive Bear, Shuckworm, Aqua Blizzard, and UAC-0010, among other names — exploited the flaw to deliver espionage-focused malware through an infection chain that uses HTML applications (HTAs). "WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation," despite the flaw having been patched in WinRAR 7.13 in July 2025, Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord wrote in the post. Indeed, as recently as April, both Show-Earth-066 and Earth Dahu were still generating new exploit samples, and Earth Dahu currently remains active, according to Trend Micro. Targets were similar across both campaigns, with victimology focused on government entities such as military innovation centers, military formations, law enforcement agencies, and related organizations.  Further, Google's Threat Intelligence Group reported that other Russia-aligned threat actors, including Sandworm, Turla, and Void Rabisu, exploited the same vulnerability earlier this year, the researchers said. Unpatched WinRAR Systems Remain a Target CVE-2025-8088 is a path traversal vulnerability affecting the Windows version of WinRAR that allows attackers to execute arbitrary code. Specifically, attackers who exploit the vulnerability can craft malicious archive files that write files outside the intended extraction directory, including into Windows Startup locations that enable code execution after login.  WinRAR is a popular cross-platform file extraction software used not only by many Ukrainian organizations, but also by hundreds of millions of users worldwide. Indeed, WinRAR flaws in general are popular targets for attacks due to this large install base. An earlier flaw tracked as CVE-2023-38831 also came under heavy fire in 2023 from both Russian and Chinese adversaries. Related:4 Critical Threats Where Attackers Have the Advantage In fact, Trend Micro's findings support earlier research demonstrating that organizations that haven't patched CVE-2025-8088 remain extremely vulnerable to attack. A report from Google published in January found that state-sponsored actors are targeting the flaw, with small and midsized businesses especially in the cross-hairs. Waseem Ahmed, head of engineering at Secure.com, tells Dark Reading it's notable, but not surprising, that attackers are still investing in the flaw. That may be because it's cheap to exploit it, as both campaigns demonstrate in their attack chains.  "There's no exotic exploit to engineer and no infrastructure to stand up; it's a phishing email with a booby-trapped archive, and the technique has been a market commodity since before it was even public," he says. "The barrier to weaponize is essentially gone."  Meanwhile, WinRAR remains unpatched on enough endpoints to make the investment in exploiting it worthwhile, the Trend Micro researchers noted. That may be because WinRAR does not auto-update, does not support Group Policy, and falls outside enterprise patch channels like WSUS, SCCM, or Intune. Thus, verifying patch status across hundreds of endpoints requires third-party tools or manual auditing, they wrote. Related:With Complex Cloud Integrations, Small Errors Lead to Major Compromises Similar, But Not Equal WinRAR Attacks Indeed, both Shadow-Earth-066 and Earth Dahu use different approaches to exploit CVE-2025-8088. The former group emails targets with lures that use military or government-related topics relevant to Ukraine with a malicious RAR archive included. The archive abuses the WinRAR path traversal flaw so attackers can place a malicious shortcut (LNK) or payload in a Windows Startup location using NTFS Alternate Data Streams.  In this case, the payload that's eventually executed is GiftedCrook, a stealer designed for rapid credential and document theft that harvests browser passwords, session cookies, and files matching 35 extensions. Earth Dahu also uses malicious emails to exploit the flaw, but in a slightly different way. First, the actor sends a spear-phishing email from a compromised government account that includes a weaponized archive containing documents crafted to appear legitimate. Earth Dahu then uses the WinRAR flaw to place malicious HTA files into locations where Windows will eventually execute them. The HTA files downloads a VBScript from the threat group's command-and-control infrastructure on Cloudflare Workers, which in turn loads malware modules for conducting persistent cyber espionage activities. If You Haven't Patched, Do It Now Patching affected systems is the best way to avoid exploitation of the WinRAR flaw, according to Trend Micro. "Tracking and patching these applications is not optional," the researchers wrote in the post. "It is a basic requirement for reducing the attack surface that threat actors rely on." However, some organizations may not have patched because they don't know where WinRAR may be exposed in a system, Secure.com's Ahmed observes. In this case, he suggests an organization "start from the assumption that you can't patch what you haven't found," and practice continuous asset discovery and risk-based prioritization to find where a network may be vulnerable.  "Then take the controls this bug hands you for free," he recommends. Since "every one of these campaigns persists the same way — by writing to the Windows Startup folder," an organization should start by setting up an alert on that, Ahmed advises. Further, defenders should "strip or detonate inbound archives at the mail gateway, and remove or allowlist WinRAR where it isn't needed" to help thwart the attack chains. "The door's been open for a year," Ahmed says. "The real fix is to stop pretending you know where all your doors are." About the Author Elizabeth Montalbano Contributing Writer Elizabeth Montalbano is freelance writer, editor, and  journalist with 30 years of professional experience and a master's degree from Arizona State University. Her areas of expertise include enterprise technology, cybersecurity, business, and culture. During her long career, Elizabeth has lived and worked as a full-time journalist in Phoenix, San Francisco, and New York City. She specializes in news coverage and analysis, using her years of experience to look at the current state of cybersecurity with a critical gaze. She currently resides in a village on the southwest coast of Portugal, where in her free time she enjoys surfing, hiking with her dogs, growing plants, and playing and performing as a singer and musician. Want more Dark Reading stories in your Google search results? ADD US NOW More Insights Industry Reports How Organizations Are Managing Incident Response How Enterprises Are Developing Secure Applications Inside RSAC 2026: security leaders reveal the risks redefining your defense strategy Essential News & Insights from Black Hat USA 2025 How Enterprises Are Harnessing Emerging Technologies in Cybersecurity Access More Research Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack Defending in the Shadow Era: When the CVE Feed Goes Dark Building SecOps That Make the Most of Every Dollar More Webinars You May Also Like VULNERABILITIES & THREATS Cheap Hardware Module Bypasses AMD, Intel Memory Encryption by Rob Wright NOV 25, 2025 VULNERABILITIES & THREATS Patch Now: Microsoft Flags Zero-Day & Critical Zero-Click Bugs by Jai Vijayan, Contributing Writer NOV 11, 2025 VULNERABILITIES & THREATS Microsoft Issues Emergency Patch for Critical Windows Server Bug by Rob Wright OCT 24, 2025 VULNERABILITIES & THREATS 350M Cars, 1B Devices Exposed to 1-Click Bluetooth RCE by Nate Nelson, Contributing Writer JUL 11, 2025 Editor's Choice CYBERSECURITY OPERATIONS 20 Leaders Who Built the CISO Era: 2 Decades of Change byDark Reading Editorial Team MAY 12, 2026 41 MIN READ APPLICATION SECURITY It's Patch Tuesday for Microsoft & Not a Zero-Day In Sight byJai Vijayan MAY 12, 2026 5 MIN READ CYBERATTACKS & DATA BREACHES Instructure Breach Exposes Schools' Vendor Dependence byAlexander Culafi MAY 6, 2026 4 MIN READ Want more Dark Reading stories in your Google search results? Keep up with the latest cybersecurity threats, newly discovered vulnerabilities, data breach information, and emerging trends. Delivered daily or weekly right to your email inbox. SUBSCRIBE Webinars Advanced Persistent Threats: A Practical Guide to Detection and Response TUESDAY, JUNE 30, 2026 @ 1:00 PM EASTERN DAYLIGHT TIME The Frontier AI Era: Why Cybersecurity Must Move at Machine Speed TUESDAY, JUNE 23, 2026 1:00 PM EDT Build vs. Buy: The Hidden Cost of Building Your Own AI Security Stack THURS, JUNE 25, 2026, AT 1PM EST Defending in the Shadow Era: When the CVE Feed Goes Dark TUES, JUNE 16, 2026 AT 1PM EST Building SecOps That Make the Most of Every Dollar THURS, JULY 9, 2026 AT 1PM EST More Webinars AUG 1-6 | MANDALAY BAY, LAS VEGAS USE CODE: DARKREADING & SAVE $200 ON A BRIEFINGS PASS OR $100 ON A BUSINESS PASS The premier cybersecurity event returns. GET YOUR PASS ANATOMY OF A DATA BREACH This comprehensive virtual event examines the main vulnerabilities and exploits that lead to enterprise data breaches, plus the latest tools and best practices for conducting incident response. BEAT HACKERS TO IT
    💬 Team Notes
    Article Info
    Source
    Dark Reading
    Category
    ◇ Industry News & Leadership
    Published
    Jun 09, 2026
    Archived
    Jun 09, 2026
    Full Text
    ✓ Saved locally
    Open Original ↗