Two Russian APT groups are taking advantage of a WinRAR vulnerability that was fixed almost a year ago to target Ukraine.
**TL;DR**
Two hacking groups linked to the FSB are taking advantage of a WinRAR vulnerability that was fixed in July 2025 to steal credentials from Ukrainian targets. Although a patch exists, its adoption is slow.
Two Russian state-affiliated hacking groups are currently exploiting a path traversal vulnerability in WinRAR, patched nearly a year ago, to deploy credential-stealing malware against Ukrainian government and military entities, as reported by Trend Micro. The vulnerability, tracked as CVE-2025-8088 and rated 8.4 on the CVSS scale, lets attackers use NTFS Alternate Data Streams to conceal malicious payloads within seemingly innocuous archive files. The patch shipped in WinRAR version 7.13 on July 30, 2025, but exploitation began at least 12 days earlier, and these groups continue to leverage the flaw because WinRAR is widely used in Ukrainian organizations and updates are adopted slowly.
Gamaredon, which Trend Micro refers to as Earth Dahu, is using the vulnerability as the entry point for a multi-stage infection chain. The attack starts with a spear-phishing email carrying a malicious RAR archive that exploits CVE-2025-8088 to drop an HTA file, which then runs a VBScript loader named GammaPhish. This loader downloads GammaLoad, a backdoor that maintains persistence and retrieves GammaSteel, the group's main tool for exfiltrating documents and screenshots from infected machines.
SHADOW-EARTH-066, tracked by Ukraine's CERT as UAC-0226, is also exploiting the same WinRAR flaw, but delivers different malware. While the group previously relied on malicious Excel macros to deliver its payloads, it transitioned to WinRAR-based exploit chains once the vulnerability became available to it. This change sidesteps Microsoft's macro-blocking features. The malware deployed is GIFTEDCROOK, an information stealer that targets saved passwords and session cookies from browsers such as Chrome, Edge, Opera, and Firefox, along with documents on the infiltrated system.
The fact that two distinct Russian APT groups are converging on a single vulnerability is noteworthy since Gamaredon and SHADOW-EARTH-066 employ different toolsets and seem to have varying intelligence-gathering goals, yet both identified CVE-2025-8088 as the most effective method to target Ukrainian entities. Trend Micro researchers Hiroyuki Kakara and Feike Hacquebord documented these operations in a collaborative analysis. The French threat intelligence firm Sekoia also confirmed the Gamaredon attack chain, noting that the group's focus has consistently remained on Ukrainian military, law enforcement, and governmental targets throughout the campaign.
An important operational shift is accompanying these exploit campaigns. Historically, Gamaredon utilized Telegram bots and channels to send stolen data back to its operators but has begun moving exfiltration processes to dedicated command-and-control servers since early 2026. This shift coincides with Russia's decision to limit Telegram traffic starting February 10, 2026, a move verified by CNN and Amnesty International that has hindered the platform's reliability within Russia, making it less suitable for covert data transfers.
RomCom, another Russian-speaking APT group, was the first to exploit CVE-2025-8088, doing so before the WinRAR patch was issued. The emergence of at least three different groups crafting exploit chains around the same vulnerability highlights a significant issue: the time gap between the release of patches and their actual deployment by organizations creates an opportunity for attackers that can extend for months or even longer. Most enterprise configurations do not update WinRAR automatically, and Ukrainian organizations dealing with wartime challenges face additional obstacles in regular software maintenance.
These campaigns are part of a larger pattern of Russian state-sponsored cyber operations targeting European and Ukrainian infrastructures, which have escalated since the full-scale invasion in 2022. GIFTEDCROOK’s targeting of browser credentials poses a significant risk, as compromised saved passwords and session cookies can allow attackers to access email accounts, internal portals, and communication platforms without needing further authentication. Trend Micro has pointed out that stolen browser data often facilitates lateral movement that reaches far beyond the initially compromised device.
For organizations still using WinRAR 7.12 or earlier, the fix is to upgrade to version 7.13 or later, which has been available since July 2025. That exploitation persists despite a patch having been available for nearly a year is the central issue. Administrators unable to update immediately should treat incoming RAR files with the same caution typically reserved for other archive formats that have been weaponized in recent network edge attacks, and consider blocking NTFS Alternate Data Streams at the email gateway where feasible.