WinRAR Vulnerability Exploited
Overview Russian state‑aligned hackers are actively exploiting a known WinRAR flaw — CVE‑2025‑8088 — to steal passwords, session cookies, and sensitive files from Ukrainian organizations. Despite being patched in July 2025, the vulnerability remains a favored entry point for groups like SHADOW‑EARTH‑066 and Earth Dahu (Gamaredon), proving that unpatched software continues to be one of the most reliable attack vectors for persistent threat actors. Exploitation Chain and Attack Scope Two independent intrusion sets are weaponizing the same WinRAR flaw to deploy the GIFTEDCROOK information stealer. Threat Actor Alias / Tracking ID Primary Target Delivery Method SHADOW‑EARTH‑066 CERT‑UA UAC‑0226 Military innovation centers and law enforcement in Ukraine Spear‑phishing RAR archives Earth Dahu (Gamaredon) Russia‑aligned APT Espionage operations via Cloudflare Workers HTML Application files (HTA) Both groups continued producing new exploit samples through April 2026, with other actors like Sandworm, Turla, and Void Rabisu also observed using the same vulnerability. Technical Details of CVE‑2025‑8088 CVE‑2025‑8088 is a path traversal flaw rated CVSS 8.4 that allows attackers to write files outside the extraction directory using NTFS Alternate Data Streams. When a victim opens a malicious RAR archive with an outdated WinRAR version: Payload Stage Component Function Stage 1 LNK shortcut in Startup […]