
Two Russia-aligned campaigns are still abusing a known WinRAR vulnerability to target organizations in Ukraine, nearly a year after patches became available. Trend Micro links the activity to Earth Dahu (also known as Gamaredon) and SHADOW-EARTH-066 (also tracked as UAC-0226).
The shared entry point is CVE-2025-8088, a path traversal issue that lets attackers write files outside the chosen extraction directory via NTFS Alternate Data Streams (ADS). WinRAR addressed the flaw in July 2025.
The findings show “how unmanaged software keeps an exploited entry point open long after the fix ships,” Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord said.
What’s happening
Both clusters rely on crafted archives to plant stealthy payloads outside the extraction path, then use familiar Windows mechanisms to start and sustain execution. The end goal is the same: steal data from browsers and documents, then clean up traces.
SHADOW-EARTH-066: from macros to crafted RARs
Trend Micro notes a shift away from earlier Excel macro droppers. The current chain uses RAR archives that include a decoy PDF and three hidden ADS payloads written outside the extraction directory. From there, the sequence is straightforward and persistent:
- A Windows shortcut (LNK) is placed in the Startup folder so it runs at each user logon.
- The shortcut triggers a PowerShell loader via cmd.exe.
- The loader performs in-memory DLL loading to launch an updated build of the GIFTEDCROOK information stealer (result.dll).
GIFTEDCROOK targets passwords and cookies from Chromium-based browsers (Google Chrome, Microsoft Edge, Opera) and Mozilla Firefox, and it also collects documents with specific extensions. After exfiltration, the malware deletes its artifacts to reduce forensic visibility.
A notable change in this wave: exfiltration moved from Telegram to dedicated command-and-control servers, likely aligning with Russia’s blocking of Telegram earlier this February.
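The mechanism both clusters depend on is an archive member whose file path or NTFS stream name steers the write outside the extraction directory. As an added example, not code from the original article or from Trend Micro, the following Python function applies the corresponding defensive check: audit every member name before extraction and reject any whose path component or ADS stream name would escape the extraction root. The archive listing is constructed for illustration (it is not taken from a real sample), and the function name `audit_entry` is this example's own.

```python
from pathlib import PureWindowsPath

# Constructed archive listing for illustration only (not from a real sample).
# One decoy, one benign ADS (Zone.Identifier), and three names that try to
# steer the write outside the extraction root.
SAMPLE_ENTRIES = [
    "report.pdf",
    "docs\\notes.txt",
    "report.pdf:Zone.Identifier",
    "report.pdf:..\\..\\..\\Startup\\update.lnk",   # ADS name used as a path
    "..\\loader.dll",                                # plain traversal
    "C:\\Windows\\Temp\\loader.dll",                 # absolute path
]


def split_ads(name: str):
    """Split 'file:stream' into (file, stream); a leading drive letter 'X:' is not a stream."""
    norm = name.replace("/", "\\")
    start = 2 if len(norm) >= 2 and norm[1] == ":" and norm[0].isalpha() else 0
    idx = norm.find(":", start)
    if idx == -1:
        return norm, None
    return norm[:idx], norm[idx + 1:]


def audit_entry(name: str):
    """Return None if the member would be written inside the extraction root,
    otherwise a short reason: 'absolute', 'traversal' or 'ads-traversal'."""
    base, stream = split_ads(name)
    path = PureWindowsPath(base)
    if path.drive or path.root:
        return "absolute"
    if ".." in path.parts:
        return "traversal"
    if stream is not None:
        # An NTFS stream name is a label, not a path: separators or '..' in it
        # mean the archive is using the ADS to choose a different destination.
        if "\\" in stream or stream in ("..", "."):
            return "ads-traversal"
    return None


def audit_listing(entries):
    """Map each rejected member name to its reason; clean entries are omitted."""
    findings = {}
    for entry in entries:
        reason = audit_entry(entry)
        if reason:
            findings[entry] = reason
    return findings


if __name__ == "__main__":
    for entry, reason in audit_listing(SAMPLE_ENTRIES).items():
        print(f"REJECT [{reason}] {entry}")
```

The check deliberately treats the stream part of `file:stream` as a label rather than a path: a legitimate stream name (such as `Zone.Identifier`) never contains a separator, so any backslash or `..` after the colon is enough to refuse the member. Running the audit against a listing produced by your archive tool, before extraction, gives a mail gateway or endpoint script a way to quarantine archives built this way even on hosts where WinRAR has not yet been updated.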
Earth Dahu (Gamaredon): HTA-to-VBScript espionage chain
Earth Dahu has used CVE-2025-8088 since at least September 2025 as part of what researchers describe as an “industrial-scale effort” to keep long-term access.
These attacks, also documented by Sekoia, deploy an HTML Application (HTA) called GammaPhish. GammaPhish then retrieves a VBScript downloader named GammaLoad, which pulls in additional modules such as GammaSteel.
Sekoia explains that GammaLoad is “a collection of VBScripts designed to ensure continuous access and deploy payloads over time by leveraging Dead Drop Resolvers (DDR).” It’s used to deliver a dropper that launches a VBScript loader responsible for executing GammaSteel, a comprehensive information stealer able to monitor file changes in real time.
According to Trend Micro, internal RAR timestamps and file naming conventions show this chain remained active through at least April 10, 2026.
Why this keeps working
“WinRAR is deeply embedded in daily operations across Ukrainian organizations, making it an attractive target for exploitation,” Trend Micro said. “The convergence of both established state-backed groups and independently tracked clusters on a single vulnerability reflects the scale of the cyber threats that Ukraine faces.”
What to do now
- Update WinRAR to a version that includes the July 2025 fix for CVE-2025-8088.
- Inventory where WinRAR is installed and enforce updates on unmanaged endpoints.
Closing a known door stops a lot of noise. In this case, it also removes a proven path for data theft.