WinRAR Vulnerability from Years Past Still Powering 2026 Attacks Against Ukraine
- Jun 14
- 4 min read
Key Findings
CVE-2025-8088, a WinRAR path traversal flaw patched in July 2025, remains actively exploited against Ukrainian organizations as of April 2026, nearly a year after the fix was released
Two Russia-aligned threat groups, SHADOW-EARTH-066 (UAC-0226) and Earth Dahu (Gamaredon), are leveraging the vulnerability in coordinated campaigns targeting Ukrainian government and military entities
The exploit abuses NTFS Alternate Data Streams to silently write files to the Windows Startup directory, achieving persistence without user awareness
WinRAR's lack of automatic updates, Group Policy support, or enterprise patch management integration leaves vulnerable installations invisible to standard vulnerability management tools
SHADOW-EARTH-066 has significantly upgraded its capabilities from basic macro-based attacks to sophisticated in-memory malware with encrypted C2 infrastructure
Patch adoption remains the core obstacle; organizations continue running outdated WinRAR versions despite available fixes
Background
The WinRAR vulnerability landscape has a troubling history of persistence. CVE-2025-8088 is not the first WinRAR flaw to remain exploitable long after patching. A similar vulnerability from 2018 continued to appear in targeted campaigns for years afterward, and CVE-2025-8088 appears to be following an identical trajectory. This pattern reflects a fundamental architectural limitation: WinRAR does not auto-update, lacks Group Policy support, and operates outside standard enterprise patch channels like WSUS, SCCM, or Intune. As a result, the software becomes nearly invisible to mature vulnerability management programs, even within organizations with otherwise robust security practices.
How the Exploit Works
The vulnerability exploits NTFS Alternate Data Streams to bypass extraction location controls. Attackers craft RAR archives containing a visible decoy document—commonly a fake court summons or property seizure notice—alongside hidden ADS entries packed with directory traversal sequences. When a user opens the archive in a vulnerable WinRAR version, the malware silently writes files outside the intended extraction folder, typically into the Windows Startup directory. The victim sees only the harmless decoy document and receives no warning that files have been written to sensitive system locations. This silent persistence mechanism makes detection difficult without active endpoint monitoring.
SHADOW-EARTH-066: Evolution of a Threat Actor
SHADOW-EARTH-066's capabilities have undergone dramatic transformation in under a year. The group previously relied on macro-laden Excel files and GIFTEDCROOK, a basic stealer that dumped stolen browser data to Telegram using hardcoded bot tokens and plaintext exfiltration. The group has now shifted entirely to WinRAR exploit chains paired with sophisticated in-memory malware delivery. Their updated payload, internally named result.dll, loads entirely in memory using direct NT system calls like NtAllocateVirtualMemory and NtCreateThreadEx, deliberately avoiding common API hooks that security tools monitor. The malware targets credentials across Chrome, Edge, Opera, and Firefox, can bypass Chrome's App-Bound Encryption, and scans for files across 35 different extensions covering documents, spreadsheets, archives, and KeePass databases. After exfiltrating data via RC4-encrypted HTTPS to dedicated command servers, the malware deletes every trace of itself from the infected machine. This represents a significant upgrade in operational sophistication and tradecraft.
Earth Dahu's Script-Based Approach
While SHADOW-EARTH-066 builds compiled malware, Earth Dahu (Gamaredon) opts for a different strategy centered on scripted payloads. Their version of the CVE-2025-8088 exploit drops a single HTA file into the Startup folder. On the next system reboot, mshta.exe automatically executes the file, loading VBScript through Cloudflare Workers and Dynamic DNS infrastructure that eventually delivers espionage modules. Earth Dahu employs a particularly deceptive technique using spoofed URLs with HTTP basic-auth formatting to display trusted domains like ssu.gov.ua in front of the actual malicious destination, tricking victims into believing they're visiting a legitimate Ukrainian government site. The group's spear-phishing campaigns frequently originate from compromised government and judicial email accounts, often impersonating court summons or property seizure notices. This approach leverages social engineering and compromised infrastructure to increase believability.
Why Patching Alone Falls Short
The fundamental problem is not the existence of the vulnerability or the availability of a patch, but rather the disconnect between patch development and patch deployment. WinRAR's architecture makes it nearly impossible for enterprises to manage systematically. Without auto-update capability, Group Policy support, or integration into standard patch channels, WinRAR remains outside the visibility of most vulnerability management programs. Even security teams at organizations with mature patch management practices often fail to track WinRAR installations consistently. This architectural gap creates a persistent window of opportunity for attackers. The longer organizations go without discovering and manually updating WinRAR across their endpoints, the more valuable the exploit remains to threat actors. Given that an older WinRAR vulnerability remained exploitable for years after patching, CVE-2025-8088 will likely follow the same trajectory unless organizations take deliberate manual action.
Recommended Actions
Organizations with connections to Ukrainian government, military, or legal systems should treat this as an urgent priority. Begin by auditing all endpoints for outdated WinRAR installations using third-party software inventory tools, since native patch management will not catch them. Update all instances to WinRAR 7.13 or later. Security teams should actively hunt for suspicious indicators of compromise including unusual LNK files in Startup folders, unexpected mshta.exe activity, and PowerShell processes reading from C:\ProgramData. Monitor for evidence of credential theft from browsers and file exfiltration. Given the tendency of unpatched archive utilities to remain exploitable for extended periods, treat this as an ongoing operational priority rather than a one-time remediation effort.
Sources
https://securityonline.info/winrar-vulnerability-ukraine-cve-2025-8088/
https://cyber.netsecops.io/articles/russian-apts-exploit-old-winrar-flaw-against-ukraine

Comments