Overview
Russian state‑aligned hackers are actively exploiting a known WinRAR flaw — CVE‑2025‑8088 — to steal passwords, session cookies, and sensitive files from Ukrainian organizations. Despite being patched in July 2025, the vulnerability remains a favored entry point for groups like SHADOW‑EARTH‑066 and Earth Dahu (Gamaredon), proving that unpatched software continues to be one of the most reliable attack vectors for persistent threat actors.

Exploitation Chain and Attack Scope
Two independent intrusion sets are weaponizing the same WinRAR flaw to deploy the GIFTEDCROOK information stealer.
| Threat Actor | Alias / Tracking ID | Primary Target | Delivery Method |
|---|---|---|---|
| SHADOW‑EARTH‑066 | CERT‑UA UAC‑0226 | Military innovation centers and law enforcement in Ukraine | Spear‑phishing RAR archives |
| Earth Dahu (Gamaredon) | Russia‑aligned APT | Espionage operations via Cloudflare Workers | HTML Application files (HTA) |
Both groups continued producing new exploit samples through April 2026, with other actors like Sandworm, Turla, and Void Rabisu also observed using the same vulnerability.
Technical Details of CVE‑2025‑8088
CVE‑2025‑8088 is a path traversal flaw rated CVSS 8.4 that allows attackers to write files outside the extraction directory using NTFS Alternate Data Streams.
When a victim opens a malicious RAR archive with an outdated WinRAR version:
- A decoy PDF appears on screen.
- Hidden payloads are silently dropped into the Windows Startup folder.
- On next login, the payload chain executes automatically without warnings.
| Payload Stage | Component | Function |
|---|---|---|
| Stage 1 | LNK shortcut in Startup | Triggers PowerShell loader |
| Stage 2 | PowerShell script in C:\ProgramData | Decodes and loads DLL in memory |
| Stage 3 | Encoded DLL (result.dll) | Executes GIFTEDCROOK stealer payload |
The final DLL targets Chrome, Edge, Opera, and Firefox, stealing passwords, session cookies, and master decryption keys while scanning for files across 35 extensions including spreadsheets, emails, and KeePass databases.
GIFTEDCROOK Evolution
The original GIFTEDCROOK (2025) was a standalone executable sending stolen data via a hardcoded Telegram bot. By February 2026, SHADOW‑EARTH‑066 had migrated to the WinRAR exploit chain and replaced Telegram with encrypted HTTPS communication to C&C servers in France, the Netherlands, and Switzerland.
Key enhancements include:
- Chrome App‑Bound Encryption Bypass → Circumvents browser security controls.
- Dual‑Layer RC4 Encryption → Protects exfiltrated data over HTTPS.
- Memory‑Only Execution → Payload never written to disk, evading file‑based detection.
After exfiltration, the malware deletes staging files and removes its Startup entry, leaving almost no trace on compromised systems.
Mitigation and Response
Security teams should prioritize patching and endpoint auditing:
- Update WinRAR → Deploy version 7.13 or later across all systems.
- Hunt for Suspicious Files → Look for LNK or HTA files with randomized names in Startup.
- Inspect ProgramData → Check for short alphanumeric files like KKNorND8.
- Block C&C IPs → Filter network traffic to known malicious servers.
- Rotate Credentials → Reset saved browser passwords and enable multi‑factor authentication.
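As an added example (not the article's own tooling), a PowerShell hunt that walks the three endpoint checks above: WinRAR build, Startup-folder LNK/HTA files with randomized names, and loose short-named files under ProgramData. The default install paths and the "random name" regex are assumptions made here, not indicators published with the report.

```powershell
# Added hunting script for the indicators described above; not from the article.
# Assumes: Windows PowerShell 5.1 or later, run elevated so every user profile is readable.
# The random-name regex is a heuristic chosen here, not one published with the report.
$MinWinRar  = [version]'7.13'                # first patched release named in the article
$RandomName = '^(?=.*\d)[A-Za-z0-9]{5,12}$'  # short alphanumeric name with a digit, e.g. KKNorND8
$Findings   = New-Object System.Collections.Generic.List[object]

function Add-Finding($Check, $Path, $Detail) {
    $Findings.Add([pscustomobject]@{ Check = $Check; Path = $Path; Detail = $Detail })
}

# 1. WinRAR build check against the default install locations (assumption: default paths).
foreach ($exe in @("$env:ProgramFiles\WinRAR\WinRAR.exe", "${env:ProgramFiles(x86)}\WinRAR\WinRAR.exe")) {
    if (-not (Test-Path $exe)) { continue }
    $ver = (Get-Item $exe).VersionInfo.ProductVersion -as [version]
    if ($null -eq $ver -or $ver -lt $MinWinRar) {
        Add-Finding 'OutdatedWinRAR' $exe "ProductVersion=$ver (need $MinWinRar or later)"
    }
}

# 2. Startup folders: any .hta is unusual there; .lnk only when the name looks randomized.
$startupDirs = @("$env:ProgramData\Microsoft\Windows\Start Menu\Programs\StartUp") +
               (Get-ChildItem "$env:SystemDrive\Users" -Directory -ErrorAction SilentlyContinue |
                ForEach-Object { Join-Path $_.FullName 'AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup' })
foreach ($dir in $startupDirs) {
    Get-ChildItem $dir -File -ErrorAction SilentlyContinue | ForEach-Object {
        $isHta = $_.Extension -ieq '.hta'
        $isLnk = ($_.Extension -ieq '.lnk') -and ($_.BaseName -match $RandomName)
        if ($isHta -or $isLnk) { Add-Finding 'StartupArtifact' $_.FullName "created $($_.CreationTime)" }
    }
}

# 3. Loose files directly under ProgramData with short random-looking names (stage 2 loader location).
Get-ChildItem $env:ProgramData -File -ErrorAction SilentlyContinue |
    Where-Object { $_.BaseName -match $RandomName } |
    ForEach-Object { Add-Finding 'ProgramDataDropper' $_.FullName "size $($_.Length) bytes" }

if ($Findings.Count) { $Findings | Format-Table -AutoSize } else { 'No findings.' }
```

Treat hits as leads for triage, not confirmation: the name heuristic will also match some legitimate vendor shortcuts, so review creation times and targets before acting.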
Indicators of Compromise (Selected)
| Type | Indicator | Description |
|---|---|---|
| IP Address | 166[.]0[.]132[.]237 | SHADOW‑EARTH‑066 C&C server (port 7044) |
| IP Address | 136[.]0[.]141[.]41 | SHADOW‑EARTH‑066 C&C server (port 9580) |
| File Name | result.dll | Final GIFTEDCROOK payload DLL |
| Domain | astrocafe[.]com | Earth Dahu sending domain (registered via reg.ru) |
| User‑Agent | libcurl/8.14.0‑DEV | Network indicator used during HTTPS exfiltration |
(Indicators are defanged to prevent accidental resolution. Re‑fang only within controlled threat intelligence platforms.)
Expert in the Cloud Insight
The continued exploitation of a patched WinRAR flaw underscores a fundamental truth: patch management is not optional — it’s mission‑critical. Without automatic updates or enterprise patch channels, WinRAR remains a soft target for state‑aligned actors.
For defenders, the lesson is clear: visibility and version control must extend to every endpoint — even legacy utilities. Attackers don’t need zero‑days when organizations leave old ones open.